🔑 AWS Secrets Manager¶
Authentication via IRSA¶
The AWS provider uses IAM Roles for Service Accounts (IRSA) to authenticate:
clustersecretstore:
  name: cluster-aws-backend
  providerType: aws
  aws:
    region: "us-east-1"
    auth:
      serviceAccountName: "external-secrets-sa"
      serviceAccountNamespace: "external-secrets"
Prerequisites¶
1. Create an IAM Policy¶
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789:secret:*"
    }
  ]
}
2. Create an IAM Role with IRSA Trust¶
eksctl create iamserviceaccount \
--name external-secrets-sa \
--namespace external-secrets \
--cluster my-cluster \
--attach-policy-arn arn:aws:iam::123456789:policy/ExternalSecretsPolicy \
--approve
3. Verify the Service Account¶
kubectl get sa external-secrets-sa -n external-secrets -o yaml
# Should have annotation: eks.amazonaws.com/role-arn
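To check the policy from step 1 and the ServiceAccount from step 3 offline before wiring them into the ClusterSecretStore, here is an added Python example (not the chart's own code); it assumes the policy document and the `kubectl ... -o yaml` output have been loaded as dicts, and the role name ExternalSecretsRole and the sample manifests are constructed.

```python
import re

# Read-only actions the ClusterSecretStore needs; anything beyond them is over-privileged.
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}
ANNOTATION = "eks.amazonaws.com/role-arn"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d+):role/[\w+=,.@/-]+$")
SECRET_ARN_RE = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:(\d+):secret:")

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def check_policy(policy: dict) -> list[str]:
    """Flag Allow statements that grant more than the two read-only actions or an unscoped resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action or action not in ALLOWED_ACTIONS:
                findings.append(f"over-privileged action: {action}")
        for res in _as_list(stmt.get("Resource")):
            if not SECRET_ARN_RE.match(res):
                findings.append(f"resource not scoped to one account's Secrets Manager: {res}")
    return findings

def check_service_account(sa: dict, policy: dict) -> list[str]:
    """Verify the IRSA annotation exists and names a role in the same account as the policy."""
    role_arn = sa.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    if not role_arn:
        return [f"missing annotation {ANNOTATION}"]
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        return [f"malformed role ARN: {role_arn}"]
    # Account IDs referenced by the policy's secret ARNs; the role must live in one of them.
    accounts = {m.group(1) for s in policy.get("Statement", [])
                for r in _as_list(s.get("Resource")) if (m := SECRET_ARN_RE.match(r))}
    if accounts and match.group(1) not in accounts:
        return [f"role account {match.group(1)} differs from policy account(s) {sorted(accounts)}"]
    return []

# Constructed samples mirroring the page; account 123456789 is the page's placeholder,
# and the role name ExternalSecretsRole is assumed (eksctl generates the real one).
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": "arn:aws:secretsmanager:us-east-1:123456789:secret:*"}]}
GOOD_SA = {"metadata": {"annotations": {ANNOTATION: "arn:aws:iam::123456789:role/ExternalSecretsRole"}}}
```

Both checks return an empty list for the page's own policy and a correctly annotated ServiceAccount; any non-empty result is something to fix before the store is deployed.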
Storing Secrets in AWS¶
Single Value¶
Multivalue (JSON)¶
aws secretsmanager create-secret \
--name app-config \
--secret-string '{"DB_HOST":"db.example.com","DB_PORT":"5432"}'
Multi-Region¶
Deploy multiple ClusterSecretStores for different regions by installing the chart multiple times: