Tutorial: Create and mount an Amazon Secrets Manager secret in an Amazon EKS pod
In this tutorial, you create an example secret in Secrets Manager, and then you mount the secret in an Amazon EKS pod and deploy it.
Before you begin, install the ASCP (see Install the ASCP).
To create and mount a secret
1. Set the Amazon Web Services Region and the name of your cluster as shell variables so you can use them in the bash commands that follow. For <REGION>, enter the Amazon Web Services Region where your Amazon EKS cluster runs. For <CLUSTERNAME>, enter the name of your cluster.
REGION=<REGION>
CLUSTERNAME=<CLUSTERNAME>
2. Create a test secret. For more information, see Create and manage secrets with Amazon Secrets Manager. The command's output includes the secret's ARN, which you need in step 3.
aws --region "$REGION" secretsmanager create-secret --name MySecret --secret-string '{"username":"lijuan", "password":"hunter2"}'
3. Create an IAM policy that grants read access to only the secret you created in the previous step; attaching it to the pod's role (step 5) is what limits the pod to that one secret. For <SECRETARN>, use the ARN of the secret from the create-secret output in step 2. Save the policy ARN in a shell variable. Note that create-policy fails if a policy named nginx-deployment-policy already exists; POLICY_ARN is then empty and step 5 fails, so delete the old policy first or use its existing ARN.
POLICY_ARN=$(aws --region "$REGION" --query Policy.Arn --output text iam create-policy --policy-name nginx-deployment-policy --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": ["<SECRETARN>"]
    }
  ]
}')
4. Create an IAM OIDC provider for the cluster if you don't already have one. For more information, see Create an IAM OIDC provider for your cluster.
eksctl utils associate-iam-oidc-provider --region="$REGION" --cluster="$CLUSTERNAME" --approve # Only run this once
5. Create the service account the pod uses and associate the IAM policy you created in step 3 with it. eksctl creates an IAM role with the policy attached and annotates the Kubernetes service account with the role's ARN (IAM roles for service accounts); the ASCP then uses that role when it calls Secrets Manager on the pod's behalf. For this tutorial, the service account name is nginx-deployment-sa. For more information, see Create an IAM role for a service account.
eksctl create iamserviceaccount --name nginx-deployment-sa --region="$REGION" --cluster "$CLUSTERNAME" --attach-policy-arn "$POLICY_ARN" --approve --override-existing-serviceaccounts
6. Create the SecretProviderClass to specify which secret to mount in the pod. The following command uses ExampleSecretProviderClass.yaml in the examples directory of the ASCP GitHub repo to mount the secret you created in step 2. A SecretProviderClass is namespaced and must be in the same namespace as the pod that references it. Review a manifest before applying it from a remote URL. For information about creating your own SecretProviderClass, see SecretProviderClass.
kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/examples/ExampleSecretProviderClass.yaml
7. Deploy your pod. The following command uses ExampleDeployment.yaml in the examples directory of the ASCP GitHub repo to mount the secret in /mnt/secrets-store in the pod.
kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/examples/ExampleDeployment.yaml
8. To verify that the secret has been mounted properly, use the following command and confirm that your secret value appears. The -- separates kubectl's own flags from the command run inside the container.
kubectl exec -it $(kubectl get pods | awk '/nginx-deployment/{print $1}' | head -1) -- cat /mnt/secrets-store/MySecret; echo
The secret value appears:
{"username":"lijuan", "password":"hunter2"}
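The steps above collected into one script, as an added example that is not code from this page or from the ASCP project. It reads the secret's ARN with describe-secret instead of pasting it by hand, refuses to continue if the generated policy is not scoped to that single ARN, and renders its own SecretProviderClass that uses the ASCP jmesPath parameter to expose the password field as a separate file, /mnt/secrets-store/db-password, so an application can read one value without parsing the JSON. Assumptions: the names nginx-deployment-policy, nginx-deployment-sa and nginx-deployment-aws-secrets, the alias db-password, and that the deployment manifest you apply labels its pods app=nginx and references the SecretProviderClass by that name; check these against the manifest before running it.

```bash
#!/usr/bin/env bash
# Added example (not from the AWS docs or the ASCP repo). Assumed names:
# MySecret, nginx-deployment-policy, nginx-deployment-sa,
# nginx-deployment-aws-secrets, objectAlias db-password, pod label app=nginx.
set -eu

# Render a least-privilege IAM policy document for exactly one secret ARN.
render_policy() {
  local secret_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": ["${secret_arn}"]
    }
  ]
}
EOF
}

# Return 0 only if the document names a Secrets Manager ARN and its Resource is
# not a wildcard: the pod should read this one secret, not every secret in the account.
policy_is_scoped() {
  local doc="$1"
  if printf '%s' "$doc" | grep -Eq '"Resource"[[:space:]]*:[[:space:]]*(\[[[:space:]]*)?"\*"'; then
    return 1
  fi
  printf '%s' "$doc" | grep -q 'arn:aws[a-z-]*:secretsmanager:'
}

# Render a SecretProviderClass that mounts the secret and, via jmesPath,
# also writes just its "password" key to the file db-password.
render_spc() {
  local secret_name="$1" spc_name="$2"
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: ${spc_name}
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "${secret_name}"
        objectType: "secretsmanager"
        jmesPath:
          - path: password
            objectAlias: db-password
EOF
}

# The tutorial's steps 3 to 8; runs only when invoked as
# "./script.sh deploy <REGION> <CLUSTERNAME>" so the render functions stay testable offline.
deploy() {
  local region="$1" cluster="$2" secret_name="MySecret"
  local secret_arn policy_doc policy_arn pod
  secret_arn=$(aws --region "$region" secretsmanager describe-secret \
      --secret-id "$secret_name" --query ARN --output text)
  policy_doc=$(render_policy "$secret_arn")
  policy_is_scoped "$policy_doc"   # aborts (set -e) on a wildcard policy
  policy_arn=$(aws iam create-policy --policy-name nginx-deployment-policy \
      --policy-document "$policy_doc" --query Policy.Arn --output text)
  eksctl utils associate-iam-oidc-provider --region="$region" --cluster="$cluster" --approve
  eksctl create iamserviceaccount --name nginx-deployment-sa --region="$region" \
      --cluster "$cluster" --attach-policy-arn "$policy_arn" --approve --override-existing-serviceaccounts
  render_spc "$secret_name" nginx-deployment-aws-secrets | kubectl apply -f -
  kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/examples/ExampleDeployment.yaml
  kubectl rollout status deployment/nginx-deployment
  pod=$(kubectl get pods -l app=nginx -o jsonpath='{.items[0].metadata.name}')
  kubectl exec "$pod" -- cat /mnt/secrets-store/db-password; echo
}

if [ "${1:-}" = deploy ]; then
  deploy "${2:?region}" "${3:?cluster}"
fi
```

The jmesPath entry adds a file beside the full secret rather than replacing it, so /mnt/secrets-store/MySecret still holds the whole JSON; drop the alias file or the object as your application requires. The policy check is deliberately a plain grep so it works without jq on the machine running the script.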