Tutorial: Create and mount an Amazon Secrets Manager secret in an Amazon EKS pod - Amazon Secrets Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Tutorial: Create and mount an Amazon Secrets Manager secret in an Amazon EKS pod

In this tutorial, you create an example secret in Secrets Manager, and then you mount the secret in an Amazon EKS pod and deploy it.

Before you begin, install the ASCP: Install the ASCP.

To create and mount a secret
  1. Set the Amazon Web Services Region and the name of your cluster as shell variables so you can use them in bash commands. For <REGION>, enter the Amazon Web Services Region where your Amazon EKS cluster runs. For <CLUSTERNAME>, enter the name of your cluster.

    REGION=<REGION>
    CLUSTERNAME=<CLUSTERNAME>
  2. Create a test secret. For more information, see Create and manage secrets with Amazon Secrets Manager.

    aws --region "$REGION" secretsmanager create-secret --name MySecret --secret-string '{"username":"lijuan", "password":"hunter2"}'
  3. Create a resource policy for the pod that limits its access to the secret you created in the previous step. For <SECRETARN>, use the ARN of the secret. Save the policy ARN in a shell variable.

    POLICY_ARN=$(aws --region "$REGION" --query Policy.Arn --output text iam create-policy --policy-name nginx-deployment-policy --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"], "Resource": ["<SECRETARN>"] } ] }')
  4. Create an IAM OIDC provider for the cluster if you don't already have one. For more information, see Create an IAM OIDC provider for your cluster.

    eksctl utils associate-iam-oidc-provider --region="$REGION" --cluster="$CLUSTERNAME" --approve # Only run this once
  5. Create the service account the pod uses and associate the resource policy you created in step 3 with that service account. For this tutorial, for the service account name, you use nginx-deployment-sa. For more information, see Create an IAM role for a service account.

    eksctl create iamserviceaccount --name nginx-deployment-sa --region="$REGION" --cluster "$CLUSTERNAME" --attach-policy-arn "$POLICY_ARN" --approve --override-existing-serviceaccounts
  6. Create the SecretProviderClass to specify which secret to mount in the pod. The following command uses ExampleSecretProviderClass.yaml in the ASCP GitHub repo examples directory to mount the secret you created in step 2. For information about creating your own SecretProviderClass, see SecretProviderClass.

    kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/examples/ExampleSecretProviderClass.yaml
  7. Deploy your pod. The following command uses ExampleDeployment.yaml in the ASCP GitHub repo examples directory to mount the secret in /mnt/secrets-store in the pod.

    kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/examples/ExampleDeployment.yaml
  8. To verify the secret has been mounted properly, use the following command and confirm that your secret value appears.

    kubectl exec -it $(kubectl get pods | awk '/nginx-deployment/{print $1}' | head -1) -- cat /mnt/secrets-store/MySecret; echo

    The secret value appears.

    {"username":"lijuan", "password":"hunter2"}
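The eight steps above as one script, written here as an added example that is not part of the Amazon documentation or of the ASCP project. It differs from the hand-typed procedure in two ways a practitioner usually wants: the IAM policy is built from the ARN that create-secret returns, so no <SECRETARN> placeholder is pasted by hand, and a small check refuses to create the policy if its Resource is a wildcard or an unreplaced placeholder; the final verification compares the mounted file with the value stored in Secrets Manager instead of echoing the secret to the terminal. The function names, the --run flag and the pod-name prefix nginx-deployment (taken from step 8) are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not AWS documentation code: runs the tutorial end to end.
# Set REGION and CLUSTERNAME as in step 1, then invoke:  ./ascp_tutorial.sh --run
set -eu

# Step 3 helper: render the least-privilege policy for exactly one secret ARN.
policy_document() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["secretsmanager:GetSecretValue","secretsmanager:DescribeSecret"],"Resource":["%s"]}]}' "$1"
}

# Return 0 only if the policy names a real Secrets Manager ARN (aws or aws-cn
# partition) and contains no "*" wildcard or leftover "<SECRETARN>" placeholder.
policy_is_scoped() {
  case "$1" in
    *'*'*) return 1 ;;
  esac
  case "$1" in
    *'"Resource":["arn:aws'*':secretsmanager:'*':secret:'*'"]}]}') return 0 ;;
  esac
  return 1
}

# Step 8 helper: read `kubectl get pods` on stdin, print the first pod whose
# name starts with the given prefix (the header line never matches).
first_pod_named() {
  awk -v prefix="$1" 'index($1, prefix) == 1 { print $1; exit }'
}

run_tutorial() {
  : "${REGION:?set REGION to the Region where your cluster runs}"
  : "${CLUSTERNAME:?set CLUSTERNAME to the name of your cluster}"

  # Step 2: create the test secret and keep the ARN Secrets Manager returns.
  secret_arn=$(aws --region "$REGION" secretsmanager create-secret --name MySecret \
    --secret-string '{"username":"lijuan", "password":"hunter2"}' --query ARN --output text)

  # Step 3: policy scoped to that ARN only; stop before calling IAM if it is not.
  doc=$(policy_document "$secret_arn")
  policy_is_scoped "$doc" || { echo "refusing to create an unscoped policy" >&2; return 1; }
  policy_arn=$(aws --region "$REGION" iam create-policy --policy-name nginx-deployment-policy \
    --policy-document "$doc" --query Policy.Arn --output text)

  # Steps 4 and 5: OIDC provider for the cluster, then the IRSA-backed service account.
  eksctl utils associate-iam-oidc-provider --region="$REGION" --cluster="$CLUSTERNAME" --approve
  eksctl create iamserviceaccount --name nginx-deployment-sa --region="$REGION" \
    --cluster "$CLUSTERNAME" --attach-policy-arn "$policy_arn" --approve \
    --override-existing-serviceaccounts

  # Steps 6 and 7: SecretProviderClass and deployment from the ASCP examples directory.
  kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/examples/ExampleSecretProviderClass.yaml
  kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/examples/ExampleDeployment.yaml

  # Step 8: wait for the pod, then compare the mounted file with the stored value
  # rather than printing the secret.
  pod=$(kubectl get pods | first_pod_named nginx-deployment)
  kubectl wait --for=condition=Ready "pod/$pod" --timeout=120s
  mounted=$(kubectl exec "$pod" -- cat /mnt/secrets-store/MySecret)
  expected=$(aws --region "$REGION" secretsmanager get-secret-value \
    --secret-id "$secret_arn" --query SecretString --output text)
  if [ "$mounted" = "$expected" ]; then
    echo "mounted /mnt/secrets-store/MySecret matches Secrets Manager"
  else
    echo "mounted value does not match Secrets Manager" >&2
    return 1
  fi
}

# Only act when explicitly asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "--run" ]; then
  run_tutorial
fi
```

The policy check is deliberately strict about the partition prefix, so it accepts both arn:aws and arn:aws-cn ARNs; if you adapt the script to a policy covering several secrets, extend policy_is_scoped accordingly rather than loosening it to a wildcard.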