Skip to content


This document describes how customers can configure and use AWS Secrets Manager to provide functionality to retrieve secrets programmatically. AWS Secrets Manager provides a number of key benefits allowing organizations to offload a secure secret management solution to AWS.

  • Secrets Manager improves your security posture by removing credentials from source code
  • Secrets are retrieved with a runtime API call
  • Secrets Manager is seamlessly integrated with AWS's Security Services i.e. all queries sent to the service are authorized by AWS Identity and Access Management (IAM).
  • Secrets Manager encrypts the protected text of a secret by using AWS Key Management Service (AWS KMS)
  • Secrets can be configured to automatically rotate on-demand or periodically
  • Amazon Relational Database Service (Amazon RDS) support

What Will You Do

In this multi-part recipe, you will perform the following:

Part 1

  • Provision an Amazon EKS Cluster

Part 2

  • Create a secret in AWS Secrets Manager
  • Create an IAM Role for Service Accounts (IRSA) so the pod will have permission to pull the secret from the Secrets Manager service
  • Create a custom cluster blueprint with the following addons:

    1. Secrets Store CSI Driver
    2. ASCP
  • Apply the newly created cluster blueprint to your EKS Cluster

Part 3

  • Deploy a sample application which will pull secrets created in part 2.


  • You have an AWS account with sufficient privileges to provision an EKS cluster using the Controller, create IAM policies, and create secrets
  • You have access to an Org with a role to provision clusters and deploy workloads.


This recipe utilizes the CSI Secrets Store Driver and ASCP addons and shows an example pulling secrets from AWS Secrets Manager. The same addons support AWS Parameter Store as well so the custom blueprint defined in this recipe can also support pulling parameters from AWS Parameter Store.