Configure

In this part, you will

  • Create a secret inside AWS Secrets Manager
  • Create an IAM Role for Service Accounts (IRSA) so that pods have the get and describe permissions they need to read the secret

Step 1: Create Secret

  • Log in to the AWS Console
  • Select the AWS Secrets Manager service and create a new secret

In the example below, we have created a secret called "test/eso/testSecret" in the "us-west-2" AWS region.

(Screenshot: My Secret)

You could also create a secret using the AWS CLI.

# Region in which the secret is created (matches the console example above)
REGION=us-west-2
# Name of the EKS cluster; not used by the create-secret call itself
CLUSTERNAME=eso-demo

# Create the secret with a JSON secret string (single quotes keep the $ literal)
aws --region "$REGION" secretsmanager create-secret \
  --name test/eso/testSecret \
  --secret-string '{"username":"rafay", "password":"Rafay$2021"}'

Step 2: IRSA

In this step, you will create an IRSA so that pods in the EKS cluster have the permissions needed to sync the secret created in Step 1. In AWS, it is a recommended best practice to use IAM roles for service accounts (IRSA) to access AWS services outside the EKS cluster because of the following benefits:

  • Least Privilege: You no longer need to grant extended permissions to the node IAM role so that pods on that node can call AWS APIs. IAM permissions are scoped to a service account, and only pods that use that service account receive those permissions. This also removes the need for third-party solutions such as kiam or kube2iam.
  • Credential Isolation: A container can only retrieve credentials for the IAM role associated with the service account to which it belongs. A container never has access to credentials intended for a container in another pod.
  • Auditability: Access and event logging is available through CloudTrail for retrospective auditing.

Create Namespace

We have deployed the External Secrets Operator to the "external-secrets" namespace. In addition, we will deploy our SecretStore and ExternalSecret resources to a namespace managed by an application team.

  • Click on Infrastructure -> Namespaces
  • Click on the "+ New Namespace" button to create a new namespace
  • Enter "app-team-1" in the "Name" section
  • For "Type" Select "Wizard" from the dropdown
  • Click on "SAVE"
  • Click "Save & Go To Placement"
  • Set "Placement Policy" to "Specific Clusters"
  • Select the cluster in which you want the namespace

(Screenshot: Namespace 1)

  • Click the "Save And Go To Publish" button
  • Click the "Publish" button

Create IRSA

To create the IRSA, we will define an IAM policy that allows only the secretsmanager GetSecretValue and DescribeSecret actions on the secret resource. The ARN of the AWS secret must be placed in the policy, and the policy is then supplied in the Console.

We will use the following policy. Change the "Resource" ARN to the ARN of your secret (note that Secrets Manager appends a random suffix to the secret name in the ARN). We will supply the policy during the IAM Service Account creation.

{
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:secretsmanager:us-west-2:123456789:secret:test/eso/testSecret-FaW8G6"
      ]
    }
  ],
  "Version": "2012-10-17"
}

  • Click on Infrastructure -> Clusters
  • Click on the cluster tile we will be adding the IRSA to
  • Click on the "IAM Service Accounts" tab
  • Click on "NEW IAM SERVICE ACCOUNT"
  • Enter the name "my-secret-irsa", select the namespace, and supply the policy shown above. A policy can be supplied as the ARN of an existing IAM policy, uploaded as an IAM inline policy document, or pasted directly as input.
  • Select "SAVE"
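Before pasting the policy into the Console, it is worth checking that it really is scoped to one secret. The following is an added example (not part of this recipe or of the Rafay product) that lints a policy document against the two actions used above and rejects wildcard actions, "*" resources, and ARNs that do not name the expected secret in the expected region; the account id and suffix in the sample policies are constructed placeholders.

```python
import json
import re

# The two actions the External Secrets Operator needs to read a secret (as in the policy above).
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}

# Full Secrets Manager ARN: arn:aws:secretsmanager:<region>:<12-digit account>:secret:<name>-<6 random chars>
SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":secret:(?P<name>.+)-[A-Za-z0-9]{6}$"
)

def lint_irsa_policy(policy_json, expected_region, expected_secret_name):
    """Return a list of findings; an empty list means the policy grants only
    get/describe on the single expected secret."""
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if "*" in action:
                findings.append(f"wildcard action {action!r} grants more than get/describe")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action {action!r}")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            m = SECRET_ARN_RE.match(res)
            if res == "*" or not m:
                findings.append(f"resource {res!r} is not a single full secret ARN")
            elif (m.group("region"), m.group("name")) != (expected_region, expected_secret_name):
                findings.append(f"resource {res!r} is not {expected_secret_name} in {expected_region}")
    return findings

# Constructed sample policies (placeholder account id and random suffix).
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": ["arn:aws:secretsmanager:us-west-2:123456789012:secret:test/eso/testSecret-AbCd12"]}]})
LOOSE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]})
```

Calling lint_irsa_policy(SCOPED_POLICY, "us-west-2", "test/eso/testSecret") returns no findings, while LOOSE_POLICY produces one finding for the wildcard action and one for the "*" resource.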

(Screenshot: IAM Role for Service Accounts)

Verify IRSA

Creation of the IRSA can take a few minutes. You can verify the status of the IRSA as follows:

  • Click on the "IAM Service Accounts" tab for the cluster.

(Screenshot: IAM Role for Service Accounts)

You can also verify that the Kubernetes service account was created in the EKS cluster in the "app-team-1" namespace.

  • Click on the Zero Trust Kubectl Shell on the web console for the cluster where the IRSA was created and run the following kubectl command.

kubectl get sa -n app-team-1

NAME             SECRETS   AGE
default          0         10m
my-secret-irsa   0         2m57s

The "my-secret-irsa" service account should have been created in the "app-team-1" namespace.
Next Steps

You are now ready to move on to the next part of the recipe, where you will create the SecretStore and ExternalSecret resources that pull the secret from AWS Secrets Manager and sync it to a Kubernetes Secret.