AWS Secrets and Configuration Provider (ASCP) for Kubernetes


Introduction

When running applications on Amazon Elastic Kubernetes Service (EKS), securely managing secrets such as API keys, database credentials, and other sensitive data is crucial. AWS Secrets Manager is a natural place to store them. The traditional approach is to copy each value into a Kubernetes Secret and mount that, which leaves you with two copies to keep in sync. Integrating AWS Secrets Manager directly keeps a single source of truth and lets pods pick up the current version of a secret. In this post, we’ll explore how to use the AWS Secrets and Configuration Provider (ASCP) to access secrets stored in Secrets Manager from your EKS pods.

📚 This guide is at an intermediate level of difficulty. 📚

Why Use ASCP?

AWS Secrets and Configuration Provider (ASCP) is the AWS provider plugin for the Kubernetes Secrets Store CSI Driver. It lets pods fetch secrets and configuration data directly from AWS Secrets Manager and AWS Systems Manager Parameter Store and exposes them as files on a volume, so the values never have to be copied into a static Kubernetes Secret by hand.

  1. Dynamic Secret Access: When secret rotation is enabled on the CSI driver, the mounted files are refreshed with the latest version on a polling interval, without redeploying the pod. The application still has to re-read the file to see the new value.
  2. Eliminates Sync Overhead: You don’t need a separate job that copies updates from Secrets Manager into Kubernetes Secrets; the driver fetches the value on mount and can optionally mirror it into a Kubernetes Secret for you.
  3. Fine-Grained IAM Permissions: Access is granted through an IAM role bound to the pod’s service account, so only pods running as that service account can read the secrets the role allows.
  4. Native Kubernetes Integration: Secrets arrive as files in a CSI volume; if you need environment variables, ASCP can sync the values into a Kubernetes Secret that you reference with secretKeyRef.

Setting Up ASCP in EKS

Here’s how to configure ASCP to access AWS Secrets Manager from your EKS pods:

1. IAM Role for Service Account (IRSA)

To securely grant pods permissions to access AWS services, use IAM Roles for Service Accounts (IRSA). This lets pods obtain temporary credentials for an IAM role through the cluster’s OIDC identity provider, without any long-lived access keys.

  • Create an IAM role with a policy granting access to the specific secrets in AWS Secrets Manager. ASCP needs secretsmanager:DescribeSecret as well as secretsmanager:GetSecretValue, and because Secrets Manager appends a random six-character suffix to every secret ARN, the Resource has to end in "-*" (or "-??????") to match it. For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:SECRET_NAME-*"
    }
  ]
}
  • Associate the IAM role with a Kubernetes service account used by your pods. For more details on how to achieve this, read this blog post I wrote on the topic.

2. Install ASCP

Deploy the Secrets Store CSI Driver and then the AWS provider to your EKS cluster using Helm. ASCP is a plugin for the driver, so the driver must be installed first; both normally live in kube-system. If you want mounted files to refresh after a rotation, or values mirrored into Kubernetes Secrets, install the driver with --set enableSecretRotation=true and --set syncSecret.enabled=true.

helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver
helm repo add aws-secrets-and-config https://aws.github.io/secrets-store-csi-driver-provider-aws
helm install -n kube-system aws-secrets-store aws-secrets-and-config/secrets-store-csi-driver-provider-aws

3. Define Secrets in Kubernetes Manifests

Create a SecretProviderClass resource, in the same namespace as the pods that will use it, to specify which secrets to fetch from AWS Secrets Manager. objectName is the secret’s name or its full ARN (use the ARN for a secret in another account or region); objectType is secretsmanager, or ssmparameter for Parameter Store. Each object is written to the mount path as a file named after objectName unless you set objectAlias.

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secret-provider
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: my-secret          # secret name or full ARN in Secrets Manager
        objectType: "secretsmanager"   # or "ssmparameter" for Parameter Store

4. Mount Secrets in Pods

Reference the SecretProviderClass in your pod’s volume configuration, mount that volume into the container with a volumeMounts entry, and run the pod as the IRSA service account from step 1. The secret appears as a file under the mount path when the pod starts. If the IAM role cannot read the secret, the CSI mount fails and the pod stays in ContainerCreating; the MountVolume.SetUp event on the pod is the first place to look when troubleshooting.

volumes:
  - name: secrets-store-inline
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "my-secret-provider"
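The four steps above wired together end to end, as an added example that is not from the original post or the ASCP project. The cluster name, region, account id, namespace, service account and secret name are assumed placeholders (override them through the environment). It goes beyond the post’s snippets in two ways: the IAM policy carries the DescribeSecret action and the "-*" ARN suffix that Secrets Manager requires, and the SecretProviderClass pulls a single key out of a JSON secret with jmesPath and mirrors it into a Kubernetes Secret so the pod can also consume it as an environment variable, which needs the driver installed with syncSecret.enabled=true.

```shell
# Added example, not from the original post or the ASCP project: wires IRSA, the CSI driver,
# ASCP, a SecretProviderClass and a Deployment end to end. All names are assumed placeholders.
set -eu

CLUSTER="${CLUSTER:-my-cluster}"
REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"    # placeholder account id
NAMESPACE="${NAMESPACE:-demo}"
SA_NAME="${SA_NAME:-demo-app}"              # service account that IRSA binds to the IAM role
SECRET_NAME="${SECRET_NAME:-demo/db-creds}" # JSON secret, e.g. {"username":"u","password":"p"}

# Step 1: least-privilege policy. Secrets Manager appends a random 6-character suffix to
# every secret ARN, so the Resource ends in "-*". ASCP needs DescribeSecret as well.
render_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": "arn:aws:secretsmanager:${REGION}:${ACCOUNT_ID}:secret:${SECRET_NAME}-*"
  }]
}
EOF
}

# Step 3: SecretProviderClass in the pod's namespace. jmesPath extracts one key from the JSON
# secret; secretObjects mirrors it into a Kubernetes Secret so it can be used as an env var
# (that part requires the driver to be installed with syncSecret.enabled=true).
render_spc() {
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata: { name: demo-secrets, namespace: ${NAMESPACE} }
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "${SECRET_NAME}"
        objectType: "secretsmanager"
        objectAlias: "db-creds"        # whole secret -> /mnt/secrets/db-creds
        jmesPath:
          - path: password
            objectAlias: db-password   # password only -> /mnt/secrets/db-password
  secretObjects:
    - secretName: demo-db
      type: Opaque
      data: [{ objectName: db-password, key: DB_PASSWORD }]
EOF
}

# Step 4: the workload runs as the IRSA service account, declares a CSI volume that
# references the SecretProviderClass, and mounts it read-only into the container.
render_deployment() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata: { name: demo-app, namespace: ${NAMESPACE} }
spec:
  selector:
    matchLabels: { app: demo-app }
  template:
    metadata: { labels: { app: demo-app } }
    spec:
      serviceAccountName: ${SA_NAME}
      containers:
        - name: app
          image: public.ecr.aws/docker/library/busybox:stable
          command: ["sleep", "3600"]
          env: [{ name: DB_PASSWORD, valueFrom: { secretKeyRef: { name: demo-db, key: DB_PASSWORD } } }]
          volumeMounts: [{ name: secrets-store, mountPath: /mnt/secrets, readOnly: true }]
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: demo-secrets
EOF
}

# Steps 1 and 2 plus apply: run with "deploy" as the first argument against a live cluster.
deploy() {
  eksctl utils associate-iam-oidc-provider --cluster "$CLUSTER" --region "$REGION" --approve
  aws iam create-policy --policy-name "${SA_NAME}-secrets" --policy-document "$(render_policy)"
  eksctl create iamserviceaccount --cluster "$CLUSTER" --region "$REGION" --namespace "$NAMESPACE" \
    --name "$SA_NAME" --attach-policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${SA_NAME}-secrets" --approve
  # ASCP is a provider plugin for the Secrets Store CSI Driver, so the driver is installed first.
  helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
  helm upgrade --install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver \
    -n kube-system --set syncSecret.enabled=true --set enableSecretRotation=true
  helm repo add aws-secrets-manager https://aws.github.io/secrets-store-csi-driver-provider-aws
  helm upgrade --install secrets-provider-aws aws-secrets-manager/secrets-store-csi-driver-provider-aws -n kube-system
  render_spc | kubectl apply -f -
  render_deployment | kubectl apply -f -
  kubectl -n "$NAMESPACE" rollout status deploy/demo-app
  # Confirm the file and the synced env var are present without echoing the secret itself.
  kubectl -n "$NAMESPACE" exec deploy/demo-app -- sh -c 'test -s /mnt/secrets/db-password && [ -n "$DB_PASSWORD" ] && echo verified'
}

if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run it as "sh ascp-demo.sh deploy" with the AWS CLI, eksctl, helm and kubectl authenticated against the target cluster; without the argument it only defines the render functions, so you can pipe render_spc or render_deployment into kubectl apply --dry-run=client to review the manifests first. The final exec checks for the file and the environment variable rather than printing them, so the secret never lands in your terminal history or CI logs.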

Benefits in Practice

Using ASCP keeps Secrets Manager as the single source of truth, so there is no second copy of each secret to rotate or clean up, and the mounted files live on an in-memory (tmpfs) volume on the node rather than on disk. Combined with IRSA, each workload gets exactly the secrets its IAM role allows and nothing more. Because the secrets show up as ordinary files, most applications need no code changes; the one thing to keep in mind is that a rotated value only reaches the application if rotation is enabled on the driver and the application re-reads the file.

In summary, if you’re looking to simplify secret management in your EKS workloads, ASCP is a secure and efficient option. Its dynamic retrieval keeps your pods aligned with AWS Secrets Manager and lets you focus on building robust and scalable applications.

I’ll be posting more of these guides, covering a wide range of difficulty levels, so subscribe below! My newsletter sends out friendly emails when I make new posts.

Want to learn more about how I can assist you with your cloud and DevOps needs? Visit my homepage to get in touch and let’s find out how I can support your next project!
