Getting Started with External Secrets Operator on Kubernetes using AWS Secrets Manager
Introduction
Kubernetes has a built-in feature for secrets management called a Secret
. The Secret object is convenient to use but does not support storing or retrieving secret data from external secret management systems such as AWS Secrets Manager.
It’s often beneficial to use Kubernetes with an external secrets service that handles secret management. Due to this limitation, GoDaddy came up with an open-source solution called External Secrets Operator.
External Secrets Operator (ESO in short)
ESO provides the same ease of use as native Secret
object and provides access to secrets stored externally. It does this by extending Kubernetes with Custom Resources, which define where secrets live and how to synchronize them.
In simple terms, ESO makes API calls to retrieve secret data from the external secrets service like AWS Secrets Manager and injects the secret data as Kubernetes Secrets
object.
Key Concepts:
- External Secrets Controller — A Kubernetes controller that fetches secrets from an external API and creates Kubernetes secrets. If the secret from the external API changes, the controller reconciles the state in the cluster and updates the secrets.
- ExternalSecret — A custom resource definition that specifies what secret data to fetch. It references SecretStore which knows how to access that data. The controller uses the ExternalSecret as a blueprint to create secrets.
- SecretStore — A custom resource definition that specifies the access needed to fetch the secret from the external API. SecretStore takes care of authentication and access.
And there are two kinds of SecretStore
resources:
- ClusterSecretStore — A global, cluster-wide
SecretStore
that can be referenced from all namespaces. You can use it to provide a central gateway to your secret provider. - SecretStore — A namespaced
SecretStore
that can only be referenced from a single namespace.
Integrating AWS Secrets Manager with Kubernetes
Install External Secrets Operator using Helm
Let’s go ahead and install ESO in a Kubernetes cluster using the official Helm chart.
TL;DR
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
Install ESO inexternal-secrets
namespace
helm upgrade --namespace external-secrets --create-namespace --install --wait external-secrets external-secrets/external-secrets
Verify ESO installation
kubectl -n external-secrets get all
Deployed resources: External secrets controller + CRDs, webhook + service and a cert controller.
Create an IAM user and attach the managed policy
Now, that we have ESO successfully deployed in the cluster. Let’s create a dedicated AWS IAM user, which will be used to authenticate to AWS and access the secret data from the AWS Secrets Manager.
aws iam create-user --user-name external-secrets
And assign the SecretsManagerReadWrite
managed policy to grant the IAM user access to the secrets manager.
🔐️ For a good security hygiene, use the principle of least priviledge on production, limiting the permissions for the external-secrets IAM user to only access the needed secrets path and KMS key.
aws iam attach-user-policy --user-name external-secrets --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite
Now, generate the AWS access and secret key.
aws iam create-access-key --user-name external-secrets
Place the access key and secret key onto a file and create a secret in default
namespace called awssm-secret
from the file.
echo -n "REPLACE_ME_WITH_YOUR_ACCESS_KEY" > access-key
echo -n "REPLACE_ME_WITH_YOUR_SECRET_KEY" > secret-access-keykubectl create secret generic awssm-secret --from-file=./access-key --from-file=./secret-access-key
Create app secret in AWS Secret Manager
Go ahead and create a demo app secret in us-east-1
region of the AWS Secrets Manager via AWS CLI, which will be fetched later by External Secrets and exposed to the application Pod via environment variable:
aws secretsmanager create-secret --name app-secret --secret-string '{"username":"bob","password":"abc123xyz456"}' --region us-east-1
And verify the secret from the AWS Secrets Manager console.
Create a cluster-scoped secret store
As mentioned before, a cluster-scoped secret store allows referencing the secret store from any namespaces, which is convenient to use as a central gateway to the secret provider, rather than creating a secret store per namespace.
Go ahead, and save the following YAML as cluster-secret-store.yaml
cat > cluster-secret-store.yaml <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: global-secret-store
spec:
provider:
aws:
service: SecretsManager
region: us-east-1
auth:
secretRef:
accessKeyIDSecretRef:
name: awssm-secret
key: access-key
namespace: default
secretAccessKeySecretRef:
name: awssm-secret
key: secret-access-key
namespace: default
EOF
And apply the manifest:
kubectl apply -f cluster-secret-store.yaml
And, verify the cluster secret store is created successfully and shows the message “store validated”.
kubectl describe clustersecretstore global-secret-store
Create ExternalSecret to fetch the secret data
We’re now ready to create theExternalSecret
resource and fetch the app-secret
demo secret data from AWS Secrets Manager by referencing the cluster-scoped secret store.
Firstly, create a namespace called app
kubectl create namespace app
And save the following YAML as app-secret.yaml
where ExternalSecret object specification is structured as such:
spec.refreshInterval
is set to 1 minute, meaning reconciliation will take place every minute.spec.secretStoreRef
is set to ClusterSecretStore namedglobal-secret-store
which we created before.spec.target.name
specifies the name of the secret object that will be created in the same namespace, where ExternalSecret is created.spec.dataFrom
specifies the secret name in the AWS Secrets Manager askey
andextract
tells it to retrieve all key/value secrets.
cat > app-secret.yaml <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: app-secret
spec:
refreshInterval: 1m
secretStoreRef:
name: global-secret-store
kind: ClusterSecretStore
target:
name: app-secret
creationPolicy: Owner
dataFrom:
- extract:
key: app-secret
EOF
Finally, go ahead and apply the manifest:
kubectl -n app apply -f app-secret.yaml
If everything went as planned, we should get SecretSynced
status for ExternalSecret resource and a new Kubernetes Secret resource called app-secret
should be created.
kubectl -n app get externalsecret
kubectl -n app get secret app-secret
What just happened?
- ExternalSecret was able to authenticate to AWS Secrets Manager using the cluster-scoped secret store.
- ExternalSecret was able to fetch the secret data and create the Kubernetes Secret object.
Consume the secret from the Pod
Now, that ExternalSecret was able to retrieve the secrets from AWS Secrets Manager and on-the-fly create the Kubernetes Secret for us. We can reference this secret app-secret
as usual from the Pod, without any application modification.
Let’s go ahead and apply the following Pod manifest and see if our container has the secret data in its environment variable.
cat > app-pod.yaml <<EOF
apiVersion: v1
kind: Pod
metadata:
name: app-pod
spec:
containers:
- name: app
image: k8s.gcr.io/busybox
command: [ "/bin/sh", "-c", "env" ]
envFrom:
- secretRef:
name: app-secret
EOF
And apply the manifest:
kubectl -n app apply -f app-pod.yaml
Once, applied. The Pod will create a single container and runs env
command and exits. We can check the Pod log to verify that our secret data was indeed available as an environment variable.
kubectl -n app logs app-pod | egrep 'username|password'
🎉 Congratulations on successfully integrating AWS Secrets Manger on Kubernetes using External Secrets Operator.
🙏 Conclusion
Kubernetes External Secrets is a mature and popular project with great community engagement. It is well-tested and stable for production workload with high-availability features for managing and synchronizing large-scale secrets and supports many popular external secrets providers like HashiCorp Vault, Google Secrets Manager, Azure Key Vault, and many more.
Since External Secrets provides the same ease of use as Kubernetes native Secret
objects, it doesn’t require any application modifications and existing application leveraging Secret
object works out of the box without any changes.
If you find this article interesting and useful, hit that 👏 and share with your friends and co-workers!
👋 Let’s connect on Twitter (my DMs are open). Ping me, if you have any questions or need help!