Implementing AWS Secrets Manager

To implement AWS Secrets Manager for your setup, complete the following steps:

Procedure

  1. Restrict access to your pods by using IAM roles for service accounts (IRSA). The following steps use the command line interface; you can also perform the same configuration from the AWS console.
  2. To turn on OpenID Connect (OIDC) for the cluster, run the following eksctl command:
    eksctl utils associate-iam-oidc-provider --region=<REGION> --cluster=<CLUSTERNAME> --approve
    Note:
    • Run this command only once per cluster.
    • In the command, replace <REGION> and <CLUSTERNAME> with the values appropriate to your environment.
  3. To allow pods to retrieve secrets from AWS Secrets Manager, create an IAM policy by running the following command:
    aws iam create-policy --policy-name <my-policy> --policy-document file://policy

    A sample policy file follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetResourcePolicy",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:ListSecretVersionIds"
                ],
                "Resource": "arn:aws:secretsmanager:ap-south-1:385481138434:secret:*"
            },
            {
                "Effect": "Allow",
                "Action": "secretsmanager:ListSecrets",
                "Resource": "*"
            }
        ]
    }

    The sample grants read access to every secret in the account and region (secret:*); narrow the Resource element to the ARNs of the specific secrets that your pods need.
  4. Create a service account and associate the IAM policy (created in Step 3) with it. To create the service account, run the following command:
    eksctl create iamserviceaccount --name <SERVICE_ACCOUNT_NAME> --namespace <NAMESPACE> --cluster <CLUSTERNAME> --attach-policy-arn <IAM_policy_ARN> --approve --override-existing-serviceaccounts
    Note: In the command, replace <NAMESPACE>, <CLUSTERNAME>, <IAM_policy_ARN>, and <SERVICE_ACCOUNT_NAME> with the values appropriate to your environment.
  5. Install the Kubernetes Secrets Store CSI driver using helm, with syncSecret.enabled=true, by running the following commands:
    1. Add the helm repository:
      helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
    2. If you do not require periodic pulls of updated secrets, install the driver by running the following command:
      helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set syncSecret.enabled=true --namespace kube-system
    3. If you want to turn on automated rotation for the driver, using the rotation reconciler feature (currently in alpha), run the following command instead:
      helm -n kube-system install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set enableSecretRotation=true --set rotationPollInterval=3600s
      Note: You can adjust the rotation interval, as per your requirements, to find an appropriate balance between API call cost and rotation frequency. This command does not set syncSecret.enabled=true; add that option as well if you need the mounted secrets synced to Kubernetes Secret objects.
  6. To install the ASCP (AWS Secrets and Configuration Provider), run the following command:
    kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
  7. Create the SecretProviderClass custom resource and deploy it to sync the AWS secret with Kubernetes. For a reference definition, see the spc.yaml file inside the Unica helm chart.
  8. Configure and deploy the pods so that they mount volumes backed by the configured secrets.
  9. In the rbac.yaml file, assign the ClusterRoleBinding permissions to the IAM service account created in Step 4, for internal Kubernetes communication.
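As an added example (not the spc.yaml from the Unica helm chart), the following manifest shows what Steps 7 and 8 produce together: a SecretProviderClass for the aws provider and a pod that mounts it under the IRSA service account from Step 4. It assumes a Secrets Manager secret named my-app/db whose JSON value has username and password keys; the placeholders <NAMESPACE> and <SERVICE_ACCOUNT_NAME> are the ones used in the steps above.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aws-db-secret
  namespace: <NAMESPACE>
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "my-app/db"        # assumed secret name in Secrets Manager
        objectType: "secretsmanager"
        jmesPath:                      # extract keys from the JSON secret value
          - path: username
            objectAlias: db-username   # file name under the mount path
          - path: password
            objectAlias: db-password
  # Mirrored into a Kubernetes Secret only because the driver was installed
  # with syncSecret.enabled=true, and only while a pod mounts this class.
  secretObjects:
    - secretName: app-db-credentials
      type: Opaque
      data:
        - objectName: db-password
          key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: my-app
  namespace: <NAMESPACE>
spec:
  serviceAccountName: <SERVICE_ACCOUNT_NAME>   # IRSA-annotated account from Step 4
  containers:
    - name: app
      image: nginx:1.25
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets     # db-username and db-password appear here
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aws-db-secret
```

The pod can read secrets only if its service account carries the eks.amazonaws.com/role-arn annotation that eksctl added in Step 4 and that role's policy covers the secret's ARN; a failed mount surfaces as a FailedMount event on the pod.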