Extracting Secrets from AWS Secrets Manager to EKS Using Pod Identity


2025-02-15

In modern cloud-native environments, securely managing secrets is critical. AWS Secrets Manager provides a robust solution for storing and retrieving sensitive information, while Amazon EKS (Elastic Kubernetes Service) is widely used for container orchestration. Traditionally, IRSA (IAM Roles for Service Accounts) has been the go-to method for granting permissions to Kubernetes pods to access AWS resources. However, using Pod Identity offers a more streamlined and scalable approach.

Key Benefits of Using Pod Identity:

  1. No Service Account Management: Eliminates the need to create and manage individual service accounts for each application.
  2. Granular Permissions: Provides finer control over permissions at the Pod level, enhancing security.
  3. Scalability: Easier to implement in large-scale environments with multiple applications and teams.
  4. Security Best Practices: Aligns with modern security standards by reducing the attack surface.

Implementation Steps

Prerequisites:

  • AWS CLI installed and configured.
  • kubectl configured to interact with your EKS cluster.
  • AWS Secrets Manager set up with the required secrets.

Step 1: Set Up Pod Identity

  1. Install the Pod Identity webhook in your EKS cluster:

    kubectl apply -f https://raw.githubusercontent.com/aws/amazon-eks-pod-identity-webhook/master/deploy/kubernetes/deployment.yaml

  2. Create an IAM role with the necessary permissions to access Secrets Manager. Attach the following policy to the role:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "*"
        }
      ]
    }

  3. Annotate your Kubernetes Pod to assume the IAM role:

    apiVersion: v1
    kind: Pod
    metadata:
      name: my-app
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/my-secrets-role
    spec:
      containers:
        - name: my-app
          image: my-app-image

Step 2: Retrieve Secrets in Your Application

Use the AWS SDK in your application to fetch secrets from Secrets Manager. Here’s an example in Python:

    import boto3

    # The SDK resolves credentials from the pod's identity at runtime, so no
    # access keys are baked into the application or its image.
    client = boto3.client('secretsmanager')
    response = client.get_secret_value(SecretId='my-secret')
    # Text secrets come back in SecretString; binary secrets come back in SecretBinary.
    secret = response['SecretString']
    print(secret)  # Demo only: in a real service, use the value instead of writing it to logs.
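As an added example (not code from the original post), here is the retrieval step with the checks a practitioner would put around it: the same GetSecretValue grant scoped to a single secret ARN instead of "Resource": "*", a verification that the credentials the pod received resolve to the intended role before any secret is read, and handling of both SecretString and SecretBinary responses. The fake clients, the session name and the secret contents are constructed so the block runs offline; in the pod you would pass boto3.client("secretsmanager") and boto3.client("sts") to fetch_secret instead.

```python
import json
from typing import Any, Dict

ACCOUNT = "123456789012"       # account id from the article's example role ARN
ROLE_NAME = "my-secrets-role"  # role name from the article's example role ARN

def scoped_policy(secret_arn: str) -> Dict[str, Any]:
    """The article's GetSecretValue grant, limited to one secret ARN instead of "*"."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                           "Resource": secret_arn}]}

def assumed_role_name(caller_arn: str) -> str:
    """Role name from arn:aws:sts::<acct>:assumed-role/<role>/<session>, or '' if not one."""
    parts = caller_arn.split(":", 5)
    if len(parts) != 6 or not parts[5].startswith("assumed-role/"):
        return ""
    return parts[5].split("/")[1]

def fetch_secret(sm, sts, secret_id: str, expected_role: str = ROLE_NAME) -> Dict[str, Any]:
    """Check which role the pod's credentials resolve to before reading anything."""
    arn = sts.get_caller_identity()["Arn"]
    if assumed_role_name(arn) != expected_role:
        raise PermissionError(f"running as {arn}, expected role {expected_role}")
    resp = sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    if "SecretString" in resp:
        try:
            data = json.loads(resp["SecretString"])  # key/value secrets are JSON text
        except ValueError:
            data = None                              # plain-text secret
        return data if isinstance(data, dict) else {"value": resp["SecretString"]}
    return {"value": resp["SecretBinary"]}           # boto3 returns binary secrets as bytes

# Constructed stand-ins for boto3.client("secretsmanager") and boto3.client("sts")
# so the block runs offline; the pod passes the real clients instead.
class FakeSecrets:
    def __init__(self, store: Dict[str, Dict[str, Any]]):
        self.store = store
    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT"):
        return self.store[SecretId]

class FakeSts:
    def __init__(self, arn: str):
        self.arn = arn
    def get_caller_identity(self):
        return {"Arn": self.arn}

SAMPLE = {"my-secret": {"SecretString": '{"username": "app", "password": "example-only"}'},
          "tls-key": {"SecretBinary": b"\x30\x82\x01\x00"}}
POD_STS = FakeSts(f"arn:aws:sts::{ACCOUNT}:assumed-role/{ROLE_NAME}/eks-example-session")
```

If the identity check fails, the pod is running under some other role (for example the node's instance role), which is exactly the misconfiguration that the per-pod role is meant to prevent.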

What Undercode Say

Securing and managing secrets in a Kubernetes environment is a critical aspect of modern DevOps practices. By leveraging AWS Secrets Manager and EKS Pod Identity, teams can achieve a more scalable and secure solution compared to traditional methods like IRSA. This approach not only simplifies permission management but also aligns with security best practices.

For further exploration, consider diving into advanced topics like secret rotation, cross-account access, and integrating with CI/CD pipelines. Here are some useful resources:
AWS Secrets Manager Documentation
EKS Pod Identity Webhook GitHub Repository

By adopting these practices, you can ensure your applications remain secure, scalable, and compliant with industry standards.
