External Secrets From AWS Parameter Store
AWS Parameter Store to Kubernetes Secrets
You can keep your secrets in AWS Parameter Store, a managed cloud store. Using ESO (External Secrets Operator) you can pull them from AWS and create Kubernetes Secrets in your namespace.
Install ESO - External Secrets Operator
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets \
  external-secrets/external-secrets \
  -n external-secrets \
  --create-namespace
# Add --set installCRDs=false to skip installing the CRDs (e.g. when they are managed separately)
Create IAM Policy with RO access to the store
# Create IAM Policy to enable RO access to Parameter Store
data "aws_iam_policy_document" "ssm_read" {
  statement {
    effect = "Allow"
    actions = [
      "ssm:GetParameter",
      "ssm:GetParameters",
      "ssm:GetParametersByPath"
    ]
    # "*" grants read access to every parameter in the account. Narrow it to the
    # path ESO actually needs, e.g. arn:aws:ssm:<region>:<account-id>:parameter/dev/*
    # (placeholder ARN). SecureString values encrypted with a customer-managed
    # KMS key additionally need kms:Decrypt on that key.
    resources = ["*"]
  }
}
Create IAM User and attach the policy
# Create IAM user
resource "aws_iam_user" "eso" {
  name = "tf-parameter-store-ro"
}

resource "aws_iam_user_policy" "ssm_read" {
  name   = "ssm-read"
  user   = aws_iam_user.eso.name
  policy = data.aws_iam_policy_document.ssm_read.json
}
Create AWS Credentials
# Create Access Key for the RO user used in external K8s ESO
resource "aws_iam_access_key" "eso" {
  user = aws_iam_user.eso.name
}

# Output AWS Credentials
output "access_key_id" {
  value = aws_iam_access_key.eso.id
}

# sensitive = true only hides the value in CLI output; the secret is still
# stored in plaintext in the Terraform state, so protect the state backend.
output "secret_access_key" {
  value     = aws_iam_access_key.eso.secret
  sensitive = true
}
Configure ESO
Create K8s Secret with AWS credentials
# The Secret must live in the same namespace as the SecretStore that references it
kubectl create secret generic aws-eso-ro \
  --from-literal=access-key-id=YOUR_KEY_ID \
  --from-literal=secret-access-key=YOUR_SECRET_KEY
Create Secret Store
Connect microk8s to AWS Parameter Store using the IAM user with read-only access. Use the CRD defined by ESO:
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: aws-ssm
spec:
  provider:
    aws:
      service: ParameterStore
      region: us-east-1
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-eso-ro
            key: access-key-id
          secretAccessKeySecretRef:
            name: aws-eso-ro
            key: secret-access-key
Create K8s Secret from AWS key/value pair
Use the ESO-defined CRD to pull the parameter from AWS and create a namespace-scoped K8s Secret:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: dev-mongo-pass
spec:
  refreshInterval: 1h0m0s
  secretStoreRef:
    name: aws-ssm
    kind: SecretStore
  target:
    name: dev-mongo-password
    creationPolicy: Owner
  data:
    - secretKey: mongo-password
      remoteRef:
        key: dev-mongo-password
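After applying the manifests, a quick way to confirm the sync actually succeeded without ever printing the secret value: check the ExternalSecret's Ready condition, then check that the target Secret carries every key promised in spec.data. This is an added example, not ESO's own tooling; it assumes kubectl access and the names used on this page (dev-mongo-pass, dev-mongo-password, mongo-password).

```python
# Added example (not ESO tooling); assumes the resource names used on this page.
import base64
import json
import subprocess
import sys

def ready_condition(external_secret: dict) -> tuple:
    """Return (ready, reason) from the ExternalSecret's Ready condition."""
    for cond in external_secret.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("reason", "")
    return False, "NoReadyCondition"

def expected_keys(external_secret: dict) -> set:
    """Secret keys that spec.data promises to populate."""
    return {d["secretKey"] for d in external_secret["spec"].get("data", [])}

def missing_or_empty_keys(external_secret: dict, secret: dict) -> list:
    """Promised keys that are absent, or decode to an empty value, in the Secret."""
    data = secret.get("data", {})
    return [k for k in sorted(expected_keys(external_secret))
            if data.get(k) is None or len(base64.b64decode(data[k])) == 0]

def kubectl_json(kind: str, name: str, namespace: str) -> dict:
    """Fetch a resource as JSON via kubectl (requires cluster access)."""
    out = subprocess.check_output(
        ["kubectl", "get", kind, name, "-n", namespace, "-o", "json"])
    return json.loads(out)

def main() -> int:
    ns = sys.argv[1] if len(sys.argv) > 1 else "default"
    es = kubectl_json("externalsecret", "dev-mongo-pass", ns)
    ok, reason = ready_condition(es)
    if not ok:
        print(f"ExternalSecret not ready: {reason}")
        return 1
    target = es["spec"]["target"]["name"]
    bad = missing_or_empty_keys(es, kubectl_json("secret", target, ns))
    if bad:
        print(f"Secret {target} missing or empty for keys: {bad}")
        return 1
    print(f"Synced: {target} carries {sorted(expected_keys(es))}")  # no values printed
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python3 check_sync.py <namespace>`; a non-zero exit means the ExternalSecret has not synced or the Secret is incomplete.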