
External Secrets From AWS Parameter Store

Author: O11y | Cloud, Site Reliability Engineer

AWS Parameter Store to Kubernetes Secrets

You can use AWS Parameter Store to keep your secrets in AWS-managed storage (store them as SecureString parameters so they are encrypted with KMS). Using ESO (External Secrets Operator), you can pull them from AWS and create Kubernetes Secrets in your namespace.

Install ESO - External Secrets Operator

External Secrets Operator

helm repo add external-secrets https://charts.external-secrets.io

helm install external-secrets \
    external-secrets/external-secrets \
    -n external-secrets \
    --create-namespace
    # add --set installCRDs=false if the CRDs are managed separately

Create IAM Policy with RO access to the store

# Create IAM Policy to enable RO access to Parameter Store
data "aws_iam_policy_document" "ssm_read" {
  statement {
    effect = "Allow"

    actions = [
      "ssm:GetParameter",
      "ssm:GetParameters",
      "ssm:GetParametersByPath"
    ]

    resources = ["*"]
  }
}
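The policy above grants read access to every parameter in the account (resources = ["*"]). The following is an added example, not part of the original post, showing the same read-only policy scoped to a single parameter path prefix. The prefix "dev", the region "us-east-1" (the one used by the SecretStore later on this page) and the KMS key ARN placeholder are assumptions for illustration; adjust them to your own layout. Note that parameters must then live under that hierarchy, so the ExternalSecret's remoteRef key would be "/dev/mongo-password" rather than "dev-mongo-password".

```hcl
# Added example: least-privilege variant of the ssm_read policy document.
# Assumed values: parameter prefix "dev", region "us-east-1", placeholder KMS key ARN.
data "aws_caller_identity" "current" {}

locals {
  region           = "us-east-1" # assumption: same region as the SecretStore
  parameter_prefix = "dev"       # assumption: secrets are stored as /dev/<name>
}

data "aws_iam_policy_document" "ssm_read_scoped" {
  # Read access limited to parameters under /dev/ in this account and region.
  statement {
    sid    = "ReadDevParameters"
    effect = "Allow"

    actions = [
      "ssm:GetParameter",
      "ssm:GetParameters",
      "ssm:GetParametersByPath",
    ]

    resources = [
      "arn:aws:ssm:${local.region}:${data.aws_caller_identity.current.account_id}:parameter/${local.parameter_prefix}/*",
    ]
  }

  # SecureString parameters encrypted with a customer-managed KMS key also need
  # kms:Decrypt (ESO reads with WithDecryption=true). The condition restricts the
  # grant to decrypt calls made through SSM. Not needed for the AWS-managed
  # aws/ssm key. The key ARN below is a placeholder.
  statement {
    sid       = "DecryptViaSsmOnly"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = ["arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID_PLACEHOLDER"]

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["ssm.${local.region}.amazonaws.com"]
    }
  }
}
```

To use it, point the aws_iam_user_policy resource at data.aws_iam_policy_document.ssm_read_scoped.json instead of ssm_read.json. Drop the second statement entirely if your parameters use the default aws/ssm key.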

Create IAM User and attach the policy

# Create IAM user
resource "aws_iam_user" "eso" {
  name = "tf-parameter-store-ro"
}

resource "aws_iam_user_policy" "ssm_read" {
  name   = "ssm-read"
  user   = aws_iam_user.eso.name
  policy = data.aws_iam_policy_document.ssm_read.json
}

Create AWS Credentials

# Create Access Key for the RO user; ESO in the Kubernetes cluster authenticates with it
resource "aws_iam_access_key" "eso" {
  user = aws_iam_user.eso.name
}

# Output AWS Credentials
output "access_key_id" {
  value = aws_iam_access_key.eso.id
}

output "secret_access_key" {
  value     = aws_iam_access_key.eso.secret
  sensitive = true
}

Configure ESO

Create K8s Secret with AWS credentials

SecretStore is namespace-scoped, so create this Secret in the same namespace as the SecretStore that will reference it:

kubectl create secret generic aws-eso-ro \
        --from-literal=access-key-id=YOUR_KEY_ID \
        --from-literal=secret-access-key=YOUR_SECRET_KEY

Create Secret Store

Connect microk8s to AWS Parameter Store with the read-only IAM user created above, using the SecretStore CRD defined by ESO:

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: aws-ssm
spec:
  provider:
    aws:
      service: ParameterStore
      region: us-east-1
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-eso-ro
            key: access-key-id
          secretAccessKeySecretRef:
            name: aws-eso-ro
            key: secret-access-key

Create K8s Secret from AWS key/value pair

Use the ExternalSecret CRD defined by ESO to pull the parameter from AWS and create a namespace-scoped K8s Secret (the remoteRef key is the Parameter Store name, the secretKey is the key inside the resulting Secret):

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: dev-mongo-pass
spec:
  refreshInterval: 1h0m0s
  secretStoreRef:
    name: aws-ssm
    kind: SecretStore
  target:
    name: dev-mongo-password
    creationPolicy: Owner
  data:
    - secretKey: mongo-password
      remoteRef:
        key: dev-mongo-password