AWS Secrets Manager: Tutorial & Best Practices
AWS Secrets Manager vs KMS: Differences & Synergies
AWS Secrets Manager vs. Parameter Store: Features, Cost & More
AWS CLI Secrets Manager: In-Depth Tutorial With Examples
AWS Secrets Manager with Terraform: Tutorial & Examples
AWS KMS Key Rotation: Tutorial & Best Practices
AWS Secrets Manager for Kubernetes: Tutorial & Best Practices
AWS Secrets Manager Alternatives: A Comprehensive Analysis
AWS Lambda Secrets Manager Best Practices
AWS Vault: Tutorial, Best Practices & Limitations
AWS CDK Secrets Manager Tutorial & Best Practices
SSM Parameter Store: Tutorial & Best Practices
Effective secrets management, such as securing tokens and passwords, is essential to Kubernetes security. Kubernetes provides a native secret management capability, Kubernetes Secrets, to manage and store sensitive information like passwords, API keys, database credentials, and certificates in Kubernetes. However, Kubernetes Secrets, by default, stores your secrets unencrypted in the API server’s data store (etcd). This can make the secrets vulnerable to anyone with access to etcd, API server, or permission to create a Pod in that namespace.
AWS Secrets Manager is a popular external secret management service supported by Kubernetes that can provide enhanced secrets protection. Secrets Manager provides a robust and enterprise-grade secret storage solution compared to native Kubernetes Secrets.
This article will explore AWS Secrets Manager for Kubernetes and how you can integrate AWS Secrets Manager with Elastic Kubernetes Services (EKS) and Kubernetes on an EC2 instance. We will also review how tools like Doppler can improve Kubernetes secret management with features like integrating multiple secret stores and automatically injecting secrets into your Kubernetes workloads.
The table below summarizes five Kubernetes secret management best practices this article will explore in depth.
The five best practices below enable organizations to reduce the risk of a secret being compromised and reduce the damage a threat actor can do if a secret is exposed.
Kubernetes Secrets stores sensitive data, such as passwords, OAuth Tokens, SSH keys, and API keys, in base64 encoded format. ConfigMaps store values like environment variables as plain text. Using Kubernetes Secrets allows users to enable secret encryption at rest, restrict access to the secrets, and rotate them periodically.
Kubernetes Secrets are, by default, stored in etcd as base64 encoded unencrypted strings. Enabling Secrets encryption at rest provides an extra layer of security and helps ensure the secrets remain confidential. The encryption is managed by the Kubernetes control plane and by default, only Pods that need access to a Secret can view the decrypted Secret data
Rotating secrets periodically can help limit the vulnerability window if a secret is compromised. Regularly rotating secrets make it harder for attackers to steal and exploit secrets over long periods. Also, specific certificates and API keys have expiration dates, so rotating ensures the secret is still valid.
Access control is fundamental to a strong security posture. The four tips below can help teams implement strong access controls to protect their Kubernetes secrets.
Using a centralized secrets management store like AWS Secrets Manager or Azure Key Vault can offer many benefits, such as easier management of secrets, enhanced security, auditing, integration support, and automatic secret injection. This can provide a more scalable and secure approach than storing secrets using Kubernetes Secrets.
The native Kubernetes Secrets solution has the benefit of being simple and being part of Kubernetes by default. However, it lacks many security features that production-grade solutions may need. Specifically, here are eight limitations of Kubernetes Secrets:
AWS Secrets Manager is a popular alternative solution for managing secrets in Kubernetes. It can improve Kubernetes secret management by providing the following advantages over native Kubernetes Secrets:
Though AWS Secrets Manager can improve secret management in Kubernetes, it faces the following limitations:
Now that we understand how AWS Secrets Manager can address Kubernetes Secrets limitations, let’s see how we can integrate Secrets Manager with EKS and Kubernetes on an EC2 instance.
This tutorial assumes you already have Kubernetes clusters and Secrets Manager stores. We will cover two use cases:
The following method works only for EKS versions 1.17 and above, having Amazon EC2 node groups (AWS Fargate node groups are not supported). If you want to integrate AWS Secrets stores on EKS Clusters with Fargate node groups, follow this article from AWS.
First, create a Kubernetes service account in the EKS Cluster by running the following command. Make sure to replace the name and namespace with the desired values.
Next, let’s create the OpenID Connect (OIDC) provider associated with the EKS cluster in your AWS account so that your cluster can access AWS resources.
Grab the OIDC provider URL of your cluster from the EKS Cluster dashboard under the Overview tab.
Navigate to the IAM console, click on Identity providers, and choose Add provider.
Choose OpenID Connect for the Provider type and enter the Provider URL that you copied from the above step. Then, click on Get thumbprint and add Audience as sts.amazonaws.com.
Finish creating the Identity provider by clicking on Add provider.
Now, let’s create the IAM policy that grants access to the Secrets Manager store. The IAM role associated with this policy will be used to limit access to secrets within namespaces in the cluster by attaching it to the Kubernetes service account.
Navigate to the IAM console and create a policy that allows “secretsmanager:GetSecretValue” and “secretsmanager:DescribeSecret” access to your secret.
Once you have the IAM policy ready, create the IAM role that your Kubernetes service account can use.
Go to the IAM console, click Create role, and choose Custom trust policy.
Next, add the following trust policy replacing $account_id, $oidc_provider, $namespace, and $service_account with appropriate values.
Here’s an example of how your trust policy should look:
Finish the creation of your IAM role by attaching the policy that you previously created.
Now that you’ve created your IAM role, let’s attach it to the service account in the Kubernetes namespace you specified by running the following command:
Replace $namespace, $service_account, and $roleARN with appropriate values from above steps.
Next, let’s install the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver. We will be using this to fetch secrets from AWS Secrets Manager and mount them into Pods.
To install Secrets Store CSI Driver and ASCP using Helm, use the following commands:
Once you’ve finished setting up ASCP, create a SecretProviderClass that contains the secrets you want to mount. We will reference this resource to mount the secrets to the containers inside the Pods.
Note that the SecretProviderClass should be created in the same namespace you created the service account.
Run the following command to create the SecretProviderClass:
You can view more details on the other supported secret mounting options provided by the SecretProviderClass here.
Now that the secret store is ready, let’s verify if the secrets can be mounted by creating a deployment using the following command:
You can log into the container in the Pod to verify if the secrets are stored in it or run the following command to do that:
In the above example, secrets are mounted as volume inside the containers. You can also expose secrets to containers using environment variables.
Since Kubernetes Pods do not automatically pull the Secrets Manager changes, we will have to manually restart the Pods to update the secrets. You can do this using the following command:
This will ensure that your Pods restart gradually without downtime and refresh the secrets with the latest values.
Secrets Store CSI Driver’s rotation reconciler is currently an alpha feature that periodically remounts the secrets in the SecretProviderClass so that the secrets are automatically updated in your Pods when they’re rotated.
To enable this optional feature, you can use the following command:
Note that this runs for a defined interval and can create additional API calls and charges. Also, users might still need to restart their Pods based on their application as it might only re-read secret changes inside the application during the container startup.
Accessing Secrets Manager stores within Kubernetes on an EC2 instance can be done with the help of External Secrets Operator. However, this requires an IAM user credential that the External Secrets Operator can use to assume the IAM role attached to your secret, to retrieve the secret.
Follow the tutorial here to learn how to integrate Secrets Manager with Kubernetes on an EC2 instance.
Doppler is a centralized secret management platform that unifies handling secrets across AWS, Azure, GCP, GitHub, GitLab, and Kubernetes among others. It can improve the Secrets Manager Kubernetes integration by providing the following capabilities:
Doppler can integrate your secrets directly with Kubernetes using the Doppler Secrets Operator, External Secrets Operator, CI/CD Secrets Sync, and Doppler CLI. Learn more in the official Doppler documentation.
Kubernetes' native Secrets Manager is often insufficient for enterprises and production workloads. Fortunately, organizations can address complex use cases and improve security posture with the right practices and tools. For example, third-party tools like AWS Secrets Manager and Doppler can tightly integrate with Kubernetes and provide robust security controls. As a result, teams can leverage the power of Kubernetes without compromising on security.
Trusted by the world’s best DevOps and security teams. Doppler is the secrets manager developers love.