Tags: AWS, External Secrets Operator, multiple targets, cloud security, Kubernetes

Create multiple targets using the External Secrets Operator with AWS


Introduction

Managing secrets securely is a recurring problem for cloud-native applications. Kubernetes is excellent at orchestration, but its Secret objects are stored in etcd (unencrypted unless encryption at rest is configured) and it offers no rotation, versioning or audit trail of its own, so many teams keep the source of truth in an external secret manager. The External Secrets Operator (ESO) bridges the two: it reads secret data from an external system and writes it into ordinary Kubernetes Secrets that workloads consume as usual. A common pairing is AWS Secrets Manager, which adds KMS encryption, rotation and IAM-based access control. This article shows how to use ESO to fan one AWS secret out into multiple Kubernetes targets.

Prerequisites

Before diving into creating multiple secret targets, ensure you have the following:

  • A working Kubernetes cluster.
  • AWS account with permissions to create and manage secrets.
  • Installed External Secrets Operator (ESO) on your Kubernetes cluster.
  • Configured AWS IAM policies to allow the ESO to access AWS Secrets Manager.

Creating Secrets in AWS Secrets Manager

AWS Secrets Manager stores secrets encrypted with KMS, serves them over an authenticated API and can rotate them. Create the secret ESO will read as follows:

  1. Log in to the AWS Management Console and open Secrets Manager.
  2. Create the secret:
    • Choose "Store a new secret" and select "Other type of secret".
    • Under "Key/value pairs", add the secret's fields. The console stores them as one JSON object, which is the shape ESO's `dataFrom.extract` expects. For instance:
      • `db_username`: `admin`
      • `db_password`: `supersecurepassword` (use a generated password in practice)
    • Name the secret, e.g. `my-database-secrets`. Secrets Manager appends a random suffix to the secret's ARN, which matters when you write IAM policies against it.
  3. Define the access policy:
    • Grant the ESO controller access through IAM using an IAM Role for Service Accounts (IRSA) rather than static access keys, and scope the policy to the secrets the operator actually needs: `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` on `arn:aws:secretsmanager:<region>:<account>:secret:my-database-secrets-*`.
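The IRSA setup from step 3, written out as an added example rather than code from the original article. It is an eksctl ClusterConfig fragment that creates the IAM role, its trust policy for the operator's service account and a least-privilege inline policy scoped to the one secret. The cluster name, account ID `123456789012`, region `us-east-1`, and the `external-secrets` namespace and service-account name are assumptions; adjust them to your environment.

```yaml
# Added example: IRSA role for the ESO controller via eksctl.
# Assumed values: cluster my-cluster, region us-east-1, account 123456789012,
# ESO service account "external-secrets" in namespace "external-secrets".
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: my-cluster
  region: us-east-1
iam:
  withOIDC: true                      # IRSA requires the cluster's OIDC provider
  serviceAccounts:
    - metadata:
        name: external-secrets
        namespace: external-secrets
      # eksctl creates the role, a trust policy limited to this service account,
      # and annotates the service account with eks.amazonaws.com/role-arn.
      attachPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - secretsmanager:GetSecretValue
              - secretsmanager:DescribeSecret
            # Secrets Manager appends a random suffix to the ARN, hence the wildcard.
            # No ListSecrets: it is only needed for dataFrom.find lookups.
            Resource: arn:aws:secretsmanager:us-east-1:123456789012:secret:my-database-secrets-*
```

Apply it with `eksctl create iamserviceaccount -f <file>.yaml --approve`; if the ESO Helm chart has already created the service account, add `--override-existing-serviceaccounts` so eksctl annotates the existing one instead of failing. Keeping the `Resource` narrow is the point of the exercise: a role that can read every secret in the account turns any compromise of the operator into a compromise of all of them.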

Configuring External Secrets Operator to Use Multiple Targets

With the secret in AWS, the next step is to configure ESO to read it and write it to several Kubernetes targets. One ExternalSecret produces exactly one Kubernetes Secret, so "multiple targets" means several ExternalSecret objects that share a SecretStore and may point at the same remote secret. The steps are:

Installing External Secrets Operator

If not already done, install ESO from its Helm chart (repository https://charts.external-secrets.io, chart `external-secrets`) or from the release manifests, in its own namespace. When using IRSA, annotate the operator's service account with the IAM role ARN at install time; the chart exposes `serviceAccount.annotations` for this, so the controller pod receives web-identity credentials without any access keys in the cluster.

Each target is declared as its own ExternalSecret. The two specs differ only in the target name:

```yaml
# ExternalSecret spec for the first target
spec:
  dataFrom:
    - extract:
        key: my-database-secrets
  target:
    name: app1-credentials
```

```yaml
# ExternalSecret spec for the second target
spec:
  dataFrom:
    - extract:
        key: my-database-secrets
  target:
    name: app2-credentials
```

  • Spec structure: `spec` names the store to read from (`secretStoreRef`), what to fetch (`data` or `dataFrom`) and the Kubernetes Secret to write (`target`).
  • Secret targets: an ExternalSecret has exactly one `target`, so multiple targets are multiple ExternalSecret objects, here producing `app1-credentials` and `app2-credentials`. They can live in different namespaces and still reference the same remote secret.
  • Data retrieval: `dataFrom[].extract.key` names the Secrets Manager secret (by name or ARN); every key of its JSON value becomes a key in the target Secret. Use `data[].remoteRef` with `property` to pull individual keys instead.
  • Templating: `target.template` reshapes the fetched values before they are written (rename keys, render a connection string, set the Secret `type`), so each consumer gets the format it expects without receiving more than it needs.

The synced Secret is an ordinary Kubernetes Secret: enable etcd encryption at rest and restrict `get` and `list` on Secrets with RBAC, otherwise the protections of the external manager stop at the cluster boundary.
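The complete manifests for the setup above, as an added example and not code from the original article: one ClusterSecretStore backed by Secrets Manager and two ExternalSecrets that materialise `my-database-secrets` as `app1-credentials` and `app2-credentials` in two namespaces. The second target shows templating, rendering a single connection-string key instead of the raw fields. The region `us-east-1`, the namespaces `app1` and `app2`, the host `db.app2.svc` and the assumption that ESO's controller runs under an IRSA-annotated service account are all assumptions.

```yaml
# Added example: one store, two targets. Assumes the ESO controller's own
# service account is bound to an IAM role via IRSA, and region us-east-1.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  # Only these namespaces may reference this cluster-wide store.
  conditions:
    - namespaces:
        - app1
        - app2
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      # No auth block: the controller uses its own (IRSA) credentials.
      # Use auth.jwt.serviceAccountRef to assume a per-namespace role instead.
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app1-database
  namespace: app1
spec:
  refreshInterval: 1h               # re-read AWS hourly so rotations propagate
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager
  target:
    name: app1-credentials          # first target Secret
    creationPolicy: Owner           # ESO owns and garbage-collects the Secret
  dataFrom:
    - extract:
        key: my-database-secrets    # every JSON key becomes a Secret key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app2-database
  namespace: app2
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager
  target:
    name: app2-credentials          # second target Secret, different shape
    creationPolicy: Owner
    template:
      engineVersion: v2
      type: Opaque
      data:
        # Only the rendered DSN is written; the raw keys never reach this Secret.
        DATABASE_URL: "postgres://{{ .db_username }}:{{ .db_password }}@db.app2.svc:5432/app2"
  data:
    - secretKey: db_username
      remoteRef:
        key: my-database-secrets
        property: db_username       # pick one JSON field of the remote secret
    - secretKey: db_password
      remoteRef:
        key: my-database-secrets
        property: db_password
```

Apply with `kubectl apply -f` and check `kubectl get externalsecret -A`; a `SecretSynced` status on each object confirms the store, the IAM policy and the secret name line up. The `conditions` block on the ClusterSecretStore is the least-privilege control on the Kubernetes side: without it any namespace that can create an ExternalSecret can read whatever the operator's role can read.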

