aws / secrets-store-csi-driver-provider-aws

The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store, and mount them into Kubernetes pods.
Apache License 2.0
459 stars, 130 forks

Is it possible to use this outside of EKS? #335

Closed jan-osch closed 5 months ago

jan-osch commented 6 months ago

We are looking for a solution to sync secrets from Secrets Manager to our k3s clusters running on EC2 (no EKS). Is it possible to use this project with outside clusters?

roberto-sebastiano commented 6 months ago

Same here, I run k3s on prem and I would like to use AWS Secrets Manager. Is this possible with this project?

Elentary commented 5 months ago

Yes, however it is not officially documented. You should have a working IAM role association for service accounts in your self-hosted cluster via AWS IAM OIDC (or a similar approach like kube2iam, but I haven't tested it). Then you should:

  1. Set the driverWritesSecrets launch argument to True (currently not possible via Helm, but I am already on it)
  2. Create an IAM role with permissions to sts:AssumeRoleWithWebIdentity (see the Medium article above) and secretsmanager:GetSecretValue.
  3. Add the "eks.amazonaws.com/role-arn" annotation to the service account you will use later for your pod. Use the ARN of the role from step 2 as the value.
  4. Add the AWS_DEFAULT_REGION, AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE envs to your pod (also see the Medium article above :)
  5. Now configure volumes, volume mounts and the SecretProviderClass as you would in EKS (see the guide in this repo)

Do you think a detailed article about using this project in self-hosted k8s would be useful?
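Steps 3 to 5 above as a single manifest, added here as an example rather than taken from the issue or the project's docs. The account id, role name, region, SecretProviderClass name and token audience are placeholders; the projected token volume is the file AWS_WEB_IDENTITY_TOKEN_FILE points at, which the EKS pod identity webhook would mount for you on EKS but which a self-hosted cluster has to declare by hand.

```yaml
# Added example, not from the issue or the project docs; account id, role,
# region, SecretProviderClass name and token audience are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secrets-reader
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/secrets-reader
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  serviceAccountName: secrets-reader
  containers:
    - name: app
      image: public.ecr.aws/docker/library/busybox:stable
      command: ["sh", "-c", "ls /mnt/secrets && sleep 3600"]
      env:
        - name: AWS_DEFAULT_REGION
          value: us-east-1
        - name: AWS_ROLE_ARN
          value: arn:aws:iam::111122223333:role/secrets-reader
        # Must match the mount path of the projected token volume below.
        - name: AWS_WEB_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
      volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets
          readOnly: true
        - name: aws-token
          mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
          readOnly: true
  volumes:
    # Secrets Store CSI volume, configured exactly as in the EKS guide.
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aws-secrets
    # On EKS the pod identity webhook injects this volume; off EKS declare it.
    - name: aws-token
      projected:
        sources:
          - serviceAccountToken:
              path: token
              audience: sts.amazonaws.com
```

The IAM role's trust policy must accept the cluster's OIDC issuer for this service account (step 2), otherwise sts:AssumeRoleWithWebIdentity will reject the projected token.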

roberto-sebastiano commented 5 months ago

Absolutely, I think so