Closed jan-osch closed 5 months ago
Same here, I run k3s on prem and I would like to use AWS Secrets Manager. Is this possible with this project?
Yes, however it is not officially documented. You should have working IAM role association for service accounts in your self-hosted cluster via AWS IAM OIDC (or similar approach like kube2iam, but I haven't tested it). Then you should:

1. Set the driverWritesSecrets launch argument to True (currently not possible via Helm, but I am already on it).
2. Create an IAM role with sts:AssumeRoleWithWebIdentity (see the Medium article above) and secretsmanager:GetSecretValue.
3. Add the "eks.amazonaws.com/role-arn" annotation to the service account you will use later for your pod. Use the ARN of the role from step 2 as the value.
4. Add the AWS_DEFAULT_REGION, AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE envs to your pod (also see the Medium article above :)

Do you think a detailed article about using this project in self-hosted k8s would be useful?
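Steps 2 to 4 above wired up end to end, as an added example (this is not code from the thread or from the project). The account id, OIDC issuer host, role name, namespace, service account name, secret name and region are placeholders you replace. Two things the steps leave implicit are spelled out here: the trust policy conditions on both the token's sub and aud claims, so only that one service account can assume the role, and the pod carries a projected service-account token with the sts.amazonaws.com audience, which the EKS pod identity webhook would inject for you on EKS but which you add yourself on a self-hosted cluster. The demo container just runs the AWS CLI to prove the role chain works; it is not the CSI driver mount.

```shell
#!/usr/bin/env bash
# Added example, not part of the issue thread or the project. Every value
# below is a placeholder; override via the environment before running.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
# Hostname of the OIDC issuer of your cluster's service-account tokens; the
# IAM OIDC identity provider must already be registered under this URL.
OIDC_HOST="${OIDC_HOST:-oidc.example.com}"
ROLE_NAME="${ROLE_NAME:-k3s-secrets-reader}"
NAMESPACE="${NAMESPACE:-default}"
SA_NAME="${SA_NAME:-secrets-reader}"
SECRET_NAME="${SECRET_NAME:-app/db}"
REGION="${REGION:-eu-west-1}"
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"
# Secrets Manager appends a random suffix to the ARN, hence the trailing -*.
SECRET_ARN="arn:aws:secretsmanager:${REGION}:${ACCOUNT_ID}:secret:${SECRET_NAME}-*"

# Step 2a, trust policy: only tokens from our OIDC provider, issued to this
# exact service account, with the sts.amazonaws.com audience, may assume the
# role. Without the sub condition any pod in the cluster could assume it.
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_HOST}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "${OIDC_HOST}:sub": "system:serviceaccount:${NAMESPACE}:${SA_NAME}",
      "${OIDC_HOST}:aud": "sts.amazonaws.com"
    }}
  }]
}
EOF
}

# Step 2b, permission policy: read one secret (by name prefix), nothing else.
secret_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "${SECRET_ARN}"
  }]
}
EOF
}

# Steps 3 and 4: annotated ServiceAccount, plus a Pod with the projected
# token volume and the three env vars the AWS SDK/CLI reads for
# AssumeRoleWithWebIdentity.
manifests_yaml() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${NAMESPACE}
  annotations:
    eks.amazonaws.com/role-arn: ${ROLE_ARN}
---
apiVersion: v1
kind: Pod
metadata:
  name: secrets-demo
  namespace: ${NAMESPACE}
spec:
  serviceAccountName: ${SA_NAME}
  containers:
  - name: check
    image: amazon/aws-cli
    args: ["secretsmanager", "get-secret-value", "--secret-id", "${SECRET_NAME}"]
    env:
    - name: AWS_DEFAULT_REGION
      value: ${REGION}
    - name: AWS_ROLE_ARN
      value: ${ROLE_ARN}
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    volumeMounts:
    - name: aws-iam-token
      mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
      readOnly: true
  volumes:
  - name: aws-iam-token
    projected:
      sources:
      - serviceAccountToken:
          audience: sts.amazonaws.com
          expirationSeconds: 86400
          path: token
EOF
}

# Creates the role, attaches the inline policy and applies the manifests.
# Deliberately not invoked at top level; call it once the placeholders are set.
apply_all() {
  aws iam create-role --role-name "${ROLE_NAME}" \
    --assume-role-policy-document "$(trust_policy_json)"
  aws iam put-role-policy --role-name "${ROLE_NAME}" \
    --policy-name read-app-secret --policy-document "$(secret_policy_json)"
  manifests_yaml | kubectl apply -f -
}
```

Run with the placeholders exported and then `apply_all`, then check `kubectl logs secrets-demo`: a token without the sts.amazonaws.com audience, or a sub that does not match the annotated service account, is rejected by STS at AssumeRoleWithWebIdentity, which is the first place to look when the pod cannot read the secret.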
Absolutely, I think so
We are looking for a solution to sync secrets from Secrets Manager to our k3s clusters running on EC2 (no EKS). Is it possible to use this project with outside clusters?