Skip to main content

Overview

The kit uses External Secrets Operator to sync secrets from AWS Secrets Manager into Kubernetes. This keeps sensitive data out of Git while providing a GitOps-friendly secret management workflow.

Architecture

  1. ClusterSecretStore - Configures access to AWS Secrets Manager (one per cluster)
  2. ExternalSecret - Defines which secrets to fetch and how to map them
  3. Secret - The Kubernetes Secret created and kept in sync

Prerequisites

The External Secrets Operator uses Pod Identity to authenticate to AWS. This is configured automatically by the EKS Terraform module. Verify the ClusterSecretStore is working:

Create a Secret in AWS

1

Create the secret in Secrets Manager

Using AWS CLI:
Or using the AWS Console:
  1. Navigate to Secrets Manager
  2. Click “Store a new secret”
  3. Choose “Other type of secret”
  4. Enter key/value pairs or plaintext
  5. Name it following the naming convention
2

Create the ExternalSecret manifest

Create ExternalSecret.myapp-secrets.yaml in your service’s templates:
3

Deploy and verify

Secret Naming Conventions

The kit uses CloudPosse null-label for consistent resource naming. Secrets follow the same pattern:
The examples below use ksk as the namespace (the kit’s default). Replace this with the namespace you configured during Bootstrap Accounts.
Examples:
  • ksk-use2-staging-myapp-db - Database credentials for myapp
  • ksk-use2-staging-argocd-github-dex - ArgoCD GitHub OAuth credentials
  • ksk-use2-staging-signoz-ingestion-key - SigNoz observability ingestion key
This convention:
  • Aligns with all other Terraform-managed resources
  • Makes secrets easy to identify by cluster/environment
  • Enables fine-grained IAM policies using prefixes
  • Avoids naming conflicts across environments

Fetch Multiple Values from One Secret

AWS Secrets Manager secrets can contain JSON with multiple key/value pairs:
1

Create a JSON secret

2

Extract specific keys

Use Secrets in Pods

Reference the synced Secret in your Deployment:

Refresh and Sync Behavior

Automatic Refresh

ExternalSecrets periodically refresh from AWS based on refreshInterval:

Force Refresh

To immediately sync a secret:

Reloader Integration

The kit includes Reloader, which automatically restarts pods when their Secrets change:
Or for specific secrets:

Environment-Specific Secrets

Use different secret paths for each environment:
Then template the ExternalSecret:

IAM Permissions

The External Secrets service account needs permission to read secrets. This is configured via Pod Identity in the EKS Terraform module. By default, the External Secrets Pod Identity role has access to all secrets (arn:aws:secretsmanager:*:*:secret:*). To restrict access to specific prefixes, update the policy in terraform/modules/eks/base-infra-resources.tf:

Next Steps