In a significant update, AWS Secrets Manager has announced that the AWS Secrets and Configuration Provider (ASCP) now integrates with Amazon Elastic Kubernetes Service (EKS) Pod Identity.
This integration streamlines IAM authentication for Kubernetes applications, making it easier and more secure to retrieve secrets from AWS Secrets Manager or parameters from AWS Systems Manager Parameter Store.
With this enhancement, managing IAM permissions for Kubernetes workloads becomes more efficient, enabling granular access control through role session tags on secrets.
What Does This Integration Offer?
ASCP is a plugin for the industry-standard Kubernetes Secrets Store CSI Driver, designed to help applications running in Kubernetes pods securely retrieve secrets from AWS Secrets Manager.
Previously, ASCP relied on IAM Roles for Service Accounts (IRSA) for authentication. Now, with the integration of Amazon EKS Pod Identity, you have the flexibility to choose between IRSA and Pod Identity for IAM authentication.
This is made possible through a new optional parameter, usePodIdentity, which allows you to select the authentication method that best aligns with your security and operational requirements.
This integration combines the strengths of ASCP and Pod Identity, offering a more streamlined and secure way to manage secrets in Amazon EKS environments. Key benefits include:
- Simplified IAM Authentication: Pod Identity simplifies the process of configuring IAM permissions for Kubernetes applications, reducing operational overhead.
- Granular Access Control: Role session tags enable fine-grained access control, ensuring that only authorized pods can access specific secrets.
- Seamless Secret Rotation: ASCP eliminates the need for custom code or container restarts when secrets are rotated, ensuring uninterrupted application performance.
- Flexibility in Authentication: The ability to choose between IRSA and Pod Identity provides flexibility, allowing teams to adopt the method that best suits their security policies and workflows.
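As an added example (not part of the announcement or of the ASCP project itself), the two pieces that the usePodIdentity parameter and the role-session-tag point above translate into: a SecretProviderClass that opts ASCP into Pod Identity, and the permissions policy for the role in the Pod Identity association, written as JSON (which is valid YAML) so both fit in one file. The namespace, names, region, account id and secret path are placeholders.

```yaml
# Added example, not from the announcement. Document 1 is the
# SecretProviderClass; document 2 is the IAM permissions policy as JSON.
# Namespace, names, region, account id and secret path are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: payments-db-credentials      # placeholder
  namespace: payments                # placeholder
spec:
  provider: aws
  parameters:
    # The new optional switch: "true" selects Pod Identity; omitting it
    # (or "false") keeps IRSA. It is a string, so keep the quotes.
    usePodIdentity: "true"
    region: us-east-1                # placeholder
    objects: |
      - objectName: "payments/db-credentials"   # placeholder secret name
        objectType: "secretsmanager"
---
# Permissions policy for the IAM role in the Pod Identity association.
# EKS Pod Identity puts session tags such as kubernetes-namespace on the
# role session; the condition lets a pod read only secrets tagged with
# its own namespace, which is the "role session tag" granularity.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:payments/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/kubernetes-namespace": "${aws:PrincipalTag/kubernetes-namespace}"
        }
      }
    }
  ]
}
```

For the condition to take effect, each secret must carry a kubernetes-namespace tag matching the namespace of the pods allowed to read it; a pod in another namespace then receives an access-denied error from Secrets Manager rather than the secret.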
Why This Matters
Managing secrets securely and efficiently is a critical aspect of running Kubernetes workloads in production environments. With the integration of ASCP and Pod Identity, AWS has made it easier than ever to:
- Enhance Security: By leveraging IAM authentication, you can ensure that only authorized applications access sensitive secrets.
- Reduce Complexity: The integration simplifies the configuration process, allowing teams to focus on building and deploying applications rather than managing infrastructure.
- Improve Scalability: With support for secret rotation and granular access control, this integration is designed to scale with your applications.
Getting Started
The integration of ASCP with Pod Identity is available in all AWS Regions where AWS Secrets Manager and Amazon EKS Pod Identity are supported. To get started, check out the following resources:
Conclusion
The integration of AWS Secrets and Configuration Provider (ASCP) with Amazon EKS Pod Identity marks a significant step forward in simplifying and securing secret management for Kubernetes workloads. By combining the power of ASCP with the flexibility of Pod Identity, AWS has provided a robust solution for managing IAM permissions and secrets in Amazon EKS environments. Whether you’re running a small application or a large-scale production workload, this integration offers the tools you need to enhance security, reduce complexity, and scale with confidence.
If you do not want to use this architecture to manage secrets in your Kubernetes cluster, there are other options. One of them is using Sealed Secrets by Bitnami.