@@ -95,6 +95,91 @@ spec:
**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `serviceAccountRef` with the namespace where the service account resides.
+## EKS Pod Identity Setup
+
+In order to use EKS Pod Identity Agent, create a role like this:
+
+```json
+{
+ "Statement": [
+ {
+ "Action": [
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:ListSecretVersionIds"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "*"
+ ]
+ }
+ ],
+ "Version": "2012-10-17"
+}
+```
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "pods.eks.amazonaws.com"
+ },
+ "Action": [
+ "sts:AssumeRole",
+ "sts:TagSession"
+ ]
+ }
+ ]
+}
+
+```
+
+
+Install ESO using helm and define these values:
+
+```yaml
+serviceAccount:
+ annotations:
+ name: external-secrets
+```
+
+Create a pod association:
+
+```
+aws eks create-pod-identity-association --cluster-name my-cluster --role-arn arn:aws:iam::111122223333:role/my-role --namespace external-secrets --service-account external-secrets
+```
+
+Then create a secret store like this:
+
+```yaml
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: store
+spec:
+ provider:
+ aws:
+ service: SecretsManager
+ region: eu-central-1
+```
+
+
+_Note_: `serviceAccountRef` _cannot_ be used together with EKS Pod Identity. That's because ESO can not impersonate
+service accounts which have iam roles bound using pod identity. Doing so will result in an error like this:
+```
+unable to create session: an IAM role must be associated with service account ...
+```
+
+_Note:_ No `auth` section is defined for the SecretStore.
+
+_Note:_ For even more details you can follow this post for more setup and information using Terraform [here](https://containscloud.com/2024/03/24/integrating-aws-secrets-manager-to-eks-using-external-secrets/).
+
+
## Custom Endpoints
You can define custom AWS endpoints if you want to use regional, vpc or custom endpoints. See List of endpoints for [Secrets Manager](https://docs.aws.amazon.com/general/latest/gr/asm.html), [Secure Systems Manager](https://docs.aws.amazon.com/general/latest/gr/ssm.html) and [Security Token Service](https://docs.aws.amazon.com/general/latest/gr/sts.html).
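Review bot: the permissions policy in the first JSON block of this hunk grants the four `secretsmanager:*` read actions on `"Resource": ["*"]`, i.e. every secret in the account, and since the role is bound to the cluster-wide ESO service account via the pod identity association, that is more than the operator needs; scope `Resource` to the ARNs (or an ARN prefix) of the secrets ESO is meant to read, or at least state in the text that `*` is a placeholder to narrow. Smaller points in the same hunk: the Helm values show `name: external-secrets` at the same indentation as `annotations:`, and an empty `annotations:` key resolves to null, so either drop it or write `annotations: {}` and make `name` a clear sibling of `annotations` rather than a child; the `aws eks create-pod-identity-association` fence is the only block without a language tag (tag it `bash`); the trust-policy block has a stray empty line before its closing fence; and "ESO can not impersonate" should read "cannot". Consider also moving the `_Note:_ No `auth` section is defined for the SecretStore.` line directly under the SecretStore example, where a reader looking for the missing `auth` block will expect it.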