helm-external-secrets/main/provider/aws-access/index.html

<!doctype html>
<html lang="en" class="no-js">
  <head>
    
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width,initial-scale=1">
      
      
      
      
        <link rel="prev" href="../aws-parameter-store/">
      
      
        <link rel="next" href="../azure-key-vault/">
      
      
        
      
      
      <link rel="icon" href="../../pictures/eso-round-logo.svg">
      <meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.7.6">
    
    
      
        <title>AWS Access - External Secrets Operator</title>
      
    
    
      <link rel="stylesheet" href="../../assets/stylesheets/main.484c7ddc.min.css">
      
        
        <link rel="stylesheet" href="../../assets/stylesheets/palette.ab4e12ef.min.css">
      
      


    
    
      
    
    
      
        
        
        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
        <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
        <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
      
    
    
    <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
    
      
  


  
  

<script id="__analytics">function __md_analytics(){function e(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],e("js",new Date),e("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",(function(){document.forms.search&&document.forms.search.query.addEventListener("blur",(function(){this.value&&e("event","search",{search_term:this.value})}));document$.subscribe((function(){var t=document.forms.feedback;if(void 0!==t)for(var a of t.querySelectorAll("[type=submit]"))a.addEventListener("click",(function(a){a.preventDefault();var n=document.location.pathname,d=this.getAttribute("data-md-value");e("event","feedback",{page:n,data:d}),t.firstElementChild.disabled=!0;var r=t.querySelector(".md-feedback__note [data-md-value='"+d+"']");r&&(r.hidden=!1)})),t.hidden=!1})),location$.subscribe((function(t){e("config","G-QP38TD8K7V",{page_path:t.pathname})}))}));var t=document.createElement("script");t.async=!0,t.src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V",document.getElementById("__analytics").insertAdjacentElement("afterEnd",t)}</script>
  
    <script>"undefined"!=typeof __md_analytics&&__md_analytics()</script>
  

    
    
  </head>
  
  
    
    
      
    
    
    
    
    <body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
  
    
    <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
    <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
    <label class="md-overlay" for="__drawer"></label>
    <div data-md-component="skip">
      
        
        <a href="#aws-authentication" class="md-skip">
          Skip to content
        </a>
      
    </div>
    <div data-md-component="announce">
      
    </div>
    
      <div data-md-color-scheme="default" data-md-component="outdated" hidden>
        
          <aside class="md-banner md-banner--warning">
            <div class="md-banner__inner md-grid md-typeset">
              
  You're not viewing the latest version.
  <a href="../../..">
    <strong>Click here to go to latest.</strong>
  </a>

            </div>
            <script>var el=document.querySelector("[data-md-component=outdated]"),base=new URL("../.."),outdated=__md_get("__outdated",sessionStorage,base);!0===outdated&&el&&(el.hidden=!1)</script>
          </aside>
        
      </div>
    
    
      

<header class="md-header" data-md-component="header">
  <nav class="md-header__inner md-grid" aria-label="Header">
    <a href="../.." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
      
  <img src="../../pictures/eso-round-logo.svg" alt="logo">

    </a>
    <label class="md-header__button md-icon" for="__drawer">
      
      <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
    </label>
    <div class="md-header__title" data-md-component="header-title">
      <div class="md-header__ellipsis">
        <div class="md-header__topic">
          <span class="md-ellipsis">
            External Secrets Operator
          </span>
        </div>
        <div class="md-header__topic" data-md-component="header-topic">
          <span class="md-ellipsis">
            
              AWS Access
            
          </span>
        </div>
      </div>
    </div>
    
      
        <form class="md-header__option" data-md-component="palette">
  
    
    
    
    <input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo"  aria-label="Switch to dark mode"  type="radio" name="__palette" id="__palette_0">
    
      <label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
      </label>
    
  
    
    
    
    <input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo"  aria-label="Switch to light mode"  type="radio" name="__palette" id="__palette_1">
    
      <label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
      </label>
    
  
</form>
      
    
    
      <script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
    
    
    
      
      
        <label class="md-header__button md-icon" for="__search">
          
          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
        </label>
        <div class="md-search" data-md-component="search" role="dialog">
  <label class="md-search__overlay" for="__search"></label>
  <div class="md-search__inner" role="search">
    <form class="md-search__form" name="search">
      <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
      <label class="md-search__icon md-icon" for="__search">
        
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
        
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
      </label>
      <nav class="md-search__options" aria-label="Search">
        
        <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
          
          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
        </button>
      </nav>
      
    </form>
    <div class="md-search__output">
      <div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
        <div class="md-search-result" data-md-component="search-result">
          <div class="md-search-result__meta">
            Initializing search
          </div>
          <ol class="md-search-result__list" role="presentation"></ol>
        </div>
      </div>
    </div>
  </div>
</div>
      
    
    
      <div class="md-header__source">
        <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
  <div class="md-source__icon md-icon">
    
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
  </div>
  <div class="md-source__repository">
    External Secrets Operator
  </div>
</a>
      </div>
    
  </nav>
  
</header>
    
    <div class="md-container" data-md-component="container">
      
      
        
          
            
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
  <div class="md-grid">
    <ul class="md-tabs__list">
      
        
  
  
  
  
    
    
      <li class="md-tabs__item">
        <a href="../.." class="md-tabs__link">
          
  
  
    
  
  Introduction

        </a>
      </li>
    
  

      
        
  
  
  
  
    
    
      <li class="md-tabs__item">
        <a href="../../api/components/" class="md-tabs__link">
          
  
  
    
  
  API

        </a>
      </li>
    
  

      
        
  
  
  
  
    
    
      <li class="md-tabs__item">
        <a href="../../guides/introduction/" class="md-tabs__link">
          
  
  
    
  
  Guides

        </a>
      </li>
    
  

      
        
  
  
  
    
  
  
    
    
      <li class="md-tabs__item md-tabs__item--active">
        <a href="../aws-secrets-manager/" class="md-tabs__link">
          
  
  
    
  
  Provider

        </a>
      </li>
    
  

      
        
  
  
  
  
    
    
      <li class="md-tabs__item">
        <a href="../../examples/gitops-using-fluxcd/" class="md-tabs__link">
          
  
  
    
  
  Examples

        </a>
      </li>
    
  

      
        
  
  
  
  
    
    
      
  
  
  
  
    
    
      <li class="md-tabs__item">
        <a href="../../contributing/devguide/" class="md-tabs__link">
          
  
  
    
  
  Community

        </a>
      </li>
    
  

    
  

      
    </ul>
  </div>
</nav>
          
        
      
      <main class="md-main" data-md-component="main">
        <div class="md-main__inner md-grid">
          
            
              
              <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
                <div class="md-sidebar__scrollwrap">
                  <div class="md-sidebar__inner">
                    


  


<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
  <label class="md-nav__title" for="__drawer">
    <a href="../.." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
      
  <img src="../../pictures/eso-round-logo.svg" alt="logo">

    </a>
    External Secrets Operator
  </label>
  
    <div class="md-nav__source">
      <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
  <div class="md-source__icon md-icon">
    
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
  </div>
  <div class="md-source__repository">
    External Secrets Operator
  </div>
</a>
    </div>
  
  <ul class="md-nav__list" data-md-scrollfix>
    
      
      
  
  
  
  
    
    
      
        
          
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_1" >
        
          
          <div class="md-nav__link md-nav__container">
            <a href="../.." class="md-nav__link ">
              
  
  
  <span class="md-ellipsis">
    
  
    Introduction
  

    
  </span>
  
  

            </a>
            
              
              <label class="md-nav__link " for="__nav_1" id="__nav_1_label" tabindex="0">
                <span class="md-nav__icon md-icon"></span>
              </label>
            
          </div>
        
        <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_1_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_1">
            <span class="md-nav__icon md-icon"></span>
            
  
    Introduction
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../introduction/overview/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Overview
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../introduction/glossary/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Glossary
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../introduction/prerequisites/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Prerequisites
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../introduction/getting-started/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Getting started
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../introduction/faq/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    FAQ
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../introduction/stability-support/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Stability and Support
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../introduction/deprecation-policy/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Deprecation Policy
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

    
      
      
  
  
  
  
    
    
      
        
      
        
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
        
          
          <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    API
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_2">
            <span class="md-nav__icon md-icon"></span>
            
  
    API
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/components/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Components
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    
    
      
        
      
        
      
        
      
        
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_2" >
        
          
          <label class="md-nav__link" for="__nav_2_2" id="__nav_2_2_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    Core Resources
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_2_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_2_2">
            <span class="md-nav__icon md-icon"></span>
            
  
    Core Resources
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/externalsecret/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    ExternalSecret
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/secretstore/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    SecretStore
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/clustersecretstore/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    ClusterSecretStore
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/clusterexternalsecret/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    ClusterExternalSecret
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/clusterpushsecret/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    ClusterPushSecret
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/pushsecret/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    PushSecret
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

              
            
              
                
  
  
  
  
    
    
      
        
          
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_3" >
        
          
          <div class="md-nav__link md-nav__container">
            <a href="../../api/generator/" class="md-nav__link ">
              
  
  
  <span class="md-ellipsis">
    
  
    Generators
  

    
  </span>
  
  

            </a>
            
              
              <label class="md-nav__link " for="__nav_2_3" id="__nav_2_3_label" tabindex="0">
                <span class="md-nav__icon md-icon"></span>
              </label>
            
          </div>
        
        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_3_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_2_3">
            <span class="md-nav__icon md-icon"></span>
            
  
    Generators
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/acr/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Azure Container Registry
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/ecr/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    AWS Elastic Container Registry
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/sts/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    AWS STS Session Token
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/cloudsmith/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Cloudsmith
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/cluster/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Cluster Generator
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/gcr/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Google Container Registry
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/grafana/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Grafana
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/quay/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Quay
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/vault/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Vault Dynamic Secret
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/password/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Password
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/fake/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Fake
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/webhook/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Webhook
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/github/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Github
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/uuid/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    UUID
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/mfa/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    MFA
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/generator/sshkey/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    SSHKey
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

              
            
              
                
  
  
  
  
    
    
      
        
      
        
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_4" >
        
          
          <label class="md-nav__link" for="__nav_2_4" id="__nav_2_4_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    Reference Docs
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_4_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_2_4">
            <span class="md-nav__icon md-icon"></span>
            
  
    Reference Docs
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/spec/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    API specification
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/controller-options/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Controller Options
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/metrics/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Metrics
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../api/selectable-fields/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Selectable Fields
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

    
      
      
  
  
  
  
    
    
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3" >
        
          
          <label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    Guides
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_3">
            <span class="md-nav__icon md-icon"></span>
            
  
    Guides
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/introduction/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Introduction
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    
    
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2" >
        
          
          <label class="md-nav__link" for="__nav_3_2" id="__nav_3_2_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    External Secrets
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_2_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_3_2">
            <span class="md-nav__icon md-icon"></span>
            
  
    External Secrets
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/all-keys-one-secret/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Extract structured data
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/getallsecrets/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Find Secrets by Name or Metadata
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/datafrom-rewrite/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Rewriting Keys
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    
    
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2_4" >
        
          
          <label class="md-nav__link" for="__nav_3_2_4" id="__nav_3_2_4_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    Advanced Templating
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="3" aria-labelledby="__nav_3_2_4_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_3_2_4">
            <span class="md-nav__icon md-icon"></span>
            
  
    Advanced Templating
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/templating/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    v2
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/templating-v1/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    v1
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/common-k8s-secret-types/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Kubernetes Secret Types
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/ownership-deletion-policy/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Lifecycle: ownership & deletion
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/decoding-strategy/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Decoding Strategies
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/controller-class/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Controller Classes
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/targeting-custom-resources/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Targeting Custom Resources
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/generator/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Generators
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/pushsecrets/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Push Secrets
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    
    
      
        
      
        
      
        
      
        
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_6" >
        
          
          <label class="md-nav__link" for="__nav_3_6" id="__nav_3_6_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    Operations
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_6_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_3_6">
            <span class="md-nav__icon md-icon"></span>
            
  
    Operations
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/multi-tenancy/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Multi Tenancy
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/security-best-practices/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Security Best Practices
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/threat-model/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Threat Model
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/v1beta1/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Upgrading to v1beta1
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/using-latest-image/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Using Latest Image
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/disable-cluster-features/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Disable Cluster Features
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

              
            
              
                
  
  
  
  
    
    
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_7" >
        
          
          <label class="md-nav__link" for="__nav_3_7" id="__nav_3_7_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    Tooling
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_7_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_3_7">
            <span class="md-nav__icon md-icon"></span>
            
  
    Tooling
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../guides/using-esoctl-tool/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Using the esoctl tool
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

    
      
      
  
  
    
  
  
  
    
    
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
    
    
    
      
        
        
      
      
    
    
    <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
      
        
        
        <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
        
          
          <label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="">
            
  
  
  <span class="md-ellipsis">
    
  
    Provider
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
          <label class="md-nav__title" for="__nav_4">
            <span class="md-nav__icon md-icon"></span>
            
  
    Provider
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../aws-secrets-manager/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    AWS Secrets Manager
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../aws-parameter-store/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    AWS Parameter Store
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
    
  
  
  
    <li class="md-nav__item md-nav__item--active">
      
      <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
      
      
      
        <label class="md-nav__link md-nav__link--active" for="__toc">
          
  
  
  <span class="md-ellipsis">
    
  
    AWS Access
  

    
  </span>
  
  

          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <a href="./" class="md-nav__link md-nav__link--active">
        
  
  
  <span class="md-ellipsis">
    
  
    AWS Access
  

    
  </span>
  
  

      </a>
      
        

<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  
  
  
  
    <label class="md-nav__title" for="__toc">
      <span class="md-nav__icon md-icon"></span>
      Table of contents
    </label>
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
  <a href="#aws-authentication" class="md-nav__link">
    <span class="md-ellipsis">
      
        AWS Authentication
      
    </span>
  </a>
  
    <nav class="md-nav" aria-label="AWS Authentication">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#controllers-pod-identity" class="md-nav__link">
    <span class="md-ellipsis">
      
        Controller's Pod Identity
      
    </span>
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#access-key-id-secret-access-key" class="md-nav__link">
    <span class="md-ellipsis">
      
        Access Key ID &amp; Secret Access Key
      
    </span>
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#eks-service-account-credentials" class="md-nav__link">
    <span class="md-ellipsis">
      
        EKS Service Account credentials
      
    </span>
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
        <li class="md-nav__item">
  <a href="#eks-pod-identity-setup" class="md-nav__link">
    <span class="md-ellipsis">
      
        EKS Pod Identity Setup
      
    </span>
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#custom-endpoints" class="md-nav__link">
    <span class="md-ellipsis">
      
        Custom Endpoints
      
    </span>
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#sts-session-tags" class="md-nav__link">
    <span class="md-ellipsis">
      
        STS Session Tags
      
    </span>
  </a>
  
    <nav class="md-nav" aria-label="STS Session Tags">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#simple-policy" class="md-nav__link">
    <span class="md-ellipsis">
      
        Simple Policy
      
    </span>
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#custom-policy" class="md-nav__link">
    <span class="md-ellipsis">
      
        Custom Policy
      
    </span>
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#required-iam-permissions" class="md-nav__link">
    <span class="md-ellipsis">
      
        Required IAM Permissions
      
    </span>
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
    </ul>
  
</nav>
      
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../azure-key-vault/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Azure Key Vault
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../barbican/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Barbican
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../beyondtrust/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    BeyondTrust
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../bitwarden-secrets-manager/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Bitwarden Secrets Manager
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../chef/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Chef
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../cloudru/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Cloud.ru Secret Manager
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../conjur/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    CyberArk Conjur
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../google-secrets-manager/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Google Cloud Secret Manager
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../hashicorp-vault/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    HashiCorp Vault
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../kubernetes/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Kubernetes
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../ibm-secrets-manager/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    IBM Secrets Manager
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../akeyless/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Akeyless
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../yandex-certificate-manager/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Yandex Certificate Manager
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../yandex-lockbox/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Yandex Lockbox
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../gitlab-variables/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    GitLab Variables
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../github/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Github Actions Secrets
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../oracle-vault/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Oracle Vault
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../ovhcloud/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    OVHcloud
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../1password-automation/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    1Password Connect Server
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../1password-sdk/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    1Password SDK
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../webhook/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Webhook
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../fake/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Fake
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../senhasegura-dsm/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    senhasegura DevOps Secrets Management (DSM)
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../doppler/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Doppler
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../keeper-security/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Keeper Security
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../cloak/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Cloak End 2 End Encrypted Secrets
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../scaleway/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Scaleway
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../delinea/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Delinea
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../secretserver/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Secret Server
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../passbolt/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Passbolt
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../pulumi/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Pulumi ESC
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../onboardbase/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Onboardbase
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../provider-passworddepot/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Password Depot
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../fortanix/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Fortanix
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../infisical/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Infisical
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../previder/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Previder
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../openbao/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    OpenBao
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../volcengine/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Volcengine
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../ngrok/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    ngrok
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../devolutions-server/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Devolutions Server
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../nebius-mysterybox/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Nebius MysteryBox
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

    
      
      
  
  
  
  
    
    
      
        
      
        
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_5" >
        
          
          <label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    Examples
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_5">
            <span class="md-nav__icon md-icon"></span>
            
  
    Examples
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../examples/gitops-using-fluxcd/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    FluxCD
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../examples/anchore-engine-credentials/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Anchore Engine
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../examples/jenkins-kubernetes-credentials/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Jenkins
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../examples/bitwarden/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Bitwarden
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

    
      
      
  
  
  
  
    
    
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6" >
        
          
          <label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    Community
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_6">
            <span class="md-nav__icon md-icon"></span>
            
  
    Community
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    
    
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_1" >
        
          
          <label class="md-nav__link" for="__nav_6_1" id="__nav_6_1_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    Contributing
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_1_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_6_1">
            <span class="md-nav__icon md-icon"></span>
            
  
    Contributing
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../contributing/devguide/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Developer guide
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../contributing/process/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Contributing Process
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../contributing/release/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Release Process
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../contributing/coc/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Code of Conduct
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../contributing/calendar/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Community meetings calendar
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../contributing/roadmap/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Roadmap
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../contributing/burnout-mitigation/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Burnout Prevention
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../contributing/llm-policy/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    LLM Policy
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

              
            
              
                
  
  
  
  
    
    
      
        
      
        
      
        
      
        
      
    
    
    
      
      
    
    
    <li class="md-nav__item md-nav__item--nested">
      
        
        
          
        
        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_2" >
        
          
          <label class="md-nav__link" for="__nav_6_2" id="__nav_6_2_label" tabindex="0">
            
  
  
  <span class="md-ellipsis">
    
  
    External Resources
  

    
  </span>
  
  

            <span class="md-nav__icon md-icon"></span>
          </label>
        
        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_2_label" aria-expanded="false">
          <label class="md-nav__title" for="__nav_6_2">
            <span class="md-nav__icon md-icon"></span>
            
  
    External Resources
  

          </label>
          <ul class="md-nav__list" data-md-scrollfix>
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../eso-talks/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Talks
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../eso-demos/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Demos
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../eso-blogs/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Blogs
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
              
                
  
  
  
  
    <li class="md-nav__item">
      <a href="../../eso-tools/" class="md-nav__link">
        
  
  
  <span class="md-ellipsis">
    
  
    Tools
  

    
  </span>
  
  

      </a>
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

              
            
          </ul>
        </nav>
      
    </li>
  

    
  </ul>
</nav>
                  </div>
                </div>
              </div>
            
            
              
              <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
                <div class="md-sidebar__scrollwrap">
                  <div class="md-sidebar__inner">
                    

<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  
  
  
  
    <label class="md-nav__title" for="__toc">
      <span class="md-nav__icon md-icon"></span>
      Table of contents
    </label>
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
  <a href="#aws-authentication" class="md-nav__link">
    <span class="md-ellipsis">
      
        AWS Authentication
      
    </span>
  </a>
  
    <nav class="md-nav" aria-label="AWS Authentication">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#controllers-pod-identity" class="md-nav__link">
    <span class="md-ellipsis">
      
        Controller's Pod Identity
      
    </span>
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#access-key-id-secret-access-key" class="md-nav__link">
    <span class="md-ellipsis">
      
        Access Key ID &amp; Secret Access Key
      
    </span>
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#eks-service-account-credentials" class="md-nav__link">
    <span class="md-ellipsis">
      
        EKS Service Account credentials
      
    </span>
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
        <li class="md-nav__item">
  <a href="#eks-pod-identity-setup" class="md-nav__link">
    <span class="md-ellipsis">
      
        EKS Pod Identity Setup
      
    </span>
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#custom-endpoints" class="md-nav__link">
    <span class="md-ellipsis">
      
        Custom Endpoints
      
    </span>
  </a>
  
</li>
      
        <li class="md-nav__item">
  <a href="#sts-session-tags" class="md-nav__link">
    <span class="md-ellipsis">
      
        STS Session Tags
      
    </span>
  </a>
  
    <nav class="md-nav" aria-label="STS Session Tags">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#simple-policy" class="md-nav__link">
    <span class="md-ellipsis">
      
        Simple Policy
      
    </span>
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#custom-policy" class="md-nav__link">
    <span class="md-ellipsis">
      
        Custom Policy
      
    </span>
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#required-iam-permissions" class="md-nav__link">
    <span class="md-ellipsis">
      
        Required IAM Permissions
      
    </span>
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
    </ul>
  
</nav>
                  </div>
                </div>
              </div>
            
          
          
            <div class="md-content" data-md-component="content">
              
              <article class="md-content__inner md-typeset">
                
                  


  
  


  <h1>AWS Access</h1>

<h2 id="aws-authentication">AWS Authentication</h2>
<h3 id="controllers-pod-identity">Controller's Pod Identity</h3>
<p><img alt="Pod Identity Authentication" src="../../pictures/diagrams-provider-aws-auth-pod-identity.png" /></p>
<p>Note: If you are using Parameter Store replace <code>service: SecretsManager</code> with <code>service: ParameterStore</code> in all examples below.</p>
<p>This is basically a zero-configuration authentication method that inherits the credentials from the runtime environment using the <a href="https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default">aws sdk default credential chain</a>.</p>
<p>You can attach a role to the pod using <a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">IRSA</a>, <a href="https://github.com/uswitch/kiam">kiam</a> or <a href="https://github.com/jtblin/kube2iam">kube2iam</a>. When no other authentication method is configured in the <code>Kind=Secretstore</code> this role is used to make all API calls against AWS Secrets Manager or SSM Parameter Store.</p>
<p>Based on the Pod's identity you can do a <code>sts:assumeRole</code> before fetching the secrets to limit access to certain keys in your provider. This is optional.</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b-store</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
<span class="w">    </span><span class="nt">aws</span><span class="p">:</span>
<span class="w">      </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
<span class="w">      </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
<span class="w">      </span><span class="c1"># optional: do a sts:assumeRole before fetching secrets</span>
<span class="w">      </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b</span>
</code></pre></div>
<h3 id="access-key-id-secret-access-key">Access Key ID &amp; Secret Access Key</h3>
<p><img alt="SecretRef" src="../../pictures/diagrams-provider-aws-auth-secret-ref.png" /></p>
<p>You can store Access Key ID &amp; Secret Access Key in a <code>Kind=Secret</code> and reference it from a SecretStore.</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b-store</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
<span class="w">    </span><span class="nt">aws</span><span class="p">:</span>
<span class="w">      </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
<span class="w">      </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
<span class="w">      </span><span class="c1"># optional: assume role before fetching secrets</span>
<span class="w">      </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b</span>
<span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
<span class="w">        </span><span class="nt">secretRef</span><span class="p">:</span>
<span class="w">          </span><span class="nt">accessKeyIDSecretRef</span><span class="p">:</span>
<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">awssm-secret</span>
<span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">access-key</span>
<span class="w">          </span><span class="nt">secretAccessKeySecretRef</span><span class="p">:</span>
<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">awssm-secret</span>
<span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-access-key</span>
</code></pre></div>
<p><strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> in <code>accessKeyIDSecretRef</code>, <code>secretAccessKeySecretRef</code> with the namespaces where the secrets reside.</p>
<h3 id="eks-service-account-credentials">EKS Service Account credentials</h3>
<p><img alt="Service Account" src="../../pictures/diagrams-provider-aws-auth-service-account.png" /></p>
<p>This feature lets you use short-lived service account tokens to authenticate with AWS.
You must have <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection">Service Account Volume Projection</a> enabled - it is by default on EKS. See <a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html">EKS guide</a> on how to set up IAM roles for service accounts.</p>
<p>The big advantage of this approach is that ESO runs without any credentials.</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w">  </span><span class="nt">annotations</span><span class="p">:</span>
<span class="w">    </span><span class="nt">eks.amazonaws.com/role-arn</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">arn:aws:iam::123456789012:role/team-a</span>
<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-serviceaccount</span>
<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
</code></pre></div>
<p>Reference the service account from above in the Secret Store:</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secretstore-sample</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
<span class="w">    </span><span class="nt">aws</span><span class="p">:</span>
<span class="w">      </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
<span class="w">      </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
<span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
<span class="w">        </span><span class="nt">jwt</span><span class="p">:</span>
<span class="w">          </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-serviceaccount</span>
</code></pre></div>
<p><strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> for <code>serviceAccountRef</code> with the namespace where the service account resides.</p>
<h2 id="eks-pod-identity-setup">EKS Pod Identity Setup</h2>
<p>In order to use EKS Pod Identity Agent, create a role like this:</p>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w">    </span><span class="nt">&quot;Statement&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<span class="w">        </span><span class="p">{</span>
<span class="w">            </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<span class="w">                </span><span class="s2">&quot;secretsmanager:GetResourcePolicy&quot;</span><span class="p">,</span>
<span class="w">                </span><span class="s2">&quot;secretsmanager:GetSecretValue&quot;</span><span class="p">,</span>
<span class="w">                </span><span class="s2">&quot;secretsmanager:DescribeSecret&quot;</span><span class="p">,</span>
<span class="w">                </span><span class="s2">&quot;secretsmanager:ListSecretVersionIds&quot;</span>
<span class="w">            </span><span class="p">],</span>
<span class="w">            </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
<span class="w">            </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<span class="w">                </span><span class="s2">&quot;*&quot;</span>
<span class="w">            </span><span class="p">]</span>
<span class="w">        </span><span class="p">}</span>
<span class="w">    </span><span class="p">],</span>
<span class="w">    </span><span class="nt">&quot;Version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2012-10-17&quot;</span>
<span class="p">}</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w">    </span><span class="nt">&quot;Version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2012-10-17&quot;</span><span class="p">,</span>
<span class="w">    </span><span class="nt">&quot;Statement&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<span class="w">        </span><span class="p">{</span>
<span class="w">            </span><span class="nt">&quot;Sid&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;AllowEksAuthToAssumeRoleForPodIdentity&quot;</span><span class="p">,</span>
<span class="w">            </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
<span class="w">            </span><span class="nt">&quot;Principal&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<span class="w">                </span><span class="nt">&quot;Service&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;pods.eks.amazonaws.com&quot;</span>
<span class="w">            </span><span class="p">},</span>
<span class="w">            </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<span class="w">                </span><span class="s2">&quot;sts:AssumeRole&quot;</span><span class="p">,</span>
<span class="w">                </span><span class="s2">&quot;sts:TagSession&quot;</span>
<span class="w">            </span><span class="p">]</span>
<span class="w">        </span><span class="p">}</span>
<span class="w">    </span><span class="p">]</span>
<span class="p">}</span>
</code></pre></div>
<p>Install ESO using helm and define these values:</p>
<div class="highlight"><pre><span></span><code><span class="nt">serviceAccount</span><span class="p">:</span>
<span class="w">  </span><span class="nt">annotations</span><span class="p">:</span>
<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
</code></pre></div>
<p>Create a pod association:</p>
<div class="highlight"><pre><span></span><code>aws eks create-pod-identity-association --cluster-name my-cluster --role-arn arn:aws:iam::111122223333:role/my-role --namespace external-secrets --service-account external-secrets
</code></pre></div>
<p>Then create a secret store like this:</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">store</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
<span class="w">    </span><span class="nt">aws</span><span class="p">:</span>
<span class="w">      </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
<span class="w">      </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
</code></pre></div>
<p><em>Note</em>: <code>serviceAccountRef</code> <em>cannot</em> be used together with EKS Pod Identity. That's because ESO can not impersonate
service accounts which have iam roles bound using pod identity. Doing so will result in an error like this:
<div class="highlight"><pre><span></span><code>unable to create session: an IAM role must be associated with service account ...
</code></pre></div></p>
<p><em>Note:</em> No <code>auth</code> section is defined for the SecretStore.</p>
<p><em>Note:</em> For even more details you can follow this post for more setup and information using Terraform <a href="https://containscloud.com/2024/03/24/integrating-aws-secrets-manager-to-eks-using-external-secrets/">here</a>.</p>
<h2 id="custom-endpoints">Custom Endpoints</h2>
<p>You can define custom AWS endpoints if you want to use regional, vpc or custom endpoints. See List of endpoints for <a href="https://docs.aws.amazon.com/general/latest/gr/asm.html">Secrets Manager</a>, <a href="https://docs.aws.amazon.com/general/latest/gr/ssm.html">Secure Systems Manager</a> and <a href="https://docs.aws.amazon.com/general/latest/gr/sts.html">Security Token Service</a>.</p>
<p>Use the following environment variables to point the controller to your custom endpoints. Note: All resources managed by this controller are affected.</p>
<table>
<thead>
<tr>
<th>ENV VAR</th>
<th>DESCRIPTION</th>
</tr>
</thead>
<tbody>
<tr>
<td>AWS_SECRETSMANAGER_ENDPOINT</td>
<td>Endpoint for the Secrets Manager Service. The controller uses this endpoint to fetch secrets from AWS Secrets Manager.</td>
</tr>
<tr>
<td>AWS_SSM_ENDPOINT</td>
<td>Endpoint for the AWS Secure Systems Manager. The controller uses this endpoint to fetch secrets from SSM Parameter Store.</td>
</tr>
<tr>
<td>AWS_STS_ENDPOINT</td>
<td>Endpoint for the Security Token Service. The controller uses this endpoint when creating a session and when doing <code>assumeRole</code> or <code>assumeRoleWithWebIdentity</code> calls.</td>
</tr>
<tr>
<td>AWS_ECR_ENDPOINT</td>
<td>Endpoint for the ECR Service. The controller uses this endpoint to fetch authorization tokens from ECR.</td>
</tr>
<tr>
<td>AWS_ECR_PUBLIC_ENDPOINT</td>
<td>Endpoint for the Public ECR Service. The controller uses this endpoint to fetch authorization tokens from ECR.</td>
</tr>
</tbody>
</table>
<h2 id="sts-session-tags">STS Session Tags</h2>
<p>You can have ESO automatically include Kubernetes context data into <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">STS session tags</a> when assuming an IAM role. These tags can be used in IAM policy conditions to implement attribute-based access control (ABAC).</p>
<p>The behavior is controlled by setting the optional <code>spec.provider.aws.sessionTagsPolicy</code> field on a SecretStore, which can be set to one of the following values:</p>
<table>
<thead>
<tr>
<th>Policy</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>None</code></td>
<td>Default. No session tags are added.</td>
</tr>
<tr>
<td><code>Simple</code></td>
<td>Automatically adds <code>esoNamespace</code>, <code>esoStoreName</code>, and <code>esoStoreKind</code> tags.</td>
</tr>
<tr>
<td><code>Custom</code></td>
<td>Adds the same three built-in tags plus any additional tags defined in <code>customSessionTags</code>.</td>
</tr>
</tbody>
</table>
<p>The automatically added tags are derived from the store configuration and the namespace of the ExternalSecret:</p>
<table>
<thead>
<tr>
<th>Tag</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>esoNamespace</code></td>
<td>The namespace of the <code>ExternalSecret</code> making the request.</td>
</tr>
<tr>
<td><code>esoStoreName</code></td>
<td>The name of the <code>SecretStore</code> or <code>ClusterSecretStore</code>.</td>
</tr>
<tr>
<td><code>esoStoreKind</code></td>
<td>The kind of the store (<code>SecretStore</code> or <code>ClusterSecretStore</code>).</td>
</tr>
</tbody>
</table>
<p>Session tags are configured per secret store. If using <code>spec.dataFrom[].sourceRef.storeRef</code> to reference secrets from multiple different stores, each store must be configured with the desired <code>sessionTagsPolicy</code> independently. Although the session tags for each secret will have the name and kind of the specified secret store, they'll all share the same namespace which comes from the ExternalSecret.</p>
<h3 id="simple-policy">Simple Policy</h3>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b-store</span>
<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
<span class="w">    </span><span class="nt">aws</span><span class="p">:</span>
<span class="w">      </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
<span class="w">      </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
<span class="w">      </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b</span>
<span class="w">      </span><span class="nt">sessionTagsPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Simple</span>
</code></pre></div>
<p>Session tags will include <code>esoNamespace=team-b</code>, <code>esoStoreName=team-b-store</code>, and <code>esoStoreKind=SecretStore</code>.</p>
<h3 id="custom-policy">Custom Policy</h3>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b-store</span>
<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
<span class="w">    </span><span class="nt">aws</span><span class="p">:</span>
<span class="w">      </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
<span class="w">      </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
<span class="w">      </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">team-b</span>
<span class="w">      </span><span class="nt">sessionTagsPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Custom</span>
<span class="w">      </span><span class="nt">customSessionTags</span><span class="p">:</span>
<span class="w">        </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">production</span>
<span class="w">        </span><span class="nt">team</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">platform</span>
</code></pre></div>
<p>Session tags will include the three automatically added tags, plus <code>env=production</code> and <code>team=platform</code>.</p>
<p><strong>NOTE:</strong> Custom tags with empty keys or empty values are silently ignored. Built-in tags (<code>esoNamespace</code>, <code>esoStoreName</code>, <code>esoStoreKind</code>) will always be included even when the sessionTagsPolicy is <code>Custom</code>. They cannot be overridden via <code>customSessionTags</code>.</p>
<h3 id="required-iam-permissions">Required IAM Permissions</h3>
<p>When session tags are enabled, the role trust policy must allow <code>sts:TagSession</code>:</p>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="w">  </span><span class="nt">&quot;Version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2012-10-17&quot;</span><span class="p">,</span>
<span class="w">  </span><span class="nt">&quot;Statement&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<span class="w">    </span><span class="p">{</span>
<span class="w">      </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
<span class="w">      </span><span class="nt">&quot;Principal&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nt">&quot;AWS&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;arn:aws:iam::111122223333:role/eso-controller&quot;</span><span class="w"> </span><span class="p">},</span>
<span class="w">      </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;sts:AssumeRole&quot;</span><span class="p">,</span><span class="w"> </span><span class="s2">&quot;sts:TagSession&quot;</span><span class="p">]</span>
<span class="w">    </span><span class="p">}</span>
<span class="w">  </span><span class="p">]</span>
<span class="p">}</span>
</code></pre></div>









  




                
              </article>
            </div>
          
          
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
        </div>
        
      </main>
      
<img referrerpolicy="no-referrer-when-downgrade"
  src="https://static.scarf.sh/a.png?x-pxid=6658a9eb-067d-49f1-94f2-b8b00f21451e" alt=""
  hidden />
  
        <footer class="md-footer">
  
  <div class="md-footer-meta md-typeset">
    <div class="md-footer-meta__inner md-grid">
      <div class="md-copyright">
  
    <div class="md-copyright__highlight">
      &copy; 2025 The external-secrets Authors.<br/>
&copy; 2025 The Linux Foundation. All rights reserved.<br/><br/>
The Linux Foundation has registered trademarks and uses trademarks.<br/>
For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage/">Trademark Usage page</a>.

    </div>
  
  
    Made with
    <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
      Material for MkDocs
    </a>
  
</div>
      
    </div>
  </div>
</footer>
      

    </div>
    <div class="md-dialog" data-md-component="dialog">
      <div class="md-dialog__inner md-typeset"></div>
    </div>
    
    
    
      
      
      <script id="__config" type="application/json">{"annotate": null, "base": "../..", "features": ["navigation.tabs", "navigation.indexes", "navigation.expand"], "search": "../../assets/javascripts/workers/search.2c215733.min.js", "tags": null, "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
    
    
      <script src="../../assets/javascripts/bundle.79ae519e.min.js"></script>
      
    
  </body>
</html>