This repository was archived by the owner on Jul 26, 2022. It is now read-only.
The generated kubernetes manifests will be in `./output_dir` and can be applied to deploy `kubernetes-external-secrets` to the cluster.
52
52
53
-
### Use IAM credentials for Secrets Manager access
53
+
### Secrets Manager access
54
54
55
-
If not running on EKS you will have to use an IAM user (in lieu of a role).
56
-
Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars in the session/pod.
57
-
You can use envVarsFromSecret in the helm chart to create these env vars from existing k8s secrets
55
+
For `kubernetes-external-secrets` to be able to retrieve your secrets it will need access to your secret backend.
56
+
57
+
#### AWS based backends
58
+
59
+
Access to AWS secrets backends (SSM & secrets manager) can be granted in various ways:
60
+
61
+
1. Granting your nodes explicit access to your secrets using the [node instance role](https://docs.aws.amazon.com/eks/latest/userguide/worker_node_IAM_role.html) (easy for experimentation, not recommended)
62
+
63
+
2.[IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
64
+
65
+
3. Per pod IAM authentication: [kiam](https://github.com/uswitch/kiam) or [kube2iam](https://github.com/jtblin/kube2iam).
66
+
67
+
4. Directly provide AWS access credentials to the `kubernetes-external-secrets` pod by environmental variables.
68
+
69
+
##### Using AWS access credentials
70
+
71
+
Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars in the `kubernetes-external-secrets` session/pod.
72
+
You can use envVarsFromSecret in the helm chart to create these env vars from existing k8s secrets.
58
73
59
74
Additionally, you can specify a `roleArn` which will be assumed before retrieving the secret.
60
75
You can limit the range of roles which can be assumed by this particular *namespace* by using annotations on the namespace resource. The annotation key is configurable (see above). The annotation value is evaluated as a regular expression and tries to match the `roleArn`.
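Review bot: In the new list of access options, only option 1 carries a caveat ("not recommended"), while option 4 and the "Using AWS access credentials" subsection present static AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY values with no guidance on when to choose them. The removed sentence "If not running on EKS you will have to use an IAM user (in lieu of a role)" was the only text that scoped this method, and it is gone. Suggest restoring that scoping under option 4 or the subsection, and stating that options 2 or 3 are preferred where available, since IAM user access keys are long-lived and end up in the pod environment. Smaller points in the same hunk: "2.[IAM roles for service accounts]" is missing the space after "2.", so it will not render as a list item; "environmental variables" should read "environment variables"; the env var names and envVarsFromSecret should be in backticks to match `roleArn` below; and the new heading "Secrets Manager access" now introduces text that also covers SSM, so a backend-neutral title would fit better.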