
๐Ÿ” EKS Pod Identity Integration Overviewยถ

Purpose

This document explains how to securely integrate AWS Secrets Manager with Amazon EKS pods using IAM Roles for Service Accounts (IRSA), enabling secure access to secrets and credentials.

๐Ÿ” EKS Pod Identity Integration for AWS Secrets Managerยถ

This guide explains how to securely integrate AWS Secrets Manager with your Amazon EKS pods, enabling them to fetch certificates and user passwords.
It covers IAM roles for service accounts (IRSA), mounting secrets as files, and injecting secrets as environment variables.


๐Ÿ›ก๏ธ Overviewยถ

Amazon EKS supports fine-grained IAM permissions for pods through IRSA (IAM Roles for Service Accounts).
With IRSA a pod obtains temporary AWS credentials bound to its Kubernetes service account, so it can access AWS resources such as Secrets Manager without any static credentials in the cluster.


โš™๏ธ Prerequisitesยถ

  • EKS cluster with OIDC provider enabled.
  • AWS CLI and kubectl configured.
  • IAM role with permissions to access AWS Secrets Manager.
  • Kubernetes service account annotated for IRSA.

๐Ÿ“ Step-by-Step Integrationยถ

1. Create IAM Policy for Secrets Manager Access

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:unibeam/*"
    }
  ]
}

Least Privilege

Restrict the policy to only the secrets your pods require.

2. Create IAM Role and Associate with Kubernetes Service Account

eksctl create iamserviceaccount \
  --name unibeam-sa \
  --namespace unibeam \
  --cluster unibeam-eks \
  --attach-policy-arn arn:aws:iam::123456789012:policy/UnibeamSecretsManagerPolicy \
  --approve

IRSA

eksctl creates the IAM role with a trust policy for the cluster's OIDC provider and annotates the service account with the role ARN; pods that use this service account then receive AWS credentials automatically.


3. Mount Certificate Secret as a File

Use the Secrets Store CSI Driver (secrets-store.csi.k8s.io) with its AWS Secrets and Configuration Provider to mount the certificate as a file. The driver runs as a DaemonSet on the nodes, so the pod itself needs no init container or sidecar, only a CSI volume that names a SecretProviderClass.

apiVersion: v1
kind: Pod
metadata:
  name: cert-app
  namespace: unibeam
spec:
  serviceAccountName: unibeam-sa
  containers:
    - name: app
      image: nginx
      volumeMounts:
        - name: cert-volume
          mountPath: "/etc/certs"
  volumes:
    - name: cert-volume
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "aws-cert-provider"

CSI Driver

The AWS provider for the Secrets Store CSI Driver fetches the secret from Secrets Manager using the pod's IRSA credentials and mounts it as a read-only file inside the pod.

4. Inject User Password as Environment Variable

apiVersion: v1
kind: Pod
metadata:
  name: password-app
  namespace: unibeam
spec:
  serviceAccountName: unibeam-sa
  containers:
    - name: app
      image: nginx
      env:
        - name: USER_PASSWORD
          valueFrom:
            secretKeyRef:
              name: aws-user-password
              key: password

Environment Variables

Sync the AWS secret into a Kubernetes Secret (here named aws-user-password) using an operator or the CSI driver's secret sync feature, then reference that Kubernetes Secret from the pod spec; the pod never talks to Secrets Manager directly.
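The manifests in steps 3 and 4 reference a SecretProviderClass named aws-cert-provider and a Kubernetes Secret named aws-user-password without defining either. The following SecretProviderClass is an added example, not part of the original document: it tells the AWS provider of the Secrets Store CSI Driver which Secrets Manager entries to mount under /etc/certs and, through secretObjects, mirrors the password into the Kubernetes Secret that step 4 reads. The Secrets Manager names unibeam/app/tls-cert and unibeam/app/user-password are assumptions chosen to fall under the unibeam/* prefix allowed by the policy in step 1.

```yaml
# Added example: SecretProviderClass for the AWS provider (ASCP) of the
# Secrets Store CSI Driver. Secret names below are assumed, not from the page.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aws-cert-provider        # referenced by cert-app's CSI volume (step 3)
  namespace: unibeam
spec:
  provider: aws
  parameters:
    # "objects" is a YAML string that the AWS provider parses.
    objects: |
      # Certificate stored as a plain-text secret; lands at /etc/certs/tls.crt
      - objectName: "unibeam/app/tls-cert"
        objectType: "secretsmanager"
        objectAlias: "tls.crt"
      # JSON secret of the form {"password": "..."}; only that field is
      # extracted, so the whole JSON document is never written to disk.
      - objectName: "unibeam/app/user-password"
        objectType: "secretsmanager"
        jmesPath:
          - path: password
            objectAlias: user-password   # file name inside the mount
  # Mirror the extracted password into a Kubernetes Secret so password-app
  # can read it via secretKeyRef (step 4). The Secret exists only while a pod
  # in this namespace mounts the volume, and the driver must be installed with
  # secret sync enabled (Helm value syncSecret.enabled=true).
  secretObjects:
    - secretName: aws-user-password
      type: Opaque
      data:
        - objectName: user-password     # alias from the jmesPath entry above
          key: password
```

Note that the AWS provider calls secretsmanager:DescribeSecret in addition to GetSecretValue, so the step 1 policy must allow both actions or the mount fails. Confirm the mount with kubectl exec cert-app -n unibeam -- ls /etc/certs and the synced Secret with kubectl get secret aws-user-password -n unibeam.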

Monitoring & Troubleshooting

  • Check pod logs for authentication errors.
  • Verify IAM role and service account annotations.
  • Use kubectl describe pod <pod-name> -n unibeam to inspect volume mounts and environment variables.

Security

Never hardcode secrets in manifests. Always use IRSA and secret management tools.

References