DEV Community

Adam Hammond

Originally published at engi.fyi

The Secret: Kubernetes Secrets and AWS SSM

Secrets are always an awkward problem in Kubernetes. Here is a very simple way to use AWS Systems Manager (SSM) Parameter Store to inject secrets into your services from the CI/CD pipeline. It is quick enough that you might miss it, so let's get straight to it.

First, log in to AWS and open Systems Manager. Go to Parameter Store and create a new parameter. The parameter type must be SecureString, so the value is encrypted at rest with KMS; name it whatever you like, I go with /<cloud_provider>/k8s/<application>/<environment>. Paste the contents of secret.yaml as the parameter's value. Two things to keep in mind: the values under `data:` must be base64-encoded (that is what kubectl expects there; it is encoding, not encryption), and a standard-tier parameter holds at most 4 KB, so keep the manifest small.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: wp-secrets
  namespace: wp-custom-domain
data:
  # base64-encoded plaintext password (value elided here)
  wordpress_db_password: QXdm .. mRUg=
```

Second, add the following step to your CI configuration, before the step that creates the Kubernetes Deployment. The CI job needs an IAM identity allowed to call ssm:GetParametersByPath on that path (plus kms:Decrypt on the key, if the parameter is encrypted with a customer-managed KMS key) and a kubeconfig that can create Secrets in the target namespace. `CI_ENVIRONMENT_NAME` is GitLab CI's predefined variable for the deployment environment; `CLOUD_PROVIDER` and `APP_TYPE` are variables you define yourself.

```bash
# create secrets
# parameter name: /${CLOUD_PROVIDER}/k8s/${APP_TYPE}/${CI_ENVIRONMENT_NAME}
# The prefix in the JMESPath filter must match --path; a hard-coded provider
# segment here silently matches nothing as soon as CLOUD_PROVIDER changes.
# The decrypted manifest is piped straight into kubectl so it never lands on disk.
aws ssm get-parameters-by-path \
  --path "/${CLOUD_PROVIDER}/k8s/${APP_TYPE}/" \
  --query "Parameters[?Name==\`/${CLOUD_PROVIDER}/k8s/${APP_TYPE}/${CI_ENVIRONMENT_NAME}\`].Value" \
  --with-decryption --output text | kubectl apply -f -
```

Finally, reference the Secret from your Deployment spec with the valueFrom / secretKeyRef directive. The Deployment must live in the same namespace as the Secret (wp-custom-domain here); a secretKeyRef cannot reach across namespaces.

```yaml
spec:
  containers:
  - name: wordpress
    # Docker Hub displays official images as "_/wordpress", but the image
    # reference in a manifest is just "wordpress:<tag>".
    image: wordpress:5.3.2
    env:
    - name: WORDPRESS_DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: wp-secrets
          key: wordpress_db_password
```
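Putting the three steps together, here is an added example: a helper script of my own, not code from the original post, that renders the Secret manifest from plaintext values, stores it in Parameter Store, and applies it from CI. It assumes the /<cloud_provider>/k8s/<app>/<env> naming convention above, an authenticated aws CLI and kubectl in the CI job, and the hypothetical function names `render_secret_manifest`, `ssm_parameter_name`, `store_secret_in_ssm` and `apply_secret_from_ssm`. It goes a little beyond the post in two ways: it base64-encodes the plaintext values for you (so the manifest never has to be hand-built), and the CI step fetches the one parameter it needs by name with `get-parameter` instead of listing the path, so no page limit applies.

```shell
#!/bin/sh
# Added example (not from the original post): SSM Parameter Store -> Kubernetes Secret.
# Assumes: aws CLI + kubectl authenticated in CI; parameter naming /<provider>/k8s/<app>/<env>.
set -eu

# Render a Kubernetes Secret manifest from plaintext key=value pairs.
# `data:` values must be base64-encoded (encoding, not encryption), so that is
# done here rather than by hand. Newlines that GNU base64 inserts are stripped.
render_secret_manifest() {
  local name namespace kv key value
  name="$1"; namespace="$2"; shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n' \
    "$name" "$namespace"
  for kv in "$@"; do
    key="${kv%%=*}"; value="${kv#*=}"
    [ -n "$key" ] && [ "$key" != "$kv" ] || { echo "bad key=value pair: $kv" >&2; return 1; }
    printf '  %s: %s\n' "$key" "$(printf '%s' "$value" | base64 | tr -d '\n')"
  done
}

# Parameter name for this provider/app/environment, following the post's convention.
ssm_parameter_name() {
  printf '/%s/k8s/%s/%s' "$1" "$2" "$3"
}

# One-off (or on rotation), run from an operator shell: store the manifest as a SecureString.
# A standard-tier parameter holds at most 4 KB, so fail early instead of from the API.
store_secret_in_ssm() {
  local param manifest
  param="$1"; shift
  manifest="$(render_secret_manifest "$@")"
  [ "${#manifest}" -le 4096 ] || { echo "manifest exceeds the 4 KB standard-tier limit" >&2; return 1; }
  aws ssm put-parameter --name "$param" --type SecureString --overwrite \
    --value "$manifest" >/dev/null
}

# CI step: fetch exactly the parameter for this environment and apply it.
# The decrypted manifest is piped straight into kubectl so it is never written
# to the workspace; do not run this under `set -x`, or it will land in job logs.
apply_secret_from_ssm() {
  local param
  param="$1"
  aws ssm get-parameter --name "$param" --with-decryption \
    --query 'Parameter.Value' --output text | kubectl apply -f -
}

# Usage:
#   ./secrets.sh store wordpress_db_password='s3cr3t'      # operator, once per rotation
#   ./secrets.sh apply                                      # CI, before the Deployment step
# Both expect CLOUD_PROVIDER, APP_TYPE and CI_ENVIRONMENT_NAME in the environment.
case "${1:-}" in
  store) shift
         store_secret_in_ssm "$(ssm_parameter_name "$CLOUD_PROVIDER" "$APP_TYPE" "$CI_ENVIRONMENT_NAME")" \
           wp-secrets wp-custom-domain "$@" ;;
  apply) apply_secret_from_ssm "$(ssm_parameter_name "$CLOUD_PROVIDER" "$APP_TYPE" "$CI_ENVIRONMENT_NAME")" ;;
esac
```

The split into `store` (run by a human with write access) and `apply` (run by CI with read-only access) lets the CI role hold only ssm:GetParameter on the parameter path, so a compromised pipeline cannot overwrite the secret it consumes.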

That is all: run your CI deployment and the secret is available in Kubernetes. See, I told you it was simple! It is a simple but effective way to get secrets into your environment while keeping them out of source code. Two things to remember: a Kubernetes Secret is only base64-encoded in etcd, so restrict who can read Secrets in the namespace with RBAC and enable encryption at rest if your cluster does not already do so; and make sure the CI step does not echo the decrypted manifest into the job log (for example by running under `set -x`).

Top comments (1)

ismail yenigul
Thanks for the article. Just keep in mind that get-parameters-by-path can return a maximum of 10 items. If there are more than 10 secrets, NextToken should be used to fetch iteratively. The details are at
docs.aws.amazon.com/systems-manage... and docs.aws.amazon.com/cli/latest/use...