AWS EKS & Secrets Manager (File & Env | Kubernetes | Secrets Store CSI Driver | K8s)

🔴 - To support my channel, I’d like to offer Mentorship/On-the-Job Support/Consulting - me@antonputra.com
👉 [UPDATED] AWS EKS Kubernetes Tutorial [NEW]: czcams.com/play/PLiMWaCMwGJXnKY6XmeifEpjIfkWRo9v2l.html&si=wc6LIC5V2tD-Tzwl

Get Full-Length High-Quality DevOps Tutorials for Free - Subscribe Now! - czcams.com/users/AntonPutra

👉 How to Manage Secrets in Terraform - czcams.com/video/3N0tGKwvBdA/video.html
👉 Terraform Tips & Tricks - czcams.com/video/7S94oUTy2z4/video.html
👉 ArgoCD Tutorial - czcams.com/video/zGndgdGa1Tc/video.html

🟢 [New] Terragrunt Tutorial: Create VPC, EKS from Scratch! (Step-by-Step) - czcams.com/video/yduHaOj3XMg/video.html

please dont put background music it kind of disturbing by the way great video 👍👍👍👍

🔴UPDATED🔴 How to create EKS Cluster using Terraform MODULES (AWS Load Balancer Controller + Autoscaler + IRSA) - czcams.com/video/kRKmcYC71J4/video.html

You're a life-saver Anton.

🔴UPDATED🔴: How to Create EKS Cluster Using Terraform - czcams.com/video/MZyrxzb7yAU/video.html

⏱️TIMESTAMPS⏱️
0:00 Intro
0:43 Create IAM User with Full Access
1:20 Create Secret in AWS Secrets Manager
2:32 Create EKS Cluster Using eksctl
3:59 Create IAM OIDC Provider for EKS
4:58 Create IAM Policy to Read Secrets
5:42 Create IAM Role for a Kubernetes Service Account
6:14 Associate an IAM Role with Kubernetes Service Account
7:51 Install the Kubernetes Secrets Store CSI Driver
10:51 Install AWS Secrets & Configuration Provider (ASCP)
12:20 Create Secret Provider Class
13:07 Demo

Thank you Very much for the this Video. It really saved my day. I was trying to set environment variable from the Secrets but it was not going well. Your hint in the ClusterRole really helped to solve the problem. Much Appreciated.

Thanks a lot for step by step implementation tutorial. I manage to mount secret as environment variable in container. But, if I update secret value in secret manager; updated value doesn't show on container.

can you please give the helm link to install secrets store csi driver and aws provider

Thank you very much for this video, you just explained a lot to me! Good Day

Great Video You are doing great Job, my Question is it is giving json out put (Key/Value) instead of Environment Variable (Value) which is expected, how can I resolve this for my Application? kindly suggest thanks

thanks for the video, just one question, at the time stamp 13:55 for the env: block, you have not mentioned the name of any secret, so what if i have multiple secrets in my secret manager, so which secret will be passed as env?

Great explanation. Thank you!!

Hello Anton! GREAT WORK, one question! What if I only want to create de Secret with the values from the Secret Manager secret, without having to create a deployment?

When I follow the first few steps until the point where you create a namespace and a sa, I see 0 under secrets when I get the service accounts in production namespace, why is it so? Can someone please help

instead of passing whole secret object in env. Is it possible to pass each individual secret key with secret value as environment to the deployment ?
- name: GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: api-token
like this is what i want to do and pass more like this, thanks

Thanks for the wonderful video, do we have AWS secret manager and csi driver implementing using terraform including CRD.

thank you

Thanks for the video, is the a way get only the values from secrets? in this video at the end you will get a key-value pair and you have to parse it so you can get the value. I just want to have the values per key and no more parsing.

Thanks for the beautiful video, i have one doubt why we are using CSI driver, can we use FES instead.

thank you Anton for the great video, one question related to this approach, do you think that using and mounting values to a volume is a safe approach ? and from your personal experience what do you recommend for working with secrets on AWS EKS ?

Awesome!! Thank you

Thanks a lot for the great video. I was looking for something similar. Just wondering if these works the same way for eks fargate as well ?

Great video.
But I'm curious, if we update the secret value from secret manager will it also effect the secret in k8s?

I have another question, suppose I want to access the key value directly from secret manager to k8s pod without creating k8s secrets. So that when I run "env" command inside pod at that time the key value is shown. Is it possible without creating k8s secrets?? If possible how to do that??

hmmm.. now this brings up another topic... and that is .. how can assign a kms role to the worker node so that it can encrypt and decrypt encrypted secrets in secrets manager/system parameter store?

Very good content... but why going so fast? :-)

Hello Sir
I have one question
I have hosted the Docker Image in the ECS
My Jenkins server will push the Docker Images into the ECS
Now in every 24 hours the ECS Secrete token will expires and I need to add the new Token every time manually
Is there is any method in AWS So that My ECS Token will updates automatically inside the Jenkins server so that I don't provide the credentials every-time

Hi.
At first really great video which is really helpfull.
I do have a question which i am unlucky to find any answer to it.
It is possible to take values from the SecretManager/Parameter store which are in Key-Value format and store them into a specific file?
For example taking values from multiple SecretManager endpoints and mount as single file without using an init/side container to perform it as part of script?
I know that it is possible with hashicorp vault just not sure if it is possible with this also.
Thanks :)

Hi
I had a question about management secret. Thank you for your guidance.
All secret management tools need a token or API key to retrieve secrets. Where should we store this token?
If we leave token on the server and delete it after getting the information - if the program encounters a problem for any reason and is restarted, we need the token again, but we have deleted it.
How to handle the token that is used to get information from the secret manager and keep it safe?
Thanks

I deployed this with helm but my pods are unable to fetch the secrets from AWS. Getting error : error fetching secrets SyntaxError: Unexpected end of JSON input . Can you please help me ?

Liked the secrets manager injection to k8 video but background music is way too loud. I would like to follow and see more if there was low volume or No background music.

Working fine, but doesn't seem to work with secret auto-rotation. What is the best way to apply changes to the secret store.

Hi Anton, a huge thanks for the great step by step demo, but can you confirm if we can integrate the secrets manager with a k8s cluster running on an on-prem server.
You mentioned at 4:10 that we just need to create a service account without creating a OIDC provider ID, but it is failing when we create it.

This is a great step-by-step video, Anton. The github repo is very useful, Thank you! May I just ask, when I update the secret in aws, I can see that it updates the value in /mnt/api-token/secret-token when I restart the pod. However, the environment variable still seems to retain the old value. Would you know if this is expected? And if yes, would you have suggestions on how to keep the secret in-sync? Again, this is a very useful tutorial, thank you.

Nice informative content. I am trying to create environment variable but it says that the k8s secret is not created in the first place. Though I can view the secret value if I just mount the secret in filesystem.

Hi Anton, Thank you for the detailed explanation. Could you confirm if Secrets Store CSI Driver works on managed EKS cluster created on fargate as you have created few daemonset yaml files?

This is great Anton! I was able to extract multiple secrets stored in Secrets Manager. I have a single query, in case I want to include all the data stored in the Secret created from SecretProviderClass, what annotation should I add in my Deployment? I have tried with envFrom and the name of the secret but it doesn't work. I enter my pod but it does not contain all the data of the Secret, do you have any solution? Thank you very much for the video!

can you please help iam getting
Unable to attach or mount volumes: unmounted volumes=[my-api-token]

My God! All this just to access the AWS Secrets?? :O

Thank you for explanation.
Is it possible to create a k8s cluster on EC2 instance and then use aws csi driver provider ? Also can we use it with clusters outside aws ?

Is it possible to fetch secret value as an env variable in container instead of a json??

great work, just a small note if you accept it, the music is very loud and made me lost focus many times

Problem with AWS Secrets Store driver is that you cannot pass multiple key=value pairs into the k8s secret. What's more, in your example you are passing key=value as an ENV value, not the value itself. To pass only the value you need to create secret in Secret Manager as a plaintext containing the secret value only.

bro running on 2x speed

Cool!!

Nihuya neponyatno no ochen interesno

What kind of audience were in your mind when you created this. This is just going too fast for someone who really wants to learn something. Honestly I have seen your other videos. You need to slow down a little bit and avoid the background music which is used for cooking tutorials. Thanks

Pls remove background music

L background music.

ur cover taste is really bad....god bless u

Hi from which location you performed
cat new_credentials.csv

This works perfectly fine for me when I tried following your solution but I am seeing AccessDeniedException: User: arn:aws:sts:::assumed-role/dev-eks-irsa/secrets-store-csi-driver-provider-aws is not authorized to perform: secretsmanager:GetSecretValue on resource: dev/service/token, For testing I added AministratorAccess permission and it worked but then I manually deleted the POD and it is trying to mount the volume and started seeing that error back. Not sure why?