Cover image for The Secret: Kubernetes Secrets and AWS SSM

The Secret: Kubernetes Secrets and AWS SSM

hammotime profile image Adam Hammond Originally published at engi.fyi ・1 min read

Kubernetes and secrets is always a difficult problem. I've got a super simple solution using AWS SSM today that we can use during our CI/CD pipeline to inject our secrets into our services. This is so simple and quick, that you might miss it, so I'll get to it.

First, log into AWS and open up Systems Manager. Go to Parameter Store, and create a new Parameter. The parameter type needs to be SecureString, feel free to name it whatever you like; I like to go with /<cloud_provider>/k8s/<application>/<environment>. Add the contents of secret.yaml as the parameter's value.

apiVersion: v1
kind: Secret
  name: wp-secrets
  namespace: wp-custom-domain
  wordpress_db_password: QXdm .. mRUg=

Secondly, jump into your CI configuration and add the following as a step prior to creating your Kubernetes Deployment.

# create secrets
aws ssm get-parameters-by-path \
  --path "/${CLOUD_PROVIDER}/k8s/${APP_TYPE}/" \
  --query "Parameters[?Name==\`/do/k8s/${APP_TYPE}/${CI_ENVIRONMENT_NAME}\`].Value" \
  --with-decryption --output text | kubectl apply -f -

Finally, configure your Deployment spec to include the value of the secret using the valueFrom directive.

  - name: wordpress
    image: _/wordpress:5.3.2
           name: wp-secrets
           key:  wordpress_db_password

The only thing you need to do now is run your CI Deployment and your secrets will be available in Kubernetes! See, I told you it was simple! This is a simple, yet effective way to deploy secrets into your environment while keeping them out of source code.

Posted on by:

hammotime profile

Adam Hammond


I'm an Australian DevOps Engineer that loves picking things apart to figure out how they work. Opinions are my own. #devops #python #aws #containers


Editor guide