-
We are looking for a solution to sync secrets from Secrets Manager to our k3s clusters running on EC2 (no EKS). Is it possible to use this project with outside clusters?
Replies: 5 comments
-
Same here, I run k3s on-prem and I would like to use AWS Secrets Manager.
-
Yes, however it is not officially documented.
Do you think a detailed article about using this project in self-hosted k8s would be useful?
-
Absolutely, I think so.
-
In the case that a self-hosted cluster doesn't have IAM role association for service accounts, would there be a problem using an IAM role for Amazon EC2 instead?
-
I did an installation of secrets-store-csi-driver and secrets-store-csi-driver-provider-aws on a non-EKS cluster with the instructions above, but unfortunately I don't have success because my provider log shows:

And the endpoint is absent on a non-EKS cluster.
Yes, however it is not officially documented.
You should have working IAM role association for service accounts in your self-hosted cluster via AWS IAM OIDC (or a similar approach like kube2iam, but I haven't tested it).
Then you should:
1. Set the `driverWritesSecrets` launch argument to `True` (currently not possible via Helm, but I am already on it).
2. Create an IAM role allowing `sts:AssumeRoleWithWebIdentity` (see the Medium article above) and `secretsmanager:GetSecretValue`.
3. Add the `"eks.amazonaws.com/role-arn"` annotation to the service account you will use later for your pod. Use the ARN of the role from step 2 as the value.
4. Add `AWS_DEFAULT_REGION`, `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE` envs to you…
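As an added example (not code from the thread or from the provider project), the following Python script builds the IAM trust policy from step 2 and the service account annotation from step 3, then checks a projected service account token's claims against that trust policy offline. On a self-hosted cluster the usual reason `AssumeRoleWithWebIdentity` is denied is that the token's `sub` or `aud` claim does not match the condition keys, and the script reports exactly which one. The account ID, issuer URL, namespace, service account, role name and secret ARN are constructed values; granting `secretsmanager:DescribeSecret` next to `GetSecretValue` is an assumption the post does not make.

```python
"""Added example: build and sanity-check the IAM side of IRSA for a self-hosted (k3s) cluster.
All values below are constructed for the example; they are not from the thread."""
import base64
import json

ACCOUNT_ID = "123456789012"                    # assumed AWS account
ISSUER_URL = "https://oidc.example.com/k3s/"   # assumed kube-apiserver --service-account-issuer
NAMESPACE = "default"                          # assumed workload namespace
SERVICE_ACCOUNT = "secrets-reader"             # assumed service account name
ROLE_NAME = "k3s-secrets-reader"               # assumed IAM role name
SECRET_ARN = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:app/db-??????"  # assumed; ?????? is the random suffix
STS_AUDIENCE = "sts.amazonaws.com"


def issuer_host_path(issuer_url: str) -> str:
    """IAM names the OIDC provider by the issuer without its https:// scheme or trailing slash."""
    if not issuer_url.startswith("https://"):
        raise ValueError("service account issuer must be an https:// URL")
    return issuer_url[len("https://"):].rstrip("/")


def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(account_id: str, issuer_url: str, namespace: str, sa_name: str) -> dict:
    """Step 2 trust policy: only tokens for one service account, minted for STS, may assume the role."""
    provider = issuer_host_path(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{provider}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                f"{provider}:aud": STS_AUDIENCE,
            }},
        }],
    }


def permissions_policy(secret_arn: str) -> dict:
    """Step 2 permissions, scoped to one secret instead of Resource "*" (DescribeSecret is an assumption)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": secret_arn,
        }],
    }


def service_account_manifest(namespace: str, sa_name: str, arn: str) -> dict:
    """Step 3: the annotation the provider reads to decide which role to assume."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": sa_name, "namespace": namespace,
                         "annotations": {"eks.amazonaws.com/role-arn": arn}}}


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode().rstrip("=")


def make_unsigned_token(claims: dict) -> str:
    """Constructed JWT-shaped string for offline testing only; the signature is a placeholder.
    A real projected token is RS256-signed by kube-apiserver and STS verifies it against the
    JWKS published at the issuer URL."""
    return f"{_b64url({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url(claims)}.signature-omitted"


def sample_claims(namespace: str, sa_name: str) -> dict:
    """Claims shaped like a projected service account token requested with audience sts.amazonaws.com."""
    return {"iss": ISSUER_URL.rstrip("/"), "sub": f"system:serviceaccount:{namespace}:{sa_name}",
            "aud": [STS_AUDIENCE], "iat": 1700000000, "exp": 1700003600}


def decode_jwt_payload(token: str) -> dict:
    """Read the claims without verifying the signature (fine for diagnosis, never for authorisation)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


def explain_denial(token: str, policy: dict) -> list:
    """Return the reasons STS would reject AssumeRoleWithWebIdentity for this token under this policy."""
    stmt = policy["Statement"][0]
    provider = stmt["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
    want = stmt["Condition"]["StringEquals"]
    sub_key, aud_key = f"{provider}:sub", f"{provider}:aud"
    claims = decode_jwt_payload(token)
    problems = []
    iss = claims.get("iss", "")
    if not iss.startswith("https://") or issuer_host_path(iss) != provider:
        problems.append(f"iss {iss!r} is not the registered provider {provider!r}")
    if claims.get("sub") != want[sub_key]:
        problems.append(f"sub {claims.get('sub')!r} does not equal {want[sub_key]!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if want[aud_key] not in aud:
        problems.append(f"aud {aud!r} does not contain {want[aud_key]!r}")
    return problems


if __name__ == "__main__":
    policy = trust_policy(ACCOUNT_ID, ISSUER_URL, NAMESPACE, SERVICE_ACCOUNT)
    print(json.dumps(policy, indent=2))
    print(json.dumps(service_account_manifest(NAMESPACE, SERVICE_ACCOUNT, role_arn(ACCOUNT_ID, ROLE_NAME)), indent=2))
    # Same service account name in another namespace: denied on the sub condition.
    print(explain_denial(make_unsigned_token(sample_claims("staging", SERVICE_ACCOUNT)), policy))
```

Two things the check makes visible: the token must be requested with audience `sts.amazonaws.com` (for a projected volume that is the `audience` field of the `serviceAccountToken` source; a default-audience token fails the `aud` condition as the example shows), and the issuer URL must serve the OIDC discovery documents and be registered in IAM as an OIDC identity provider with that audience as a client ID, otherwise STS cannot verify the signature at all.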