Storing Certificate Files in AWS Secrets Manager and Accessing Them in Kubernetes Secrets

In modern cloud-native applications, managing sensitive information like TLS/SSL certificates securely is crucial. One reliable approach is to store certificates in AWS Secrets Manager and retrieve them in Kubernetes Secrets. This blog post explains how to configure this setup, ensuring your certificates remain secure and accessible to your Kubernetes workloads.

Why Use AWS Secrets Manager for Certificates?

AWS Secrets Manager provides robust security features for managing sensitive information such as certificates. Key benefits include:

• Automatic rotation of secrets for enhanced security.
• Fine-grained access control using IAM policies.
• Encryption of sensitive data at rest and in transit.
• Centralized management of secrets across environments.

While Kubernetes Secrets can also manage certificates, integrating AWS Secrets Manager enhances security by leveraging AWS’s built-in encryption and management capabilities.

Steps to Store and Retrieve Certificates

Let’s go through the process of storing certificates in AWS Secrets Manager and configuring Kubernetes to retrieve them.

1. Storing Certificates in AWS Secrets Manager

To store your certificates:

1. Go to AWS Secrets Manager and select Store a new secret.
2. Choose Other type of secret for custom data.

3. Under Key/value pairs, add the certificate and private key. Ensure the private key follows this format:
   

   {
     "name_of_cert.crt": "-----BEGIN CERTIFICATE-----\nMIID...base64content...\n-----END CERTIFICATE-----"
   }
   

   Each line within the certificate and key content must be separated by \n for correct formatting.

4. Name the secret (e.g., my-app-certificates) and add any required tags.

5. Configure access permissions using IAM policies to ensure only authorized services can access these secrets.

2. Retrieving Certificates in Kubernetes

Once stored, you can configure a Kubernetes Secret to retrieve and store the certificate data from AWS Secrets Manager. The following Helm chart snippet demonstrates how to create a Kubernetes Secret that dynamically pulls and base64-encodes the certificate data.

Sample Kubernetes Secret Manifest

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: certs
data:
  {{.Values.name_of_cert}}.crt: <path:{{.Values.secret_aws_arn_path}}#name_of_cert.crt | base64encode>

• .Values.name_of_cert is a Helm variable for dynamic certificate naming.
• {{.Values.secret_aws_arn_path}} references the AWS Secrets Manager ARN where the certificate is stored.
• base64encode ensures the certificate data meets Kubernetes Secret requirements.

Summary

Using AWS Secrets Manager to store certificates provides a secure, manageable, and compliant method for handling sensitive certificate data in Kubernetes. With AWS handling encryption and access management, and Kubernetes natively managing the secret retrieval, this setup optimally balances security and accessibility in cloud-native applications.

With these steps, your certificates are securely stored in AWS Secrets Manager and can be accessed by Kubernetes workloads without compromising sensitive data. Always review and update IAM policies to enforce the principle of least privilege, and periodically rotate your certificates for optimal security.

By following this guide, you’ll have a secure solution for managing certificates across Kubernetes and AWS environments.