Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 10. Tutorial: Using AWS Secrets Manager CSI on Red Hat OpenShift Service on AWS with STS

The AWS Secrets and Configuration Provider (ASCP) provides a way to expose AWS Secrets as Kubernetes storage volumes. With the ASCP, you can store and manage your secrets in Secrets Manager and then retrieve them through your workloads running on Red Hat OpenShift Service on AWS.

10.1. Prerequisites
Link kopieren

Ensure that you have the following resources and tools before starting this process:

  • A Red Hat OpenShift Service on AWS cluster deployed with STS
  • Helm 3
  • aws CLI
  • oc CLI
  • jq CLI

Additional environment requirements

  1. Log in to your Red Hat OpenShift Service on AWS cluster by running the following command: 

    $ oc login --token=<your-token> --server=<your-server-url>
    Copy to Clipboard Toggle word wrap

    You can find your login token by accessing your cluster in pull secret from Red Hat OpenShift Cluster Manager.

  2. Validate that your cluster has STS by running the following command: 

    $ oc get authentication.config.openshift.io cluster -o json \
  | jq .spec.serviceAccountIssuer
    Copy to Clipboard Toggle word wrap

    Example output

    "https://xxxxx.cloudfront.net/xxxxx"
    Copy to Clipboard Toggle word wrap

    If your output is different, do not proceed. See Red Hat documentation on creating an STS cluster before continuing this process.

  3. Set the SecurityContextConstraints permission to allow the CSI driver to run by running the following command: 

    $ oc new-project csi-secrets-store
$ oc adm policy add-scc-to-user privileged \
    system:serviceaccount:csi-secrets-store:secrets-store-csi-driver
$ oc adm policy add-scc-to-user privileged \
    system:serviceaccount:csi-secrets-store:csi-secrets-store-provider-aws
    Copy to Clipboard Toggle word wrap

  4. Create environment variables to use later in this process by running the following command: 

    $ export REGION=$(oc get infrastructure cluster -o=jsonpath="{.status.platformStatus.aws.region}")
$ export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster \
   -o jsonpath='{.spec.serviceAccountIssuer}' | sed  's|^https://||')
$ export AWS_ACCOUNT_ID=`aws sts get-caller-identity --query Account --output text`
$ export AWS_PAGER=""
    Copy to Clipboard Toggle word wrap

10.2. Deploying the AWS Secrets and Configuration Provider
Link kopieren

  1. Use Helm to register the secrets store CSI driver by running the following command: 

    $ helm repo add secrets-store-csi-driver \
    https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
    Copy to Clipboard Toggle word wrap

  2. Update your Helm repositories by running the following command: 

    $ helm repo update
    Copy to Clipboard Toggle word wrap

  3. Install the secrets store CSI driver by running the following command: 

    $ helm upgrade --install -n csi-secrets-store \
    csi-secrets-store-driver secrets-store-csi-driver/secrets-store-csi-driver
    Copy to Clipboard Toggle word wrap

  4. Deploy the AWS provider by running the following command: 

    $ oc -n csi-secrets-store apply -f \
    https://raw.githubusercontent.com/rh-mobb/documentation/main/content/misc/secrets-store-csi/aws-provider-installer.yaml
    Copy to Clipboard Toggle word wrap

  5. Check that both Daemonsets are running by running the following command: 

    $ oc -n csi-secrets-store get ds \
    csi-secrets-store-provider-aws \
    csi-secrets-store-driver-secrets-store-csi-driver
    Copy to Clipboard Toggle word wrap

  6. Label the Secrets Store CSI Driver to allow use with the restricted pod security profile by running the following command: 

    $ oc label csidriver.storage.k8s.io/secrets-store.csi.k8s.io security.openshift.io/csi-ephemeral-volume-profile=restricted
    Copy to Clipboard Toggle word wrap

10.3. Creating a Secret and IAM Access Policies
Link kopieren

  1. Create a secret in Secrets Manager by running the following command: 

    $ SECRET_ARN=$(aws --region "$REGION" secretsmanager create-secret \
    --name MySecret --secret-string \
    '{"username":"shadowman", "password":"hunter2"}' \
    --query ARN --output text); echo $SECRET_ARN
    Copy to Clipboard Toggle word wrap

  2. Create an IAM Access Policy document by running the following command: 

    $ cat << EOF > policy.json
{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": ["$SECRET_ARN"]
      }]
}
EOF
    Copy to Clipboard Toggle word wrap

  3. Create an IAM Access Policy by running the following command: 

    $ POLICY_ARN=$(aws --region "$REGION" --query Policy.Arn \
--output text iam create-policy \
--policy-name openshift-access-to-mysecret-policy \
--policy-document file://policy.json); echo $POLICY_ARN
    Copy to Clipboard Toggle word wrap

  4. Create an IAM Role trust policy document by running the following command:

    Note

    The trust policy is locked down to the default service account of a namespace you create later in this process. 

    $ cat <<EOF > trust-policy.json
{
   "Version": "2012-10-17",
   "Statement": [
   {
   "Effect": "Allow",
   "Condition": {
     "StringEquals" : {
       "${OIDC_ENDPOINT}:sub": ["system:serviceaccount:my-application:default"]
      }
    },
    "Principal": {
       "Federated": "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/${OIDC_ENDPOINT}"
    },
    "Action": "sts:AssumeRoleWithWebIdentity"
    }
    ]
}
EOF
    Copy to Clipboard Toggle word wrap

  5. Create an IAM role by running the following command: 

    $ ROLE_ARN=$(aws iam create-role --role-name openshift-access-to-mysecret \
--assume-role-policy-document file://trust-policy.json \
--query Role.Arn --output text); echo $ROLE_ARN
    Copy to Clipboard Toggle word wrap

  6. Attach the role to the policy by running the following command: 

    $ aws iam attach-role-policy --role-name openshift-access-to-mysecret \
    --policy-arn $POLICY_ARN
    Copy to Clipboard Toggle word wrap

10.4. Create an Application to use this secret
Link kopieren

  1. Create an OpenShift project by running the following command: 

    $ oc new-project my-application
    Copy to Clipboard Toggle word wrap

  2. Annotate the default service account to use the STS Role by running the following command: 

    $ oc annotate -n my-application serviceaccount default \
    eks.amazonaws.com/role-arn=$ROLE_ARN
    Copy to Clipboard Toggle word wrap

  3. Create a secret provider class to access our secret by running the following command: 

    $ cat << EOF | oc apply -f -
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-application-aws-secrets
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "MySecret"
        objectType: "secretsmanager"
EOF
    Copy to Clipboard Toggle word wrap

  4. Create a deployment by using our secret in the following command: 

    $ cat << EOF | oc apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: my-application
  labels:
    app: my-application
spec:
  volumes:
  - name: secrets-store-inline
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "my-application-aws-secrets"
  containers:
  - name: my-application-deployment
    image: k8s.gcr.io/e2e-test-images/busybox:1.29
    command:
      - "/bin/sleep"
      - "10000"
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
EOF
    Copy to Clipboard Toggle word wrap

  5. Verify the pod has the secret mounted by running the following command: 

    $ oc exec -it my-application -- cat /mnt/secrets-store/MySecret
    Copy to Clipboard Toggle word wrap

10.5. Clean up
Link kopieren

  1. Delete the application by running the following command: 

    $ oc delete project my-application
    Copy to Clipboard Toggle word wrap

  2. Delete the secrets store csi driver by running the following command: 

    $ helm delete -n csi-secrets-store csi-secrets-store-driver
    Copy to Clipboard Toggle word wrap

  3. Delete the security context constraints by running the following command: 

    $ oc adm policy remove-scc-from-user privileged \
    system:serviceaccount:csi-secrets-store:secrets-store-csi-driver; oc adm policy remove-scc-from-user privileged \
    system:serviceaccount:csi-secrets-store:csi-secrets-store-provider-aws
    Copy to Clipboard Toggle word wrap

  4. Delete the AWS provider by running the following command: 

    $ oc -n csi-secrets-store delete -f \
https://raw.githubusercontent.com/rh-mobb/documentation/main/content/misc/secrets-store-csi/aws-provider-installer.yaml
    Copy to Clipboard Toggle word wrap

  5. Delete AWS Roles and Policies by running the following command: 

    $ aws iam detach-role-policy --role-name openshift-access-to-mysecret \
    --policy-arn $POLICY_ARN; aws iam delete-role --role-name openshift-access-to-mysecret; aws iam delete-policy --policy-arn $POLICY_ARN
    Copy to Clipboard Toggle word wrap

  6. Delete the Secrets Manager secret by running the following command: 

    $ aws secretsmanager --region $REGION delete-secret --secret-id $SECRET_ARN
    Copy to Clipboard Toggle word wrap
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat