AWS Secrets and Configuration Provider now integrates with Pod Identity for Amazon EKS

Posted on: Feb 11, 2025

Today, AWS Secrets Manager announces that AWS Secrets and Configuration Provider (ASCP) now integrates with Amazon Elastic Kubernetes Service (Amazon EKS) Pod Identity. This integration simplifies IAM authentication for Amazon EKS when retrieving secrets from AWS Secrets Manager or parameters from AWS Systems Manager Parameter Store. With this new capability, you can manage IAM permissions for Kubernetes applications more efficiently and securely, enabling granular access control through role session tags on secrets.

ASCP is a plugin for the industry-standard Kubernetes Secrets Store CSI Driver. It enables applications running in Kubernetes pods to retrieve secrets from AWS Secrets Manager easily, without the need for custom code or restarting containers when secrets are rotated. Amazon EKS Pod Identity streamlines the process of configuring IAM permissions for Kubernetes applications, making it more efficient and secure. This integration combines the strengths of both components, enhancing secret management in Amazon EKS environments.

Previously, ASCP relied on IAM Roles for Service Accounts (IRSA) for authentication. Now, you can choose between IRSA and Pod Identity for IAM authentication using the new optional parameter "usePodIdentity". This flexibility allows you to adopt the authentication method that best suits your security requirements and operational needs.
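As an added example (not from the announcement or the ASCP project), the manifests below show a SecretProviderClass that opts in to Pod Identity with the usePodIdentity parameter, and a pod that mounts it. They assume the EKS Pod Identity Agent add-on is installed on the cluster and that a Pod Identity association (aws eks create-pod-identity-association) maps the service account app-sa in namespace prod to an IAM role permitted to read the listed secret and parameter; prod, app-sa, app-secrets and the object names are placeholders.

```yaml
# Added example, not from the announcement. All names are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-secrets
  namespace: prod
spec:
  provider: aws
  parameters:
    # Authenticate via EKS Pod Identity instead of IRSA.
    # Omit this parameter to keep the IRSA behaviour.
    usePodIdentity: "true"
    objects: |
      - objectName: "prod/app/db"       # Secrets Manager secret
        objectType: "secretsmanager"
      - objectName: "/prod/app/feature" # Parameter Store parameter
        objectType: "ssmparameter"
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: prod
spec:
  # The Pod Identity association for this service account decides which
  # IAM role ASCP assumes; no IRSA annotation on the service account is needed.
  serviceAccountName: app-sa
  containers:
    - name: app
      image: busybox
      command: ["sh", "-c", "ls -l /mnt/secrets && sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-secrets
```

If the mount fails, the CSI driver reports the IAM error on the pod's events (kubectl describe pod app -n prod), which is where a missing or mis-scoped Pod Identity association shows up.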

The integration of ASCP with Pod Identity is available in all AWS Regions where AWS Secrets Manager and Amazon EKS Pod Identity are supported. To get started with this new feature, see the following resources: the AWS Secrets Manager documentation, the Amazon EKS Pod Identity documentation, and the launch blog post.