🔄 Let's Do DevOps: EKS K8s & Python Fuzzy Staging with AWS Secrets Manager, K8s Init disk, Secrets Injection

Kyler Middleton
2 min read · Aug 8, 2022

This blog series focuses on presenting complex DevOps projects as simple and approachable via plain language and lots of pictures. You can do it!

Hey all!

I've been deep diving into K8s CSI drivers for AWS Secrets Manager and ESO, the External Secrets Operator, an open source project that's similar. Both purport to allow pods to call secrets on demand from external sources on launch. And they do! But they do something that you may not want (and I know I don't want) — they replicate your external, well protected and encrypted secrets to the k8s secrets store, where they are less protected.

That has some excellent caching benefits, but the big cost is that your secret passwords and certificates — the keys to your infrastructure and data — now live in a second place. That second store needs to be secured, audited, and monitored with as much rigor as the primary location where your secrets are stored.

Why use CSI or ESO when we can do it ourselves with Python? (Background photo by Sharon McCutcheon on Unsplash)

That's a pretty significant security architecture expansion, and maybe not one you want or can permit. So I decided to do it my own way. I wrote a Python program that runs in an init container and does a fuzzy match (partial search matching, so one pattern can select multiple secrets) against AWS Secrets Manager. That…
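As an added example (not code from the original post or its author), here is the shape such an init-container program can take: narrow the candidate set by name prefix, fuzzy-match the remaining names, fetch only the selected values, and stage each one as an owner-only file in the volume shared with the app container, so nothing is written into the Kubernetes secrets store. The function names (`list_secret_names`, `fuzzy_select`, `fetch_secrets`, `write_secret_files`, `run_init`, `demo`) and the sample secret names and values are all constructed for this example. `FakeSecretsManager` is an offline stand-in for `boto3.client("secretsmanager")`; it mirrors the real client's `list_secrets` call (with the `name` filter and `NextToken` paging) and `get_secret_value`, so the same functions work unchanged against the real client in the pod.

```python
import os
import re
import stat
import tempfile
from typing import Dict, Iterable, List


class FakeSecretsManager:
    """Offline stand-in for boto3.client("secretsmanager"). It mimics the two
    calls the real client exposes for this job, list_secrets (paginated with
    NextToken) and get_secret_value, so the example runs without AWS access.
    Every secret it holds is a constructed sample value, not real credential data."""

    def __init__(self, secrets: Dict[str, str], page_size: int = 2):
        self._secrets = secrets
        self._page_size = page_size

    def list_secrets(self, Filters=None, NextToken=None, **_):
        names = sorted(self._secrets)
        if Filters:  # the real API supports a "name" prefix filter
            prefixes = [v for f in Filters if f["Key"] == "name" for v in f["Values"]]
            names = [n for n in names if any(n.startswith(p) for p in prefixes)]
        start = int(NextToken or 0)
        page = names[start:start + self._page_size]
        out = {"SecretList": [{"Name": n} for n in page]}
        if start + self._page_size < len(names):
            out["NextToken"] = str(start + self._page_size)
        return out

    def get_secret_value(self, SecretId: str, **_):
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}


SAMPLE_SECRETS = {  # constructed names and values for the demo
    "prod/app/db-password": "constructed-db-pw",
    "prod/app/tls-cert": "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----",
    "prod/app/api-key": "constructed-api-key",
    "prod/other/db-password": "belongs-to-another-team",
    "staging/app/db-password": "constructed-staging-pw",
}


def list_secret_names(client, name_prefix: str) -> List[str]:
    """Walk every page of list_secrets and return the names under name_prefix."""
    names, token = [], None
    while True:
        kwargs = {"Filters": [{"Key": "name", "Values": [name_prefix]}]}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_secrets(**kwargs)
        names.extend(s["Name"] for s in resp.get("SecretList", []))
        token = resp.get("NextToken")
        if not token:
            return names


def fuzzy_select(names: Iterable[str], pattern: str) -> List[str]:
    """Partial (fuzzy) match: keep the names that contain the case-insensitive regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(n for n in names if rx.search(n))


def fetch_secrets(client, name_prefix: str, pattern: str) -> Dict[str, str]:
    """Narrow by prefix first, then fuzzy-match, then pull only the chosen values."""
    chosen = fuzzy_select(list_secret_names(client, name_prefix), pattern)
    return {n: client.get_secret_value(SecretId=n)["SecretString"] for n in chosen}


def write_secret_files(secrets: Dict[str, str], target_dir: str) -> List[str]:
    """Write one owner-only (0600) file per secret into the shared init volume.
    '/' in the secret name is flattened so every file stays inside target_dir."""
    os.makedirs(target_dir, mode=0o700, exist_ok=True)
    written = []
    for name, value in secrets.items():
        fname = name.replace("/", "__")
        if os.path.basename(fname) != fname:  # defensive: no path separators may remain
            raise ValueError(f"unsafe secret name: {name!r}")
        path = os.path.join(target_dir, fname)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(value)
        written.append(path)
    return written


def run_init(client, name_prefix: str, pattern: str, target_dir: str) -> List[str]:
    """What the init container does once at pod start; returns the staged file paths."""
    return write_secret_files(fetch_secrets(client, name_prefix, pattern), target_dir)


def demo() -> Dict[str, int]:
    """Stage the sample secrets into a fresh temp dir; map each file path to its mode bits."""
    staged = run_init(FakeSecretsManager(SAMPLE_SECRETS), "prod/app/", r"db|tls",
                      tempfile.mkdtemp())
    return {p: stat.S_IMODE(os.stat(p).st_mode) for p in staged}


if __name__ == "__main__":
    # In the pod, target_dir is the emptyDir shared with the app container and the
    # client is boto3.client("secretsmanager") using the service account's IAM role.
    for path, mode in demo().items():
        print(path, oct(mode))
```

Two design points matter here from a security standpoint. First, the prefix filter runs server-side and the fuzzy pattern runs client-side, so the pattern should be as narrow as the app's needs allow; the IAM policy on the pod's service account role still bounds what `list_secrets` and `get_secret_value` can return. Second, the staged files are created with `0600` inside a directory the app container mounts; if that volume is an `emptyDir` backed by memory, the secret values never touch node disk or the Kubernetes secrets store, which is the whole point of the approach.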

