external-secrets/kubernetes-external-secrets

Using KMS key in AWS

Closed this issue · 3 comments

If there are secrets stored in AWS Secrets Manager with or without a KMS key and I have an EKS cluster created with that KMS key, does KES know when to use the key automatically or is there some kind of setting in the external secret?

David

Correct me if I am wrong. The KMS key added to the cluster at cluster creation time is for encrypting the passwords in the cluster - etcd. The question I am asking is about using a custom KMS key to store passwords in Secrets Manager. If no KMS key is used when storing a password in Secrets Manager then AWS uses its own default key. If a customer key is used to encrypt the password in Secrets Manager, how does KES know to use the custom key when fetching the secret value? Does the policy for the ExternalSecret role need to be modified to mention the custom key? Something like the following? I found this in YAML form in issue Add required IAM permissions to Readme #116. This should allow access to decrypt using the keys with which the secrets are encrypted and grant access to a sub path of values, in this case hello-service. Is this correct?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Decrypt",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:us-east-1:0123456789AB:key/a0495691-1f7a-4d94-b27d-58a20e2d1aef"
        },
        {
            "Sid": "Password",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:0123456789AB:secret:/hello-service/*"
            ]
        }
    ]
}
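As an added example (not from this issue or the kubernetes-external-secrets project), the following Python builds the kind of least-privilege policy discussed above for the role KES runs as: `secretsmanager:GetSecretValue` on each secret, and `kms:Decrypt` only on customer-managed keys, since the AWS-managed `aws/secretsmanager` key already permits use through Secrets Manager by its key policy. The input is a constructed list shaped like `describe_secret()` responses, with full key ARNs assumed in `KmsKeyId`; the account id and key id are placeholders.

```python
import json

# Constructed sample shaped like boto3 secretsmanager.describe_secret() output:
# two secrets under a customer-managed key, one under the default key (no KmsKeyId).
# Account id and key id are placeholders. Assumption: KmsKeyId holds the full key
# ARN; a real describe_secret() may return an alias or bare key id, which would
# have to be resolved to an ARN (e.g. via kms.describe_key) before use in "Resource".
SAMPLE_SECRETS = [
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:/hello-service/db-AbCdEf",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"},
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:/hello-service/api-GhIjKl",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"},
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:/other/token-MnOpQr"},
]


def build_policy(secrets, region):
    """Return an IAM policy document for a principal that must read `secrets`.

    Secrets Manager decrypts with the *caller's* credentials, so the KES role
    needs kms:Decrypt on any customer-managed key. The Decrypt statement is
    scoped with kms:ViaService so the key is only usable through Secrets Manager
    in this region, not for arbitrary Decrypt calls.
    """
    customer_keys = sorted({s["KmsKeyId"] for s in secrets if s.get("KmsKeyId")})
    statements = [{
        "Sid": "ReadSecrets",
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        # Full ARNs including the random suffix; the issue's "/hello-service/*"
        # wildcard is the alternative when the suffix is not known up front.
        "Resource": sorted(s["ARN"] for s in secrets),
    }]
    if customer_keys:  # nothing to add when only the AWS-managed default key is used
        statements.insert(0, {
            "Sid": "DecryptWithCustomerKeys",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": customer_keys,
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_SECRETS, "us-east-1"), indent=2))
```

The key policy on the customer-managed key must also allow the role to Decrypt; an IAM grant alone is not sufficient for customer-managed keys.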

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

This issue was closed because it has been stalled for 30 days with no activity.