The External Secrets Enterprise product suite is a premium product. It requires a specific subscription. Contact us for more information.
In order to use the AWS IAM Keys Generator, you must have the Enterprise Distribution of ESO available via the ESI Agent or via our Helm chart bundle.

Introduction

Rotating IAM keys can be quite cumbersome if you have a very spread-out AWS account topology. Even though OIDC, AWS IAM Identity Center and many other services help with that, eventually the need to use IAM keys will arise, and rotating those IAM keys can then become quite cumbersome. The AWS IAM Keys Generator for ESO lets you rotate credentials as close as possible to the application using them, making sure no application downtime ever happens.

Output Keys and Values

Key                  Description
access_key_id        The AWS_ACCESS_KEY_ID value
secret_access_key    The AWS_SECRET_ACCESS_KEY value

Authentication

The IAM Key Generator supports IRSA, Pod Identity, and AWS programmatic keys as ways to authenticate to AWS.

Set up

Setting up Appropriate AWS Permissions

In order for the IAM Key Generator to work, the following AWS Permissions are needed:
  • iam:CreateAccessKey
  • iam:DeleteAccessKey
  • iam:ListAccessKeys
  • iam:GetAccessKeyLastUsed
The following policy shows an example of minimal permissions to grant for a given IAM Key Generator:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed"
      ],
      "Resource": [
        "arn:aws:iam::<YOUR_ACCOUNT_ID>:user/<USERNAME>"
      ]
    }
  ]
} 
With this policy created, either set up a role for a Service Account with IRSA or create a new AWS IAM user for workloads with these permissions.
Setting up IRSA is recommended, as it lets the IAM Key Generator itself run on short-lived credentials.

Generator Config

apiVersion: generators.external-secrets.io/v1alpha1
kind: AWSIAMKey
metadata:
  name: iam-key-gen
spec:
  # specify aws region (mandatory)
  region: eu-west-1
  # Optional: assume a role with the given authentication credentials
  role: my-role
  iamRef:
    username: aws-username
    maxKeys: 1 # Set to 2 for zero application downtime
  auth:
    jwt:
      serviceAccountRef:
        name: sa-name-with-irsa

ExternalSecrets Config

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: iam-keys
spec:
  refreshInterval: 1h # Rotates every 1 hour
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: AWSIAMKey
        name: "iam-key-gen"

Using the Generated Secret

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-container
        image: my-image:latest
        env:
        ## Set Up AWS Access Keys from Generated Secret
        - name: AWS_ACCESS_KEY_ID
          valueFrom:
            secretKeyRef:
              name: iam-keys
              key: access_key_id
        - name: AWS_SECRET_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: iam-keys
              key: secret_access_key
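The following is an added example, not code from ESO or its generator, that simulates the rotation flow set up above (the maxKeys setting on the generator, refreshInterval on the ExternalSecret, and a Deployment that still holds the previous key when rotation runs). It shows why maxKeys: 1 leaves a window in which the application's key is already deleted, while maxKeys: 2 keeps the in-use key valid until the next rotation. FakeIAM is a constructed in-memory stand-in; the four calls it exposes match boto3's IAM client methods for the four actions the policy on this page grants, so the rotate() function could be pointed at a real client, but the rotation logic here is illustrative and is not the generator's implementation.

```python
from datetime import datetime, timedelta, timezone
import itertools

class FakeIAM:
    """Constructed in-memory stand-in for boto3's IAM client. Like AWS, it
    refuses a third access key on a user, which is what makes maxKeys matter."""
    def __init__(self):
        self.keys = {}                      # user name -> list of key records
        self._ids = itertools.count(1)
        self.clock = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def create_access_key(self, UserName):
        if len(self.keys.get(UserName, [])) >= 2:
            raise RuntimeError("LimitExceeded: user already has two access keys")
        key = {"AccessKeyId": f"AKIAEXAMPLE{next(self._ids):04d}",
               "SecretAccessKey": "constructed-secret", "CreateDate": self.clock}
        self.clock += timedelta(minutes=1)  # later keys get a later CreateDate
        self.keys.setdefault(UserName, []).append(key)
        return {"AccessKey": key}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": list(self.keys.get(UserName, []))}

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName]
                               if k["AccessKeyId"] != AccessKeyId]

def rotate(iam, user, max_keys):
    """Delete the oldest keys until fewer than max_keys remain, then create a
    fresh one. Returns (new_key_id, [deleted_key_ids])."""
    keys = sorted(iam.list_access_keys(UserName=user)["AccessKeyMetadata"],
                  key=lambda k: k["CreateDate"])
    deleted = []
    while len(keys) >= max_keys:
        oldest = keys.pop(0)
        iam.delete_access_key(UserName=user, AccessKeyId=oldest["AccessKeyId"])
        deleted.append(oldest["AccessKeyId"])
    new = iam.create_access_key(UserName=user)["AccessKey"]
    return new["AccessKeyId"], deleted

def has_rotation_gap(max_keys, user="aws-username"):
    """Simulate the flow on this page: the app still holds the previous key when
    refreshInterval elapses and the generator rotates. Return True if that key
    was deleted before the app could pick up the new Secret (a failure window)."""
    iam = FakeIAM()
    app_key, _ = rotate(iam, user, max_keys)   # first reconcile: app gets a key
    rotate(iam, user, max_keys)                 # next reconcile: rotation happens
    live = {k["AccessKeyId"]
            for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]}
    return app_key not in live
```

Because AWS caps a user at two access keys, maxKeys: 2 is also the upper bound: the rotation deletes the oldest key first and then creates the replacement, so the key the Deployment is currently using survives until the following refresh.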