
Use AWS Secrets Manager secrets in Amazon Elastic Kubernetes Service


To expose secrets from AWS Secrets Manager as files mounted in Amazon EKS Pods, you can use the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver. The ASCP works with Amazon Elastic Kubernetes Service 1.17+ running an Amazon EC2 node group. AWS Fargate node groups are not supported. With the ASCP, you store and manage your secrets in Secrets Manager and retrieve them from workloads running on Amazon EKS without copying them into Kubernetes Secrets. If a secret contains multiple key-value pairs in JSON format, you can choose which ones to mount; the ASCP uses JMESPath syntax to select key-value pairs from the secret. The ASCP also works with Parameter Store parameters.

The ASCP offers two methods of authenticating to AWS from Amazon EKS. The first uses IAM Roles for Service Accounts (IRSA). The second uses EKS Pod Identity. Each approach has its own benefits and use cases.
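The following manifests are an added example, not code from the original page or from the ASCP project. They show a SecretProviderClass that selects two keys out of a JSON secret with JMESPath (and also pulls one Parameter Store parameter), plus a Pod that mounts the result as read-only files. All names are assumptions: namespace `payments`, secret `prod/payments/db` in `us-east-1`, parameter `/payments/feature-flags`, service account `payments-sa` (already bound to an IAM role by IRSA or Pod Identity), and a placeholder image.

```yaml
# Added example, not from the original page. Assumed names throughout.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: payments-db-secrets
  namespace: payments
spec:
  provider: aws
  parameters:
    region: us-east-1        # optional; defaults to the region of the node
    # "/" in an objectName is replaced in the mounted file name by this
    # character (default is "_"), so the whole secret below lands in a file
    # named prod_payments_db.
    pathTranslation: "_"
    objects: |
      - objectName: "prod/payments/db"          # secret name or full ARN
        objectType: "secretsmanager"
        # Each jmesPath entry is written to its own file named by objectAlias;
        # the full JSON document is still written to prod_payments_db.
        jmesPath:
          - path: username
            objectAlias: db_username
          - path: password
            objectAlias: db_password
      - objectName: "/payments/feature-flags"   # Parameter Store parameter
        objectType: "ssmparameter"
        objectAlias: feature_flags
  # Optional: mirror one file into a Kubernetes Secret so it can be used as an
  # environment variable. This copies the value into etcd, so only do it when
  # a file mount will not work, and make sure etcd encryption and RBAC on
  # Secrets in this namespace are in place. Requires the CSI driver to be
  # installed with syncSecret.enabled=true.
  secretObjects:
    - secretName: payments-db
      type: Opaque
      data:
        - objectName: db_password
          key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  serviceAccountName: payments-sa        # identity the ASCP uses to call AWS
  containers:
    - name: api
      image: example.com/payments-api:1.0  # placeholder image
      volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets          # files: prod_payments_db,
          readOnly: true                   #   db_username, db_password,
                                           #   feature_flags
      env:
        - name: DB_PASSWORD                # only works with secretObjects above
          valueFrom:
            secretKeyRef:
              name: payments-db
              key: password
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: payments-db-secrets
```

Two checks worth doing after `kubectl apply`: `kubectl exec payments-api -n payments -- ls /mnt/secrets` should list the four files, and a `kubectl describe pod` showing `FailedMount` almost always means the IAM role bound to `payments-sa` lacks `secretsmanager:GetSecretValue` / `secretsmanager:DescribeSecret` on that secret's ARN (or `ssm:GetParameters` for the parameter), or that the Pod is not using the bound service account. Scope the policy to the specific secret ARNs rather than `*`; the CSI mount is only as least-privileged as that role.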

ASCP with IAM Roles for Service Accounts (IRSA)

The ASCP with IAM Roles for Service Accounts (IRSA) allows you to mount secrets from AWS Secrets Manager as files in your Amazon EKS Pods. This approach is suitable when:

  • You need to mount secrets as files in your Pods.

  • You're using Amazon EKS version 1.17 or later with Amazon EC2 node groups.

  • You want to retrieve specific key-value pairs from JSON-formatted secrets.

For more information, see Use AWS Secrets and Configuration Provider CSI with IAM Roles for Service Accounts (IRSA).

ASCP with Pod Identity

The ASCP with Pod Identity method enhances security and simplifies configuration for accessing secrets in Amazon EKS. This approach is beneficial when:

  • You need more granular permission management at the Pod level.

  • You're using Amazon EKS version 1.24 or later.

  • You want improved performance and scalability.

For more information, see Use AWS Secrets and Configuration Provider CSI with Pod Identity for Amazon EKS.
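The difference between the two authentication methods described above comes down to how the Pod's Kubernetes service account is bound to an IAM role. The two ServiceAccount manifests below are an added example, not code from the original page or from the ASCP project; they assume a namespace `payments`, a service account `payments-sa`, an IAM role `payments-secrets-reader` in account `111122223333`, and a cluster named `prod`. Either service account is then referenced from the Pod with `serviceAccountName: payments-sa`.

```yaml
# Added example, not from the original page. Assumed names throughout.
#
# In both options the role's permissions policy should grant only
# secretsmanager:GetSecretValue and secretsmanager:DescribeSecret on the
# specific secret ARNs the workload needs (plus ssm:GetParameters for any
# Parameter Store objects).

# Option 1: IRSA. The binding is the annotation on the service account. The
# role's trust policy must trust the cluster's IAM OIDC identity provider and
# restrict the token's "sub" claim to
# system:serviceaccount:payments:payments-sa, so each role carries
# cluster-specific trust conditions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-sa
  namespace: payments
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/payments-secrets-reader
---
# Option 2: EKS Pod Identity. The service account carries no annotation; the
# binding is a Pod Identity association created outside Kubernetes, e.g.:
#
#   aws eks create-pod-identity-association --cluster-name prod \
#     --namespace payments --service-account payments-sa \
#     --role-arn arn:aws:iam::111122223333:role/payments-secrets-reader
#
# The role's trust policy trusts the pods.eks.amazonaws.com service principal
# for sts:AssumeRole and sts:TagSession; no OIDC provider or per-cluster
# trust condition is required. The cluster must run the Amazon EKS Pod
# Identity Agent add-on.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-sa
  namespace: payments
```

A practical consequence for reviewers: with IRSA, the evidence of which Pods can read a secret is split between the service account annotation and the role's trust policy; with Pod Identity, `aws eks list-pod-identity-associations --cluster-name prod` gives the full mapping from one place. In both cases, existing Pods need to be restarted after the binding changes before the ASCP can use the new credentials.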

Choosing the right approach

Consider the following factors when deciding between ASCP with IRSA and ASCP with Pod Identity:

  • Amazon EKS version: Pod Identity requires Amazon EKS 1.24+, while IRSA works with Amazon EKS 1.17+ (both use the same Secrets Store CSI Driver and ASCP).

  • Security requirements: Pod Identity offers more granular control at the Pod level.

  • Performance: Pod Identity generally performs better in high-scale environments.

  • Complexity: Pod Identity simplifies setup because the IAM role is bound to a Kubernetes service account through an EKS Pod Identity association, with no IAM OIDC provider and no per-role trust policy conditions to maintain.

Choose the method that best aligns with your specific requirements and Amazon EKS environment.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.