Kubernetes External Secrets Operator

February 13, 2026 | Kubernetes Secrets Security

Sync from AWS Secrets Manager.

External Secrets Operator for Kubernetes

A native Kubernetes Secret is only base64-encoded, not encrypted: anyone who can read the object through the API or from etcd can read the value, and the value still has to reach the cluster somehow, usually from a manifest or a CI pipeline. The External Secrets Operator (ESO) keeps the source of truth in an external provider such as AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault and syncs values from there into ordinary Kubernetes Secrets, so the provider becomes the single place where secrets are created, audited and rotated. Note that ESO itself does not rotate anything; rotation happens in the provider, and ESO picks up the new value on its next refresh.

Installation

helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  --namespace external-secrets \
  --create-namespace

AWS Secrets Manager Integration

First, create a store that tells ESO how to authenticate with AWS. A ClusterSecretStore is cluster-wide and can be referenced from any namespace; the one below authenticates with the IRSA identity of the external-secrets-sa service account, which must carry the eks.amazonaws.com/role-arn annotation pointing at an IAM role allowed to read the secrets. ESO 0.17 and later serve the external-secrets.io/v1 API; older releases only serve v1beta1.

apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
            namespace: external-secrets

Syncing Secrets

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: app-secrets
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: app-secrets
    creationPolicy: Owner
  data:
  - secretKey: DATABASE_URL
    remoteRef:
      key: prod/app/database
      property: url
  - secretKey: API_KEY
    remoteRef:
      key: prod/app/api-keys
      property: primary

This creates a Kubernetes Secret named app-secrets in the production namespace with the keys DATABASE_URL and API_KEY. Each property selects a field from a JSON secret string in Secrets Manager, so prod/app/database is expected to hold something like {"url": "postgres://..."}; omit property to take the whole secret string as the value. ESO polls on refreshInterval, so a value rotated in AWS can take up to an hour to appear in the cluster, and creationPolicy: Owner means the Secret is owned by, and deleted with, the ExternalSecret.

Using Synced Secrets in Pods

The synced Secret is consumed like any other. Keep in mind that envFrom copies the values into the container's environment once, at start, so a rotated value reaches the process only after the pod is recreated. The image name below is a placeholder.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: production
spec:
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: app
        image: registry.example.com/app:1.0.0  # placeholder image
        envFrom:
        - secretRef:
            name: app-secrets

Secret Rotation

When a secret is rotated in AWS Secrets Manager, ESO rewrites the Kubernetes Secret on its next refresh. That alone does not reach a running pod: environment variables are fixed at container start, and files from a volume-mounted Secret are refreshed only after the kubelet's sync period (and never for subPath mounts). To shorten the window:

  • Set refreshInterval: 5m (or lower) for frequently rotated secrets; each refresh is a GetSecretValue call, so keep the interval proportional to the rotation schedule
  • Use stakater/Reloader to roll workloads when a referenced Secret changes; it watches Secrets and triggers a rollout of Deployments annotated with reloader.stakater.com/auto: "true"
  • For database credentials, prefer a connection pooler or client that re-reads credentials without a restart, and pick a rotation strategy that keeps the previous credential valid during the overlap (Secrets Manager's alternating-users strategy does; single-user rotation invalidates the old password immediately)
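Putting those mechanisms together, as an added example that is not from the original post: a Deployment that receives app-secrets both as environment variables (rolled by Reloader on change) and as files from a whole-secret volume mount (refreshed in place by the kubelet). It assumes stakater/Reloader is installed in the cluster; the image name is a placeholder.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: production
  annotations:
    # Reloader (assumed installed) watches the Secrets this Deployment
    # references and triggers a rollout whenever one of them changes
    reloader.stakater.com/auto: "true"
spec:
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: app
        image: registry.example.com/app:1.0.0  # placeholder image
        # Environment variables: fixed at start, hence the Reloader annotation
        envFrom:
        - secretRef:
            name: app-secrets
        # Files: a whole-secret mount (no subPath) is updated in place by the
        # kubelet after its sync period; a subPath mount would never update
        volumeMounts:
        - name: app-secrets
          mountPath: /var/run/secrets/app
          readOnly: true
      volumes:
      - name: app-secrets
        secret:
          secretName: app-secrets
```

A process that re-reads /var/run/secrets/app/DATABASE_URL on each connection attempt picks up a rotated credential without a restart; the Reloader annotation covers everything that only reads the environment.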

Multi-Provider Setup

ESO supports multiple secret providers simultaneously:

  • AWS Secrets Manager — Primary for application secrets
  • AWS SSM Parameter Store — For configuration values (cheaper than Secrets Manager)
  • HashiCorp Vault — For dynamic database credentials
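A second store alongside the Secrets Manager one, as an added example that is not from the original post: a Parameter Store backend for configuration values, defined as a namespaced SecretStore so only ExternalSecrets in production can use it. The service account app-secrets-reader (assumed to exist in production with its own IRSA role) and the parameter names are placeholders.

```yaml
# Namespaced store: usable only from "production", and it authenticates with
# a service account in that same namespace (no namespace field on the ref)
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: aws-parameter-store
  namespace: production
spec:
  provider:
    aws:
      service: ParameterStore
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: app-secrets-reader   # assumed IRSA-annotated SA in production
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: app-config
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-parameter-store
    kind: SecretStore
  target:
    name: app-config
  data:
  - secretKey: LOG_LEVEL
    remoteRef:
      key: /prod/app/log-level      # plain String parameter (placeholder name)
  - secretKey: SMTP_PASSWORD
    remoteRef:
      key: /prod/app/smtp-password  # SecureString: SSM decrypts it for ESO, so the
                                    # role also needs kms:Decrypt on a customer-managed key
```

The role behind app-secrets-reader needs ssm:GetParameter on those parameter ARNs only; the Secrets Manager role used by the ClusterSecretStore never sees them, and a workload in another namespace cannot reference this store at all.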

Security Best Practices

  1. Use IRSA — Authenticate ESO with IAM Roles for Service Accounts, never with an access key stored in a Secret; with jwt auth each store can point at its own service account and therefore its own role
  2. Encrypt etcd and restrict RBAC — A synced Secret is an ordinary Secret: enable encryption at rest, and remember that anyone with get or list on secrets in the namespace can read it, ESO or not
  3. Namespace isolation — Prefer namespaced SecretStore objects over a ClusterSecretStore; a ClusterSecretStore lets every namespace that can create ExternalSecrets read whatever its role can read (its spec.conditions can restrict which namespaces may reference it)
  4. Audit access — Enable CloudTrail for Secrets Manager API calls and correlate GetSecretValue events with the AssumeRoleWithWebIdentity events of the ESO role; enable Kubernetes audit logging for reads of Secret objects as well
  5. Least privilege IAM — Grant the role secretsmanager:GetSecretValue (and DescribeSecret) only on the ARNs of the secrets each store needs; a wildcard Resource lets a compromised ESO, or any namespace that can reference the store, read every secret in the account
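One way to set up items 1 and 5 together, as an added example that is not from the original post: an eksctl ClusterConfig that creates the IRSA service account the ClusterSecretStore above references and attaches an inline policy scoped to the prod/app/ prefix. The cluster name, account ID, KMS key ID and the prefix are placeholders.

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: prod-cluster        # placeholder: the existing EKS cluster
  region: us-east-1
iam:
  withOIDC: true
  serviceAccounts:
  # Creates external-secrets/external-secrets-sa with the eks.amazonaws.com/role-arn
  # annotation that the ClusterSecretStore's jwt auth relies on
  - metadata:
      name: external-secrets-sa
      namespace: external-secrets
    attachPolicy:
      Version: "2012-10-17"
      Statement:
      - Effect: Allow
        Action:
        - secretsmanager:GetSecretValue
        - secretsmanager:DescribeSecret
        # Secret ARNs end in a random 6-character suffix, hence the trailing
        # wildcard; the prefix limits the role to this application's secrets
        Resource:
        - arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/*
      # Needed only when the secrets are encrypted with a customer-managed KMS key
      - Effect: Allow
        Action: kms:Decrypt
        Resource: arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000
```

Apply it with eksctl create iamserviceaccount -f cluster.yaml --approve. Two caveats: the Helm chart's own controller service account (external-secrets) needs no AWS permissions at all with this layout, and dataFrom.find requires secretsmanager:ListSecrets, which only accepts Resource: "*", so avoid find if you want the policy to stay resource-scoped.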

Eazy SaaS Tip: We set up External Secrets Operator as part of every EKS deployment. Combined with AWS Secrets Manager automatic rotation, this keeps credentials on a rotation schedule and out of Git repositories entirely.