Alibaba Cloud
Alibaba Cloud Secrets Manager
External Secrets Operator integrates with Alibaba Cloud Key Management Service for secrets and Keys management.
Authentication
We support Access key and RRSA authentication.
To use RRSA authentication, you should follow Use RRSA to authorize pods to access different cloud services to assign the RAM role to external-secrets operator.
Access Key authentication
To use accessKeyID
and accessKeySecrets
, simply create them as a regular Kind: Secret
beforehand and associate it with the SecretStore
:
apiVersion: v1
kind: Secret
metadata:
name: secret-sample
data:
accessKeyID: bXlhd2Vzb21lYWNjZXNza2V5aWQ=
accessKeySecret: bXlhd2Vzb21lYWNjZXNza2V5c2VjcmV0
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: secretstore-sample
spec:
provider:
alibaba:
regionID: ap-southeast-1
auth:
secretRef:
accessKeyIDSecretRef:
name: secret-sample
key: accessKeyID
accessKeySecretSecretRef:
name: secret-sample
key: accessKeySecret
RRSA authentication
When using RRSA authentication we manually project the OIDC token file to pod as volume
extraVolumes:
- name: oidc-token
projected:
sources:
- serviceAccountToken:
path: oidc-token
expirationSeconds: 7200 # The validity period of the OIDC token in seconds.
audience: "sts.aliyuncs.com"
extraVolumeMounts:
- name: oidc-token
mountPath: /var/run/secrets/tokens
and provide the RAM role ARN and OIDC volume path to the secret store
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: secretstore-sample
spec:
provider:
alibaba:
regionID: ap-southeast-1
auth:
rrsa:
oidcProviderArn: acs:ram::1234:oidc-provider/ack-rrsa-ce123456
oidcTokenFilePath: /var/run/secrets/tokens/oidc-token
roleArn: acs:ram::1234:role/test-role
sessionName: secrets
Creating external secret
To create a kubernetes secret from the Alibaba Cloud Key Management Service secret a Kind=ExternalSecret
is needed.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: example
spec:
refreshInterval: 1h
secretStoreRef:
name: secretstore-sample
kind: SecretStore
target:
name: example-secret
creationPolicy: Owner
data:
- secretKey: secret-key
remoteRef:
key: ext-secret