AWS SSM Parameters Advanced

This covers an advanced way to create Kubernetes Secrets from AWS SSM Parameter Store by following a naming convention: every parameter under a prefix becomes one key in the Secret.

For example, if you have these secret values in SSM Parameter Store:

```sh
$ aws ssm get-parameter --name /demo/development/db_user --with-decryption | jq '.Parameter.Value'
$ aws ssm get-parameter --name /demo/development/db_pass --with-decryption | jq '.Parameter.Value'
```

Set up a Kubes hook that fetches the parameters before the compile step:

```ruby
# Fetch every SSM parameter under the prefix before compiling the resources.
# base64: true encodes each value so it can be dropped into Secret data as-is.
ssm = KubesAws::SSM.new(base64: true, prefix: "/demo/development/")
before("compile",
  label: "Get secrets from AWS SSM Manager",
  execute: ssm,
)
```

Then set the secrets in the YAML, iterating over the data the hook collected:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: demo
  labels:
    app: demo
data:
<% KubesAws::SSM.data.each do |k,v| -%>
  <%= k %>: <%= v %>  # already base64 encoded by the hook (base64: true)
<% end -%>
```

This results in the AWS SSM parameters under the configured prefix (/demo/development/ here) being added to the Kubernetes Secret data, keyed by the parameter name with the prefix removed. The values are automatically base64 encoded. It produces:

```yaml
metadata:
  namespace: demo
  name: demo-2a78a13682
  labels:
    app: demo
apiVersion: v1
kind: Secret
data:
  db_pass: dGVzdDEK
  db_user: dGVzdDIK
```

These environment variables can be set:

| Name | Description |
|------|-------------|
| AWS_SSM_PREFIX | Prefix used to list and filter AWS SSM Parameters, e.g. demo/dev/. |

Secrets#initialize options:

| Variable | Description | Default |
|----------|-------------|---------|
| base64 | Automatically base64 encode the values. | false |
| upcase | Automatically upcase the Kubernetes secret data keys. | false |
| prefix | Prefix used to list and filter AWS secrets, e.g. demo/dev/. Can also be set with the AWS_SECRET_PREFIX env variable; the env variable takes the highest precedence. | nil |

Note, Kubernetes Secrets are only base64 encoded, not encrypted. So any user who has access to read Kubernetes Secrets can decode them and get the value trivially. Depending on your security posture requirements, this may or may not suffice.
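The following is an added example, not code from the page or from the kubes_aws plugin. It re-implements what the hook and template above do (prefix filtering, the `base64` and `upcase` options, and the env variable overriding `prefix:`) against a constructed in-memory parameter store so it runs offline, and it finishes with the check the note above invites: decoding the Secret data to see exactly what a reader of the Secret gets. The class `SsmSecrets`, the constant `FAKE_PARAMETER_STORE`, and the helpers `render_secret` and `values_with_trailing_whitespace` are all hypothetical names chosen for this example.

```ruby
require "base64"

# Constructed stand-in for AWS SSM Parameter Store (path => decrypted value).
# Sample values made up for this example; note the trailing newlines on two of
# them, which is what the page's base64 output (dGVzdDEK / dGVzdDIK) decodes to.
FAKE_PARAMETER_STORE = {
  "/demo/development/db_user" => "test2\n",
  "/demo/development/db_pass" => "test1\n",
  "/demo/development/api_key" => "abc123",
  "/demo/production/db_pass"  => "prod-only",
}.freeze

# Hypothetical re-implementation of the hook's behaviour, not the kubes_aws
# plugin class. Options mirror the page's table: prefix, base64, upcase, and
# the AWS_SSM_PREFIX env var overriding prefix:. The store and env are injected
# so the example runs offline; a real hook would call the SSM API instead.
class SsmSecrets
  attr_reader :data

  def initialize(prefix: nil, base64: false, upcase: false,
                 store: FAKE_PARAMETER_STORE, env: ENV)
    @prefix = env["AWS_SSM_PREFIX"] || prefix || ""   # env var takes precedence
    @base64 = base64
    @upcase = upcase
    @store  = store
    @data   = {}
  end

  # Collect parameters under the prefix; the Secret data key is the parameter
  # path with the prefix removed ("/demo/development/db_user" -> "db_user").
  def call
    @store.each do |path, value|
      next unless path.start_with?(@prefix)
      key = path.delete_prefix(@prefix)
      key = key.upcase if @upcase
      value = Base64.strict_encode64(value) if @base64
      @data[key] = value
    end
    @data
  end
end

# Render the Secret manifest the ERB template on the page would produce,
# assuming the data values are already base64 encoded by the hook.
def render_secret(name, data)
  lines = ["apiVersion: v1", "kind: Secret", "metadata:", "  name: #{name}", "data:"]
  data.keys.sort.each { |k| lines << "  #{k}: #{data[k]}" }
  lines.join("\n") + "\n"
end

# Pre-deploy check: base64 is reversible, so anyone who can read the Secret
# sees the plain values. Decode them and flag trailing whitespace, a common
# surprise when a value was stored with an `echo` newline attached.
def values_with_trailing_whitespace(data)
  data.select { |_, v| Base64.strict_decode64(v).match?(/\s\z/) }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  secrets = SsmSecrets.new(prefix: "/demo/development/", base64: true, env: {}).call
  puts render_secret("demo", secrets)
  puts "values with trailing whitespace: #{values_with_trailing_whitespace(secrets)}"
end
```

Running it prints a Secret whose `db_pass` and `db_user` entries match the page's output, and the check reports both keys because their decoded values end in a newline, which an application reading the mounted Secret will see as part of the credential.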