Kubernetes Secret to AWS Secrets Manager
AWS Secrets Manager requires the secrets to be in decoded format. However, Kubernetes Secrets are base64-encoded and need to be converted. We can use jq to do this for us.
Once the secrets are decoded, we can pass the resulting key-value pairs to the AWS CLI to create a Secrets Manager secret.
kubectl get secret app-config -o jsonpath='{.data}' | jq -r 'reduce to_entries[] as {$key, $value} (null; .[$key] = ($value|@base64d))' > secret.json
aws secretsmanager create-secret --name app-config --secret-string file://secret.json
AWS Secrets Manager to Kubernetes Secret
The AWS CLI can fetch decoded secrets from Secrets Manager. However, kubectl requires the secrets to be in env format if there are plenty of them. Once again, we can use jq to map them into an env-like format, and this env file can later be used to create the Kubernetes Secret.
aws secretsmanager get-secret-value --secret-id app-config | jq -r '.SecretString | fromjson | to_entries[] | "\(.key)=\(.value)"' > secret.env
kubectl create secret generic app-config --from-env-file=secret.env
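
The same two conversions as an added Python example (not part of the original page), going beyond the jq one-liners to flag entries that a line-based KEY=VALUE file cannot carry faithfully, such as a multi-line PEM key. The function names and sample values are constructed for illustration.

```python
import base64
import json

def k8s_data_to_secret_string(data):
    """Decode a Kubernetes Secret's .data map (base64 values) into the JSON
    text passed as --secret-string. Non-UTF-8 values raise UnicodeDecodeError,
    since a JSON string cannot hold raw bytes."""
    decoded = {k: base64.b64decode(v, validate=True).decode("utf-8")
               for k, v in data.items()}
    return json.dumps(decoded)

def secret_string_to_env(secret_string):
    """Return (env_lines, rejected): KEY=VALUE lines for --from-env-file, plus
    the keys that a one-entry-per-line file cannot represent faithfully."""
    obj = json.loads(secret_string)
    if not isinstance(obj, dict):
        raise ValueError("SecretString is not a JSON object of key/value pairs")
    lines, rejected = [], {}
    for key, value in obj.items():
        if not isinstance(value, str):
            rejected[key] = "value is not a string"
        elif "\n" in value or "\r" in value:
            rejected[key] = "value spans multiple lines"
        elif not key or "=" in key or key.startswith("#") or key != key.strip():
            rejected[key] = "key cannot be written as KEY=VALUE"
        else:
            lines.append(f"{key}={value}")
    return lines, rejected

# Constructed sample: .data as returned by
# kubectl get secret app-config -o jsonpath='{.data}'
SAMPLE_DATA = {
    "DB_USER": base64.b64encode(b"app").decode(),
    "DB_PASS": base64.b64encode(b"p@ss=word").decode(),
    "TLS_KEY": base64.b64encode(b"-----BEGIN KEY-----\nabc\n-----END KEY-----\n").decode(),
}

if __name__ == "__main__":
    secret_string = k8s_data_to_secret_string(SAMPLE_DATA)
    env_lines, rejected = secret_string_to_env(secret_string)
    print("\n".join(env_lines))
    for key, reason in rejected.items():
        print(f"skipped {key}: {reason}")
```

Rejected keys need a different route into the cluster than an env file, for example one file per key.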