Conversion between AWS Secrets Manager and Kubernetes Secrets

Kubernetes Secret to AWS Secrets Manager

AWS Secrets Manager expects the secret values in plaintext (decoded) form, whereas the data field of a Kubernetes Secret holds each value base64-encoded. We can use jq to decode every value and assemble the resulting key-value pairs into a JSON object.

Once the values are decoded, we can hand that JSON object to the AWS CLI as the secret string of a new Secrets Manager secret. Note that @base64d needs jq 1.6 or newer, and that secret.json holds the plaintext values, so delete it as soon as the secret has been created.

kubectl get secret app-config -o jsonpath='{.data}' | jq -r 'reduce to_entries[] as {$key, $value} (null; .[$key] = ($value|@base64d))' > secret.json

aws secretsmanager create-secret --name app-config --secret-string file://secret.json

AWS Secrets Manager to Kubernetes Secret

The AWS CLI returns the secret already decoded, as a JSON string in the SecretString field. On the kubectl side, passing many keys with --from-literal is tedious, so an env file (one KEY=VALUE per line) is the practical input format. Once again we can use jq to map the JSON object to env lines, and the resulting file is then used to create the Kubernetes Secret. This only works for flat string values: a value containing a newline cannot be expressed in env-file format. As before, secret.env contains plaintext and should be removed afterwards.

aws secretsmanager get-secret-value --secret-id app-config | jq -r '.SecretString | fromjson | to_entries[] | "\(.key)=\(.value)"' > secret.env

kubectl create secret generic app-config --from-env-file=secret.env
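The two conversions above, and the edge cases the jq one-liners silently pass through, can be exercised offline with the following Python script. It is an added example, not part of the original page: it uses a constructed Kubernetes Secret object and a constructed get-secret-value response instead of calling kubectl or the AWS CLI, and its env-file key check and parser are an approximation of kubectl's --from-env-file behaviour (an assumption, not kubectl's own code). It performs the Secret -> Secrets Manager decode from the first section, the Secrets Manager -> env-file rendering from the second, refuses values the env format cannot carry (nested JSON, strings with newlines), and round-trips a sample secret to show that values containing '=' and '#' survive.

```python
import base64
import json
import re

# Constructed sample of what `kubectl get secret app-config -o json` returns (trimmed).
# The values deliberately contain '=' and '#', which an env file must carry verbatim.
K8S_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "app-config"},
    "type": "Opaque",
    "data": {
        "DB_USER": base64.b64encode(b"app").decode("ascii"),
        "DB_PASS": base64.b64encode(b"s3cr3t=with#chars").decode("ascii"),
    },
}

# Approximation of the key validation kubectl applies to --from-env-file (assumption).
ENV_KEY_RE = re.compile(r"[-._a-zA-Z][-._a-zA-Z0-9]*")


def k8s_secret_to_plaintext(secret: dict) -> dict:
    """Turn a Kubernetes Secret object into the plaintext map Secrets Manager expects.

    `.data` holds base64-encoded values and is decoded here; `.stringData`, if present
    on a manifest, is already plaintext and is merged as-is.
    """
    plain = {}
    for key, b64 in (secret.get("data") or {}).items():
        plain[key] = base64.b64decode(b64).decode("utf-8")
    plain.update(secret.get("stringData") or {})
    return plain


def plaintext_to_secret_string(plain: dict) -> str:
    """Serialize the map as the JSON string passed to `aws secretsmanager --secret-string`."""
    return json.dumps(plain, sort_keys=True)


def secrets_manager_to_env(get_secret_value_response: dict) -> str:
    """Render a get-secret-value response as an env file for `kubectl --from-env-file`.

    Same mapping as the jq pipeline, but it refuses what the env format cannot
    represent: nested JSON values and strings containing a newline.
    """
    values = json.loads(get_secret_value_response["SecretString"])
    if not isinstance(values, dict):
        raise ValueError("SecretString must be a JSON object of key/value pairs")
    lines = []
    for key, value in values.items():
        if not ENV_KEY_RE.fullmatch(key):
            raise ValueError(f"key {key!r} is not a valid env-file key")
        if isinstance(value, (dict, list)):
            raise ValueError(f"key {key!r} has a nested value; env files are flat")
        # Non-string scalars (numbers, booleans, null) are rendered as jq's \(.value) would.
        text = value if isinstance(value, str) else json.dumps(value)
        if "\n" in text or "\r" in text:
            raise ValueError(f"key {key!r} contains a newline; not representable in an env file")
        lines.append(f"{key}={text}")
    return "\n".join(lines) + "\n"


def parse_env_file(text: str) -> dict:
    """Read an env file roughly the way kubectl does (assumption): skip blank and '#'
    comment lines, trim leading whitespace, split each line at the first '='."""
    result = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        result[key] = value
    return result


def round_trip(secret: dict) -> dict:
    """Kubernetes Secret -> Secrets Manager JSON -> env file -> key/value map."""
    secret_string = plaintext_to_secret_string(k8s_secret_to_plaintext(secret))
    # Constructed stand-in for the `aws secretsmanager get-secret-value` response.
    response = {"Name": secret["metadata"]["name"], "SecretString": secret_string}
    return parse_env_file(secrets_manager_to_env(response))


if __name__ == "__main__":
    print(round_trip(K8S_SECRET))
```

The newline check is the one worth keeping in a real pipeline: a PEM certificate or multi-line config stored in Secrets Manager would be truncated at the first line break by the jq/env-file route, and kubectl would then either reject the file or create a Secret with a silently corrupted value. For such keys use --from-file per key instead of an env file.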