Kubernetes Secrets from Secrets Manager using External Secrets Operators


This article won’t go too much in details about the technology stacks we will use. We assume that you should have some knowledges of the following.

  • Helm — We will use it to deploy the External Secrets Operator on GKE.
  • Secrets Manager — We will store the secrets in the Secrets Manager
  • Kubernetes.

Source Code

The source codes relate to this article are kept publicly in the GitHub repository here — https://github.com/its-knowledge-sharing/setup-gke-external-secret. I would recommend to clone the code and read them at the same time you read this article.

Create the GKE cluster

I’m assuming that we are familiar to the Google Cloud Platform (GCP) and already have the GCP account. See this script for more detail 01-setup-gke.bash, run the script and wait until the GKE is created.

Create service account (SA)

To allow External Secrets to retrieve the secrets, we will need to provide the SA for External Secrets to talk to Secrets Manager. See this script for more detail 02-create-sa.bash.

Deploy External Secrets to GKE

The easiest way we deploy External Secrets into Kubernetes is by using Helm. The External Secrets also provided it’s own Helm chart here https://charts.external-secrets.io/. What we need to do is to create the Helm values file to customize what we need and run some Helm commands to get everything.

Cluster Secret Store

As mentioned earlier that there are 3 CRDs created when we deploy External Secrets by using the script. The ClusterSecretStore is one of them, it is a cluster scoped resource that can be referenced by all ExternalSecrets (will explain later) from all namespaces. Use it to offer a central gateway to your secret backend (Secrets Manager in our case).

Create secrets in the Secrets Manager

Before pulling secrets from Secrets Manager, we will need to create a Secret (this is not the Kubernetes Secret) in the Secrets Manager first. Run the script 03–3-create-secret-manager.bash to create a Secret.

Create ExternalSecret CRD

The ExternalSecret is the way to describe how the data should be fetched from the secret backend (Secrets Manager in our case) and how data should be transformed to Kubernetes Secret.

Create a pod and inject Kubernetes Secret into

Now it’s the time to use Kubernetes Secret we just created by the helping of ExternalSecret. We will run this script 04–1-create-pod.bash to create a pod which will mount a Secret test-secret to files inside a pod, under this path /secrets.

Update Secret in Secret Manager

Now run this script 05–1-update-secret-manager.bash to modify the existing Secret gcp-demo-secret-key in the Secrets Manager and we should see the new secret values similar to the picture below.


Congratulation!!! if you’ve read the entire article and it is able to help you solve your issues. You can support me by:

  • Follow me.
  • Share my articles.
  • Buy me a coffee via ADA address below if you want.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store