Working with Alibaba Cloud KMS Secret Manager from a Kubernetes Cluster

A rundown of KMS Secret Manager, Alibaba Cloud Kubernetes Clusters, and how to make them work together.

What is KMS Secret Manager?

KMS stands for Key Management Service. It is one of the most critical services a cloud provider offers for managing customers' security-related properties on the cloud.

It is the same in Alibaba Cloud. Key Management Service (KMS) provides secure and compliant key management and cryptography services to help you encrypt and protect sensitive data assets.

Secret Manager is a new feature that Alibaba Cloud KMS introduced in 2020. It enables you to manage your secrets in a centralized manner throughout their lifecycle (creation, retrieval, updating, and deletion).

Important Notes before Moving to Best Practice

Why is it Required to Work with an ACK Kubernetes Cluster?

1. Lifecycle Mismatch:

Kubernetes provides the Secret resource to supply credentials for various purposes (database access, API calls), but it can only be considered temporary storage, since it goes away when the cluster is deleted. Database accounts and API credentials should not be cleared along with it. This requires the cloud provider to store the credential information securely in a central location and synchronize it with the applications running in Kubernetes clusters.

2. Security Management:

Secret Manager (together with other cloud services like Audit Log) keeps user actions and historical changes in one place. This is critical for security auditing.

3. Key Rotation integration:

With REST API support, Secret Manager can easily be integrated into CI/CD pipelines for database credential rotation and API credential updates.

What's Missing?

The last piece of the puzzle is an agent that automatically synchronizes Secrets in Kubernetes with the KMS Secret Manager.

Here are two options for synchronizing the KMS Secret Manager and an Alibaba Cloud Kubernetes cluster. One is from Alibaba Cloud and the other is from the Kubernetes ecosystem.

1. Kubernetes External Secrets

External Secrets is more popular from a user perspective. It supports Alibaba Cloud and most of the major cloud providers.

2. ACK Secret Manager

ACK Secret Manager provides a similar setup to External Secrets and is maintained mainly by Alibaba Cloud's internal developers. It provides more functionality and flexibility.

Making ACK and KMS Secret Manager Work Together

1. Create a Kubernetes Cluster using ACK:

You can do it manually by following the official document or with Terraform by following the demo.

2. Deploy External Secrets or ACK Secret Manager:

  • ACK Secret Manager

Do not forget to attach the required privilege to the WorkerRole.

"Action": [
"Resource": [
"Effect": "Allow"

Then, install it in the Kubernetes cluster.

# for ACK Secret Manager
# the repo is registered under the name "aliyun", which the install line refers to
$ helm repo add aliyun http://aliacs-k8s-eu-central-1.oss-eu-central-1.aliyuncs.com/app/charts-incubator/
$ helm install aliyun/ack-secret-manager

  • External Secrets

Install it in the Kubernetes cluster, setting the environment values as described in the Helm chart's values definition.

# for External secrets
$ helm repo add external-secrets https://godaddy.github.io/kubernetes-external-secrets/
$ helm install external-secrets/kubernetes-external-secrets --set envVarsFromSecret.ALICLOUD_ENDPOINT=xxx --set envVarsFromSecret.ALICLOUD_ACCESS_KEY_ID=xxx --set envVarsFromSecret.ALICLOUD_ACCESS_KEY_SECRET=xxx

3. Create a Secret using aliyun-cli

# you need to configure aliyun-cli with a valid RAM user and proper permission
aliyun kms CreateSecret --SecretName my_secret --SecretData P@ssw0rd --VersionId 001

4. Deploy CRD

  • ACK Secret Manager

apiVersion: 'alibabacloud.com/v1alpha1'
kind: ExternalSecret
metadata:
  name: hello-service
spec:
  backendType: alicloud-kms
  data:
    - key: test
      name: password
      versionStage: ACSCurrent

  • External Secrets

# External secrets demo
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: hello-service
spec:
  backendType: alicloudSecretsManager
  # optional: specify role to assume using provided access key ID and access key secret when retrieving the data
  roleArn: acs:ram::{UID}:role/demo
  data:
    - key: hello-credentials1
      name: password
    - key: hello-credentials2
      name: username
      # Version Stage in Alibaba Cloud KMS Secrets Manager. Optional, default value is ACSCurrent
      versionStage: ACSCurrent

Then, run the command:

# deploy CRD
$ kubectl apply -f hello-service-external-secret.yml

5. Verify the results.

After 30 seconds, check whether the Secret has been updated:

# print secret in yaml format
$ kubectl get secret hello-service -oyaml

This is what you should see:

apiVersion: v1
kind: Secret
metadata:
  name: hello-service
type: Opaque
data:
  password: MTIzNA==
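
The verification step can also be scripted. The following is an added example, not code from the original post or from either project: it compares the names declared under spec.data in an ExternalSecret with the keys present in the synced Secret, and reports a SHA-256 fingerprint instead of the decoded value, because the base64 shown by kubectl is an encoding, not encryption. The JSON documents are constructed samples modelled on the manifests above, and check_sync and fingerprint are hypothetical helper names.

```python
import base64
import binascii
import hashlib
import json

# Constructed sample: the External Secrets manifest above, as JSON
# (the shape returned by `kubectl get externalsecret hello-service -o json`).
EXTERNAL_SECRET = json.loads("""
{"kind": "ExternalSecret", "metadata": {"name": "hello-service"},
 "spec": {"backendType": "alicloudSecretsManager",
          "data": [{"key": "hello-credentials1", "name": "password"},
                   {"key": "hello-credentials2", "name": "username"}]}}
""")

# Constructed sample: the synced Secret shown above, as JSON.
SECRET = json.loads("""
{"kind": "Secret", "metadata": {"name": "hello-service"},
 "type": "Opaque", "data": {"password": "MTIzNA=="}}
""")


def fingerprint(value: bytes) -> str:
    """Short SHA-256 digest, so values can be compared without printing them."""
    return hashlib.sha256(value).hexdigest()[:12]


def check_sync(external_secret: dict, secret: dict) -> dict:
    """Compare names declared in spec.data with keys present in Secret.data."""
    wanted = [item["name"] for item in external_secret["spec"]["data"]]
    data = secret.get("data") or {}
    report = {"missing": [], "invalid": [], "unexpected": [], "fingerprints": {}}
    for name in wanted:
        if name not in data:
            report["missing"].append(name)   # declared but not synced yet
            continue
        try:
            raw = base64.b64decode(data[name], validate=True)
        except (binascii.Error, ValueError):
            report["invalid"].append(name)   # value is not valid base64
            continue
        report["fingerprints"][name] = fingerprint(raw)
    # Keys in the Secret that the ExternalSecret never declared.
    report["unexpected"] = sorted(set(data) - set(wanted))
    return report


if __name__ == "__main__":
    print(json.dumps(check_sync(EXTERNAL_SECRET, SECRET), indent=2))
```

Compare each fingerprint with one computed from the value stored in KMS Secret Manager. For short or guessable secrets, treat the fingerprint as sensitive too.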

That's it! Alibaba makes your life easier.
