Key Management Service:Integrate KMS secrets in ACK

Last Updated:Mar 31, 2026

The ack-secret-manager plug-in bridges Key Management Service (KMS) and Container Service for Kubernetes (ACK). It periodically pulls the latest secret values from KMS and caches them in your cluster as Kubernetes Secrets. Applications consume those secrets the same way they use any Kubernetes Secret—no plaintext transmission, no secrets baked into images or environment variables.

Prerequisites

Before you begin, make sure you have:

  • A running ACK cluster (managed or dedicated) or a self-managed Kubernetes cluster

  • Sufficient Resource Access Management (RAM) permissions to create custom policies and attach them to roles

  • KMS secrets already created, or permission to create them (see Step 2)

  • For VPC-only access: the workload's virtual private cloud (VPC) bound to the KMS instance

Step 1: Install the ack-secret-manager plug-in

ACK cluster

  1. Log on to the ACK console and click ack-secret-manager on the Marketplace page.

  2. In the upper-right corner of the ack-secret-manager page, click Deploy.

  3. In the Deploy panel, set Cluster, keep the default values for Namespace and Release Name, and click Next.

  4. In the Parameters step, configure the following parameters and click OK. After the deployment completes, you are redirected to the ack-secret-manager page.

    Parameter | Description | Example
    command.backend | Backend of the external key management system. Only KMS is supported. | alicloud-kms
    command.region | Region where secrets are retrieved. | cn-hangzhou
    command.disablePolling | Set to true to disable automatic synchronization of the latest secret values from KMS. Default: false. | false
    command.pollingInterval | Interval at which existing secret values are synchronized from KMS. | 120s
  5. Verify the installation. If the following resources are created, the plug-in is installed successfully.

    [Image: resources created by the ack-secret-manager deployment]

Self-managed Kubernetes cluster

Follow the installation instructions in the ack-secret-manager GitHub repository.

Step 2: Create secrets in KMS

Create secrets of any supported type:

Step 3: Grant the plug-in access to KMS

The ack-secret-manager plug-in needs permission to read secrets from KMS. Two access methods are available depending on your setup.

Choose an access method

Access method | Use when
KMS endpoint | Your secrets are in a KMS instance, or were created in the KMS version that does not use KMS instances
KMS instance endpoint ({kmsInstanceId}.cryptoservice.kms.aliyuncs.com) | Your secrets are in a KMS instance and you want access restricted to your VPC

Access KMS by using a KMS endpoint

  1. Create a custom RAM policy that grants the two actions the plug-in needs. The wildcard "*" in the Resource field grants access to every secret in the account; narrow it to the specific secrets the plug-in must read wherever possible.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "kms:GetSecretValue",
                    "kms:Decrypt"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }

    For details, see Use RAM to manage access to KMS resources.

  2. Attach the policy to workloads or pods using one of the following methods.

    Attach the custom policy to the required worker role of your cluster

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. Find the cluster and click Details in the Actions column.

    3. On the Cluster Resources tab, click the RAM role named KubernetesWorkerRole-********. Attach the custom policy to the role on the RAM console page that opens.

    Use the RAM Roles for Service Accounts (RRSA) feature to attach the custom policy by pod

    1. Enable the RRSA feature.

    2. Use the RRSA feature: create a RAM role for a service account, specify a trust policy for the role, and attach the custom policy.
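
The following script is an added example for reviewing the custom policy from Step 3 before attaching it; it is not part of this page or of the ack-secret-manager project. It loads a RAM policy document, flags Allow statements that apply to every resource ("*") or that grant actions beyond kms:GetSecretValue and kms:Decrypt, and produces a narrowed copy whose Resource field lists explicit secret ARNs. The ARN layout acs:kms:{region}:{account-id}:secret/{name}, the account ID and the secret names are assumptions constructed for illustration; confirm the resource format (and whether kms:Decrypt must also name the key) against the linked RAM documentation before using a narrowed policy.

```python
"""Least-privilege review of the custom RAM policy for ack-secret-manager.

Added example; not part of this page or of the ack-secret-manager project.
The ARN layout acs:kms:{region}:{account-id}:secret/{name}, the account ID
and the secret names below are constructed for illustration.
"""
import json

# The only two actions the plug-in needs, as given on the page.
REQUIRED_ACTIONS = {"kms:GetSecretValue", "kms:Decrypt"}

# The policy statement from the page, wrapped in a full RAM policy document.
PAGE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": ["kms:GetSecretValue", "kms:Decrypt"],
        "Resource": ["*"],
        "Effect": "Allow",
    }],
})

# Constructed counter-example: a blanket kms:* grant someone might paste in.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Action": "kms:*", "Resource": "*", "Effect": "Allow"}],
})


def _as_list(value):
    """RAM accepts a single string or a list for Action/Resource; normalise."""
    return [value] if isinstance(value, str) else list(value)


def _allow_statements(policy_json):
    """Yield (index, statement) for every Allow statement in the document."""
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            yield idx, stmt


def find_wildcard_statements(policy_json):
    """Indexes of Allow statements that apply to every resource ('*')."""
    return [idx for idx, stmt in _allow_statements(policy_json)
            if "*" in _as_list(stmt.get("Resource", []))]


def find_extra_actions(policy_json):
    """Allowed actions beyond the two the plug-in needs (e.g. 'kms:*')."""
    extra = set()
    for _, stmt in _allow_statements(policy_json):
        extra.update(set(_as_list(stmt.get("Action", []))) - REQUIRED_ACTIONS)
    return sorted(extra)


def secret_arn(region, account_id, secret_name):
    """Assumed ARN form for a KMS secret; verify against the RAM documentation."""
    return f"acs:kms:{region}:{account_id}:secret/{secret_name}"


def narrow_policy(policy_json, resource_arns):
    """Return a copy of the policy with every '*' Resource replaced by resource_arns."""
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            stmt["Resource"] = [r for r in resources if r != "*"] + list(resource_arns)
    return json.dumps(policy, indent=4)


def statement_resources(policy_json):
    """Resource list of each statement, for inspection after narrowing."""
    return [_as_list(s.get("Resource", []))
            for s in json.loads(policy_json).get("Statement", [])]


if __name__ == "__main__":
    print("wildcard statements:", find_wildcard_statements(PAGE_POLICY))  # [0]
    print("extra actions:", find_extra_actions(OVERLY_BROAD_POLICY))       # ['kms:*']
    # Constructed account ID and secret names; replace with your own values.
    arns = [secret_arn("cn-hangzhou", "123456789012345678", n)
            for n in ("db-password", "api-token")]
    print(narrow_policy(PAGE_POLICY, arns))
```

Run the script against the policy you intend to attach to the worker role or RRSA role; an empty result from both checks means the policy grants exactly the two actions on named secrets only.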

Access KMS by using a KMS instance endpoint

Note

Before using this method, bind the VPC of the workload or pod to the KMS instance. See Access a KMS instance from multiple VPCs in the same region.

Create an application access point (AAP) to authenticate the plug-in against the KMS instance. See Create an AAP.

Step 4: Configure the plug-in to read secrets

In the ack-secret-manager plug-in, specify the protocol, endpoint, client key, and secret name. For more information, see the ack-secret-manager repository.

What's next

To protect secrets cached in your cluster, encrypt Kubernetes Secrets at rest using KMS. This also protects system secrets (static secrets) stored in the cluster. See Use KMS to encrypt Kubernetes Secrets at rest.
