Help improve this page
Want to contribute to this user guide? Scroll to the bottom of this page and select Edit this page on GitHub. Your contributions will help make our user guide better for everyone.
Encrypt Kubernetes secrets with AWS KMS on existing clusters
If you enable secrets encryption
-
Symmetric
-
Can encrypt and decrypt data
-
Created in the same AWS Region as the cluster
-
If the KMS key was created in a different account, the IAM principal must have access to the KMS key.
For more information, see Allowing IAM principals in other accounts to use a KMS key in the AWS Key Management Service Developer Guide .
Warning
You can’t disable secrets encryption after enabling it. This action is irreversible.
- eksctl
-
You can enable encryption in two ways:
-
Add encryption to your cluster with a single command.
To automatically re-encrypt your secrets, run the following command.
eksctl utils enable-secrets-encryption \ --cluster my-cluster \ --key-arn arn:aws:kms:region-code:account:key/key
To opt-out of automatically re-encrypting your secrets, run the following command.
eksctl utils enable-secrets-encryption --cluster my-cluster \ --key-arn arn:aws:kms:region-code:account:key/key \ --encrypt-existing-secrets=false
-
Add encryption to your cluster with a
kms-cluster.yaml
file.apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: name: my-cluster region: region-code secretsEncryption: keyARN: arn:aws:kms:region-code:account:key/key
To have your secrets re-encrypt automatically, run the following command.
eksctl utils enable-secrets-encryption -f kms-cluster.yaml
To opt out of automatically re-encrypting your secrets, run the following command.
eksctl utils enable-secrets-encryption -f kms-cluster.yaml --encrypt-existing-secrets=false
-
- AWS Management Console
-
-
Open the Amazon EKS console
. -
Choose the cluster that you want to add KMS encryption to.
-
Choose the Overview tab (this is selected by default).
-
Scroll down to the Secrets encryption section and choose Enable.
-
Select a key from the dropdown list and choose the Enable button. If no keys are listed, you must create one first. For more information, see Creating keys
-
Choose the Confirm button to use the chosen key.
-
- AWS CLI
-
-
Associate the secrets encryption
configuration with your cluster using the following AWS CLI command. Replace the example values
with your own.aws eks associate-encryption-config \ --cluster-name my-cluster \ --encryption-config '[{"resources":["secrets"],"provider":{"keyArn":"arn:aws:kms:region-code:account:key/key"}}]'
An example output is as follows.
{ "update": { "id": "3141b835-8103-423a-8e68-12c2521ffa4d", "status": "InProgress", "type": "AssociateEncryptionConfig", "params": [ { "type": "EncryptionConfig", "value": "[{\"resources\":[\"secrets\"],\"provider\":{\"keyArn\":\"arn:aws:kms:region-code:account:key/key\"}}]" } ], "createdAt": 1613754188.734, "errors": [] } }
-
You can monitor the status of your encryption update with the following command. Use the specific
cluster name
andupdate ID
that was returned in the previous output. When aSuccessful
status is displayed, the update is complete.aws eks describe-update \ --region region-code \ --name my-cluster \ --update-id 3141b835-8103-423a-8e68-12c2521ffa4d
An example output is as follows.
{ "update": { "id": "3141b835-8103-423a-8e68-12c2521ffa4d", "status": "Successful", "type": "AssociateEncryptionConfig", "params": [ { "type": "EncryptionConfig", "value": "[{\"resources\":[\"secrets\"],\"provider\":{\"keyArn\":\"arn:aws:kms:region-code:account:key/key\"}}]" } ], "createdAt": 1613754188.734>, "errors": [] } }
-
To verify that encryption is enabled in your cluster, run the
describe-cluster
command. The response contains anEncryptionConfig
string.aws eks describe-cluster --region region-code --name my-cluster
-
After you enabled encryption on your cluster, you must encrypt all existing secrets with the new key:
Note
If you use eksctl
, running the following command is necessary only if you opt out of re-encrypting your secrets automatically.
kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - kms-encryption-timestamp="time value"
Warning
If you enable secrets encryption
Note
By default, the create-key
command creates a symmetric encryption KMS key with a key policy that gives the account root admin access on AWS KMS actions and resources. If you want to scope down the permissions, make sure that the kms:DescribeKey
and kms:CreateGrant
actions are permitted on the policy for the principal that calls the create-cluster
API.
For clusters using KMS Envelope Encryption, kms:CreateGrant
permissions are required. The condition kms:GrantIsForAWSResource
is not supported for the CreateCluster action, and should not be used in KMS policies to control kms:CreateGrant
permissions for users performing CreateCluster.