IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at and

Using AWS Secrets Manager CSI on Red Hat OpenShift on AWS with STS

Authors: Paul Czarkowski, Chris Kang
Last Editor: Andy Repton
Published Date: 25 May 2023
Modified Date: 25 May 2023

The AWS Secrets and Configuration Provider (ASCP) is the AWS provider for the Kubernetes Secrets Store CSI driver. Together they expose secrets held in AWS Secrets Manager to pods as files in a mounted volume, so the values do not have to be copied into Kubernetes Secret objects. With the ASCP you keep storing and managing your secrets in Secrets Manager and read them from workloads running on ROSA or OSD.

On an STS cluster this is both simpler and safer. The pod identity webhook projects a short-lived service account token into the pod, and the provider exchanges that token for temporary AWS credentials with sts:AssumeRoleWithWebIdentity. No long-lived AWS access keys are created or stored in the cluster, and the IAM role's trust policy decides exactly which Kubernetes service account may assume the role.


Preparing Environment

  1. Validate that your cluster has STS

    oc get authentication.config.openshift.io cluster -o json \
      | jq .spec.serviceAccountIssuer

    The serviceAccountIssuer is the cluster's OIDC issuer URL; the IAM trust policy created later refers to it. On an STS cluster it is an https URL ending in a cluster-specific identifier. If the field is empty or null, the cluster was not created with STS. Do not proceed in that case; instead follow the Red Hat documentation on creating an STS cluster.

  2. Set SecurityContextConstraints to allow the CSI driver to run

    Both the driver and the AWS provider run as DaemonSets that mount host paths under the kubelet plugin directory, so their service accounts need the privileged SCC. Grant it to exactly those two service accounts in the csi-secrets-store namespace, not to a group or to the whole namespace: the first command is for the driver's service account, the second for the AWS provider's.

    oc new-project csi-secrets-store
    oc adm policy add-scc-to-user privileged \
    oc adm policy add-scc-to-user privileged \
  3. Create some environment variables to refer to later

    The OIDC endpoint is the issuer URL without its https:// scheme. That is the form used in the OIDC provider ARN and in the condition key of the trust policy.

    export REGION=us-east-2
    export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster \
      -o jsonpath='{.spec.serviceAccountIssuer}' | sed 's|^https://||')
    export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
    export AWS_PAGER=""

Deploy the AWS Secrets and Configuration Provider

  1. Add the Helm repository for the secrets store CSI driver

    helm repo add secrets-store-csi-driver \
  2. Update your Helm Repositories

    helm repo update
  3. Install the secrets store csi driver

    helm upgrade --install -n csi-secrets-store \
      csi-secrets-store-driver secrets-store-csi-driver/secrets-store-csi-driver
  4. Deploy the AWS provider

    oc -n csi-secrets-store apply -f \
  5. Check that both DaemonSets are running

    oc -n csi-secrets-store get ds \
      csi-secrets-store-provider-aws \

    Each DaemonSet should show the same DESIRED, CURRENT and READY counts, one pod per node. If pods are missing or were rejected at admission, recheck that the privileged SCC was granted to the right service accounts in the preparation step.

Creating a Secret and IAM Access Policies

  1. Create a secret in Secrets Manager

    The secret string is a small JSON document. The provider mounts it verbatim, so the application receives exactly this text. The value also ends up in your shell history; for a real secret, read it from a file with --secret-string file://path instead.

    SECRET_ARN=$(aws --region "$REGION" secretsmanager create-secret \
      --name MySecret --secret-string \
      '{"username":"shadowman", "password":"hunter2"}' \
      --query ARN --output text)
    echo $SECRET_ARN
  2. Create IAM Access Policy document

    The provider reads the secret with GetSecretValue and DescribeSecret, so allow only those two actions, and only on this secret's ARN. Do not widen the Resource to a wildcard.

    cat << EOF > policy.json
    {
      "Version": "2012-10-17",
      "Statement": [{
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret"
          ],
          "Resource": ["$SECRET_ARN"]
      }]
    }
    EOF
  3. Create an IAM Access Policy

    POLICY_ARN=$(aws --region "$REGION" --query Policy.Arn \
      --output text iam create-policy \
      --policy-name openshift-access-to-mysecret-policy \
      --policy-document file://policy.json)
    echo $POLICY_ARN
  4. Create IAM Role trust policy document

    The trust policy is locked down to the default service account of the my-application namespace you will create later: only a token issued by this cluster's OIDC provider whose sub claim is exactly system:serviceaccount:my-application:default can assume the role. Keep the StringEquals match on the full subject; a StringLike match with a wildcard would let every pod in the namespace, or the cluster, read the secret.

    cat <<EOF > trust-policy.json
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/${OIDC_ENDPOINT}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "${OIDC_ENDPOINT}:sub": ["system:serviceaccount:my-application:default"]
          }
        }
      }]
    }
    EOF
  5. Create IAM Role

    ROLE_ARN=$(aws iam create-role --role-name openshift-access-to-mysecret \
      --assume-role-policy-document file://trust-policy.json \
      --query Role.Arn --output text)
    echo $ROLE_ARN
  6. Attach the policy to the role

    aws iam attach-role-policy --role-name openshift-access-to-mysecret \
      --policy-arn $POLICY_ARN
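The preparation step and the IAM section above are easy to get subtly wrong by hand (a stray https:// in the condition key, a wildcard that lets any pod assume the role). The following shell functions, added here as an example and not part of the original page, render the two IAM documents from the tutorial's variables and refuse a trust policy that is not pinned to exactly one service account. They use only sh, sed and grep (no jq); the account id, issuer and secret ARN in the usage comments are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the original page): render the two IAM documents
# the tutorial writes by hand, and sanity-check the trust policy before the
# role is created. Uses only sh, sed and grep; no jq. The account id, issuer
# and secret ARN in the usage comments at the bottom are constructed samples.

# Preparation step 1: normalise .spec.serviceAccountIssuer (jq prints it
# quoted) into the host/path form used in the provider ARN and the condition
# key. Fails on non-STS clusters, where the field is empty or null.
oidc_endpoint_from_issuer() {
    local issuer
    issuer=$(printf '%s' "$1" | tr -d '"')
    case "$issuer" in
        https://?*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${issuer#https://}" | sed 's|/$||'
}

# Access policy: the provider only needs to read and describe this one
# secret, so there is no wildcard in Action or Resource.
render_secret_policy() {   # $1 = secret ARN
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": ["$1"]
  }]
}
EOF
}

# Trust policy pinned to one service account through the token's sub claim.
# $1 = OIDC endpoint, $2 = AWS account id, $3 = namespace, $4 = service account
render_trust_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::$2:oidc-provider/$1" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": { "$1:sub": ["system:serviceaccount:$3:$4"] }
    }
  }]
}
EOF
}

# Returns 0 only if the trust policy pins the expected subject with an exact
# match. Any wildcard, any StringLike, or a missing :sub condition would let
# other pods (or tokens from another issuer path) assume the role.
# $1 = trust policy JSON text, $2 = expected subject
trust_policy_is_pinned() {
    case "$1" in
        *'*'*)        return 1 ;;
        *StringLike*) return 1 ;;
    esac
    printf '%s' "$1" | grep -q '"[^"]*:sub" *: *\[* *"'"$2"'"'
}

# Usage with the tutorial's variables (values here are constructed samples):
#   OIDC_ENDPOINT=$(oidc_endpoint_from_issuer "$(oc get authentication.config.openshift.io cluster \
#       -o jsonpath='{.spec.serviceAccountIssuer}')") || echo "not an STS cluster"
#   render_secret_policy "$SECRET_ARN" > policy.json
#   render_trust_policy "$OIDC_ENDPOINT" 123456789012 my-application default > trust-policy.json
#   trust_policy_is_pinned "$(cat trust-policy.json)" system:serviceaccount:my-application:default \
#       || echo "refusing to create the role: trust policy is not pinned to one service account"
```

Run the pinning check before aws iam create-role, and again after any later edit of the trust policy; the check is deliberately strict and rejects StringLike even where the pattern contains no wildcard.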

Create an Application to use this secret

  1. Create an OpenShift project

    oc new-project my-application
  2. Annotate the default service account to use the STS Role

    The pod identity webhook reads the eks.amazonaws.com/role-arn annotation and injects the role ARN and a projected web identity token into every pod that runs under this service account.

    oc annotate -n my-application serviceaccount default \
      eks.amazonaws.com/role-arn=$ROLE_ARN
  3. Create a secret provider class to access our secret

    cat << EOF | oc apply -f -
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: my-application-aws-secrets
    spec:
      provider: aws
      parameters:
        objects: |
            - objectName: "MySecret"
              objectType: "secretsmanager"
    EOF
  4. Create a Pod using our secret

    The pod runs under the default service account that was annotated above and mounts the secrets-store CSI volume read-only, referencing the SecretProviderClass. Any image that provides /bin/sleep will do for this test; busybox is used here.

    cat << EOF | oc apply -f -
    apiVersion: v1
    kind: Pod
    metadata:
      name: my-application
      labels:
        app: my-application
    spec:
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "my-application-aws-secrets"
      containers:
      - name: my-application-deployment
        image: busybox
        command:
          - "/bin/sleep"
          - "10000"
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
    EOF
  5. Verify the Pod has the secret mounted

    oc exec -it my-application -- cat /mnt/secrets-store/MySecret

    The file holds the secret string exactly as stored in Secrets Manager, here the JSON document with the username and password. It is written at mount time; the driver does not poll Secrets Manager for changes unless secret rotation is enabled on the driver, so a rotated value is not visible to a running pod by default. If the mount fails, the pod stays in ContainerCreating and oc describe pod my-application shows the provider's error: a failure from sts:AssumeRoleWithWebIdentity points at the trust policy or the service account annotation, an AccessDenied from Secrets Manager at the access policy.
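When the verification step fails, the first question is whether the pod identity webhook actually mutated the pod; the second is how an application with no jq reads a field out of the mounted file. The following functions, added here as an example and not part of the original page, answer both. The environment variable names are the ones the Amazon EKS pod identity webhook injects; the pod JSON and the secret file below are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the original page): two checks that go with the
# verification step. First, confirm the pod identity webhook mutated the pod;
# if the service-account annotation was missed, the pod carries no role or
# token and the mount fails at the STS stage. Second, read one field out of
# the mounted file, which holds the raw secret string, without needing jq in
# the image. The environment variable names are the ones the Amazon EKS pod
# identity webhook injects; the pod JSON and secret file are constructed samples.

# $1 = pod JSON text (from: oc get pod my-application -o json)
# $2 = expected role ARN
# Succeeds only if a container has AWS_WEB_IDENTITY_TOKEN_FILE set and
# AWS_ROLE_ARN equal to the role created for this service account.
pod_has_role_identity() {
    printf '%s' "$1" | grep -q '"AWS_WEB_IDENTITY_TOKEN_FILE"' || return 1
    printf '%s' "$1" | tr -d '\n' \
        | grep -q '"name": *"AWS_ROLE_ARN", *"value": *"'"$2"'"'
}

# $1 = path of the mounted file, $2 = key. Works for a flat
# {"key":"value", ...} string like the one created in Secrets Manager earlier;
# values that themselves contain a double quote are out of scope here.
# Returns 1 (and prints nothing) when the key is absent.
secret_field() {
    local val
    val=$(sed -n 's/.*"'"$2"'" *: *"\([^"]*\)".*/\1/p' "$1")
    [ -n "$val" ] && printf '%s\n' "$val"
}

# Constructed sample of what the webhook injects (abridged pod JSON).
SAMPLE_POD_JSON='{
  "spec": {
    "serviceAccountName": "default",
    "containers": [{
      "name": "my-application-deployment",
      "env": [
        {"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::123456789012:role/openshift-access-to-mysecret"},
        {"name": "AWS_WEB_IDENTITY_TOKEN_FILE", "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}
      ]
    }]
  }
}'

# Constructed sample of the mounted file, identical to the secret string
# stored in Secrets Manager earlier in the tutorial.
write_sample_secret() {   # $1 = destination path
    printf '%s' '{"username":"shadowman", "password":"hunter2"}' > "$1"
}

# Usage on a live cluster:
#   pod_has_role_identity "$(oc get pod my-application -o json)" "$ROLE_ARN" \
#       || echo "webhook did not inject the role: check the service account annotation"
#   oc exec my-application -- cat /mnt/secrets-store/MySecret > /tmp/MySecret \
#       && secret_field /tmp/MySecret password
```

Inside the container the same secret_field function can run from an entrypoint script against /mnt/secrets-store/MySecret, which avoids shipping jq in the application image just to split the JSON document.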


Cleanup

  1. Delete application

    oc delete project my-application
  2. Delete the secrets store csi driver

    helm delete -n csi-secrets-store csi-secrets-store-driver
  3. Remove the privileged SCC from the driver and provider service accounts

    oc adm policy remove-scc-from-user privileged \
    oc adm policy remove-scc-from-user privileged \
  4. Delete the AWS provider

    oc -n csi-secrets-store delete -f \
  5. Delete AWS Roles and Policies

    aws iam detach-role-policy --role-name openshift-access-to-mysecret \
      --policy-arn $POLICY_ARN
    aws iam delete-role --role-name openshift-access-to-mysecret
    aws iam delete-policy --policy-arn $POLICY_ARN
  6. Delete the Secrets Manager secret

    aws secretsmanager --region $REGION delete-secret --secret-id $SECRET_ARN

    By default delete-secret only schedules the deletion and keeps the secret recoverable for 30 days; add --force-delete-without-recovery to remove it immediately.