AWS secrets when applying Kubernetes Resources

[prosto]

We are using Applying Kubernetes Resources in order to deploy our storefront application. We would like to pass through secrets from AWS Secret Manager to k8s POD, e.g.

    const SUPER_SECRET = cdk.SecretValue.secretsManager('/my/awesome/secret', {
      jsonField: 'SECRET_FIELD',
    });

    const deployment = {
      apiVersion: 'apps/v1',
      kind: 'Deployment',
      metadata: { name: 'storefront-deployment' },
      spec: {
        replicas: 1,
        selector: { matchLabels: appLabel },
        template: {
          metadata: { labels: appLabel },
          spec: {
            containers: [
              {
                name: 'storefront-container',
                image,
                ports: [{ containerPort: 3000 }],
                env: [
                  {
                    name: 'SUPER_SECRET',
                    value: SUPER_SECRET,
                  },
                ],
              },
            ],
          },
        },
      },
    };

    new eks.KubernetesManifest(this, 'B2C-Storefront', {
      cluster,
      manifest: [deployment],
      overwrite: true,
    });

After deployment container gets the following environment var: SECRET_FIELD: {{resolve:secretsmanager:/my/awesome/secret:SecretString:SECRET_FIELD::}}. It does not seem to resolve secret value during deployment. Is that expected? How can we pass through secrets from AWS Secret manager to k8s manifests?

CDK Version: 1.105.0

thanks for your help

[MarkMcCulloh]

It is expected, per https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html. Interactions with kubectl are done through custom resources and:

Dynamic references for secure values, such as ssm-secure and secretsmanager, aren't currently supported in custom resources.

I would suggest something like https://github.com/external-secrets/kubernetes-external-secrets for getting the secrets into the cluster and then doing this. In your example you're attempting to put the secret as plaintext in the env, which is probably not a good idea.