
External Secret Operator


This operator reads secrets from a third-party service such as AWS Secrets Manager or AWS SSM and automatically injects the values as Kubernetes Secrets.

Disclaimer ⚠️

This project will not be maintained anymore, and we are trying to concentrate efforts on this new collaboration:



Features

  • Secrets are refreshed periodically, so you can rotate secrets in your providers and still keep everything up to date inside your k8s cluster.
  • Change the refresh interval of the secrets to match your needs. You can even set it to 10s if you need to debug something (beware of API rate limits).
  • For the AWS backend we support both plain string secrets and binary files.
  • You can get specific versions of the secrets or just the latest version of each.
  • If you change something in your ExternalSecret CR, the operator will reconcile it (even if your refresh interval is long).
  • AWS Secrets Manager, Credstash (AWS KMS), Azure Key Vault, Google Secret Manager and Gitlab backends are currently supported!

Quick start

Using Kustomize

Install the operator CRDs

  • Install CRDs
make install

What does it do?

Given a secret defined in AWS Secrets Manager:

% aws secretsmanager create-secret \
  --name=example-externalsecret-key \
  --secret-string='this string is a secret'

and the credentials file referenced by config/credentials/kustomization.yaml updated with valid AWS credentials:

% cat config/credentials/kustomization.yaml
# - credentials-gsm.yaml
- credentials-asm.yaml
# - credentials-dummy.yaml
# - credentials-gitlab.yaml
# - credentials-akv.yaml
% cat config/credentials/credentials-asm.yaml
credentials.json: |-
  {
    "accessKeyID": "AKIA...",
    "secretAccessKey": "cmFuZG9tS2VZb25Eb2Nz...",
    "sessionToken": ""
  }

and a SecretStore resource definition like this one:

% cat config/samples/store_v1alpha1_secretstore.yaml
kind: SecretStore
  name: secretstore-sample
  controller: staging
    type: asm
        name: externalsecret-operator-credentials-asm
      region: eu-west-2

and an ExternalSecret resource definition like this one:

% cat config/samples/secrets_v1alpha1_externalsecret.yaml
kind: ExternalSecret
  name: externalsecret-sample
    name: externalsecret-operator-secretstore-sample
    - key: example-externalsecret-key
      version: latest

The operator fetches the secret from AWS Secrets Manager and injects it as a secret:

% make deploy
% kubectl get secret externalsecret-operator-externalsecret-sample -n externalsecret-operator-system \
  -o jsonpath='{.data.example-externalsecret-key}' | base64 -d
this string is a secret
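The quick start above shows the round trip from the outside: a value created in AWS Secrets Manager comes back out of a Kubernetes Secret after `base64 -d`. The Go program below is an added example (not code from the externalsecret-operator project) that models the same round trip offline: a small `Backend` interface standing in for AWS Secrets Manager, the `key`/`version` pair of the ExternalSecret sample, the base64-encoded `data` map a Kubernetes Secret carries, and the two reconcile triggers from the feature list (refresh interval elapsed, or the CR changed). The interface, type and function names, the in-memory backend and the sample values other than `example-externalsecret-key` / `this string is a secret` are assumptions made for this example, not the operator's own API.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"time"
)

// Backend is the contract a backend fulfils in this example: return the bytes
// stored under key at a version. Name and signature are assumptions, not the operator's API.
type Backend interface {
	Get(key, version string) ([]byte, error)
}

// KeyRef mirrors the key/version pair of the ExternalSecret sample;
// ExternalSecretSpec is the subset of the CR needed to drive one sync.
type KeyRef struct {
	Key     string
	Version string // "latest" or an explicit version id
}

type ExternalSecretSpec struct {
	RefreshInterval time.Duration
	Keys            []KeyRef
}

// memoryBackend stands in for AWS Secrets Manager; versions are kept in
// creation order, so the last entry is "latest".
type versionedValue struct {
	id    string
	value []byte
}

type memoryBackend struct{ versions map[string][]versionedValue }

func (m *memoryBackend) Get(key, version string) ([]byte, error) {
	vs := m.versions[key]
	if len(vs) == 0 {
		return nil, fmt.Errorf("secret %q not found in backend", key)
	}
	if version == "latest" {
		return vs[len(vs)-1].value, nil
	}
	for _, v := range vs {
		if v.id == version {
			return v.value, nil
		}
	}
	return nil, fmt.Errorf("secret %q has no version %q", key, version)
}

// newSampleBackend holds constructed sample data: the quick-start secret with an
// older, rotated-out version, plus a binary secret as mentioned in the feature list.
func newSampleBackend() Backend {
	return &memoryBackend{versions: map[string][]versionedValue{
		"example-externalsecret-key": {
			{id: "v1", value: []byte("old value before rotation")},
			{id: "v2", value: []byte("this string is a secret")},
		},
		"example-binfile": {{id: "v1", value: []byte{0x00, 0xff, 0x10, 0x7f}}},
	}}
}

// BuildSecretData resolves every key and returns the Kubernetes Secret `data` map,
// base64-encoded as `kubectl get secret -o jsonpath` prints it. Any lookup failure
// aborts the whole sync so a partial Secret is never written.
func BuildSecretData(b Backend, spec ExternalSecretSpec) (map[string]string, error) {
	data := make(map[string]string, len(spec.Keys))
	for _, ref := range spec.Keys {
		val, err := b.Get(ref.Key, ref.Version)
		if err != nil {
			return nil, err
		}
		data[ref.Key] = base64.StdEncoding.EncodeToString(val)
	}
	return data, nil
}

// DecodeSecretValue is the `base64 -d` step of the quick start.
func DecodeSecretValue(data map[string]string, key string) ([]byte, error) {
	enc, ok := data[key]
	if !ok {
		return nil, fmt.Errorf("key %q not present in Secret data", key)
	}
	return base64.StdEncoding.DecodeString(enc)
}

// NeedsReconcile captures both triggers from the feature list: the refresh interval
// has elapsed, or the CR changed (its generation was bumped) however long the interval is.
func NeedsReconcile(spec ExternalSecretSpec, lastSync, now time.Time, lastGen, currentGen int64) bool {
	return currentGen != lastGen || !now.Before(lastSync.Add(spec.RefreshInterval))
}

func main() {
	spec := ExternalSecretSpec{RefreshInterval: time.Hour,
		Keys: []KeyRef{{Key: "example-externalsecret-key", Version: "latest"}}}
	data, err := BuildSecretData(newSampleBackend(), spec)
	fmt.Println(data, err)
}
```

Pinning `version: v1` in the spec returns the pre-rotation value while `latest` follows the newest one; a reference to a version the backend does not hold fails the whole sync rather than producing a Secret with a missing key.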


In this article you can find more information about the architecture and design choices.

Here's a high-level diagram of how things are put together.


Running tests

Requirements:
  • Golang 1.15 or later
  • Kubebuilder installed at /usr/local/kubebuilder

Then just:

make test

CRDs Spec

Other Supported Backends

We would like to support as many backends as possible and it should be rather easy to write new ones. Currently supported backends are:

| Provider | Backend Doc |
|----------|-------------|
| AWS Secrets Manager Info | AWS Secrets Manager Backend Docs |
| Credstash Info | Credstash (AWS KMS) Docs |
| GCP Secret Manager Info | GCP Secret Manager Backend Docs |
| Gitlab CI/CD Variables Info | Gitlab CI/CD Variables Backend Docs |
| Azure Key Vault Info | Azure Key Vault Backend Docs |


Yay! We welcome and encourage contributions to this project!

See our contributing document and Issues for planned improvements and additions.
