Open-sourcing kube-secret-syncer: A Kubernetes operator to sync secrets from AWS Secrets Manager

Published on October 20, 2020


Looking for an efficient, flexible and secure way to sync secrets from AWS Secrets Manager to Kubernetes? We’ve got you covered.

We’re releasing the open source code for Kube-secret-syncer, a Kubernetes operator that syncs secrets from AWS Secrets Manager. This operator improves on existing projects by delivering sophisticated access control, templated fields and caching to reduce costs. For those familiar with the struggles of syncing secrets between AWS Secrets Manager and Kubernetes, we hope this comes as a welcome solution.

Securing, auditing and managing your secrets is an administrative task that was made infinitely easier with managed secret stores such as AWS Secrets Manager. Its strong access control, secret rotation and log auditing features enable you to meet strong security and compliance requirements.

Problems can arise when syncing secrets from AWS Secrets Manager to Kubernetes, because this requires a custom solution. Several open source solutions exist, such as Kubernetes External Secrets or AWS Secret Operator, but they fall short in security, caching or flexibility. The costs add up, especially when you’re syncing thousands of secrets.

As a result, our infrastructure team took on the project of developing our take on an operator and built Kube-secret-syncer. Kube-secret-syncer uses caching to retrieve the value of secrets only when they have changed. This feature substantially reduces costs when syncing a large number of secrets. The syncer also enables sophisticated access controls in AWS Secrets Manager using IAM roles. This feature allows more control over which secrets individual Kubernetes namespaces can access. The third feature we introduced was templated fields. Kube-secret-syncer supports templated fields for Kubernetes secrets, enabling the use of values from multiple AWS Secrets Manager secrets in one Kubernetes secret.
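The caching and templated-field ideas described above, sketched as an added example that is not Kube-secret-syncer's own code: values are re-read only when a secret's version ID changes, and one field is rendered from several cached secrets. The names `fakeStore`, `Cache`, `Sync` and `Render`, the use of version IDs as the change signal, and Go's `text/template` as the template engine are assumptions for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// fakeStore stands in for the remote secret store (constructed data, not the AWS SDK).
type fakeStore struct{ versions, values map[string]string }

// Cache holds the last value read for each secret and the version ID it was read at.
type Cache struct {
	store            *fakeStore
	versions, values map[string]string
}

// Sync reads a value only when its version ID changed and returns the number of reads.
func (c *Cache) Sync() (reads int) {
	for name, ver := range c.store.versions {
		if old, ok := c.versions[name]; !ok || old != ver {
			c.versions[name], c.values[name] = ver, c.store.values[name]
			reads++
		}
	}
	for name := range c.versions { // forget secrets deleted upstream
		if _, ok := c.store.versions[name]; !ok {
			delete(c.versions, name)
			delete(c.values, name)
		}
	}
	return reads
}

// Render fills one templated field from cached secrets; a missing secret is an error.
func (c *Cache) Render(field string) (string, error) {
	t, err := template.New("field").Option("missingkey=error").Parse(field)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, c.values)
	return buf.String(), err
}

func main() {
	s := &fakeStore{map[string]string{"db_pass": "v1"}, map[string]string{"db_pass": "constructed-pw"}}
	c := &Cache{s, map[string]string{}, map[string]string{}}
	fmt.Println(c.Sync(), c.Sync()) // first pass reads the value, second pass reads nothing
}
```

The `missingkey=error` option makes a template that references an absent secret fail instead of rendering an empty value into the Kubernetes secret; callers should discard the returned string whenever the error is non-nil.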

Kube-secret-syncer is ready to go, and you can download the source code from GitHub. We would be very interested in hearing your feedback. Please don’t hesitate to get in touch and let us know how it goes.


Meet the authors

Yann Hamon

Reliability & Infrastructure Engineer

Contentful
