Skip to content


This document describes how customers can configure and use External Secrets Operator to provide the functionality to synchronize secrets programmatically with AWS's Secret Manager. The External Secrets Operator provides support for several other cloud providers by using their API to inject values into a K8s secret.

What Will You Do

In this multi-part recipe, you will perform the following:

Part 1

  • Provision an Amazon EKS Cluster

Part 2

  • Create a secret in AWS Secrets Manager
  • Create an IAM Role for Service Accounts (IRSA) so the pod will have permission to pull the secret from the Secrets Manager service
  • Create a custom cluster blueprint with the following addons:

    1. External Secrets Operator
  • Apply the newly created cluster blueprint to your EKS Cluster

Part 3

  • Deploy a SecretStore and ExternalSecret K8s resource to synchronize the secrets created in part 2


  • You have an AWS account with sufficient privileges to provision an EKS cluster using the Controller, create IAM policies, and create secrets
  • You have access to an Org with a role to provision clusters and deploy workloads