AWS secretsmanager high security documentation change
Summary
Added documentation for filePermission parameter in SecretProviderClass configurations
Security assessment
Introduces security controls for file permissions when mounting secrets (e.g., 0600/0400). Proper file permissions prevent unauthorized access to secrets in Kubernetes pods, directly addressing security configuration best practices.
Diff
diff --git a/secretsmanager/latest/userguide/ascp-examples.md b/secretsmanager/latest/userguide/ascp-examples.md index ea6296b73..6dd84ed80 100644 --- a//secretsmanager/latest/userguide/ascp-examples.md +++ b//secretsmanager/latest/userguide/ascp-examples.md @@ -117,0 +118,5 @@ Required if you don't use a Secrets Manager ARN for `objectName`. Can be either +**filePermission** + + +(Optional) The 4 digit octal string which specifies the file permission to mount secret with. If you don't specify this field it will default to `"0644"`. + @@ -142,0 +148,5 @@ The file name to be mounted in the Amazon EKS Pod. If the field contains a hyphe +**filePermission** + + +(Optional) The 4 digit octal string which specifies the file permission to mount secret with. If you don't specify this field it will default to the parent object's file permission. + @@ -254,0 +265,22 @@ This example shows how to mount specific key-value pairs from a JSON-formatted s +#### Example: Mount secrets by file permission + +This example shows how to mount a secret with a specific file permission + + + apiVersion: secrets-store.csi.x-k8s.io/v1 + kind: SecretProviderClass + metadata: + name: aws-secrets + spec: + provider: aws + parameters: + objects: | + - objectName: "mySecret" + objectType: "secretsmanager" + filePermission: "0600" + jmesPath: + - path: username + objectAlias: dbusername + filePermission: "0400" + +