AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-01-10 · Documentation low

File: eks/latest/userguide/argocd-configure-repositories.md

Summary

Updated Argo CD repository configuration documentation: Replaced ECR Helm Charts with ECR OCI Artifacts, added AWS Secrets Manager credential rotation benefits, introduced repository credential templates, removed public repositories section, and standardized IAM policies to AWS-managed policies.

Security assessment

The changes enhance security documentation by promoting credential rotation through AWS Secrets Manager (reducing credential exposure risks), recommending least-privilege AWS-managed policies (AmazonEC2ContainerRegistryPullOnly, AWSSecretsManagerClientReadOnlyAccess), and introducing repository credential templates to minimize secret duplication. No evidence of addressing a specific vulnerability.

Diff

diff --git a/eks/latest/userguide/argocd-configure-repositories.md b/eks/latest/userguide/argocd-configure-repositories.md
index 10642b1cd..04d1e6ca6 100644
--- a//eks/latest/userguide/argocd-configure-repositories.md
+++ b//eks/latest/userguide/argocd-configure-repositories.md
@@ -5 +5 @@
-PrerequisitesAuthentication methodsDirect access to AWS servicesUsing AWS Secrets ManagerUsing AWS CodeConnectionsUsing Kubernetes SecretsPublic repositoriesCodeCommit repositoriesVerify repository connectionAdditional resources
+PrerequisitesAuthentication methodsDirect access to AWS servicesUsing AWS Secrets ManagerUsing AWS CodeConnectionsUsing Kubernetes SecretsCodeCommit repositoriesVerify repository connectionAdditional resources
@@ -32 +32 @@ For direct AWS service integrations (ECR Helm charts, CodeCommit repositories, a
-For credential reuse across multiple repositories, you can use repository credential templates (repocreds). For more information, see [Private Repositories](https://argo-cd.readthedocs.io/en/stable/user-guide/private-repositories/) in the Argo CD documentation.
+AWS CodeConnections can connect to Git servers located in AWS Cloud or on-premises. For more information, see [AWS CodeConnections](https://docs.aws.amazon.com/codeconnections/latest/userguide/welcome.html).
@@ -41 +41 @@ CodeConnections |  Connect to GitHub, GitLab, or Bitbucket with managed authenti
-ECR Helm Charts |  Direct integration with AWS ECR for OCI Helm charts. No Repository configuration needed. |  `ecr:GetAuthorizationToken`, `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`  
+ECR OCI Artifacts |  Direct integration with AWS ECR for OCI Helm charts and manifest images. No Repository configuration needed. |  `arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly`  
@@ -43,4 +43,4 @@ ECR Helm Charts |  Direct integration with AWS ECR for OCI Helm charts. No Repos
-AWS Secrets Manager (Username/Token) |  Store personal access tokens or passwords |  `secretsmanager:GetSecretValue`  
-AWS Secrets Manager (SSH Key) |  Use SSH key authentication |  `secretsmanager:GetSecretValue`  
-AWS Secrets Manager (GitHub App) |  GitHub App authentication with private key |  `secretsmanager:GetSecretValue`  
-Kubernetes Secret |  Standard Argo CD method using in-cluster secrets |  None (trust policy only)  
+AWS Secrets Manager (Username/Token) |  Store personal access tokens or passwords. Enables credential rotation without Kubernetes access. |  `arn:aws:iam::aws:policy/AWSSecretsManagerClientReadOnlyAccess`  
+AWS Secrets Manager (SSH Key) |  Use SSH key authentication. Enables credential rotation without Kubernetes access. |  `arn:aws:iam::aws:policy/AWSSecretsManagerClientReadOnlyAccess`  
+AWS Secrets Manager (GitHub App) |  GitHub App authentication with private key. Enables credential rotation without Kubernetes access. |  `arn:aws:iam::aws:policy/AWSSecretsManagerClientReadOnlyAccess`  
+Kubernetes Secret |  Standard Argo CD method using in-cluster secrets |  None (permissions handled by EKS Access Entry with Kubernetes RBAC)  
@@ -154 +154 @@ Note: Include the `oci://` prefix when using OCI format. Use the `path` field in
-Required Capability Role permissions:
+Required Capability Role permissions - attach the managed policy:
@@ -157,14 +157,3 @@ Required Capability Role permissions:
-    {
-      "Version": "2012-10-17",		 	 	 
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "ecr:GetAuthorizationToken",
-            "ecr:BatchGetImage",
-            "ecr:GetDownloadUrlForLayer"
-          ],
-          "Resource": "*"
-        }
-      ]
-    }
+    arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
+
+This policy includes the necessary ECR permissions: `ecr:GetAuthorizationToken`, `ecr:BatchGetImage`, and `ecr:GetDownloadUrlForLayer`.
@@ -174 +163,5 @@ Required Capability Role permissions:
-Store repository credentials in Secrets Manager and reference them in Argo CD Repository configurations.
+Store repository credentials in Secrets Manager and reference them in Argo CD Repository configurations. Using Secrets Manager enables automated credential rotation without requiring Kubernetes RBAC access—credentials can be rotated using IAM permissions to Secrets Manager, and Argo CD automatically reads the updated values.
+
+###### Note
+
+For credential reuse across multiple repositories (for example, all repositories under a GitHub organization), use repository credential templates with `argocd.argoproj.io/secret-type: repo-creds`. This provides better UX than creating individual repository secrets. For more information, see [Repository Credentials](https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-repo-creds-yaml/) in the Argo CD documentation.
@@ -298,0 +292,23 @@ The `githubAppPrivateKeySecret` value must be base64 encoded.
+### Repository credential templates
+
+For credential reuse across multiple repositories (for example, all repositories under a GitHub organization or user), use repository credential templates with `argocd.argoproj.io/secret-type: repo-creds`. This provides better UX than creating individual repository secrets for each repository.
+
+**Create a repository credential template** :
+    
+    
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: github-org-creds
+      namespace: argocd
+      labels:
+        argocd.argoproj.io/secret-type: repo-creds
+    stringData:
+      type: git
+      url: https://github.com/your-org
+      secretArn: arn:aws:secretsmanager:us-west-2:111122223333:secret:argocd/github-org-AbCdEf
+
+This credential template applies to all repositories matching the URL prefix ` [https://github.com/your-org](https://github.com/your-org) `. You can then reference any repository under this organization in Applications without creating additional secrets.
+
+For more information, see [Repository Credentials](https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-repo-creds-yaml/) in the Argo CD documentation.
+
@@ -301 +317 @@ The `githubAppPrivateKeySecret` value must be base64 encoded.
-Ensure your IAM Capability Role has `secretsmanager:GetSecretValue` permissions for the secrets you create. See [Argo CD considerations](./argocd-considerations.html) for IAM policy configuration.
+Ensure your IAM Capability Role has the managed policy `arn:aws:iam::aws:policy/AWSSecretsManagerClientReadOnlyAccess` attached, or equivalent permissions including `secretsmanager:GetSecretValue` and KMS decrypt permissions. See [Argo CD considerations](./argocd-considerations.html) for IAM policy configuration.
@@ -347,17 +362,0 @@ Store credentials directly in Kubernetes using the standard Argo CD method.
-## Public repositories
-
-No additional configuration needed for public repositories:
-    
-    
-    apiVersion: argoproj.io/v1alpha1
-    kind: Application
-    metadata:
-      name: public-app
-      namespace: argocd
-    spec:
-      source:
-        repoURL: https://github.com/argoproj/argocd-example-apps
-        targetRevision: HEAD
-        path: guestbook
-      # ... rest of configuration
-