AWS Secrets Manager Integration

This guide covers configuring secrets management for Kindo on AWS using the kindo-secrets Terraform module.

Overview

The kindo-secrets module:

  • Creates AWS Secrets Manager entries for all Kindo services
  • Generates secure passwords for databases and services
  • Manages API keys and external service credentials
  • Integrates with External Secrets Operator in Kubernetes

Quick Start

  1. Set up the secrets stack:

    cd kindo-modules/stacks/secrets
    cp terraform.tfvars.example terraform.tfvars
  2. Configure terraform.tfvars with infrastructure outputs from the previous step and external service credentials.

  3. Deploy:

    terraform init
    terraform plan
    terraform apply

Configuration

Required Infrastructure References

The secrets module needs outputs from the infrastructure deployment:

project_name = "mycompany"
environment = "production"
aws_region = "us-west-2"
# From infra-aws outputs
rds_endpoint = "mycompany-production.xxx.us-west-2.rds.amazonaws.com"
redis_endpoint = "mycompany-production.xxx.cache.amazonaws.com"
rabbitmq_endpoint = "amqps://xxx.mq.us-west-2.amazonaws.com"

External Service Credentials

# AI Provider API Keys (at least one required)
openai_api_key = "sk-..."
anthropic_api_key = "sk-ant-..."
# Vector Database
pinecone_api_key = "..."
pinecone_environment = "us-east-1-aws"
pinecone_index_name = "kindo-embeddings"
# Kindo Registry
kindo_registry_username = "..."
kindo_registry_password = "..."
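Once filled in, terraform.tfvars holds plaintext API keys and registry credentials, so it belongs outside version control with owner-only permissions. The following pre-apply check is an added example, not part of the kindo-modules project: the variable names are the ones listed above, while the rule that a value of "..." (or ending in "...") is an unfilled placeholder, the expectation that rabbitmq_endpoint uses the amqps:// scheme shown in the example, and the file-permission check are assumptions made here.

```shell
#!/usr/bin/env bash
# Pre-apply checks for a kindo-secrets terraform.tfvars (added example, not part
# of the kindo-modules project). Variable names come from the documentation; the
# "..." placeholder rule, the amqps:// expectation and the permission check are
# assumptions made in this script.

# tfvar_value FILE KEY -> prints the quoted string value assigned to KEY, or nothing.
tfvar_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# is_placeholder VALUE -> 0 if VALUE is empty or still an unfilled "..." stub.
is_placeholder() {
  case "$1" in
    ""|"..."|*"...") return 0 ;;
    *) return 1 ;;
  esac
}

# check_tfvars FILE -> 0 when every required variable is filled in, at least one
# AI provider key is present, the broker URL uses TLS and the file is private;
# 1 otherwise. Findings are printed to stdout.
check_tfvars() {
  local file="$1" rc=0 key val
  # Infrastructure references, vector database and registry credentials are all required.
  local required="project_name environment aws_region rds_endpoint redis_endpoint
    rabbitmq_endpoint pinecone_api_key pinecone_environment pinecone_index_name
    kindo_registry_username kindo_registry_password"
  for key in $required; do
    val=$(tfvar_value "$file" "$key")
    if is_placeholder "$val"; then
      echo "ERROR: $key is missing or still a placeholder"
      rc=1
    fi
  done

  # The AI provider keys are "at least one required".
  local openai anthropic
  openai=$(tfvar_value "$file" openai_api_key)
  anthropic=$(tfvar_value "$file" anthropic_api_key)
  if is_placeholder "$openai" && is_placeholder "$anthropic"; then
    echo "ERROR: set openai_api_key or anthropic_api_key"
    rc=1
  fi

  # The documented example uses amqps://; flag a broker URL that would skip TLS.
  val=$(tfvar_value "$file" rabbitmq_endpoint)
  case "$val" in
    amqps://*|"") ;;
    *) echo "ERROR: rabbitmq_endpoint should use amqps:// (TLS), got: $val"; rc=1 ;;
  esac

  # The file holds plaintext credentials; refuse to proceed if group/other can read it.
  case "$(ls -ld "$file" | cut -c5-10)" in
    ------) ;;
    *) echo "ERROR: $file is readable by group/other; run: chmod 600 $file"; rc=1 ;;
  esac
  return $rc
}

# Usage: check_tfvars terraform.tfvars && terraform plan
```

Run it from the stacks/secrets directory before terraform plan; a non-zero exit means at least one finding was printed.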

Auto-Generated Secrets

The module automatically generates these secrets:

Secret                 Purpose
nextauth-secret        NextAuth session encryption
key-encryption-key     Data encryption key
um-internal-api-key    Internal API authentication
litellm-master-key     LiteLLM proxy authentication
unleash-admin-token    Unleash admin API access
unleash-client-token   Unleash client-side access

External Secrets Operator Integration

The module creates ExternalSecret resources that sync AWS Secrets Manager entries to Kubernetes secrets in the appropriate namespaces.

After the peripheries stack (which includes External Secrets Operator) is deployed, the operator syncs the secrets into Kubernetes automatically.

Verify synchronization:

# Check secret sync status
kubectl get externalsecrets -A
kubectl get secrets -n api
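Listing the resources shows whether they exist; whether each one has actually synced is recorded on its Ready condition, which External Secrets Operator sets to True with reason SecretSynced on success and to False with a reason such as SecretSyncedError on failure. The script below is an added example, not part of the kindo-modules project: it pulls that condition for every ExternalSecret and reports the ones that have not synced. Only the "api" namespace is taken from this page; the other namespaces and the sample output used for the offline test are constructed.

```shell
#!/usr/bin/env bash
# Sync check for External Secrets Operator resources (added example, not part of
# the kindo-modules project). The Ready condition, its status and reason are
# standard ESO fields; the sample namespaces other than "api" are constructed.

# Fetch one tab-separated line per ExternalSecret: namespace, name, Ready status,
# Ready reason. Requires cluster access; not used by the offline test.
fetch_externalsecret_status() {
  kubectl get externalsecrets -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.status.conditions[?(@.type=="Ready")].status}{"\t"}{.status.conditions[?(@.type=="Ready")].reason}{"\n"}{end}'
}

# Read that TSV on stdin; print every ExternalSecret whose Ready condition is not
# "True" (including ones that have no condition yet) and return 1 if any were found.
unsynced_externalsecrets() {
  awk -F'\t' '
    $3 != "True" {
      printf "NOT SYNCED  %s/%s  ready=%s reason=%s\n", $1, $2,
             ($3 == "" ? "none" : $3), ($4 == "" ? "none" : $4)
      bad++
    }
    END { exit (bad > 0) ? 1 : 0 }
  '
}

# count_unsynced -> number of unsynced ExternalSecrets read from stdin.
count_unsynced() {
  unsynced_externalsecrets | wc -l | tr -d ' '
}

# Usage against a live cluster:
#   fetch_externalsecret_status | unsynced_externalsecrets \
#     || echo "some ExternalSecrets have not synced; check: kubectl describe externalsecret <name> -n <ns>"
```

A secret that exists in the namespace but whose ExternalSecret is not Ready may be stale or empty, so treat any line in this output as a blocker before continuing to the next stack.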

Next Steps

Proceed to AWS Peripherals to deploy supporting services.