AWS Secrets Manager Integration
This guide covers configuring secrets management for Kindo on AWS using the kindo-secrets Terraform module.
Overview
The kindo-secrets module:
- Creates AWS Secrets Manager entries for all Kindo services
- Generates secure passwords for databases and services
- Manages API keys and external service credentials
- Integrates with External Secrets Operator in Kubernetes
Quick Start
1. Set up the secrets stack:

```bash
cd kindo-modules/stacks/secrets
cp terraform.tfvars.example terraform.tfvars
```

2. Configure `terraform.tfvars` with the infrastructure outputs from the previous step and the external service credentials. The file holds plaintext credentials, so keep it out of version control.

3. Deploy:

```bash
terraform init
terraform plan
terraform apply
```
Configuration
Required Infrastructure References
The secrets module needs outputs from the infrastructure deployment:
```hcl
project_name = "mycompany"
environment  = "production"
aws_region   = "us-west-2"

# From infra-aws outputs
rds_endpoint      = "mycompany-production.xxx.us-west-2.rds.amazonaws.com"
redis_endpoint    = "mycompany-production.xxx.cache.amazonaws.com"
rabbitmq_endpoint = "amqps://xxx.mq.us-west-2.amazonaws.com"
```

External Service Credentials

```hcl
# AI Provider API Keys (at least one required)
openai_api_key    = "sk-..."
anthropic_api_key = "sk-ant-..."

# Vector Database
pinecone_api_key     = "..."
pinecone_environment = "us-east-1-aws"
pinecone_index_name  = "kindo-embeddings"

# Kindo Registry
kindo_registry_username = "..."
kindo_registry_password = "..."
```

Auto-Generated Secrets
The module generates these secrets at apply time and stores them in Secrets Manager. Because Terraform produces them, their values are also held in Terraform state, so the state backend must be encrypted and access to it limited to the people who may read the secrets themselves.

| Secret | Purpose |
|---|---|
| nextauth-secret | NextAuth session token signing and encryption |
| key-encryption-key | Data encryption key |
| um-internal-api-key | Internal API authentication |
| litellm-master-key | LiteLLM proxy authentication |
| unleash-admin-token | Unleash admin API access |
| unleash-client-token | Unleash client-side access |
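The following is an added example of how one auto-generated entry and one externally supplied credential can be produced and written to Secrets Manager with Terraform. It is not the kindo-secrets module's own code; the `project_name`/`environment` variables, the `<project>/<environment>/<name>` naming prefix and the customer-managed KMS key are assumptions made for illustration.

```hcl
# Added example, not the kindo-secrets module's code.  Variable names,
# the secret naming prefix and the KMS key are assumptions.

terraform {
  required_providers {
    aws    = { source = "hashicorp/aws", version = ">= 5.0" }
    random = { source = "hashicorp/random", version = ">= 3.5" }
  }
}

variable "project_name" { type = string }
variable "environment"  { type = string }

locals {
  # Secrets Manager names are flat strings; a "/"-separated prefix lets
  # an IAM policy scope the reader (ESO) to this project/environment only.
  secret_prefix = "${var.project_name}/${var.environment}"
}

# Assumed: a customer-managed key, so reading a secret also requires
# kms:Decrypt on this key, not only secretsmanager:GetSecretValue.
resource "aws_kms_key" "secrets" {
  description         = "${local.secret_prefix} secrets"
  enable_key_rotation = true
}

# Auto-generated secret: 48 characters from the random provider.
# override_special excludes characters that break URL-style config.
resource "random_password" "nextauth_secret" {
  length           = 48
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

resource "aws_secretsmanager_secret" "nextauth_secret" {
  name                    = "${local.secret_prefix}/nextauth-secret"
  kms_key_id              = aws_kms_key.secrets.arn
  recovery_window_in_days = 7 # an accidental destroy can be undone
}

resource "aws_secretsmanager_secret_version" "nextauth_secret" {
  secret_id     = aws_secretsmanager_secret.nextauth_secret.id
  secret_string = random_password.nextauth_secret.result
}

# Externally supplied credential: same storage path, value comes from
# terraform.tfvars.  sensitive = true keeps it out of plan/apply output;
# it is still written to state in plaintext.
variable "openai_api_key" {
  type      = string
  sensitive = true
}

resource "aws_secretsmanager_secret" "openai_api_key" {
  name       = "${local.secret_prefix}/openai-api-key"
  kms_key_id = aws_kms_key.secrets.arn
}

resource "aws_secretsmanager_secret_version" "openai_api_key" {
  secret_id     = aws_secretsmanager_secret.openai_api_key.id
  secret_string = var.openai_api_key
}

output "secret_prefix" {
  value = local.secret_prefix
}
```

The prefix is what makes least privilege practical later: the IAM role that External Secrets Operator assumes can be limited to `arn:aws:secretsmanager:<region>:<account>:secret:<prefix>/*` instead of every secret in the account.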
External Secrets Operator Integration
The module creates ExternalSecret resources that sync AWS Secrets Manager entries to Kubernetes secrets in the appropriate namespaces.
After deploying the peripheries stack (which includes External Secrets Operator), the operator reconciles the ExternalSecret resources and the corresponding Kubernetes Secrets appear in their namespaces. The operator's AWS identity needs read access (secretsmanager:GetSecretValue, plus kms:Decrypt if the entries use a customer-managed key) to these entries; scope that permission to the project's secrets rather than granting it account-wide.
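As an added example of the sync described above, not the module's own manifests: a ClusterSecretStore backed by AWS Secrets Manager and one ExternalSecret that syncs the `nextauth-secret` entry into the `api` namespace, both created through Terraform's `kubernetes_manifest` resource. The secret name prefix, the `external-secrets` service account and namespace, the `api` namespace and the `NEXTAUTH_SECRET` key name are assumptions.

```hcl
# Added example, not the kindo-secrets module's code.  The prefix,
# service account, namespaces and key names are assumptions.

terraform {
  required_providers {
    kubernetes = { source = "hashicorp/kubernetes", version = ">= 2.23" }
  }
}

variable "secret_prefix" { type = string } # e.g. "mycompany/production"
variable "aws_region"    { type = string }

# The store authenticates as the operator's service account (IRSA).
# That role needs only secretsmanager:GetSecretValue and
# secretsmanager:DescribeSecret on secrets under the prefix.
resource "kubernetes_manifest" "aws_store" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
    kind       = "ClusterSecretStore"
    metadata   = { name = "aws-secrets-manager" }
    spec = {
      provider = {
        aws = {
          service = "SecretsManager"
          region  = var.aws_region
          auth = {
            jwt = {
              serviceAccountRef = {
                name      = "external-secrets"
                namespace = "external-secrets"
              }
            }
          }
        }
      }
    }
  }
}

resource "kubernetes_manifest" "nextauth_secret" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
    kind       = "ExternalSecret"
    metadata   = { name = "nextauth-secret", namespace = "api" }
    spec = {
      # Re-read periodically so a rotation in Secrets Manager reaches the cluster.
      refreshInterval = "1h"
      secretStoreRef  = { name = "aws-secrets-manager", kind = "ClusterSecretStore" }
      target = {
        name           = "nextauth-secret"
        creationPolicy = "Owner" # ESO owns the Secret; deleting the ExternalSecret removes it
      }
      data = [{
        secretKey = "NEXTAUTH_SECRET" # key inside the Kubernetes Secret
        remoteRef = { key = "${var.secret_prefix}/nextauth-secret" }
      }]
    }
  }
  depends_on = [kubernetes_manifest.aws_store]
}
```

`kubernetes_manifest` validates against the cluster's CRDs at plan time, so the ESO CRDs must already be installed (which is why the peripheries stack goes first). `refreshInterval` is what makes rotation effective: a Secret synced once and never refreshed keeps serving a revoked value.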
Verify synchronization:

```bash
# Check secret sync status
kubectl get externalsecrets -A
kubectl get secrets -n api
```

Each ExternalSecret should report STATUS SecretSynced and READY True. If one does not, describe it to see the error returned by the store; the usual causes are a secret name that does not exist under the expected prefix or an IAM or KMS access denial for the operator's role.

Next Steps
Proceed to AWS Peripherals to deploy supporting services.