Instead of storing RAD Security Cluster API keys as Kubernetes secrets, they can be stored and retrieved from AWS Secrets Manager. Pass the Secret ID into rad.awsSecretId in the Helm Chart.

Secret Format

The Secrets Manager secret must follow this JSON structure:
{
  "access-key-id": "value copied from the RAD Security UI, decoded from base64",
  "secret-key": "value copied from the RAD Security UI, decoded from base64"
}

Authentication Setup

Plugins need AWS authentication configured. Any supported authentication method can be used.

IRSA (IAM Roles for Service Accounts)

IRSA requires a Role with proper OIDC permissions. Set the service account annotations in your values.yaml:
guard:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets

sbom:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets

sync:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets

watch:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets

k9:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets

runtime:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets
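
The following is an added example, not part of the RAD Security documentation or chart: a check that the trust policy of the role referenced in the annotations above is limited to the RAD service accounts rather than the whole cluster. It assumes IRSA uses the same service account names this page lists for the rad namespace under EKS Pod Identity; the OIDC issuer ID and region are constructed placeholders, and trust_policy and audit_irsa_trust are hypothetical helper names.

```python
import json

# Constructed sample values: the issuer ID and region are placeholders.
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"
# Assumption: IRSA uses the service accounts this page lists for the rad namespace.
RAD_SUBJECTS = {f"system:serviceaccount:rad:{sa}" for sa in (
    "rad-sbom", "rad-guard", "agent-rad-k9", "rad-node-agent", "rad-sync", "rad-watch")}

def trust_policy(condition):
    """Build a trust policy for the OIDC provider with the given Condition block."""
    stmt = {"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

def audit_irsa_trust(policy, issuer=ISSUER, allowed=RAD_SUBJECTS):
    """Return findings per web-identity statement; an empty list means scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        exact = cond.get("StringEquals", {})
        subs = exact.get(f"{issuer}:sub")
        if subs is None:
            if f"{issuer}:sub" in cond.get("StringLike", {}):
                findings.append("sub uses StringLike; check for wildcards that match other service accounts")
            else:
                findings.append("no sub condition; any service account in the cluster can assume the role")
        else:
            extra = ({subs} if isinstance(subs, str) else set(subs)) - allowed
            if extra:
                findings.append(f"unexpected subjects: {sorted(extra)}")
        if exact.get(f"{issuer}:aud") not in ("sts.amazonaws.com", ["sts.amazonaws.com"]):
            findings.append("aud is not pinned to sts.amazonaws.com")
    return findings

# Weak: trusts every service account in the cluster. Scoped: only the RAD ones.
WEAK = trust_policy(None)
SCOPED = trust_policy({"StringEquals": {
    f"{ISSUER}:sub": sorted(RAD_SUBJECTS), f"{ISSUER}:aud": "sts.amazonaws.com"}})

if __name__ == "__main__":
    print(json.dumps(SCOPED, indent=2))
    for name, pol in (("weak", WEAK), ("scoped", SCOPED)):
        print(name, audit_irsa_trust(pol))
```

The role's permission policy should be narrowed in the same spirit, granting read access only to the secret whose ID is passed in rad.awsSecretId.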

EKS Pod Identity

EKS Pod Identity requires less configuration than IRSA. The following service accounts in the rad namespace need access:
  • rad-sbom
  • rad-guard
  • agent-rad-k9
  • rad-node-agent
  • rad-sync
  • rad-watch