# Using AWS Secrets Manager To Store Cluster API Keys

> Store RAD Security cluster API keys in AWS Secrets Manager instead of Kubernetes secrets

Instead of storing RAD Security cluster API keys as Kubernetes secrets, they can be stored in and retrieved from AWS Secrets Manager. Pass the Secret ID into `rad.awsSecretId` in the Helm chart.

## Secret Format

The Secrets Manager secret must follow this JSON structure:

```json
{
  "access-key-id": "value copied from the RAD Security UI, decoded from base64",
  "secret-key": "value copied from the RAD Security UI, decoded from base64"
}
```
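The two values are copied from the UI in base64 form and must be decoded before they go into the secret. The following added example (not part of the RAD Security documentation or product code) builds the JSON SecretString from the base64 values and validates an existing SecretString before the plugins are pointed at it; the function names and the `rad/cluster-api-key` secret name are assumptions.

```python
import base64
import binascii
import json

# Key names the plugins expect in the Secrets Manager secret (see Secret Format above).
REQUIRED_KEYS = ("access-key-id", "secret-key")


def decode_ui_value(b64_value: str) -> str:
    """Decode a value as copied from the RAD Security UI (base64 -> text).

    A bad paste fails here with ValueError instead of at plugin start-up.
    """
    try:
        raw = base64.b64decode(b64_value.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    text = raw.decode("utf-8")
    if not text:
        raise ValueError("decoded value is empty")
    return text


def build_secret_string(b64_access_key_id: str, b64_secret_key: str) -> str:
    """Return the JSON document to store as the SecretString."""
    return json.dumps({
        "access-key-id": decode_ui_value(b64_access_key_id),
        "secret-key": decode_ui_value(b64_secret_key),
    })


def validate_secret_string(secret_string: str) -> dict:
    """Check a SecretString (e.g. from `aws secretsmanager get-secret-value`)
    is a JSON object carrying both required keys as non-empty strings."""
    data = json.loads(secret_string)
    if not isinstance(data, dict):
        raise ValueError("SecretString must be a JSON object")
    for key in REQUIRED_KEYS:
        if not isinstance(data.get(key), str) or not data[key]:
            raise ValueError(f"{key!r} missing or not a non-empty string")
    return data


if __name__ == "__main__":
    # Constructed sample values, base64-encoded the way the UI presents them.
    sample_id = base64.b64encode(b"example-access-key-id").decode()
    sample_key = base64.b64encode(b"example-secret-key").decode()
    secret_string = build_secret_string(sample_id, sample_key)
    print(validate_secret_string(secret_string))
    # Store it with, for example:
    # aws secretsmanager create-secret --name rad/cluster-api-key --secret-string "$SECRET_STRING"
```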

## Authentication Setup

Plugins need AWS authentication configured. Any supported authentication method can be used.

### IRSA (IAM Roles for Service Accounts)

IRSA requires an IAM role that the cluster's OIDC provider is trusted to assume and that is permitted to read the secret. Set the service account annotations in your `values.yaml`:

```yaml
guard:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets

sbom:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets

sync:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets

watch:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets

k9:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets

runtime:
  serviceAccountAnnotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name-which-can-read-secrets
```

### EKS Pod Identity

EKS Pod Identity requires less configuration than IRSA. The following service accounts in the `rad` namespace need access to the secret:

* `rad-sbom`
* `rad-guard`
* `agent-rad-k9`
* `rad-node-agent`
* `rad-sync`
* `rad-watch`
