CNO for Visibility: Storing the instance credentials in AWS Secrets Manager

The informer program running in the Kubernetes cluster connects to the ServiceNow instance using credentials provided by the user. By default, those credentials are stored as a Kubernetes secret. However, when the Kubernetes cluster is hosted on Amazon Elastic Kubernetes Service (EKS), the credentials can instead be pulled from AWS Secrets Manager.

Creating a Secret using AWS Secrets Manager

In your AWS console, look for the service called "Secrets Manager" and click "Store new secret". Choose "Other type of secret". Then add two key/value pairs with the keys username and password. Those should hold the credentials to your ServiceNow instance. In this example, the secret is named aws-secrets.

Once the secret is created, keep the secret's ARN.

Creating an IAM Role

If you already have an IAM role that has read access to the secret, keep the role ARN and skip to the next section.

Find the OpenID Connect Provider

In your AWS console, open your cluster screen and identify the OpenID Connect Provider URL.

Create an IAM Identity Provider

Navigate to IAM / Identity Providers and add a new provider. In "Provider type" select "OpenID Connect". The provider URL is the URL found in the previous step (click the "Get thumbprint" button after entering the URL). The audience is sts.amazonaws.com.

Create a Policy with Access to Secrets in the Secrets Manager

Navigate to IAM / Policies and create a new policy. The policy should have at least the following permissions:

secretsmanager:GetSecretValue
secretsmanager:DescribeSecret

In this example, the policy name is SecretManagerPolicy.

Create a Role with Access to Secrets in the Secrets Manager

Navigate to IAM / Roles and create a new role. Select "Web identity" as the trusted entity type; the audience is sts.amazonaws.com and the identity provider is the one created in the previous steps.

Click "Add permissions" and associate the role with the policy created in the previous step (SecretManagerPolicy in this example). Keep the ARN of the role you just created.

Installing AWS Secrets and Configuration Provider (ASCP)

For this feature to work, ASCP must be installed in your EKS cluster. Follow the ASCP installation instructions to complete this task.

Installing the Informer

When using the Helm chart, add the following command-line arguments:

```
--set secretProvider=aws
--set awsSecretManagerSecretArn=<the secret ARN>   (example: "arn:aws:secretsmanager:eu-central-1:405311743945:secret:aws-secrets-7vzPh1")
--set awsSecretManagerRoleArn=<the role ARN>       (example: "arn:aws:iam::405311743945:role/EKSSecrets")
```

When using the Kubernetes YAML file:

Create a new file with the following content. Replace INSTANCE_NAME and SECRET_ARN:

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: k8s-informer-aws-INSTANCE_NAME
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: SECRET_ARN
        jmesPath:
          - path: username
            objectAlias: .user
          - path: password
            objectAlias: .password
```

Run kubectl apply -f <file name> to deploy this file.

In k8s_informer.yaml, add an annotation to the ServiceAccount section. Replace ROLE_ARN with the ARN of the role you created:

```yaml
annotations:
  eks.amazonaws.com/role-arn: ROLE_ARN
```

In the Deployment section of k8s_informer.yaml, replace this part:

```yaml
secret:
  secretName: k8s-informer-cred-INSTANCE_NAME
```

with these lines:

```yaml
csi:
  driver: secrets-store.csi.k8s.io
  readOnly: true
  volumeAttributes:
    secretProviderClass: k8s-informer-aws-INSTANCE_NAME
```
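The policy and role from the "Creating an IAM Role" section above, written out as the two IAM policy documents the console steps produce, so that the permissions policy is limited to the one secret and the trust policy only admits the informer's own ServiceAccount. This is an added example, not part of the ServiceNow documentation; the OIDC provider id, the namespace and the ServiceAccount name are placeholders you must replace with your cluster's values.

```shell
# Added example, not from the ServiceNow documentation: render the permissions policy (scoped to
# the one secret) and the trust policy (scoped to the informer's ServiceAccount) for the informer role.
ACCOUNT_ID="405311743945"   # account id taken from the example ARNs on this page
SECRET_ARN="arn:aws:secretsmanager:eu-central-1:405311743945:secret:aws-secrets-7vzPh1"
OIDC_HOST="oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLE0123456789"  # placeholder: cluster OIDC URL minus https://
NAMESPACE="default"             # assumption: namespace the informer is deployed to
SERVICE_ACCOUNT="k8s-informer"  # assumption: ServiceAccount name in k8s_informer.yaml
# Permissions policy: only the two actions the page lists, only on this secret
# (a Resource of "*" would let the informer read every secret in the account).
permissions_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": "$1"
  }]
}
EOF
}
# Trust policy: the OIDC provider may assume the role only with a token whose audience is
# sts.amazonaws.com and whose subject is the informer's ServiceAccount; without the sub
# condition any pod in the cluster with a projected token could assume the role.
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::$1:oidc-provider/$2"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "$2:aud": "sts.amazonaws.com",
      "$2:sub": "system:serviceaccount:$3:$4"
    }}
  }]
}
EOF
}
# Pass "apply" to create the policy and role with the AWS CLI; otherwise only print them.
if [ "${1:-}" = "apply" ]; then
  permissions_policy_json "$SECRET_ARN" > SecretManagerPolicy.json
  trust_policy_json "$ACCOUNT_ID" "$OIDC_HOST" "$NAMESPACE" "$SERVICE_ACCOUNT" > trust.json
  aws iam create-policy --policy-name SecretManagerPolicy --policy-document file://SecretManagerPolicy.json
  aws iam create-role --role-name EKSSecrets --assume-role-policy-document file://trust.json
  aws iam attach-role-policy --role-name EKSSecrets --policy-arn "arn:aws:iam::$ACCOUNT_ID:policy/SecretManagerPolicy"
else
  permissions_policy_json "$SECRET_ARN"; trust_policy_json "$ACCOUNT_ID" "$OIDC_HOST" "$NAMESPACE" "$SERVICE_ACCOUNT"
fi
```

The role ARN printed by create-role is the value to put in awsSecretManagerRoleArn or in the eks.amazonaws.com/role-arn annotation.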