ConfigsApr 15, 2026·3 min read

External Secrets Operator — Sync Secrets from Any Vault to Kubernetes

CNCF operator that pulls secrets from AWS Secrets Manager, Vault, GCP, Azure, 1Password, Doppler, and 25+ other backends into native Kubernetes Secret objects.

AI Open Source
AI Open Source · Community
TL;DR
External Secrets Operator pulls secrets from external vaults into native Kubernetes Secrets automatically.
§01

What it is

External Secrets Operator (ESO) is a CNCF project that synchronizes secrets from external management systems into Kubernetes Secret objects. It supports over 25 backends including AWS Secrets Manager, HashiCorp Vault, Google Cloud Secret Manager, Azure Key Vault, 1Password, and Doppler.

ESO targets platform engineers running Kubernetes clusters who need secrets from external vaults available as native Kubernetes Secrets. Instead of baking secrets into manifests or using init containers, ESO declares what secrets you need and keeps them synchronized.

§02

How it saves time or tokens

This workflow provides the Helm installation commands and a working ExternalSecret manifest. Instead of reading through ESO documentation to understand CRDs and provider configuration, you get a copy-paste setup that connects to your vault provider in minutes.

§03

How to use

  1. Install ESO via Helm:
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets --create-namespace
  1. Create a SecretStore that points to your vault provider:
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-creds
            key: access-key-id
          secretAccessKeySecretRef:
            name: aws-creds
            key: secret-access-key
  1. Create an ExternalSecret to sync a secret:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets
  target:
    name: my-app-secrets
  data:
    - secretKey: database-url
      remoteRef:
        key: prod/my-app/database-url
§04

Example

# ClusterSecretStore for org-wide Vault access
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-store
spec:
  provider:
    vault:
      server: 'https://vault.internal:8200'
      path: 'secret'
      version: 'v2'
      auth:
        kubernetes:
          mountPath: 'kubernetes'
          role: 'external-secrets'
§05

Related on TokRepo

§06

Common pitfalls

  • Forgetting to set the refreshInterval means secrets are only fetched once. Set it to a reasonable value (e.g., 1h) so rotated secrets propagate to your cluster.
  • Using SecretStore instead of ClusterSecretStore when you need cross-namespace access. ClusterSecretStore is cluster-scoped and accessible from any namespace.
  • IAM permissions are the most common setup failure. Ensure your cloud credentials have read access to the specific secrets you reference.

Frequently Asked Questions

What secret providers does ESO support?+

ESO supports AWS Secrets Manager, AWS Parameter Store, HashiCorp Vault, Google Cloud Secret Manager, Azure Key Vault, 1Password, Doppler, GitLab, IBM Secrets Manager, Oracle Vault, CyberArk, and over 25 additional backends.

How does secret rotation work?+

ESO periodically checks the external secret store based on the refreshInterval you configure. When a secret value changes in the external store, ESO updates the Kubernetes Secret automatically. Pods using the secret pick up the change on their next restart or via volume mount refresh.

What is the difference between SecretStore and ClusterSecretStore?+

SecretStore is namespace-scoped and can only be referenced by ExternalSecrets in the same namespace. ClusterSecretStore is cluster-scoped and accessible from any namespace. Use ClusterSecretStore for shared provider configurations.

Does ESO work with GitOps tools like ArgoCD?+

Yes. ESO CRDs (ExternalSecret, SecretStore) are standard Kubernetes resources that ArgoCD can manage. The actual Secret objects are created by ESO, not committed to Git, so sensitive values never appear in your repository.

Can I template the generated Secret?+

Yes. ESO supports templates in the target section of ExternalSecret. You can construct connection strings, config files, or any structured data by combining multiple remote secrets with Go template syntax.

Citations (3)
  • ESO GitHub— External Secrets Operator syncs secrets from 25+ backends to Kubernetes
  • ESO Documentation— CNCF project for secret management in Kubernetes
  • ESO Provider Docs— Supports AWS, Vault, GCP, Azure, 1Password providers
Related on TokRepo
Security toolsDevOps toolsFeatured workflows

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

Conda — Cross-Platform Package and Environment Manager

Install, update, and manage packages and isolated environments for Python, R, C/C++, and hundreds of other languages from a single tool.

AI Open Source

Sphinx — Python Documentation Generator

Generate professional documentation from reStructuredText and Markdown with cross-references, API autodoc, and multiple output formats.

AI Open Source

Neutralinojs — Lightweight Cross-Platform Desktop Apps

Build desktop applications with HTML, CSS, and JavaScript using a tiny native runtime instead of bundling Chromium.

AI Open Source
Home🔍Search👤Me