sigs.k8s.io/cluster-api-provider-aws@v1.5.5/docs/book/src/topics/eks/encryption.md

# Enabling Encryption

To enable encryption when creating a cluster, you need to create a new KMS key that has an alias name starting with `cluster-api-provider-aws-`.

For example, `arn:aws:kms:eu-north-1:12345678901:alias/cluster-api-provider-aws-key1`.

You then need to specify the **key ARN** in the `encryptionConfig` of the `AWSManagedControlPlane`:

```yaml
kind: AWSManagedControlPlane
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
metadata:
  name: "capi-managed-test-control-plane"
spec:
  ...
  encryptionConfig:
    provider: "arn:aws:kms:eu-north-1:12345678901:key/351f5544-6130-42e4-8786-2c85e546fc2d"
    resources:
    - "secrets"
```

> You must use the ARN of the key and not the ARN of the alias.

## Custom KMS Alias Prefix

If you would like to use a different alias prefix, set `kmsAliasPrefix` in the optional configuration file for **clusterawsadm**:

```bash
clusterawsadm bootstrap iam create-stack --config custom-prefix.yaml
```

And the contents of the configuration file:

```yaml
apiVersion: bootstrap.aws.infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSIAMConfiguration
spec:
  eks:
    enable: true
    kmsAliasPrefix: "my-prefix-*"
```
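The two requirements above (the key alias must carry the expected prefix, and `encryptionConfig.provider` must be the key ARN rather than the alias ARN) are easy to get wrong in a manifest. The following pre-flight check is an added example, not code from the cluster-api-provider-aws project; it assumes the manifest has already been loaded into a dict, and treats a trailing `*` in `kmsAliasPrefix` (as in `"my-prefix-*"`) as a glob wildcard.

```python
"""Pre-flight checks for the KMS settings used by AWSManagedControlPlane.encryptionConfig."""
import re

# KMS ARN shapes (assumption: aws / aws-cn / aws-us-gov partitions). Account id is left
# as [0-9]+ so the page's 11-digit sample account is accepted as well as real 12-digit ones.
_KEY_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:kms:([a-z0-9-]+):([0-9]+):key/([0-9a-f-]{36})$")
_ALIAS_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:kms:([a-z0-9-]+):([0-9]+):alias/(.+)$")

DEFAULT_ALIAS_PREFIX = "cluster-api-provider-aws-"  # prefix required unless kmsAliasPrefix is set


def alias_matches_prefix(alias_arn: str, prefix: str = DEFAULT_ALIAS_PREFIX) -> bool:
    """True if alias_arn is a KMS alias ARN whose alias name starts with prefix.

    A trailing '*' in prefix (the kmsAliasPrefix form) is treated as a wildcard suffix.
    """
    m = _ALIAS_ARN.match(alias_arn)
    return bool(m) and m.group(3).startswith(prefix.rstrip("*"))


def validate_encryption_config(spec: dict) -> list:
    """Return the problems found in spec.encryptionConfig; an empty list means it looks right."""
    problems = []
    cfg = spec.get("encryptionConfig")
    if not cfg:
        return ["spec.encryptionConfig is missing; cluster secrets will not be KMS-encrypted"]
    provider = cfg.get("provider", "")
    if _ALIAS_ARN.match(provider):
        # This is the mistake the doc's note warns about: the alias ARN is not accepted.
        problems.append("provider is an alias ARN; use the key ARN (arn:...:key/<key-id>)")
    elif not _KEY_ARN.match(provider):
        problems.append(f"provider {provider!r} is not a KMS key ARN")
    if "secrets" not in (cfg.get("resources") or []):
        problems.append("resources does not include 'secrets'")
    return problems


# Constructed sample: the spec from the manifest shown on this page.
SAMPLE_SPEC = {
    "encryptionConfig": {
        "provider": "arn:aws:kms:eu-north-1:12345678901:key/351f5544-6130-42e4-8786-2c85e546fc2d",
        "resources": ["secrets"],
    }
}

if __name__ == "__main__":
    print(validate_encryption_config(SAMPLE_SPEC))  # [] when the manifest is correct
    print(alias_matches_prefix("arn:aws:kms:eu-north-1:12345678901:alias/cluster-api-provider-aws-key1"))
```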