We expect users of this guide to be operationally familiar with using ASM and with monitoring
the CSI driver daemonsets.
You MUST do the following:
• Set up ASM in the same AWS account as your Vault deployment.
• Use an EKS cluster with an OIDC provider, so that the Vault Pods can assume their roles and
access ASM during Pod creation.
• Make sure that there is network access to both the Secrets Manager endpoint and the AWS
IAM endpoint from within the cluster that you will run the Vault Installer/Operator in.
To set up the CSI drivers (the default driver and the ASM-specific provider), see the following
guides:
• AWS tutorial: Create and mount an AWS Secrets Manager secret in an Amazon EKS pod
• AWS Secrets Manager and Config Provider for Secret Store CSI Driver readme (aws/secrets-store-csi-driver-provider-aws GitHub) - for details and the commands to run