by pojzon 976 days ago
> We load secrets from Secrets Manager

And how do your apps authenticate to Secrets Manager? Did you ever call `env` on a pod that has IRSA configured?

This is just a middle step to do exactly the same thing, but instead of using envFromSecret you use envFromSM.

1 comments

Not OP, but an IAM role with scoped access to secrets. Better again, using secretsFrom in the task definition, which injects the secret as an environment variable for you.

IRSA in pods and containers is translated to env vars. That was the point.

That if you don't want to pull in k8s dependencies to the code, at the end every approach ends up as a mounted file or env vars.