How to Read Kubernetes Secrets

Kubernetes secrets is a great way to store secret values that only Kubernetes can access in your hosted applications.

There are times when you might need to view these secrets in plain-text. This is probably because you want to validate the value or use it manually elsewhere.

In this tutorial we will go through how to achieve this and read Kubernetes secrets using kubectl for the command-line.

tl;dr

kubectl get secret <SECRET_NAME> -o jsonpath="{.data.<DATA>}" | base64 --decode

In the above sample code, simply replace <SECRET_NAME> and <DATA> with your own values.

Authenticate with your Kubernetes cluster

Start by authenticating into your Kubernetes cluster , you may need to first use an assume-role or awsume.

eval $(assume-role <PROFILE>)

If you are using AWS EKS, do this to update your local kubeconfig file:

aws eks --region <AWS_REGION> update-kubeconfig --name <CLUSTER_NAME>

If all else fails, it may be useful to check these authentication strategies.

Now you will need to confirm the context:

kubectl config current-context

List, read, and decode secret data

Let’s pretend that we want to read a secret called yoursecret. To do this we can use the below command to see the names of all the secrets, in order to narrow down what exists.

Let’s find our what our secret is called:

kubectl get secrets

NAME                            TYPE                                  DATA      AGE
yoursecret                      Opaque                                2         3d

Now that we know what our secret is called, we can issue the next command and view it’s value.

Use the describe keyword to view the secret:

kubectl describe secret yoursecret

Name:         yoursecret
Namespace:    default
Labels:       <none>
Annotations:  
Type:         Opaque

Data
====
username: 20 bytes
password: 20 bytes

We now that the data contained in the secret contains a username and password.

This is where we use kubectl to get the outputs to YAML. This data is shown to us in a Base64 encoded string.

kubectl get secret yoursecret -o yaml

apiVersion: v1
data:
  username: YWJjZGVmZ2hpamtsbW5vcHFyc3QK
  password: MTIzNDU2Nzg5MDEyMzQ1Njc4OTAK
...

Use the below command on the command-line to decode the Base64 value back to plain-text:

echo "YWJjZGVmZ2hpamtsbW5vcHFyc3QK" | base64 --decode

abcdefghijklmnopqrst

A shortcut to decoding secret data

While the above is more of a tutorial on the steps to get this done, we can simplify these steps below into a single command:

kubectl get secret yoursecret -o jsonpath="{.data.username}" | base64 --decode

abcdefghijklmnopqrst