Skip to main content

Adding a secret to an application

The aim of this guide is to walkthrough the process of adding a secret (in this example, AWS credentials) to a previously deployed application in the Cloud Platform.

This article walks you through the process of creating a secret manually. In practice, many of the secrets you will use in your applications are created automatically (e.g. database credentials).


This guide assumes the following:

Configuring secrets

This article covers encoding values into kubernetes secret objects.

See kuberenetes using secrets as environment variables for detailed information on providing values from kubernetes secrets to pods.

Create your AWS Credentials access key (making a note of the aws_access_key_id and aws_secret_access_key)

Base64-encode your secret

In this example aws_access_key_id is ‘AKIAFTKSAW15HJLOGD’. Issue the following command to base64-encode:

echo -n 'AKIAFTKSAW15HJLOGD' | base64

This will return the encoded id ‘QUtJQUZUS1NBVzE1SEpMT0dE’

In this example the aws_secret_access_key is ‘G8HJPMHVGFHK4547GFDSHHJJ’. Issue the following command to base64-encode:

echo -n 'G8HJPMHVGFHK4547GFDSHHJJ' | base64

This will return the encoded secret ‘RzhISlBNSFZHRkhLNDU0N0dGRFNISEpK’

Creating the secret

Create a secrets.yaml file similar to:

apiVersion: v1
kind: Secret
  name: demosecret
type: Opaque
  aws_access_key_id: QUtJQUZUS1NBVzE1SEpMT0dE
  aws_secret_access_key: RzhISlBNSFZHRkhLNDU0N0dGRFNISEpK

issue the following command:

$ kubectl -n yournamespace apply -f secrets.yaml
secret "demosecret" created

Listing the secrets in a namespace

$ kubectl -n yournamespace get secrets
NAME                                          TYPE                                  DATA      AGE
default-token-hz7z7                    3         26d
demosecret                                    Opaque                                2         5d

Updating the secret

You can update an existing secrets file by creating a secrets.yaml file, updating secret name to point to an existing secret and appending new entries to the file.

Decoding a secret

Secrets can be retrieved via the kubectl get secret command. For example, to retrieve the secret you created:

$ kubectl  -n yournamespace get secret demosecret  -o yaml
apiVersion: v1
  aws_access_key_id: QUtJQUZUS1NBVzE1SEpMT0dE
  aws_secret_access_key: RzhISlBNSFZHRkhLNDU0N0dGRFNISEpK
kind: Secret
  annotations: |
  creationTimestamp: "2020-04-28T14:24:27Z"
  name: demosecret
  namespace: yournamespace
  resourceVersion: "239748077"
  selfLink: /api/v1/namespaces/dstest/secrets/demosecret
  uid: 5bd08c63-5f29-452f-a0ec-4d26404411e6
type: Opaque

In this case, the values will be shown Base64-encoded

You can also use the cloud-platform CLI tool to view and Base64-decode the secret, like this:

cloud-platform decode-secret -n yournamespace -s demosecret

This will output the secret as JSON, with the values base64-decoded.

Using the secret in your applications

To use a secret you need to tell kubernetes to put its value in an environment variable which your application container can access. You will usually specify this in your application’s deployment.yaml file.

The following example sets an AWS_ACCESS_KEY_ID environment variable in the environment of the django-demo-container.

The value of AWS_ACCESS_KEY_ID comes from the secret called demosecret which is a hash with a key called aws_access_key_id, and the value of that key will become the value of the environment variable AWS_ACCESS_KEY_ID.

        - name: django-demo-container
            - containerPort: 8000
            - name: AWS_ACCESS_KEY_ID
                  name: demosecret
                  key: aws_access_key_id
            - name: AWS_SECRET_ACCESS_KEY
                  name: demosecret
                  key: aws_secret_access_key

When you reference a secret in this way, kubernetes takes care of the base64-decoding for you - you don’t need to base64-decode the value in your code.

This page was last reviewed on 1 March 2023. It needs to be reviewed again on 1 June 2023 .
This page was set to be reviewed before 1 June 2023. This might mean the content is out of date.