How to Decode a Kubernetes Secret
Kubernetes secrets are a way to store sensitive information like passwords, OAuth tokens, and SSH keys. Their values are stored base64-encoded, which lets binary data and special characters be carried in YAML; the encoding does not protect them. In this guide, we'll walk through how to decode these secrets to access the original values.
Prerequisites
You'll need:
- Access to a Kubernetes cluster
- kubectl installed and configured
- Basic command-line skills
Why Are Kubernetes Secrets Encoded?
Kubernetes stores secrets as base64-encoded strings. This is not encryption - it's just a way to safely transmit binary or special characters in YAML. You need to decode these values to read the actual secret data.
Viewing a Secret in Kubernetes
To see the raw data in a secret, use:
kubectl get secret <secret-name> -n <namespace> -o yaml
Replace <secret-name> and <namespace> with your actual secret and namespace. The output will show base64-encoded values under the data: field.
Decoding a Secret Value
Suppose you have a secret named db-credentials in the default namespace. To decode the password field, you can use this command:
kubectl get secret db-credentials -n default -o jsonpath='{.data.password}' | base64 --decode; echo
This command does the following:
- Uses kubectl to extract the base64-encoded value of the password key
- Pipes it to base64 --decode to get the original value
- Adds echo to print a newline for readability
Decoding All Keys in a Secret
If you want to see all key-value pairs in a secret, you can use jq to iterate over them:
kubectl get secret db-credentials -n default -o json | jq -r '.data | to_entries[] | "\(.key): \(.value | @base64d)"'
Here's what happens:
- The secret is fetched as JSON
- jq iterates over each key in .data, decodes the value, and prints it in key: value format
If you don't have jq, you can install it with brew install jq on macOS or use your package manager on Linux.
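The commands above print every decoded value to the terminal. As an added example (not from the original guide), the script below goes one step further and reports only the size and type of each value, flagging binary data and trailing newlines. The function names inspect_secret_pairs and sample_pairs are hypothetical, the sample values are constructed, and the kubectl go-template command in the comment is one assumed way to produce the input.

```shell
#!/bin/sh
# Added example. Reads "key<TAB>base64-value" lines on stdin and reports on
# each decoded value without printing it. Such lines can be produced with:
#   kubectl get secret db-credentials -n default \
#     -o go-template='{{range $k,$v := .data}}{{$k}}{{"\t"}}{{$v}}{{"\n"}}{{end}}'

# Hypothetical helper name; not part of kubectl.
inspect_secret_pairs() {
    tab=$(printf '\t')
    while IFS="$tab" read -r key b64; do
        [ -n "$key" ] || continue
        # Refuse malformed input instead of reporting on partial output.
        if ! printf '%s' "$b64" | base64 --decode >/dev/null 2>&1; then
            printf '%s: INVALID base64\n' "$key"
            continue
        fi
        size=$(printf '%s' "$b64" | base64 --decode | wc -c | tr -d ' ')
        # Hex of the final byte; 0a means the stored value ends in a newline.
        last=$(printf '%s' "$b64" | base64 --decode | tail -c 1 |
               od -An -tx1 | tr -d ' \n')
        # Bytes left after deleting printable ASCII, tab, LF and CR.
        nonprint=$(printf '%s' "$b64" | base64 --decode |
                   LC_ALL=C tr -d '\11\12\15\40-\176' | wc -c | tr -d ' ')
        note="text"
        if [ "$nonprint" -gt 0 ]; then note="binary"; fi
        if [ "$last" = "0a" ]; then note="$note, trailing newline"; fi
        printf '%s: %s bytes, %s\n' "$key" "$size" "$note"
    done
}

# Constructed sample pairs, not real credentials.
sample_pairs() {
    printf 'username\t%s\n' "$(printf 'admin' | base64)"
    printf 'password\t%s\n' "$(printf 's3cr3t\n' | base64)"
    printf 'keystore\t%s\n' "$(printf '\000\001\376\377' | base64)"
    printf 'broken\t%s\n' 'not*base64!'
}

sample_pairs | inspect_secret_pairs
```

A trailing newline usually means the value was encoded with echo rather than echo -n or printf, and many applications will treat that newline as part of the password.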
Visualizing the Secret Decoding Process
When you decode a secret, the flow looks like this:
+-------------------+
|  base64-encoded   |
|   secret value    |
+-------------------+
          |
          v
+-------------------+
|   base64 decode   |
+-------------------+
          |
          v
+-------------------+
|  original secret  |
+-------------------+
Security Tips
- Never commit decoded secrets to version control.
- Use RBAC to restrict who can view secrets in your cluster.
- Remember that base64 is not encryption - treat secrets as sensitive data at all times.
Next Steps
Explore how to create and update secrets securely, or look into using external secret management tools like HashiCorp Vault or Azure Key Vault for production environments.