☸️ How to decode / decrypt Kubernetes secret

Sensitive information such as passwords, SSH keys, API credentials, and OAuth tokens are stored in Kubernetes as secrets. We recently made a guide on how to copy a Kubernetes secret from one namespace to another. ☸️ How to copy Kubernetes secrets between namespaces When you need to confirm the actual secret values, you can decode the base64 data. In this quick tutorial, we’ll show you how to decode a base64 secret in Kubernetes using the kubectl command.

For demonstration purposes, we will create a simple username and password secret for the database.

echo -n 'admin' > ./username.txt
echo -n 'Password' > ./password.txt

Run the kubectl create secret command to create a secret object on the Kubernetes API server.

$ kubectl create secret generic my-user-pass --from-file=./username.txt --from-file=./password.txt
secret/my-user-pass created

You can confirm that the object was created successfully by running the following kubectl command:

$ kubectl get secret

Decrypt secret data:

kubectl get secret $secret_name -o go-template="{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"n"}}{{end}}"

This is the output of my command:

password.txt: Password
username.txt: admin

If you have jq you can use the following command to decode.

$ kubectl get secret my-user-pass -o json | jq '.data | map_values(@base64d)'
{
  "password.txt": "Password",
  "username.txt": "admin"

}

Install jq using command:

--- Ubuntu / Debian ---
$ sudo apt install jq

--- CentOS / Fedora ---
$ sudo yum install jq

This is how you can easily output base64 encoded secrets to Kubernetes.

Sidebar