How To Decode / Decrypt Kubernetes Secret

By Posted on 254 views

Sensitive information such as passwords, SSH keys, API credentials and OAuth tokens are stored as Secrets in Kubernetes. We recently did a guide on how to copy a Kubernetes secret from one namespace to another. When you need to confirm the actual values of the secret you can decode base64 data. In this short guide we will show you how to decode a base64 secret in Kubernetes with kubectl command.

For this demonstration we will create a simple secret with username and password for database.

echo -n 'admin' > ./username
echo -n 'Password' > ./password

Run the kubectl create secret command to create an Secret object the Kubernetes API server.

$ kubectl create secret generic my-user-pass --from-file=./username --from-file=./password
secret/my-user-pass created

You can confirm the secret object was created successfully by running the following kubectl command:

$ kubectl get secret my-user-pass
NAME           TYPE     DATA   AGE
my-user-pass   Opaque   2      6s

$ kubectl get secret my-user-pass -o yaml

Decode the secret data:

# Decode username secret
$ kubectl get secret my-user-pass -o jsonpath=".data.username" | base64 --decode
admin

# Decode password
$ kubectl get secret my-user-pass -o jsonpath=".data.password" | base64 --decode
Password

Or use:

kubectl get secret my-user-pass -o go-template='range $k,$v := .dataprintf "%s: " $kif not $v$velse$v end"\n"end'

This is my command execution output:

password.txt: Password
username.txt: admin

You can as well output encoded data and decode with base64.

$ kubectl get secret my-user-pass -o yaml
apiVersion: v1
data:
  password.txt: UGFzc3dvcmQ=
  username.txt: YWRtaW4=
kind: Secret
....

$ echo 'YWRtaW4=' | base64 --decode
admin

$ echo "UGFzc3dvcmQ=" | base64 --decode
Password

Using jq and base64 dedoce

If you have jq you can use the following command to decode.

$ kubectl get secret my-user-pass -o json | jq '.data | map_values(@base64d)'

  "password.txt": "Password",
  "username.txt": "admin"

Install jq with the command:

--- Ubuntu / Debian ---
$ sudo apt install jq

--- CentOS / Fedora ---
$ sudo yum install jq

That’s how you can easily output the secrets encoded by base64 in Kubernetes.

Gravatar Image
Ben Bennett - https://www.thetodaypost.net
A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.