Sensitive information such as passwords, SSH keys, API credentials and OAuth tokens are stored as Secrets in Kubernetes. We recently did a guide on how to copy a Kubernetes secret from one namespace to another. When you need to confirm the actual values of the secret you can decode base64 data. In this short guide we will show you how to decode a base64 secret in Kubernetes with kubectl command.
For this demonstration we will create a simple secret with username and password for database.
echo -n 'admin' > ./username.txt
echo -n 'Password' > ./password.txtRun the kubectl create secret command to create an Secret object the Kubernetes API server.
$ kubectl create secret generic my-user-pass --from-file=./username.txt --from-file=./password.txt
secret/my-user-pass createdYou can confirm the secret object was created successfully by running the following kubectl command:
$ kubectl get secretDecode the secret data:
kubectl get secret $secret_name -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"n"}}{{end}}'This is my command execution output:
password.txt: Password
username.txt: adminIf you have jq you can use the following command to decode.
$ kubectl get secret my-user-pass -o json | jq '.data | map_values(@base64d)'
{
"password.txt": "Password",
"username.txt": "admin"
}Install jq with the command:
--- Ubuntu / Debian ---
$ sudo apt install jq
--- CentOS / Fedora ---
$ sudo yum install jqThat’s how you can easily output the secrets encoded by base64 in Kubernetes.
Below are the other articles we have on Kubernetes.
Deploying Prometheus on EKS Kubernetes Cluster
