Sensitive information such as passwords, SSH keys, API credentials and OAuth tokens are stored as Secrets in Kubernetes. We recently did a guide on how to copy a Kubernetes secret from one namespace to another. When you need to confirm the actual values of the secret you can decode base64 data. In this short guide we will show you how to decode a base64 secret in Kubernetes with kubectl command.

For this demonstration we will create a simple secret with username and password for database.

echo -n 'admin' > ./username
echo -n 'Password' > ./password

Run the kubectl create secret command to create an Secret object the Kubernetes API server.

$ kubectl create secret generic my-user-pass --from-file=./username --from-file=./password
secret/my-user-pass created

You can confirm the secret object was created successfully by running the following kubectl command:

$ kubectl get secret my-user-pass
NAME           TYPE     DATA   AGE
my-user-pass   Opaque   2      6s

$ kubectl get secret my-user-pass -o yaml

Decode the secret data:

# Decode username secret
$ kubectl get secret my-user-pass -o jsonpath="{.data.username}" | base64 --decode
admin

# Decode password
$ kubectl get secret my-user-pass -o jsonpath="{.data.password}" | base64 --decode
Password

Or use:

kubectl get secret my-user-pass -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'

This is my command execution output:

password.txt: Password
username.txt: admin

You can as well output encoded data and decode with base64.

$ kubectl get secret my-user-pass -o yaml
apiVersion: v1
data:
  password.txt: UGFzc3dvcmQ=
  username.txt: YWRtaW4=
kind: Secret
....

$ echo 'YWRtaW4=' | base64 --decode
admin

$ echo "UGFzc3dvcmQ=" | base64 --decode
Password

Using jq and base64 dedoce

If you have jq you can use the following command to decode.

$ kubectl get secret my-user-pass -o json | jq '.data | map_values(@base64d)'
{
  "password.txt": "Password",
  "username.txt": "admin"

}

Install jq with the command:

--- Ubuntu / Debian ---
$ sudo apt install jq

--- CentOS / Fedora ---
$ sudo yum install jq

That’s how you can easily output the secrets encoded by base64 in Kubernetes.

Below are the other articles we have on Kubernetes.

Deploying Prometheus on EKS Kubernetes Cluster

How To Copy Kubernetes Secret Between Namespaces

Using Horizontal Pod Autoscaler on Kubernetes EKS Cluster

Your support is our everlasting motivation,
that cup of coffee is what keeps us going!


As we continue to grow, we would wish to reach and impact more people who visit and take advantage of the guides we have on our blog. This is a big task for us and we are so far extremely grateful for the kind people who have shown amazing support for our work over the time we have been online.

Thank You for your support as we work to give you the best of guides and articles. Click below to buy us a coffee.

LEAVE A REPLY

Please enter your comment!
Please enter your name here