DEV Community


Posted on

Easily Decode Kubernetes Secrets with a Handy One-Liner


Working with Kubernetes often involves managing secrets. During debugging we often need to show their contents. I'll share a handy command that has been a time-saver when decoding secrets in Kubernetes at least for me :) I'll show you two versions of the command, one using jq and the other using kubectl's built-in JSONPath functionality.


Some time ago, we encountered an issue with secrets, which led to problems connecting to Vault. We needed to inspect the JWT token within the cluster multiple times. As a result, I decided to share a simple method for accessing the secret content using either jq or kubectl's JSONPath, followed by decoding it with base64 -d.

In future posts, I will write about how we are handling our secrets with vault, how we organize them for multiple projects and which solution we are using for secret injection.

I also plan to write how our incident process is setup, which roles are involved and how such a process could help during stressful situations.

Now, let's get to the command.

The Command:

You can use either jq or JSONPath to get the same result. I'll show you both examples, but I usually like jq.

List secrets in namespace:

kubectl get secrets
Enter fullscreen mode Exit fullscreen mode

I'm using kubectx and kubens. This way I don't need to specify the namespace on every command.
Maybe I will write something about that, too :)

If you haven't installed it you need to specify the namespace with -n <namespace>

Print output as json
Ok ... To find which path should be extracted. Following command can be used:

kubectl get secrets <secret-name> -o json
Enter fullscreen mode Exit fullscreen mode

As you could imagine -o jsonsays that the output should be json.
You need to take a closer look on the output to identify the path.

In our example it is data.token.

The whole command:
We want to read a value from data.token, which is stored in <secret-name>, and change it from base64 to plaintext, Kubernetes is storing secrets base64 encoded.

Using jq:

kubectl get secrets <secret-name> -o json | jq -r 'data.token' | base64 -d
Enter fullscreen mode Exit fullscreen mode

Using JSONPath:

kubectl get secrets <secret-name> -o jsonpath='{.data.token}' | base64 -d
Enter fullscreen mode Exit fullscreen mode

kubectl get secrets <secret-name> -o json returns the secret in JSON format, which we then pipe into jq.
jq -r 'data.token' extracts the token, and we pipe it further into base64 to decode it.
Now you can see the secret displayed in plain text.

Keep an eye out for more posts where I'll share insights, tips, and tricks related to Kubernetes and problems we are facing during our day2day work.

Top comments (0)