| You are currently viewing version 1.2 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).

This topic explains how to store sensitive data in a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/) and retrieve the data from flow variables in an API proxy flow.

Introduction

There are times when you want to store data for retrieval at runtime—non-expiring data that shouldn't be hard-coded in your API proxy logic. One option is to use the hybrid [key-value map (KVM) feature](/apigee/docs/api-platform/cache/key-value-maps). If you are already using Kubernetes for secret management in a custom vault for sensitive data, you might want to consider using the Kubernetes secret feature described in this topic. Just like with KVM data, you can access the Kubernetes secret data in API proxy flow variables.

What kinds of data can be stored in a Kubernetes secret?

Apigee hybrid limits you to storing the following kinds of data files in a Kubernetes secret:

| File format | Supported file extensions |
|-------------------------------|-------------------------------|
| TLS certificate and key files | `*.crt`, `*.key`, and `*.pem` |
| Property files | `*.properties` |

Property files are files that contain key/value pairs. For example:

```
username=admin
password=1f2d1e2e7df
```

Creating a Kubernetes secret

This section explains how to create a Kubernetes secret for storing sensitive data in the cluster.

| **NOTE:** The Kubernetes secret is environment scoped only; organization and proxy scoped secrets are not supported.

1. Create the file or files that you wish to store in the Kubernetes secret. The files must be one of the supported formats with the file extensions listed in [What kinds of data can be stored in a Kubernetes secret](#whatkindsofdata).
2. Execute the `kubectl create secret generic` command. For example:

   ```
   kubectl -n namespace create secret generic org-env-policy-secret \
     --from-file=filepath/prop-file.properties \
     --from-file=filepath/key-file.key \
     --from-file=filepath/cert-file.pem
   ```

   Where:
   - `namespace`: The Kubernetes namespace where your runtime components are deployed.
   - `org`: Your Apigee organization name.
   - `env`: The name of an environment in your org.
   - `filepath`: The path to the file you wish to include in the secret. You must specify at least one file to include in the secret.
   - `prop-file`: The name of a properties file to include in the secret.
   - `key-file`: The name of a TLS key file to include in the secret.
   - `cert-file`: The name of a TLS certificate file to include in the secret.

   You can include one or more files in the secret. For example:

   ```
   kubectl -n apigee create secret generic myorg-test-policy-secret \
     --from-file="$policy_secrets_path"/credential.properties \
     --from-file="$policy_secrets_path"/secrets.properties \
     --from-file="$policy_secrets_path"/public.key \
     --from-file="$policy_secrets_path"/fullchain.pem
   ```
3. After creation, it may take up to 90 seconds for the change to be reflected in all the clusters. The message processors poll for secret changes every 30 seconds. If they detect a change, the cache is updated.

Retrieving data from a secret

Once the secret is created and available (usually about 90 seconds after creation), you can access the secret data in a flow variable in an API proxy flow in the organization/environment in which the secret is stored.

For example, assume your secret contains a `*.properties` file called `credential.properties` with an API key in it, as follows:

```
apikey=OrxYQptBMlY1TqmiGLTtyFiaLzzrD25Z
```

You can then retrieve the API key from a flow variable using a policy like [Assign Message](/apigee/docs/api-platform/reference/policies/assign-message-policy). For example:

```xml
<AssignMessage name="assignvariable-2">
  <AssignVariable>
    <Name>my-apikey</Name>
    <Ref>private.secret.credential.properties.apikey</Ref>
  </AssignVariable>
</AssignMessage>
```

The variable name referenced in the `Ref` element, `private.secret.credential.properties.apikey`, is composed of these parts:

| Variable name part | Description |
|-------------------------|----------------------------------------------------------------------------------------------------------------|
| `private.secret` | The fixed namespace of the variable. All Kubernetes secrets stored in the hybrid cluster share this namespace. |
| `credential.properties` | The name of a file stored in the Kubernetes secret. |
| `apikey` | The name of a key stored in a properties file. |

In this example, the Assign Message policy retrieves the `apikey` value `OrxYQptBMlY1TqmiGLTtyFiaLzzrD25Z` and stores it in the flow variable `my-apikey`.

Updating a secret

Because `kubectl` does not support updating Kubernetes secrets, you must first delete the existing secret and recreate it by following the steps in [Creating a Kubernetes secret](#creating-a-kubernetes-secret).

Last updated 2025-09-08 UTC.
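The following added example (not part of the Apigee documentation or the hybrid runtime) covers both the creation procedure and the retrieval section above: it builds the `kubectl create secret generic` command line while rejecting file extensions hybrid does not load, and it models how a `.properties` file in the secret becomes `private.secret.<file>.<key>` flow variables so a `Ref` can be checked before a proxy is deployed. The `kubectl_create_args`, `parse_properties`, `flow_variables` and `resolve_ref` names and the sample secret content are assumptions made for this example.

```python
from pathlib import PurePosixPath

# File extensions Apigee hybrid loads from a policy secret (docs table above).
SUPPORTED_EXTENSIONS = {".crt", ".key", ".pem", ".properties"}

# Constructed sample: the docs' credential.properties file plus a commented line.
SAMPLE_SECRET = {
    "credential.properties": "# api credentials\napikey=OrxYQptBMlY1TqmiGLTtyFiaLzzrD25Z\n",
}


def kubectl_create_args(namespace, org, env, paths):
    """Build argv for 'kubectl create secret generic' as the docs show it.

    Fails early on files the runtime would not load (unsupported extension)
    and applies the <org>-<env>-policy-secret naming convention.
    """
    if not paths:
        raise ValueError("at least one file is required")
    bad = [p for p in paths if PurePosixPath(p).suffix not in SUPPORTED_EXTENSIONS]
    if bad:
        raise ValueError(f"unsupported file extension(s): {bad}")
    args = ["kubectl", "-n", namespace, "create", "secret", "generic",
            f"{org}-{env}-policy-secret"]
    return args + [f"--from-file={p}" for p in paths]


def parse_properties(text):
    """Minimal .properties parser: key=value per line; '#'/'!' comments and blanks skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def flow_variables(secret_files):
    """Expose every key of every .properties file as private.secret.<file>.<key>.
    secret_files maps file name (as stored in the secret) to file content."""
    variables = {}
    for name, content in secret_files.items():
        if PurePosixPath(name).suffix == ".properties":
            for key, value in parse_properties(content).items():
                variables[f"private.secret.{name}.{key}"] = value
    return variables


def resolve_ref(ref, secret_files):
    """Resolve a <Ref> value; None when the file or key is not in the secret."""
    return flow_variables(secret_files).get(ref)
```

Pass the list returned by `kubectl_create_args` to `subprocess.run` to execute it; `resolve_ref` works on the file contents you are about to load, so a typo such as `credentials.properties` versus `credential.properties` shows up as `None` before the proxy is deployed.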