# Using secrets

Last updated 2025-09-04 UTC.

Learn how to create a Secret and configure your Knative serving
services and revisions to use that Secret.

A common use case for a service is to access third-party applications through
usernames and passwords. For Google Kubernetes Engine, it's a best practice to
store this type of sensitive information in a Kubernetes
[Secret](/kubernetes-engine/docs/concepts/secret) object.

To provide your containers with access to Secrets, you can mount each Secret as
a volume, which makes the entries in the Secret available to the container as
files. You should mount your Secret to ensure that you get the latest version of
each Secret when it is read.

You can also pass a Secret using
[environment variables](/anthos/run/archive/docs/configuring/environment-variables).

**Caution:** Do not use environment variables for sensitive information because
environment variables are stored as text and are accessible to the cluster.

Creating a Secret
-----------------

The following steps show one way to create a Secret. There are several other
ways, as explained in the
[Secret](/kubernetes-engine/docs/concepts/secret) topic.

When you create a Secret, make sure you create it in the same namespace as the
cluster that is running your Knative serving service. In these
examples, the `default` namespace is used.

To create a Secret in the `default` namespace of your cluster:

- Create a Secret using a file:

  ```bash
  echo -n 'devuser' > ./username.txt
  echo -n 'S!B\*d$zDsb' > ./password.txt
  kubectl create secret generic user-creds --from-file=./username.txt --from-file=./password.txt
  ```

- Create a Secret using a `kubectl` command only:

  ```bash
  kubectl create secret generic user-creds --from-literal=username=devuser --from-literal=password='S!B\*d$zDsb'
  ```

Making a Secret available to a service
--------------------------------------

You can set Secrets using the Google Cloud console or the Google Cloud CLI
command-line tool when you deploy a new
[service](/anthos/run/archive/docs/deploying#service) or update an existing service and
deploy a [revision](/anthos/run/archive/docs/deploying#revision):

### Console

1. Go to Knative serving in the Google Cloud console:

   [Go to Knative serving](https://console.cloud.google.com/kubernetes/run)

2. Click **Create Service** if you are configuring a
   new service you are deploying to. If you are configuring an
   existing service, click on the service, then click
   **Edit & Deploy New Revision**.

3. Under *Advanced settings*, click **Variables and Secrets**.

4. Under *Reference a Secret*, select the
   desired Secret from the pulldown menu.

   - In the *Reference method* pulldown menu, select the way you want to use your Secret, mounted as a volume or exposed as environment variables.
   - If you are mounting the Secret as a volume, specify the path, then click **Done**.
   - If you are exposing the Secret as environment variables:

     **Caution:** Do not use
     [environment variables](/anthos/run/archive/docs/configuring/environment-variables)
     for sensitive information.

     1. Supply the *Name* of the variable and select the corresponding Secret value from the *Key* pulldown menu.
     2. Click **Add** to add another secret value.
     3. Supply the *Name* of the variable and select the corresponding Secret value from the *Key* pulldown menu.
     4. Click **Done**.

5. Click **Next** to continue to the next section.

6. In the **Configure how this service is triggered** section,
   select which connectivity you would like to use to invoke the service.

7. Click **Create** to deploy the image to Knative serving and wait
   for the deployment to finish.

### Command line

You can use the Google Cloud CLI to set Secrets
for new services or to update existing services:

- For existing services, update a Secret by running the
  [`gcloud run services update`](/sdk/gcloud/reference/run/services/update)
  command with one of the following parameters:

  - [`--clear-secrets`](/sdk/gcloud/reference/run/services/update#--clear-secrets)
  - [`--remove-secrets`](/sdk/gcloud/reference/run/services/update#--remove-secrets)
  - [`--set-secrets`](/sdk/gcloud/reference/run/services/update#--set-secrets)
  - [`--update-secrets`](/sdk/gcloud/reference/run/services/update#--update-secrets)

  Example:

  ```bash
  gcloud run services update SERVICE --update-secrets KEY1=VALUE1,KEY2=VALUE2
  ```

  Replace:
  - `SERVICE` with the name of your service.
  - `KEY1=VALUE1,KEY2=VALUE2` with a comma-separated list of name and value pairs for each Secret. For each `KEY`, specify a path starting with a forward slash `/` to mount the Secret as a file. Optionally, you can omit the forward slash to expose the Secret as an [environment variable](/anthos/run/archive/docs/configuring/environment-variables). For each `VALUE`, specify the secret name. [How to specify multiple parameters](#command-line).

- For new services, set a Secret by running the
  `gcloud run deploy` command with the
  [`--set-secrets`](/sdk/gcloud/reference/run/deploy#--set-secrets)
  parameter:

  ```bash
  gcloud run deploy SERVICE --image=IMAGE_URL --set-secrets KEY1=VALUE1,KEY2=VALUE2
  ```

  Replace:
  - `IMAGE_URL` with a reference to the container image, for example, `gcr.io/myproject/my-image:latest`.
  - `SERVICE` with the name of your service.
  - `KEY1=VALUE1,KEY2=VALUE2` with a comma-separated list of name and value pairs for each Secret. For each `KEY`, specify a path starting with a forward slash `/` to mount the Secret as a file. Optionally, you can omit the forward slash to expose the Secret as an [environment variable](/anthos/run/archive/docs/configuring/environment-variables). For each `VALUE`, specify the secret name. [How to specify multiple parameters](#command-line).

### Command parameter options

To specify several sets of key-value pairs, you can specify multiple parameters for readability. Example:

```bash
[...]
--update-secrets "KEY1=VALUE1" \
--update-secrets "KEY2=VALUE2" \
--update-secrets "KEY3=VALUE3"
```
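How a service can consume the `user-creds` Secret once it is mounted as a volume, as an added example that is not part of the original page: it reads the files on every access so an updated Secret is picked up, and it reports environment variables that carry the secret value. The mount path `/secrets/user-creds`, the class and function names, and the sample environment are assumptions; the key names follow the `--from-file` commands on this page.

```python
import os
import tempfile
from pathlib import Path

# Assumption: the service was deployed with a KEY such as /secrets/user-creds,
# so the Secret's entries appear as files under this hypothetical path.
DEFAULT_MOUNT = "/secrets/user-creds"


class MountedSecret:
    """Reads Secret entries from the mounted volume at use time, without caching."""

    def __init__(self, mount_dir=DEFAULT_MOUNT):
        self.mount_dir = Path(mount_dir)

    def get(self, key):
        # A key is a plain file name; refuse anything that could leave the mount.
        if not key or key.startswith(".") or Path(key).name != key:
            raise ValueError(f"invalid secret key: {key!r}")
        # No strip(): the page writes values with `echo -n`, so the file holds the
        # exact value. Reading on every call returns the current file content.
        return (self.mount_dir / key).read_text(encoding="utf-8")


def env_vars_holding(secret_value, environ=None):
    """Return the names of environment variables that contain secret_value."""
    if not secret_value:
        return []
    environ = os.environ if environ is None else environ
    return sorted(name for name, value in environ.items() if secret_value in value)


def demo():
    """Simulate the mount in a temporary directory with constructed values."""
    with tempfile.TemporaryDirectory() as mount:
        Path(mount, "username.txt").write_text("devuser", encoding="utf-8")
        Path(mount, "password.txt").write_text("S!B\\*d$zDsb", encoding="utf-8")
        creds = MountedSecret(mount)
        before = creds.get("password.txt")
        # Simulate an updated Secret reaching the volume.
        Path(mount, "password.txt").write_text("constructed-rotated-value", encoding="utf-8")
        after = creds.get("password.txt")
        # Constructed environment in which one variable carries the password.
        env = {"PATH": "/usr/bin", "DB_PASSWORD": after}
        return creds.get("username.txt"), before, after, env_vars_holding(after, env)


if __name__ == "__main__":
    print(demo())
```

Calling `env_vars_holding(value)` without a second argument checks the process's real environment, which is a quick startup check that a Secret meant to be file-only was not also exposed as a variable.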