Sensitive information storage in Kubernetes using Cloud Code for VS Code
This page provides a quick introduction to what Kubernetes secrets are, and how
Cloud Code helps enable the Secret Manager API to
create, use, and store them.
Introduction to Kubernetes secrets
When creating Kubernetes applications, it's often necessary to pass small
amounts of sensitive data for passwords, SSH keys, or OAuth tokens. Rather than
store this information in a pod specification or container image, Kubernetes
secrets can be created to store the sensitive data.
By default, Kubernetes secrets are stored unencrypted in the API server's
underlying data store. Anyone with API access can retrieve or modify a secret.
The [Kubernetes Secrets documentation](https://kubernetes.io/docs/concepts/configuration/secret/) recommends taking at least the following steps in order to safely use
Kubernetes secrets:
- [Enable Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) for Secrets.
- [Enable or configure RBAC rules](https://kubernetes.io/docs/reference/access-authn-authz/authorization/) with least-privilege access to Secrets.
- Restrict Secret access to specific containers.
- [Consider using external Secret store providers](https://secrets-store-csi-driver.sigs.k8s.io/concepts.html#provider-for-the-secrets-store-csi-driver).
Secret Manager in Cloud Code
Cloud Code helps you use the Secret Manager API to
create, version, and store your secrets with [encryption at rest](/secret-manager/docs/encryption) from within your IDE.
You can use Secret Manager exclusively in Cloud Code, or
in addition to other tools you already use for secret management.
Actions available within your IDE with Cloud Code include:
- [Enable the Secret Manager API](/code/docs/vscode/secret-manager#enabling).
- [Create Kubernetes secrets](/code/docs/vscode/secret-manager#creating_secrets) using the Secret Manager view or the editor view.
- [Version](/code/docs/vscode/secret-manager#creating_new_versions_of_secrets), view, and delete secrets.
- [Access secrets from your application](/code/docs/vscode/secret-manager#accessing_secrets_from_your_application).
- [Add secrets as environment variables](/code/docs/vscode/secret-manager#adding_a_secret_as_an_environment_variable).
- [Mount a secret as a volume](/code/docs/vscode/secret-manager#mounting_a_secret_as_a_volume).
Work with Kubernetes secrets in Cloud Code
For step-by-step instructions on creating, versioning, using, and deleting
secrets in Cloud Code, see [Manage secrets](/code/docs/vscode/secret-manager).
What's next
- Read more about Kubernetes secrets in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/secret/).
- Familiarize yourself with [good practices for Kubernetes secrets](https://kubernetes.io/docs/concepts/security/secrets-good-practices/).
- Consider using a [service account token](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) or other [alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets) to secrets.
Get Support
To send feedback, report issues on [GitHub](https://github.com/GoogleCloudPlatform/cloud-code-vscode/issues), or ask a question on [Stack Overflow](https://stackoverflow.com/questions/ask?tags=cloud-code-vscode).
Last updated 2025-09-04 UTC.
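The introduction's recommendations on least-privilege RBAC and on restricting Secret access to specific containers can be checked against exported manifests. The following is an added example, not part of the original page or of Cloud Code; the manifests are constructed in the shape of `kubectl get -o json` output, and every resource name in them is hypothetical.

```python
READ_VERBS = {"get", "list", "watch", "*"}

def broad_secret_rules(role):
    """Rules in a Role/ClusterRole that allow reading Secrets without
    pinning the rule to named Secrets via resourceNames."""
    findings = []
    for rule in role.get("rules", []):
        in_core = bool({"", "*"} & set(rule.get("apiGroups", [])))
        on_secrets = bool({"secrets", "*"} & set(rule.get("resources", [])))
        can_read = bool(READ_VERBS & set(rule.get("verbs", [])))
        if in_core and on_secrets and can_read and not rule.get("resourceNames"):
            findings.append(rule)
    return findings

def containers_using_secret(pod, secret_name):
    """Names of the containers in a Pod that receive secret_name through
    env, envFrom, or a mounted secret volume."""
    spec = pod["spec"]
    vols = {v["name"] for v in spec.get("volumes", [])
            if v.get("secret", {}).get("secretName") == secret_name}
    users = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        refs = [e.get("valueFrom", {}).get("secretKeyRef", {}).get("name")
                for e in c.get("env", [])]
        refs += [s.get("secretRef", {}).get("name") for s in c.get("envFrom", [])]
        mounted = any(m["name"] in vols for m in c.get("volumeMounts", []))
        if secret_name in refs or mounted:
            users.append(c["name"])
    return users

# Constructed sample manifests; app-reader, app-db-secret, db-credentials
# and web are hypothetical names.
BROAD_ROLE = {"kind": "Role", "metadata": {"name": "app-reader"}, "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]}
SCOPED_ROLE = {"kind": "Role", "metadata": {"name": "app-db-secret"}, "rules": [
    {"apiGroups": [""], "resources": ["secrets"],
     "resourceNames": ["db-credentials"], "verbs": ["get"]}]}
POD = {"kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "volumes": [{"name": "creds", "secret": {"secretName": "db-credentials"}}],
    "containers": [
        {"name": "app", "volumeMounts": [{"name": "creds", "mountPath": "/etc/creds"}]},
        {"name": "log-shipper", "env": [{"name": "LEVEL", "value": "info"}]}]}}

if __name__ == "__main__":
    for role in (BROAD_ROLE, SCOPED_ROLE):
        print(role["metadata"]["name"], len(broad_secret_rules(role)), "broad rule(s)")
    print("containers with access:", containers_using_secret(POD, "db-credentials"))
```

A rule that reaches every Secret in the namespace is reported, while the rule pinned to `db-credentials` is not, and only the `app` container is listed as receiving the Secret.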