How to Inject a Kubernetes Secret as Environment Variables

A Kubernetes Secret exists in the cluster but the app still has no credentials - because Secrets are not automatically available to pods. You have to wire them in explicitly, either key-by-key or all at once with envFrom. Here's how to do it.

Kubernetes Engineerkuberneteskubectlsecrets

Secrets are passive - you have to project them

Creating a Secret stores encrypted data in etcd. Nothing shows up in a container until you tell the pod spec where to put it. There are two ways:

envFrom is the fast, concise choice when you want the whole Secret available.

The envFrom pattern

Given a Secret named db-creds with keys DB_HOST, DB_USER, and DB_PASSWORD, wire it in with envFrom:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
      - name: api
        image: my-app:latest
        envFrom:
        - secretRef:
            name: db-creds

Apply it and confirm the variables are present:

kubectl apply -f deployment.yaml
kubectl exec deploy/api -- env | grep DB_

You should see DB_HOST, DB_USER, and DB_PASSWORD in the output.

Per-key injection with secretKeyRef

When you only need specific keys - or need to rename them - use secretKeyRef under env instead:

env:
- name: DATABASE_URL
  valueFrom:
    secretKeyRef:
      name: db-creds
      key: DB_HOST

This gives you fine control: pick the key, set the env var name, and leave the rest of the Secret out of the container's environment.

Creating the Secret

If the Secret does not exist yet, create it from literal values:

kubectl create secret generic db-creds \
  --from-literal=DB_HOST=postgres.internal \
  --from-literal=DB_USER=app \
  --from-literal=DB_PASSWORD=s3cr3t

Or from a file of key=value pairs with --from-env-file=.env.

Common mistakes

Want to try it hands-on? HeyDevJob gives you this exact setup in a live cloud workspace in your browser - edit it, run it, and see it work. Free, nothing to install.

Try it in a workspace →

What you'll practice

FAQ

How do I inject a Kubernetes Secret as environment variables?

Add an envFrom entry with a secretRef pointing to your Secret name in the container spec. Every key in the Secret becomes an env var in the container. Apply the updated Deployment and verify with kubectl exec.

What is the difference between envFrom and secretKeyRef?

envFrom with secretRef projects all keys from a Secret into the container at once. secretKeyRef under env lets you pick individual keys and rename them. Use envFrom for convenience, secretKeyRef for precise control.

Why does my pod show CreateContainerConfigError after adding envFrom?

The Secret named in secretRef does not exist or is in the wrong namespace. Run kubectl get secret to confirm the name and namespace, create the Secret if missing, then re-apply the Deployment.

Keep learning

Fix a Kubernetes CrashLoopBackOffKubernetes projectHeal a Kubernetes Service With No EndpointsKubernetes projectFix a Kubernetes ImagePullBackOffKubernetes projectKubernetes roadmapStep by step to hiredKubernetes interview questionsSTAR answersAll Kubernetes projectsProjects hub

Learn it by doing. Open this in a live cloud workspace, make the change yourself, and keep a record of the work you can share.

Open the workspace →