How to Inject a Kubernetes Secret as Environment Variables
A Kubernetes Secret exists in the cluster but the app still has no credentials - because Secrets are not automatically available to pods. You have to wire them in explicitly, either key-by-key or all at once with envFrom. Here's how to do it.
Secrets are passive - you have to project them
Creating a Secret stores encrypted data in etcd. Nothing shows up in a container until you tell the pod spec where to put it. There are two ways:
envFrom+secretRef- projects every key in the Secret as an env varenv+secretKeyRef- pulls individual keys by name
envFrom is the fast, concise choice when you want the whole Secret available.
The envFrom pattern
Given a Secret named db-creds with keys DB_HOST, DB_USER, and
DB_PASSWORD, wire it in with envFrom:
apiVersion: apps/v1
kind: Deployment
metadata:
name: api
spec:
replicas: 1
selector:
matchLabels:
app: api
template:
metadata:
labels:
app: api
spec:
containers:
- name: api
image: my-app:latest
envFrom:
- secretRef:
name: db-creds
Apply it and confirm the variables are present:
kubectl apply -f deployment.yaml
kubectl exec deploy/api -- env | grep DB_
You should see DB_HOST, DB_USER, and DB_PASSWORD in the output.
Per-key injection with secretKeyRef
When you only need specific keys - or need to rename them - use secretKeyRef
under env instead:
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: db-creds
key: DB_HOST
This gives you fine control: pick the key, set the env var name, and leave the rest of the Secret out of the container's environment.
Creating the Secret
If the Secret does not exist yet, create it from literal values:
kubectl create secret generic db-creds \
--from-literal=DB_HOST=postgres.internal \
--from-literal=DB_USER=app \
--from-literal=DB_PASSWORD=s3cr3t
Or from a file of key=value pairs with --from-env-file=.env.
Common mistakes
- Wrong Secret name - the
secretRef.namemust match exactly; a typo leaves the pod inCreateContainerConfigError. - Secret in the wrong namespace - a pod can only reference Secrets in its own namespace.
- Existing pods are not updated - after editing the Deployment spec, run
kubectl rollout restart deployment/apiif the pod was already running and the change did not trigger a rollout.
Want to try it hands-on? HeyDevJob gives you this exact setup in a live cloud workspace in your browser - edit it, run it, and see it work. Free, nothing to install.
Try it in a workspace →What you'll practice
- Adding envFrom with a secretRef to a Deployment container spec
- Verifying env var injection with kubectl exec deploy/api -- env
- Choosing between envFrom (whole Secret) and secretKeyRef (single key)
FAQ
How do I inject a Kubernetes Secret as environment variables?
Add an envFrom entry with a secretRef pointing to your Secret name in the container spec. Every key in the Secret becomes an env var in the container. Apply the updated Deployment and verify with kubectl exec.
What is the difference between envFrom and secretKeyRef?
envFrom with secretRef projects all keys from a Secret into the container at once. secretKeyRef under env lets you pick individual keys and rename them. Use envFrom for convenience, secretKeyRef for precise control.
Why does my pod show CreateContainerConfigError after adding envFrom?
The Secret named in secretRef does not exist or is in the wrong namespace. Run kubectl get secret to confirm the name and namespace, create the Secret if missing, then re-apply the Deployment.
Keep learning
Learn it by doing. Open this in a live cloud workspace, make the change yourself, and keep a record of the work you can share.
Open the workspace →