Sensitive information storage in Kubernetes using Cloud Code for Cloud Shell
This page provides a quick introduction to what Kubernetes secrets are, and how Cloud Code helps enable the Secret Manager API to create, use, and store them.
Introduction to Kubernetes secrets
When creating Kubernetes applications, it's often necessary to pass small amounts of sensitive data for passwords, SSH keys, or OAuth tokens. Rather than store this information in a pod specification or container image, Kubernetes secrets can be created to store the sensitive data.
By default, Kubernetes secrets are stored unencrypted in the API server's underlying data store. Anyone with API access can retrieve or modify a secret. The Kubernetes Secrets documentation recommends taking at least the following steps in order to safely use Kubernetes secrets:
- Enable Encryption at Rest for Secrets.
- Enable or configure RBAC rules with least-privilege access to Secrets.
- Restrict Secret access to specific containers.
- Consider using external Secret store providers.
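One way to check the least-privilege RBAC step above, as an added example that is not part of the original page or of Cloud Code: the script inspects the `rules` of Role and ClusterRole objects and flags grants on Secrets that are broader than a `get` on named Secrets. The role names, the `shop` namespace, and the `db-credentials` Secret name are constructed sample values.

```python
# Added example: audit RBAC rules for over-broad access to Secrets.
# Input shape matches the "rules" field of Role/ClusterRole objects.

# list and watch return the contents of every Secret in scope, so they are
# treated like a wildcard verb.
READ_ALL_VERBS = {"list", "watch", "*"}

def covers_secrets(rule):
    """True if the rule applies to core-group Secrets, directly or by wildcard."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    in_core = "" in groups or "*" in groups
    return in_core and ("secrets" in resources or "*" in resources)

def audit_role(role):
    """Return a list of findings (strings) for one Role or ClusterRole dict."""
    findings = []
    name = f'{role.get("kind", "Role")}/{role["metadata"]["name"]}'
    for i, rule in enumerate(role.get("rules") or []):
        if not covers_secrets(rule):
            continue
        verbs = set(rule.get("verbs", []))
        if "*" in rule.get("resources", []):
            findings.append(f"{name} rule {i}: wildcard resource includes secrets")
        bulk = sorted(verbs & READ_ALL_VERBS)
        if bulk:
            findings.append(f"{name} rule {i}: verbs {bulk} expose every Secret in scope")
        elif "get" in verbs and not rule.get("resourceNames"):
            findings.append(f"{name} rule {i}: get on secrets without resourceNames")
    return findings

# Constructed sample manifests (not from the page).
BROAD = {"kind": "ClusterRole", "metadata": {"name": "app-admin"},
         "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]}
UNSCOPED = {"kind": "Role", "metadata": {"name": "reader", "namespace": "shop"},
            "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]}
SCOPED = {"kind": "Role", "metadata": {"name": "db-cred-reader", "namespace": "shop"},
          "rules": [{"apiGroups": [""], "resources": ["secrets"],
                     "resourceNames": ["db-credentials"], "verbs": ["get"]}]}

if __name__ == "__main__":
    for role in (BROAD, UNSCOPED, SCOPED):
        for finding in audit_role(role) or [f'{role["metadata"]["name"]}: ok']:
            print(finding)
```

The same function can be run over the `items` array of `kubectl get roles,clusterroles -A -o json` after loading it with `json.load`.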
Secret Manager in Cloud Code
Cloud Code helps you use the Secret Manager API to create, version, and store your secrets with encryption at rest from within your IDE. You can use Secret Manager exclusively in Cloud Code, or in addition to other tools you already use for secret management.
Actions available within your IDE with Cloud Code include:
- Enable the Secret Manager API.
- Create Kubernetes secrets using the Secret Manager view or the editor view.
- Version, view, and delete secrets.
- Access secrets from your application.
- Add secrets as environment variables.
- Mount a secret as a volume.
Work with Kubernetes secrets in Cloud Code
For step-by-step instructions on creating, versioning, using, and deleting secrets in Cloud Code, see Manage secrets.
What's next
- Read more about Kubernetes secrets in the Kubernetes documentation.
- Familiarize yourself with good practices for Kubernetes secrets.
- Consider using a service account token or other alternatives to secrets.
Last updated 2025-12-15 UTC.