Getting a Secret within a Kubernetes Cluster Quickstart
This Quickstart shows how to inject a secret from Akeyless into a Kubernetes container using the Akeyless Kubernetes Secrets Injector. Your application will read the secret from a file inside the container’s filesystem; the injector handles authentication and secret retrieval.
Prerequisites
You will need:
- A running Kubernetes cluster (v1.21 or later recommended)
kubectlconfigured- An Akeyless Gateway reachable from the cluster within a namespace titled
akeyless - An Akeyless API Key (Access ID + Access Key) with an appropriate Role associated
- A Static Secret in Akeyless
Step 1: Install the Injector
Before injecting secrets into containers, you must install and configure the Akeyless Kubernetes Secrets Injector. This component authenticates workloads to Akeyless and writes secrets into the container filesystem.
- Run the following commands to update the Helm repositories in your local Helm environment:
helm repo updateYou previously should have already added the official Akeyless Helm chart repository in order to install the Akeyless Gateway.
Sample Output:
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "akeyless" chart repository
Update Complete. ⎈Happy Helming!⎈- Run the following command to save the default configuration values of the Akeyless Kubernetes Secrets Injector Helm chart to your current directory as a new file called
values.yaml:
helm show values akeyless/akeyless-secrets-injection --version "1.17.5" > values.yamlThere should be no command output.
- Using your text editor of choice, edit the
values.yamlfile.- Under the
envkey:- Set
AKEYLESS_ACCESS_IDto the Access ID of your API Key. - Set
AKEYLESS_ACCESS_TYPEtoapi_key. - Uncomment
AKEYLESS_API_KEY(by removing the#) and replace<api-keywith the value to the Access Key of your API Key.
- Set
- Under the
In all of these instances, you should leave the quotation marks in place (").
Sample File Section:
env:
AKEYLESS_URL: "https://vault.akeyless.io"
AKEYLESS_ACCESS_ID: "p-h8kyauyqvow2am"
AKEYLESS_ACCESS_TYPE: "api_key" # azure_ad/aws_iam/api_key/k8s
# AKEYLESS_API_GW_URL: "https://api-gw-url"
# AKEYLESS_POD_ACCESS_PATH: "<location-to-access-secrets-per-pod-name>"
# AKEYLESS_NAMESPACE_ACCESS_PATH: "<location-to-access-secrets-per-namespace>"
# AKEYLESS_SECRET_DIR_NAME: "<path>"
AKEYLESS_API_KEY: "GCz5fLEgc0tJftA/7W1WnywbgorEc30V92xQ3dOGNME="
# AKEYLESS_CRASH_POD_ON_ERROR: "enable"
# AKEYLESS_K8S_AUTH_CONF_NAME: "K8s_conf_name"
# the gw base64 certificate file e.g: 'cat my-gw.crt | base64'
# AKEYLESS_GW_CERTIFICATE:
AKEYLESS_AGENT_LIMITS_CPU: "500m"
AKEYLESS_AGENT_REQUESTS_CPU: "250m"
AKEYLESS_AGENT_LIMITS_MEM: "128Mi"
AKEYLESS_AGENT_REQUESTS_MEM: "64Mi"- Save the file.
- Run the following command to install the Akeyless Kubernetes Secrets Injector Helm chart using the
values.yamlfile that you edited:
helm install secret-injector akeyless/akeyless-secrets-injection --version "1.17.5" --namespace akeyless -f values.yamlSample Output:
NAME: secret-injector
LAST DEPLOYED: Thu Nov 20 13:52:33 2025
NAMESPACE: akeyless
STATUS: deployed
REVISION: 1
DESCRIPTION: Install complete
TEST SUITE: NoneStep 2: Verify Pods for the Secret Injector
- Wait for the Akeyless Kubernetes Secret Injector pods to be ready. This will likely take about one minute.
- Run the following command to check that the pods are ready:
kubectl get pods -n akeylessSample Output:
NAME READY STATUS RESTARTS AGE
gw-akeyless-gateway-cache-7bc7c7556b-rdwzx 1/1 Running 0 155m
secret-injector-akeyless-secrets-injection-8464b9f585-p9r5x 1/1 Running 0 111s
secret-injector-akeyless-secrets-injection-8464b9f585-x882c 1/1 Running 0 111s
unified-gw-akeyless-gateway-695dbb7f67-bflsz 1/1 Running 0 155m
unified-gw-akeyless-gateway-695dbb7f67-n6kbx 1/1 Running 0 155mNote that the Akeyless Gateway pods are also included in the sample output.
Step 3: Verify the Secret
If you have not yet, create a Static Secret named /QuickSecret and ensure your API Key's associated Role has access to retrieve its value.
Step 4: Create a Kubernetes Deployment
- Create a new manifest file called
akeyless-secret-quickstart.yamlthat defines our Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: akeyless-secret-quickstart
namespace: akeyless
spec:
replicas: 1
selector:
matchLabels:
app: akeyless-secret-quickstart
template:
metadata:
labels:
app: akeyless-secret-quickstart
annotations:
akeyless/enabled: "true"
akeyless/inject_file: "QuickSecret"
spec:
containers:
- name: quickstart
image: alpine:3.19
command:
- "sh"
- "-c"
- "echo $MY_SECRET && echo going to sleep... && sleep 10000"
env:
- name: MY_SECRET
value: akeyless:QuickSecret- Apply the manifest file and create the Deployment:
kubectl apply -f akeyless-secret-quickstart.yamlSample Output:
deployment.apps/akeyless-secret-quickstart createdStep 5: Verify the Pod Started
Wait about one minute to verify the Quickstart pod is created:
kubectl get pods -n akeylessStep 6: Read the Secret from the Container
Run the following command to see your Static Secret be retrieved:
kubectl logs -n akeyless deploy/akeyless-secret-quickstartSample Output:
Defaulted container "quickstart" out of: quickstart, akeyless-init (init)
2025/11/21 01:50:44 [INFO] Secret QuickSecret was successfully written to: /akeyless/secrets/QuickSecret
Super Secret
going to sleep...In this example, we have injected the Static Secret's value as both a file and and an environment variable to illustrate your options. In a production environment, injecting the secret value as a file is the preferred method.
Step 7: Clean Up
kubectl delete -f akeyless-secret-quickstart.yamlSample Output:
deployment.apps "akeyless-secret-quickstart" deleted from akeyless namespaceYou have successfully:
- Installed the Akeyless Kubernetes Secrets Injector
- Created a demo deployment using annotation-based secret retrieval
- Retrieved an Akeyless secret value directly inside a container
Updated about 5 hours ago