Sensitive information storage in Kubernetes using Cloud Code for IntelliJ
This page provides a quick introduction to what Kubernetes secrets are, and how
Cloud Code helps enable the Secret Manager API to
create, use, and store them.
Introduction to Kubernetes secrets
When creating Kubernetes applications, it's often necessary to pass small
amounts of sensitive data for passwords, SSH keys, or OAuth tokens. Rather than
store this information in a pod specification or container image, Kubernetes
secrets can be created to store the sensitive data.
By default, Kubernetes secrets are stored unencrypted in the API server's
underlying data store. Anyone with API access can retrieve or modify a secret.
The Kubernetes Secrets documentation
recommends taking at least the following steps in order to safely use
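Kubernetes secrets:

- [Enable Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) for Secrets.
- [Enable or configure RBAC rules](https://kubernetes.io/docs/reference/access-authn-authz/authorization/) with least-privilege access to Secrets.
- Restrict Secret access to specific containers.
- [Consider using external Secret store providers](https://secrets-store-csi-driver.sigs.k8s.io/concepts.html#provider-for-the-secrets-store-csi-driver).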
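
One way to check the least-privilege RBAC step for Secrets, as an added example that is not part of the original page or of Cloud Code: the script flags Roles and ClusterRoles whose rules reach Secrets through wildcards or grant read verbs without `resourceNames`. The role names, namespace and JSON input are constructed sample data shaped like `kubectl get roles,clusterroles -o json` output.

```python
import json

# Constructed sample, shaped like `kubectl get roles,clusterroles -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "shop"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
  {"kind": "Role", "metadata": {"name": "db-client", "namespace": "shop"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"],
              "resourceNames": ["db-password"], "verbs": ["get"]}]}
]}
""")


def covers_secrets(rule):
    """True if the rule applies to Secrets (core API group, or a wildcard)."""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    return bool({"", "*"} & set(groups)) and bool({"secrets", "*"} & set(resources))


def audit_rule(rule):
    """Return least-privilege findings for one RBAC rule (read access only)."""
    if not covers_secrets(rule):
        return []
    verbs, findings = set(rule.get("verbs", [])), []
    if "*" in verbs or "*" in rule.get("resources", []):
        findings.append("wildcard verb or resource reaches secrets")
    # Without resourceNames, get/list/watch apply to every Secret in scope.
    if not rule.get("resourceNames") and verbs & {"get", "list", "watch", "*"}:
        findings.append("read access is not pinned with resourceNames")
    return findings


def audit(role_list):
    """Map 'Kind/namespace/name' to findings, for each role that has any."""
    report = {}
    for obj in role_list.get("items", []):
        meta = obj["metadata"]
        key = f'{obj["kind"]}/{meta.get("namespace", "*")}/{meta["name"]}'
        found = [f for rule in obj.get("rules") or [] for f in audit_rule(rule)]
        if found:
            report[key] = found
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```
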
Secret Manager in Cloud Code
Cloud Code helps you use the Secret Manager API to
create, version, and store your secrets with
encryption at rest
from within your IDE.
You can use Secret Manager exclusively in Cloud Code, or
in addition to other tools you already use for secret management.
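Actions available within your IDE with Cloud Code include:

- [Enable the Secret Manager API](/code/docs/intellij/secret-manager#enabling).
- [Create Kubernetes secrets](/code/docs/intellij/secret-manager#creating_secrets) using the Secret Manager view or the editor view.
- [Version](/code/docs/intellij/secret-manager#creating_new_versions_of_secrets), view, and delete secrets.
- [Access secrets from your application](/code/docs/intellij/secret-manager#accessing_secrets_from_your_application).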

Work with Kubernetes secrets in Cloud Code
For step-by-step instructions on creating, versioning, using, and deleting
secrets in Cloud Code, see [Manage secrets](/code/docs/intellij/secret-manager).

What's next

- Read more about Kubernetes secrets in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/secret/).
- Familiarize yourself with [good practices for Kubernetes secrets](https://kubernetes.io/docs/concepts/security/secrets-good-practices/).
- Consider using a [service account token](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) or other [alternatives](https://kubernetes.io/docs/concepts/configuration/secret/#alternatives-to-secrets) to secrets.

Get support
To submit feedback or report an issue in your IntelliJ IDE, go to **Tools** > **Cloud Code** > **Help / About** > **Submit feedback or report an issue** to report an issue on [GitHub](https://github.com/GoogleCloudPlatform/cloud-code-intellij/issues).

Last updated 2025-08-28 UTC.