Share Kubernetes Secrets Securely

The problem

Kubernetes secrets and kubeconfig files contain cluster credentials, service account tokens, and TLS certificates that grant direct access to your infrastructure. Sharing them over Slack or email exposes your entire cluster. A leaked kubeconfig file gives an attacker the ability to deploy, modify, or destroy workloads.

How Vaulted helps

Vaulted encrypts your Kubernetes secrets client-side with AES-256-GCM before transmission. The self-destructing link ensures cluster credentials are available only until the recipient retrieves them. The zero-knowledge architecture guarantees that the Vaulted server never sees your plaintext cluster configuration.

How to do it

1. Paste your Kubernetes secret, kubeconfig, or service account token into Vaulted
2. Set a single-view limit and a short expiration for maximum security
3. Share the encrypted link with the engineer who needs cluster access
4. They configure kubectl with the credentials, and the link is permanently destroyed

Share Kubernetes secrets from the terminal

Use the Vaulted CLI to share cluster credentials without leaving the terminal: cat kubeconfig.yaml | npx vaulted-cli --views 1 --expires 1h. Or pass the content directly: npx vaulted-cli "$(kubectl get secret my-secret -o jsonpath={.data})" -v 1. Install from npm: npm install -g vaulted-cli.

Share Kubernetes secrets in GitHub Actions

Use the Vaulted GitHub Action to share cluster credentials in CI/CD pipelines: uses: vaulted-fyi/share-secret@v1 with your Kubernetes secret as the input. Encrypted client-side with self-destructing links. Available on GitHub Marketplace.