Skip to content

All Keys, One Secret

To get multiple key-values from an external secret, not having to worry about how many, or what these keys are, we have to use the dataFrom field of the ExternalSecret resource, instead of the data field. We will give an example here with the gcp provider (should work with other providers in the same way).

Please follow the authentication and SecretStore steps of the Google Cloud Secrets Manager guide to setup access to your google cloud account first.

Then create a secret in Google Cloud Secret Manager that contains a JSON string with multiple key values like this:


Let's call this secret all-keys-example-secret on Google Cloud.

Creating dataFrom external secret

Now, when creating our ExternalSecret resource, instead of using the data field, we use the dataFrom field:

kind: ExternalSecret
  name: example
  refreshInterval: 1h           # rate SecretManager pulls GCPSM
    kind: SecretStore
    name: example               # name of the SecretStore (or kind specified)
    name: secret-to-be-created  # name of the k8s Secret to be created
    creationPolicy: Owner
  - extract:
      key: all-keys-example-secret  # name of the GCPSM secret

To check both values we can run:

kubectl get secret secret-to-be-created -n <namespace> -o jsonpath='{.data.username}' | base64 -d
kubectl get secret secret-to-be-created -n <namespace> -o jsonpath='{.data.surname}' | base64 -d