← Back to blog
bpdubuntu

How to Access Kubernetes Secrets: A Grafana Password Example

5 February 2026bpd · ubuntu

Securely Managing and Retrieving Sensitive Information

Kubernetes uses a resource called a ‘Secret’ to store sensitive data like passwords, API keys, and TLS certificates. The ‘Ubuntu System Administration Guide’ provides a practical example of how to retrieve the auto-generated administrator password for a Grafana instance that was installed via a Helm chart.

Understanding Secrets

It’s important to know that, by default, Kubernetes Secrets are not encrypted at rest. They are simply Base64 encoded. This prevents you from accidentally seeing the password in plain text, but it is not a form of encryption.

Retrieving the Secret

The process involves two steps:

  1. Get the Secret: First, you use `kubectl get secret <secret-name> -o yaml` to view the Secret’s data. You will see the password as a long Base64 encoded string.
  2. Decode the Value: You then copy that string and decode it using the `base64` command-line tool. 
    echo 'your-base64-string==' | base64 --decode

This will reveal the plain-text password, allowing you to log in to your Grafana dashboard for the first time.

This post is based from content of the book Ubuntu System adminstration guide. And the book can be found here https://www.amazon.com/stores/Mattias-Hemmingsson/author/B0FF5CQX13