---
title: Managing Secrets
---

# Managing Secrets

[Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) are used to manage credentials within Tanzu Build Service:

- A registry secret is needed to publish images to a registry
- A git secret is needed to use source code stored in a private git repository

Secrets are namespaced and therefore only available to image configurations within the same namespace. Secret management is made easier with the `kp` CLI.

```shell
$ kp secret
Secret Commands

Usage:
  kp secret [command]

Available Commands:
  create      Create a secret configuration
  delete      Delete secret
  list        List secrets
```

For details about secret synchronization, see [Secrets in Tanzu Build Service](secrets-in-tbs.html).

## Creating Secrets

Secrets can be created interactively with the `kp` CLI, and creation can also be scripted by supplying the credential through an environment variable instead of the prompt. When scripting, read the password into the variable from a file or a secret store rather than typing it on the command line, where it would be recorded in shell history. Secrets are created in the current-context namespace of the kubeconfig unless a namespace is specified explicitly with the `--namespace` or `-n` flag. Secrets created this way are also added automatically to the `default` service account in the same namespace.

This page walks through creating:

- a Docker Hub registry secret
- a GCR registry secret
- a registry secret (Artifactory, Harbor, or ACR)
- a Git SSH secret
- a Git Basic Auth secret

**Note:** `kp` does not validate the secret against the specified registry or git server at creation time. Incorrect credentials are reported only when the secret is used, during an image build.

### Docker Hub registry secret

Create Docker Hub secrets with the `--dockerhub` flag:

```shell
$ kp secret create my-dockerhub-creds \
    --dockerhub dockerhub-id
dockerhub password:
"my-dockerhub-creds" created
```

Alternatively, set the `DOCKER_PASSWORD` environment variable to bypass the password prompt.

The Docker Hub registry secret is stored as a `kubernetes.io/dockerconfigjson` secret.
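The `kubernetes.io/dockerconfigjson` layout is shared by the Docker Hub, GCR and registry secrets on this page, and it is what the TARGET column of `kp secret list` reflects. The following shell script is an added example written for this page, not code from `kp` or Tanzu Build Service: it builds the payload such a secret carries, wraps it in a manifest with the type and data key `kp` uses, and reads the registry targets back out without printing the password. The registry hosts, user names and passwords are constructed placeholders, the namespace `build-ns` is assumed, and `kp` may attach annotations of its own that the manifest here does not reproduce.

```shell
#!/bin/sh
# Added example for this page, not kp's own code: construct the
# kubernetes.io/dockerconfigjson payload a registry secret carries, wrap it
# in a manifest, and read the registry targets back without exposing
# credentials.  All registries, users and passwords below are placeholders.

# Encode stdin as a single base64 line (portable across GNU and BSD base64).
b64() { base64 | tr -d '\n'; }

# Docker Hub's entry under "auths" is keyed by the legacy index URL, not a
# bare hostname; this is the TARGET that `kp secret list` shows for a
# --dockerhub secret.  Other registries are keyed by their hostname.
dockerhub_target() { printf 'https://index.docker.io/v1/'; }

# dockerconfigjson TARGET USER PASSWORD
# Emits a single-registry .dockerconfigjson document.  "auth" is just
# base64("user:password"): encoding, not encryption, so anyone allowed to
# `get secrets` in the namespace can recover the password.  Inputs are not
# JSON-escaped; keep quotes and backslashes out of them.
dockerconfigjson() {
  auth=$(printf '%s:%s' "$2" "$3" | b64)
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$auth"
}

# registry_secret_manifest NAME NAMESPACE TARGET USER PASSWORD
# Prints a Secret with the type and data key that kp uses for --dockerhub,
# --gcr and --registry secrets.  kp may add annotations of its own, which
# are not reproduced here (assumption: none are needed to read the data).
registry_secret_manifest() {
  payload=$(dockerconfigjson "$3" "$4" "$5" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $payload
EOF
}

# dockerconfig_targets   (stdin: the base64 .dockerconfigjson value, e.g.
# from `kubectl get secret NAME -o jsonpath='{.data.\.dockerconfigjson}'`)
# Prints one registry target per line and nothing else, which is usually
# all an audit of "where can this namespace push?" needs.  Assumes the
# compact layout produced above (one "host":{ per registry, no whitespace).
dockerconfig_targets() {
  base64 -d | sed 's/^{"auths":{//' | grep -o '"[^"]*":{' | sed 's/^"//; s/":{$//'
}

# Demonstration with constructed credentials; the namespace is assumed.
main() {
  registry_secret_manifest my-harbor-creds build-ns \
    registry.pivotal.io someuser@pivotal.io 'not-a-real-password'
  echo '---'
  registry_secret_manifest my-docker-hub-creds build-ns \
    "$(dockerhub_target)" dockerhub-id 'not-a-real-password'
  echo '---'
  echo 'targets in my-harbor-creds:'
  dockerconfigjson registry.pivotal.io someuser@pivotal.io 'x' | b64 | dockerconfig_targets
}

main
```

Running the script prints the two manifests followed by the target list. Applying such a manifest with `kubectl apply -f` creates the same kind of secret that `kp secret create` does, but it does not add the secret to the `default` service account, which `kp` does for you. Because the stored value is only base64-encoded, restrict `get` and `list` on secrets in the build namespace with RBAC and keep encryption at rest enabled for the cluster's etcd.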
### GCR registry secret

Create GCR secrets with the `--gcr` flag, passing the path to a service account key file:

```shell
$ kp secret create my-gcr-creds \
    --gcr /tmp/my-gcr-service-account.json
"my-gcr-creds" created
```

Alternatively, set the `GCR_SERVICE_ACCOUNT_PATH` environment variable instead of passing the `--gcr` flag.

The GCR registry secret is stored as a `kubernetes.io/dockerconfigjson` secret.

### Registry secret

You can create Artifactory, Harbor, or ACR secrets with the `--registry` set of flags. You will be prompted for the password:

```shell
$ kp secret create my-harbor-creds \
    --registry registry.pivotal.io \
    --registry-user someuser@pivotal.io
registry password:
"my-harbor-creds" created
```

Alternatively, set the `REGISTRY_PASSWORD` environment variable to bypass the password prompt.

The registry secret is stored as a `kubernetes.io/dockerconfigjson` secret.

### Git SSH secret

You can create a Git SSH secret by specifying the git user ID and a private SSH key. For example, to access a private GitHub repository with a deploy key, create the secret by running:

```shell
$ kp secret create my-git-ssh-creds \
    --git git@github.com \
    --git-ssh-key /tmp/private-repo-git-deploy-key
"my-git-ssh-creds" created
```

Alternatively, set the `GIT_SSH_KEY_PATH` environment variable instead of passing the `--git-ssh-key` flag.

A deploy key scoped to a single repository with read-only access is the least privilege a build needs; avoid reusing a personal SSH key that can write to every repository you own.

The Git SSH secret is stored as a `kubernetes.io/ssh-auth` secret.

### Git Basic Auth secret

You can create a Git Basic Auth secret by providing the username and entering the password when prompted. For example, to access a private GitHub repository, create the secret by running:

```shell
$ kp secret create my-git-creds \
    --git https://github.com \
    --git-user someone@vmware.com
git password:
"my-git-creds" created
```

Alternatively, set the `GIT_PASSWORD` environment variable to bypass the password prompt. Hosts such as GitHub require a personal access token in place of the account password for Git over HTTPS, so the token is what goes in the password field.

The Git Basic Auth secret is stored as a `kubernetes.io/basic-auth` secret.

## Listing Secrets

The name and the target of each secret can be listed.
For example:

```shell
$ kp secret list
NAME                  TARGET
default-token-qrdbr
my-docker-hub-creds   https://index.docker.io/v1/
my-gcr-creds          gcr.io
my-git-creds          https://github.com
my-git-ssh-creds      git@github.com
my-harbor-creds       registry.pivotal.io
```

Unless a namespace is specified explicitly with the `--namespace` or `-n` flag, secrets are listed for the current-context namespace.

`default-token-xxxxx` is the token secret that Kubernetes adds automatically to the `default` service account; it was not created by `kp`.

## Deleting Secrets

Secrets can be deleted with the `kp` CLI. No confirmation is requested, so check the name and namespace before running the command.

```shell
$ kp secret delete my-gcr-creds
"my-gcr-creds" deleted
```

Unless a namespace is specified explicitly with the `--namespace` or `-n` flag, secrets are deleted from the current-context namespace.