Yandex Cloud
Search
Discuss with expertTry it for free
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
  • Marketplace
    • Featured
    • Infrastructure & Network
    • Data Platform
    • AI for business
    • Security
    • DevOps tools
    • Serverless
    • Monitoring & Resources
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
    • Price calculator
    • Pricing plans
  • Customer Stories
  • Documentation
  • Blog
© 2026 Direct Cursus Technology L.L.C.
Yandex Cloud Stackland
  • What's new
  • Installation
    • All tutorials
    • Installing Stackland on Yandex BareMetal
    • Installing Stackland on Yandex Cloud VMs
    • Setting up external access to a pod in a cluster
    • All guides
      • Injecting secrets into environment variables
      • Injecting secrets via ConfigMap
      • Secrets Store diagnostics
    • Projects
    • Resource model
  • Access management
  • Pricing policy
  • Diagnostics and troubleshooting

In this article:

  • Getting started
  • Create ServiceAccount
  • Configure a role in Secrets Store
  • Prepare the deployment
  • Apply the manifests
  • Check the result
  • Using multiple containers
  • Diagnostics
  1. Step-by-step guides
  2. Secrets Store
  3. Injecting secrets into environment variables

Injecting secrets into environment variables (Env mode)

Written by
Yandex Cloud
Updated at June 24, 2026
View in Markdown
  • Getting started
  • Create ServiceAccount
  • Configure a role in Secrets Store
  • Prepare the deployment
  • Apply the manifests
  • Check the result
  • Using multiple containers
  • Diagnostics

This guide explains how to configure secret injection from Secrets Store into pod environment variables using Secrets Injector.

Getting startedGetting started

  1. Make sure the Secrets Store component is installed and active in the cluster.
  2. Secrets Store contains secrets required by your application.

Create ServiceAccountCreate ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-sa
  namespace: myapp-namespace
kubectl apply -f serviceaccount.yaml

Configure a role in Secrets StoreConfigure a role in Secrets Store

Configure a Secrets Store role with access to the required paths and bind it to the ServiceAccount you created.

Prepare the deploymentPrepare the deployment

Add annotations to spec.template.metadata.annotations in the pod template:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: myapp-namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
      annotations:
        secrets.stackland.yandex.cloud/render-env: "true"
        secrets.stackland.yandex.cloud/role: "myapp"
    spec:
      serviceAccountName: myapp-sa
      containers:
        - name: app
          image: myapp:latest
          # In Env mode, specify _command_ or _args_ with the executable as the first element.
          command:
            - /app/myapp
          args:
            - --config=/config/app.yaml
          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "256Mi"
          env:
            - name: DB_PASSWORD
              value: "secrets:secret/data/myapp/database#password"
            - name: API_KEY
              value: "secrets:secret/data/myapp/api#key"

Key requirements:

  • The secrets.stackland.yandex.cloud/render-configmap: "true" annotation enables Env mode.
  • The secrets.stackland.yandex.cloud/role annotation defines the Secrets Store role.
  • In the container, you must specify either command or args, where the first element of args is the executable. The injector uses these fields to start the application. If neither of these fields is set, the pod will fail with the no command is given error.
  • In the env field, use the secrets:<path>#<key> format for secret references.

Apply the manifestsApply the manifests

kubectl apply -f deployment.yaml

Check the resultCheck the result

Make sure the pod has started and the secrets have been injected:

# Checking the pod status
kubectl get pods -n myapp-namespace

# Checking main container logs (the injector runs as a process wrapper, not as an init-container).
kubectl logs <pod_name> -n myapp-namespace -c app

# Checking the environment variables inside the pod
kubectl exec -n myapp-namespace <pod_name> -- env | grep DB_

If the injection is successful, the output should begin with the following lines:

level=INFO msg="found secret references" count=2
level=INFO msg="successfully injected secrets" count=2
level=INFO msg="spawning process" binary=...

Using multiple containersUsing multiple containers

To inject secrets into specific containers within a multi-container pod, use the containers annotation:

annotations:
  secrets.stackland.yandex.cloud/render-env: "true"
  secrets.stackland.yandex.cloud/role: "myapp"
  secrets.stackland.yandex.cloud/containers: "app,worker"

If the containers annotation is not set and there are multiple containers, the webhook will reject pod creation, causing the deployment to fail.

DiagnosticsDiagnostics

If secret injection fails, see Secrets Store diagnostics.

Was the article helpful?

Previous
Disable
Next
Injecting secrets via ConfigMap
© 2026 Direct Cursus Technology L.L.C.