Helm Secrets

A Helm plugin that helps manage secrets with a Git workflow and store them anywhere



helm-secrets is a Helm plugin for decrypting encrypted Helm value files on the fly.

  • Use sops to encrypt value files and store them in git.
  • Store your secrets in a cloud-native secret manager like AWS Secrets Manager, Azure KeyVault or HashiCorp Vault and inject them into value files or templates.
  • Use helm-secrets in your favorite deployment tool or GitOps operator, such as ArgoCD.

Who's actually using helm-secrets? If you are using helm-secrets in your company or organization, we would like to invite you to create a PR to add your information to this file.


See Installation for more information.


For full documentation, read GitHub wiki.

Decrypt secrets via protocol handler

Decrypts only the specific value files that are referenced with the protocol prefix. This method is preferred over the plugin command below, and it is the mode used in ArgoCD environments.

On Windows, the command helm secrets patch windows needs to be run first.

helm upgrade name . -f secrets://secrets.yaml

See Usage for more information

Decrypt secrets via plugin command

Wraps the whole helm command. Slow on multiple value files.

helm secrets upgrade name . -f secrets.yaml

Evaluate secret reference inside helm template

Requires Helm 3.9+ and vals 0.20+.

helm-secrets supports evaluating vals expressions inside Helm templates when the --evaluate-templates flag is enabled.


apiVersion: v1
kind: Secret
metadata:
  name: secret
type: Opaque
stringData:
  # vals reference, resolved when the template is evaluated
  password: "ref+awsssm://foo/bar?mode=singleparam#/BAR"


helm secrets --evaluate-templates upgrade name .

Cloud support

Use AWS Secrets Manager or Azure KeyVault to store secrets securely and reference them inside values.yaml.

# Quote the reference so the shell does not treat "?" as a glob character.
helm secrets --backend vals template bitnami/mysql --name-template mysql \
  --set 'auth.rootPassword=ref+awsssm://foo/bar?mode=singleparam#/BAR'

See Cloud Integration for more information.

ArgoCD support

For running helm-secrets with ArgoCD, see ArgoCD Integration for more information.


apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app
spec:
  source:
    helm:
      valueFiles:
        - secrets+gpg-import:///helm-secrets-private-keys/key.asc?secrets.yaml
        - secrets+gpg-import-kubernetes://argocd/helm-secrets-private-keys#key.asc?secrets.yaml
        - secrets://secrets.yaml
      # fileParameters (--set-file) are supported, too.
      fileParameters:
        - name: config
          path: secrets://secrets.yaml
        # directly reference values from Cloud Providers
        - name: mysql.rootPassword
          path: secrets+literal://ref+azurekeyvault://my-vault/secret-a

Terraform support

The Terraform Helm provider does not support downloader plugins.

helm-secrets can be used together with the Terraform external data source provider.


data "external" "helm-secrets" {
  program = ["helm", "secrets", "decrypt", "--terraform", "../../examples/sops/secrets.yaml"]
}

resource "helm_release" "example" {

  values = [
    # values decoded from data.external.helm-secrets.result go here
  ]
}

An example of how to use helm-secrets with Terraform can be found in examples/terraform.

Secret backends

helm-secrets supports multiple secret backends. Currently, sops and vals are supported.

See Secret-Backends for how to use them.
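With the sops backend the encrypted value files live in git, so a pre-commit or CI check that each secrets*.yaml is still fully encrypted catches a file committed in plaintext or edited by hand after encryption. The script below is an added example, not part of helm-secrets; the function names, the secrets*.yaml naming pattern and the sample files are assumptions, and it expects block-style YAML in which every value is meant to be encrypted.

```shell
#!/bin/sh
# Added example (not from helm-secrets): find secrets*.yaml files that are not
# fully sops-encrypted. Assumes block-style YAML with every value encrypted.

# Returns 0 only if the file has sops metadata and no plaintext scalar.
is_sops_encrypted() {
  # sops appends a top-level "sops:" mapping that contains an encrypted "mac".
  grep -q '^sops:' "$1" || return 1
  grep -Eq '^[[:space:]]+mac: ENC\[' "$1" || return 1
  # Every scalar above the sops block must be an ENC[AES256_GCM,...] value.
  awk '
    /^sops:/          { exit }
    /^[ \t]*(#|$)/    { next }   # comments and blank lines
    /^---/            { next }   # document marker
    /:[ \t]*$/        { next }   # keys that only open a nested mapping
    !/(:|-)[ \t]+"?ENC\[AES256_GCM,/ { bad = 1; exit }
    END               { exit bad }
  ' "$1"
}

# Prints every secrets*.yaml under $1 that fails the check; returns 1 if any.
find_plaintext_secrets() {
  found=$(find "$1" -type f -name 'secrets*.yaml' | sort | while IFS= read -r f; do
    is_sops_encrypted "$f" || printf '%s\n' "${f#"$1"/}"
  done)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Constructed sample repository: ciphertext fields are made-up placeholders.
make_samples() {
  d=$(mktemp -d)
  mkdir -p "$d/ok" "$d/plain" "$d/edited"
  enc='ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]'
  printf 'db:\n    password: %s\nsops:\n    mac: %s\n' "$enc" "$enc" > "$d/ok/secrets.yaml"
  printf 'db:\n    password: hunter2\n' > "$d/plain/secrets.yaml"
  # Encrypted once, then a plaintext key was added by hand.
  printf 'db:\n    password: %s\n    token: abc123\nsops:\n    mac: %s\n' \
    "$enc" "$enc" > "$d/edited/secrets.dev.yaml"
  printf '%s\n' "$d"
}

repo=$(make_samples)
find_plaintext_secrets "$repo" || echo "refusing commit: files above are not fully encrypted"
rm -rf "$repo"
```

The hand-edited file is the case a simple search for a `sops:` key misses: the metadata block is present, but one value above it is plaintext and would already be in git history by the time decryption fails.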


Additional documentation, resources and examples can be found here.

Moving parts of project

  • scripts/run.sh - Main helm-secrets plugin code for all helm-secrets plugin actions available in helm secrets help after plugin install
  • scripts/backends - Location of the in-tree secrets backends
  • scripts/commands - Sub Commands of helm secrets are defined here.
  • scripts/lib - Common functions used by helm secrets.
  • scripts/wrapper - Wrapper scripts for Windows systems.
  • tests - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See tests/README.md for more information.
  • examples - Some example secrets.yaml

Copyright and license

2020-2022 Jan-Otto Kröpke (jkroepke)

2017-2020 Zendesk

Licensed under the Apache License, Version 2.0
