Accessing Secrets in Functions

Functions can access Kubernetes Secrets and ConfigMaps.

Use secrets for things like API keys, authentication tokens, and so on.

Use config maps for any other configuration that doesn’t need to be a secret.

Create A Secret or a ConfigMap

You can create a Secret or ConfigMap with the Kubernetes CLI:

$ kubectl -n default create secret generic my-secret --from-literal=TEST_KEY="TESTVALUE"

$ kubectl -n default create configmap my-configmap --from-literal=TEST_KEY="TESTVALUE"

Or, use kubectl create -f <filename.yaml> to create these from a YAML file.

apiVersion: v1
kind: Secret
  namespace: default
  name: my-secret
  TEST_KEY: VEVTVFZBTFVF # value after base64 encode
type: Opaque

apiVersion: v1
kind: ConfigMap
  namespace: default
  name: my-configmap

Accessing Secrets and ConfigMaps

Secrets and configmaps are accessed similarly. Each secret or configmap is a set of key value pairs. Fission sets these up as files you can read from your function.

# Secret path

# ConfigMap path

From the previous example, the paths are:

# secret my-secret

# confimap my-configmap

Now, let’s create a simple python function ( that returns the value of Secret my-secret and ConfigMap my-configmap.


def main():
    path = "/configs/default/my-configmap/TEST_KEY"
    f = open(path, "r")
    config =

    path = "/secrets/default/my-secret/TEST_KEY"
    f = open(path, "r")
    secret =

    msg = "ConfigMap: %s\nSecret: %s" % (config, secret)

    return msg, 200

Create an environment and a function:

# create python env
$ fission env create --name python --image fission/python-env

# create function named "leaker"
$ fission fn create --name leaker --env python --code --secret my-secret --configmap my-configmap

The fission CLI doesnt support providing two configmaps for a function for now, but it can be achieved through the fission spec. We can provide two configmaps for a function in the fission spec yaml.

Run the function, and the output should look like this:

$ fission function test --name leaker

If the Secret or ConfigMap value is updated, the function may not get the updated value for some time; it may get a cached older value.