terraform/website/docs/language/settings/backends/kubernetes.html.md

---
layout: "language"
page_title: "Backend Type: Kubernetes"
sidebar_current: "docs-backends-types-standard-kubernetes"
description: |-
  Terraform can store state remotely in Kubernetes and lock that state.
---

# kubernetes

-> **Note:** This backend is limited by Kubernetes' maximum Secret size of 1MB. See [Secret restrictions](https://kubernetes.io/docs/concepts/configuration/secret/#restrictions) for details.

**Kind: Standard (with locking)**

Stores the state in a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/) with locking done using a Lease resource.

## Example Configuration

```hcl
terraform {
  backend "kubernetes" {
    secret_suffix    = "state"
    config_path      = "~/.kube/config"
  }
}
```

This assumes the user/service account running terraform has [permissions](https://kubernetes.io/docs/reference/access-authn-authz/authorization/) to read/write secrets in the [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) used to store the secret.

If the `config_path` or `config_paths` attribute is set the backend will attempt to use a [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) to gain access to the cluster.  

If the `in_cluster_config` flag is set the backend will attempt to use a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) to access the cluster. This can be used if Terraform is being run from within a pod running in the Kubernetes cluster. 

For most use cases either `in_cluster_config`, `config_path`, or `config_paths` will need to be set. If all flags are set the configuration at `config_path` will be used.

Note that for the access credentials we recommend using a [partial configuration](/docs/language/settings/backends/configuration.html#partial-configuration).


## Example Referencing

```hcl
data "terraform_remote_state" "foo" {
  backend = "kubernetes"
  config = {
    secret_suffix    = "state"
    load_config_file = true
  }
}
```

## Configuration variables

The following configuration options are supported:

* `secret_suffix` - (Required) Suffix used when creating secrets. Secrets will be named in the format: `tfstate-{workspace}-{secret_suffix}`.
* `labels` - (Optional) Map of additional labels to be applied to the secret and lease.
* `namespace` - (Optional) Namespace to store the secret and lease in. Can be sourced from `KUBE_NAMESPACE`.
* `in_cluster_config` - (Optional) Used to authenticate to the cluster from inside a pod. Can be sourced from `KUBE_IN_CLUSTER_CONFIG`.
* `host` - (Optional) The hostname (in form of URI) of Kubernetes master. Can be sourced from `KUBE_HOST`. Defaults to `https://localhost`.
* `username` - (Optional) The username to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_USER`.
* `password` - (Optional) The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_PASSWORD`.
* `insecure` - (Optional) Whether server should be accessed without verifying the TLS certificate. Can be sourced from `KUBE_INSECURE`. Defaults to `false`.
* `client_certificate` - (Optional) PEM-encoded client certificate for TLS authentication. Can be sourced from `KUBE_CLIENT_CERT_DATA`.
* `client_key` - (Optional) PEM-encoded client certificate key for TLS authentication. Can be sourced from `KUBE_CLIENT_KEY_DATA`.
* `cluster_ca_certificate` - (Optional) PEM-encoded root certificates bundle for TLS authentication. Can be sourced from `KUBE_CLUSTER_CA_CERT_DATA`.
* `config_path` - (Optional) Path to the kube config file. Can be sourced from `KUBE_CONFIG_PATH`.
* `config_paths` - (Optional) List of paths to kube config files. Can be sourced from `KUBE_CONFIG_PATHS`.
* `config_context` - (Optional) Context to choose from the config file. Can be sourced from `KUBE_CTX`.
* `config_context_auth_info` - (Optional) Authentication info context of the kube config (name of the kubeconfig user, `--user` flag in `kubectl`). Can be sourced from `KUBE_CTX_AUTH_INFO`.
* `config_context_cluster` - (Optional) Cluster context of the kube config (name of the kubeconfig cluster, `--cluster` flag in `kubectl`). Can be sourced from `KUBE_CTX_CLUSTER`.
* `token` - (Optional) Token of your service account.  Can be sourced from `KUBE_TOKEN`.
* `exec` - (Optional) Configuration block to use an [exec-based credential plugin] (https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins), e.g. call an external command to receive user credentials.
  * `api_version` - (Required) API version to use when decoding the ExecCredentials resource, e.g. `client.authentication.k8s.io/v1beta1`.
  * `command` - (Required) Command to execute.
  * `args` - (Optional) List of arguments to pass when executing the plugin.
  * `env` - (Optional) Map of environment variables to set when executing the plugin.
Add kubernetes backend Co-authored-by: Dan Ramich <danold215@gmail.com> 2020-04-13 22:17:17 +02:00			`---`
website: Adopt a ton of pages into the "language" layout As of this commit, that layout doesn't exist yet, but I'm isolating the one-line changes to their own commit to try and keep your eyes from glazing over. 2020-08-15 03:51:06 +02:00			`layout: "language"`
Add kubernetes backend Co-authored-by: Dan Ramich <danold215@gmail.com> 2020-04-13 22:17:17 +02:00			`page_title: "Backend Type: Kubernetes"`
			`sidebar_current: "docs-backends-types-standard-kubernetes"`
			`description: \|-`
			`Terraform can store state remotely in Kubernetes and lock that state.`
			`---`

			`# kubernetes`

			`-> Note: This backend is limited by Kubernetes' maximum Secret size of 1MB. See [Secret restrictions](https://kubernetes.io/docs/concepts/configuration/secret/#restrictions) for details.`

			`Kind: Standard (with locking)`

Fix errors in kubernetes backend documentation 2020-06-10 20:00:01 +02:00			`Stores the state in a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/) with locking done using a Lease resource.`
Add kubernetes backend Co-authored-by: Dan Ramich <danold215@gmail.com> 2020-04-13 22:17:17 +02:00
			`## Example Configuration`

			```hcl
			`terraform {`
			`backend "kubernetes" {`
			`secret_suffix = "state"`
Add config_paths and drop KUBECONFIG env variable in kubernetes backend (#26997) 2021-04-20 16:05:45 +02:00			`config_path = "~/.kube/config"`
Add kubernetes backend Co-authored-by: Dan Ramich <danold215@gmail.com> 2020-04-13 22:17:17 +02:00			`}`
			`}`
			```

			`This assumes the user/service account running terraform has [permissions](https://kubernetes.io/docs/reference/access-authn-authz/authorization/) to read/write secrets in the [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) used to store the secret.`

Add config_paths and drop KUBECONFIG env variable in kubernetes backend (#26997) 2021-04-20 16:05:45 +02:00			If the `config_path` or `config_paths` attribute is set the backend will attempt to use a [kubeconfig file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) to gain access to the cluster.
Add kubernetes backend Co-authored-by: Dan Ramich <danold215@gmail.com> 2020-04-13 22:17:17 +02:00
			If the `in_cluster_config` flag is set the backend will attempt to use a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) to access the cluster. This can be used if Terraform is being run from within a pod running in the Kubernetes cluster.

Add config_paths and drop KUBECONFIG env variable in kubernetes backend (#26997) 2021-04-20 16:05:45 +02:00			For most use cases either `in_cluster_config`, `config_path`, or `config_paths` will need to be set. If all flags are set the configuration at `config_path` will be used.
Add kubernetes backend Co-authored-by: Dan Ramich <danold215@gmail.com> 2020-04-13 22:17:17 +02:00
website: Language: Remove several ghost pages, update links During the language/CLI docs reorg, we noticed several pages that were no longer viable; some were redundant, some useless, and some just very obsolete. Since we were trying to avoid breaking links at the time, we opted to remove them from the navs and leave them as "ghost pages" — still accessible, but not findable. This commit finally cleans these ghosts up and updates any remaining links to relevant modern pages. Bustin' makes me feel good. 👻🚫 2021-01-16 00:41:43 +01:00			`Note that for the access credentials we recommend using a [partial configuration](/docs/language/settings/backends/configuration.html#partial-configuration).`
Add kubernetes backend Co-authored-by: Dan Ramich <danold215@gmail.com> 2020-04-13 22:17:17 +02:00

			`## Example Referencing`

			```hcl
			`data "terraform_remote_state" "foo" {`
			`backend = "kubernetes"`
			`config = {`
			`secret_suffix = "state"`
			`load_config_file = true`
			`}`
			`}`
			```

			`## Configuration variables`

			`The following configuration options are supported:`

			* `secret_suffix` - (Required) Suffix used when creating secrets. Secrets will be named in the format: `tfstate-{workspace}-{secret_suffix}`.
Fix errors in kubernetes backend documentation 2020-06-10 20:00:01 +02:00			* `labels` - (Optional) Map of additional labels to be applied to the secret and lease.
			* `namespace` - (Optional) Namespace to store the secret and lease in. Can be sourced from `KUBE_NAMESPACE`.
Add kubernetes backend Co-authored-by: Dan Ramich <danold215@gmail.com> 2020-04-13 22:17:17 +02:00			* `in_cluster_config` - (Optional) Used to authenticate to the cluster from inside a pod. Can be sourced from `KUBE_IN_CLUSTER_CONFIG`.
			* `host` - (Optional) The hostname (in form of URI) of Kubernetes master. Can be sourced from `KUBE_HOST`. Defaults to `https://localhost`.
			* `username` - (Optional) The username to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_USER`.
			* `password` - (Optional) The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint. Can be sourced from `KUBE_PASSWORD`.
			* `insecure` - (Optional) Whether server should be accessed without verifying the TLS certificate. Can be sourced from `KUBE_INSECURE`. Defaults to `false`.
			* `client_certificate` - (Optional) PEM-encoded client certificate for TLS authentication. Can be sourced from `KUBE_CLIENT_CERT_DATA`.
			* `client_key` - (Optional) PEM-encoded client certificate key for TLS authentication. Can be sourced from `KUBE_CLIENT_KEY_DATA`.
			* `cluster_ca_certificate` - (Optional) PEM-encoded root certificates bundle for TLS authentication. Can be sourced from `KUBE_CLUSTER_CA_CERT_DATA`.
Add config_paths and drop KUBECONFIG env variable in kubernetes backend (#26997) 2021-04-20 16:05:45 +02:00			* `config_path` - (Optional) Path to the kube config file. Can be sourced from `KUBE_CONFIG_PATH`.
			* `config_paths` - (Optional) List of paths to kube config files. Can be sourced from `KUBE_CONFIG_PATHS`.
Add kubernetes backend Co-authored-by: Dan Ramich <danold215@gmail.com> 2020-04-13 22:17:17 +02:00			* `config_context` - (Optional) Context to choose from the config file. Can be sourced from `KUBE_CTX`.
			* `config_context_auth_info` - (Optional) Authentication info context of the kube config (name of the kubeconfig user, `--user` flag in `kubectl`). Can be sourced from `KUBE_CTX_AUTH_INFO`.
			* `config_context_cluster` - (Optional) Cluster context of the kube config (name of the kubeconfig cluster, `--cluster` flag in `kubectl`). Can be sourced from `KUBE_CTX_CLUSTER`.
			* `token` - (Optional) Token of your service account. Can be sourced from `KUBE_TOKEN`.
			* `exec` - (Optional) Configuration block to use an [exec-based credential plugin] (https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins), e.g. call an external command to receive user credentials.
			* `api_version` - (Required) API version to use when decoding the ExecCredentials resource, e.g. `client.authentication.k8s.io/v1beta1`.
			* `command` - (Required) Command to execute.
			* `args` - (Optional) List of arguments to pass when executing the plugin.
			* `env` - (Optional) Map of environment variables to set when executing the plugin.