Base64 to YAML Decoder Online — Decode YAML

Decode Base64-encoded YAML configs straight from kubectl get secret -o yaml, Helm secrets, Sealed Secrets, and CI/CD vaults — all in your browser, no base64 -d shell required.

What is a Base64 to YAML decoder?

A Base64 to YAML decoder reverses Base64 encoding to recover the original byte stream — typically a YAML configuration that lived inside a Kubernetes Secret data field. Every value under data: in a Secret manifest is Base64-encoded so it can carry binary content and multi-line text safely through the API. Decoding restores the human-readable YAML.

The whole Kubernetes Secret workflow lives or dies on this decode step. The same applies to Helm-rendered Secrets, Sealed Secrets, ExternalSecret-fetched values, and any CI/CD vault that returns YAML configuration as Base64. The OpenFormatter decoder handles standard Base64 and URL-safe Base64url, decodes through UTF-8 so multi-byte characters survive, and runs entirely in your browser — important when the Secret carries database passwords or cloud credentials.

How to decode Base64 to YAML — 4 steps

  1. Get the Base64. Run kubectl get secret <name> -o yaml and copy the value (after the key:) from the data: map. Or click Load Sample for a demo ConfigMap-style value.
  2. Paste here. Both standard Base64 and Base64url are accepted — paste exactly what kubectl returned.
  3. Click Decode. The tool decodes through UTF-8 and shows the original YAML in the Output panel.
  4. Validate or copy. Send the result to the YAML Validator to confirm syntax, or copy it for further use.

Sample input and output

Base64 input (Secret data value)

YXBpVmVyc2lvbjogdjEKa2luZDog
Q29uZmlnTWFwCm1ldGFkYXRhOgog
IG5hbWU6IGFwcC1jb25maWcKZGF0
YToKICBkYXRhYmFzZV91cmw6ICJw
b3N0Z3Jlczovi2RiOjU0MzIvYXBw
Igog

Decoded YAML output

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  database_url: "postgres://db:5432/app"
  log_level: info

K8s Secret Inspection

Designed for the kubectl get secret workflow — paste a value from data: and read the original YAML without shelling out.

UTF-8 Safe

Decoded through decodeURIComponent(escape(atob(...))) so multi-byte characters in passwords or configs survive intact.

Local Decoding

Decode happens in your browser. Database URLs, signing keys, and tokens stored in Secrets stay on your device.

Common use cases

  • check_circleDecoding values from kubectl get secret <name> -o yaml during incident response
  • check_circleInspecting Sealed Secret payloads after the controller has decrypted them
  • check_circleReading ExternalSecrets-fetched values from AWS Secrets Manager or GCP Secret Manager
  • check_circleDecoding Helm-rendered Secret manifests during chart development
  • check_circleReading Argo CD or Flux GitOps manifests where Secret values appear as Base64
  • check_circleInspecting Vault Agent injected Secret payloads in pod logs
  • check_circleDecoding YAML configuration stored as Base64 in CI/CD pipeline variables
  • check_circleReading Base64-encoded YAML stored in cloud parameter stores (SSM Parameter Store, Azure App Configuration)

Base64 to YAML vs base64 -d on the CLI

The CLI equivalent is echo "..." | base64 -d or kubectl get secret -o jsonpath="{.data.<key>}" | base64 -d. Both work but require a shell, copy-paste-fitting the value into a terminal where it sometimes wraps awkwardly, and they offer no UI for spotting whether the result is YAML, JSON, a PEM key, or binary. The browser-based decoder removes the friction and shows the result side-by-side. For non-YAML payloads, a plain Base64 decoder works just as well.

More you can do with the YAML?

Validate, format, or convert the decoded YAML with the rest of OpenFormatter — all browser-side.

YAML ValidatorYAML FormatterYAML to Base64

Frequently Asked Questions

How do I decode a Kubernetes Secret value?

Run kubectl get secret <name> -o yaml. Each value under data: is a Base64 string. Copy a single value (everything after key:), paste it here, and click Decode. The decoded YAML — or any text content — appears in the output panel. Equivalent CLI: kubectl get secret <name> -o jsonpath="{.data.<key>}" | base64 -d, but no terminal is required here.

Why does Kubernetes Base64-encode secrets if it does not encrypt them?

Base64 is encoding, not encryption. Kubernetes uses Base64 because Secret values can contain arbitrary bytes (binary keys, certificates, multi-line YAML configs) that would otherwise need escaping inside the YAML manifest. Encryption-at-rest in etcd is configured separately via EncryptionConfiguration. Anyone with API access to the Secret can decode it instantly — that is by design.

What is the difference between data and stringData?

data: holds Base64-encoded values — what you decode here. stringData: lets you write raw text and Kubernetes encodes it for you on apply. When you read the Secret back via kubectl, both end up under data: as Base64. So whether the manifest used data or stringData, the round-trip lands here as Base64.

How do I decode every value in a Secret at once?

For batch decoding, kubectl get secret <name> -o go-template='{{range $k,$v := .data}}{{$k}}: {{$v | base64decode}}{{"\n"}}{{end}}' shells out everything at once. This tool handles one value per run, which matters when only some entries are YAML and others are PEM keys, JSON, or binary.

Does this support Base64url variants?

Yes. The decoder normalises - to + and _ to / and re-pads if needed. Some GitOps tools and ExternalSecret backends emit URL-safe Base64 — paste either flavour and it decodes.

My decoded value contains tabs — is that valid YAML?

No. YAML forbids tabs as indentation. If a Secret-stored YAML contains tabs the original was already broken — common when an editor silently inserted them. Run the decoded text through the YAML Validator to confirm it parses.

What if the decoded value is not YAML at all?

The decoder shows the raw decoded text whatever it is. Secrets often hold PEM certificates, JSON service accounts, plain database URLs, or htpasswd files — none of which are YAML. Use the matching tool (Base64 to JSON, plain Base64 decoder) for non-YAML payloads.

Is the Secret value sent anywhere?

No. atob and the UTF-8 conversion run inside the browser tab. Kubernetes Secret values often contain database passwords, cloud credentials, or signing keys — verify in DevTools Network tab that nothing leaves the page when you click Decode.

Related Tools

YAML to Base64

Encode YAML for K8s Secret data fields

YAML Formatter

Beautify and normalise YAML

YAML Validator

Check YAML syntax with line errors

Base64 to JSON

Decode Base64 JSON and JWT payloads

Base64 to XML

Decode Base64 SOAP envelopes

All YAML Tools

Browse the full YAML toolkit

Developer Insights

From the Blog

View all articlesarrow_forward
Formats8 min read

YAML vs JSON in 2024: When to Use Each

A definitive guide on choosing the right data serialization format for modern infrastructure.

Read articlearrow_forward
Engineering6 min read

Why JSON Formatting Matters More Than You Think

How proper JSON structure prevents production bugs, improves debugging, and makes code reviews faster.

Read articlearrow_forward
Privacy4 min read

The Case for 100% Client-Side Data Processing

Why we built OpenFormatter to process all data locally, and what that means for your workflow security.

Read articlearrow_forward
Base64 to YAML Decoder Online — Decode YAML