Creating secrets

ENTERPRISE

Creating secrets with a key-value pair or file

You can create secrets in DC/OS by using a key-value pair or as a file. Both methods add a name and secret value to the secret store. You may find it convenient to add a secret as a file if you already have a secret value stored in a file locally and want to avoid cutting-and-pasting.

See Configuring services and pods to use secrets for information on how to reference these secrets in your app or pod definition.

Creating secrets

The sections below explain how to create secrets as both key/value pairs and as files using the web interface, CLI, and the Secrets API.

Secrets should include paths, unless you want to allow all services to access their values. See Spaces for more information about secret paths.

Prerequisites

DC/OS web interface

  • The dcos:superuser permission.

DC/OS CLI or Secrets API

Creating key-value pair secrets using the web interface

  1. Log in to the DC/OS web interface as a user with the dcos:superuser permission.

  2. Open the Secrets tab.

  3. Click the + icon in the top right.

    Figure 1. New Secret icon

  4. In the ID box, provide the name of your secret and its path, if any.

  5. Type or paste the secret into the Value box.

    Figure 2. Creating a new Secret

  6. Click Create.

Creating key-value pair secrets using the API

This procedure describes how to create a secret called my-secret inside the developer path.

Note: If your security mode is permissive or strict, you must follow the steps in Obtaining the DC/OS CA bundle before issuing the curl commands in this section. If your security mode is disabled, you must delete --cacert dcos-ca.crt from the commands before issuing them.

  1. Use dcos auth login to log in to the CLI.

  2. Use the following command to create the secret.

    curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" -d '{"value":"very-secret"}' $(dcos config show core.dcos_url)/secrets/v1/secret/default/developer/my-secret -H 'Content-Type: application/json'
    

Creating key/value pair secrets via the DC/OS Enterprise CLI

This procedure describes how to create a key/value pair secret called my-secret inside the developer path using the DC/OS Enterprise CLI.

  1. Use dcos auth login to log into the CLI. You can find more information about this command in the CLI Reference.

  2. Use the following command to create the new secret.

    dcos security secrets create --value=top-secret developer/my-secret
    

Creating secrets from a file via the DC/OS Enterprise CLI

This procedure describes how to use a file to create a secret called my-secret inside the developer path using the DC/OS Enterprise CLI.

The contents of the file (referred to below as my-secret.txt) can be any text value.

Note: As of DC/OS 1.10, you can only upload a secret as a file from the DC/OS CLI. The maximum file size for a secret is approximately one MiB, subtracting approximately one KB for the secret store metadata.

  1. Use dcos auth login to log into the CLI. You can find more information about this command in the CLI Reference.

  2. Use the following command to create the new secret.

    dcos security secrets create -f my-secret.txt developer/my-secret

Important: The maximum file size for a secret is approximately one MB, subtracting approximately one KB for the secret store metadata.
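
A pre-flight wrapper for the file-based procedure above, added here as an example and not part of the DC/OS documentation or CLI: it rejects a file over the size limit and a secret ID with no path before calling dcos security secrets create -f. The function names, return codes and the exact byte limit (1 MiB minus 1 KiB, derived from the approximate figures above) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before `dcos security secrets create -f`.
# Assumption: the page gives the limit only approximately ("one MiB" minus
# "one KB" of metadata); 1 MiB - 1 KiB is used here as a conservative bound.
MAX_SECRET_BYTES=$((1024 * 1024 - 1024))

# secret_preflight FILE SECRET_ID
# Returns 0 if OK, 1 if FILE is not a readable regular file,
# 2 if FILE exceeds the size limit, 3 if SECRET_ID has no path component.
secret_preflight() {
    sp_file=$1
    sp_id=$2
    if [ ! -f "$sp_file" ] || [ ! -r "$sp_file" ]; then
        echo "error: $sp_file is not a readable file" >&2
        return 1
    fi
    # Arithmetic expansion strips the padding some wc implementations emit.
    sp_size=$(( $(wc -c < "$sp_file") ))
    if [ "$sp_size" -gt "$MAX_SECRET_BYTES" ]; then
        echo "error: $sp_file is $sp_size bytes, limit is $MAX_SECRET_BYTES" >&2
        return 2
    fi
    # A secret without a path is accessible to all services, so require
    # at least "path/name" (for example developer/my-secret).
    case $sp_id in
        ?*/?*) ;;
        *)
            echo "error: secret ID '$sp_id' has no path" >&2
            return 3
            ;;
    esac
    return 0
}

# create_secret_from_file FILE SECRET_ID
# Runs the checks, then the CLI command from the procedure above. The value
# is read from FILE, so it never appears in argv or shell history.
create_secret_from_file() {
    secret_preflight "$1" "$2" || return
    dcos security secrets create -f "$1" "$2"
}

# Run only when called with arguments, e.g.:
#   ./create-secret.sh my-secret.txt developer/my-secret
if [ "$#" -eq 2 ]; then
    create_secret_from_file "$@"
fi
```

Unlike the --value form, which places the secret on the command line, the file form keeps the value out of the process list.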