Secret Store service permissions

ENTERPRISE | PREVIEW

This topic details the permissions enforced by the Secret Store service, which control the ability of users to create, read, update, and delete secrets using either the Secrets API or the DC/OS Enterprise CLI. The Secret Store enforces these permissions in all security modes.

About Secret Store service permissions

The Secret Store service permissions control the ability of users to create, read, update, and delete secrets using either the Secrets API or the dcos security secrets commands of the DC/OS Enterprise CLI. These permissions are available in all security modes.

Note: The Secret Store service permissions do not affect access to secrets from the DC/OS web interface. At present, only users with the dcos:superuser permission can view or modify secrets from the DC/OS web interface.

Resource                                       Action
dcos:secrets:list:default:/[path]              read

Allows a user to view the names of the secrets within the designated path. At a minimum, you must include dcos:secrets:list:default:/, which allows the user to view the names of all secrets. To restrict the view to just the secrets inside a path, use dcos:secrets:list:default:/path.

Resource                                       Action
dcos:secrets:default:[path-name/]secret-name   create, read, update, delete, full

Controls a user's ability to access an individual secret. You must specify the name of the secret and the path, if any exists. The degree of access that the user has over the secret depends upon the action value. The full action gives the user all of the available actions.
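The following is an added illustrative example, not code from DC/OS or this documentation. It models the two resource-ID forms above so that a reader can see how path scoping and the per-secret action value combine: a list grant scoped to a path, a read-only grant on one secret, and a full grant on another. The helper names (list_rid, secret_rid, can_list, can_access), the sample grants, and the assumption that a list grant on a path also covers sub-paths are all constructed for this example; the actual enforcement is done by the Secret Store service itself.

```python
"""Toy model of Secret Store permission checks (added example, not DC/OS code).

Assumptions made for illustration:
  * a list grant on a path covers that path and everything below it;
  * an exact resource-ID match is required for individual secret grants;
  * "full" stands for every secret action, as the page states.
"""
from dataclasses import dataclass
from typing import Iterable

LIST_PREFIX = "dcos:secrets:list:default:/"
SECRET_PREFIX = "dcos:secrets:default:"
SECRET_ACTIONS = {"create", "read", "update", "delete"}


@dataclass(frozen=True)
class Grant:
    rid: str     # resource ID, e.g. dcos:secrets:default:myapp/db-password
    action: str  # read for list resources; create/read/update/delete/full for secrets


def list_rid(path: str) -> str:
    """Build dcos:secrets:list:default:/[path]; an empty path means the store root."""
    return LIST_PREFIX + path.strip("/")


def secret_rid(path: str, name: str) -> str:
    """Build dcos:secrets:default:[path-name/]secret-name."""
    path = path.strip("/")
    return SECRET_PREFIX + (path + "/" if path else "") + name


def can_list(grants: Iterable[Grant], path: str) -> bool:
    """True if some list grant (action read) covers the requested path."""
    wanted = path.strip("/")
    for g in grants:
        if not (g.rid.startswith(LIST_PREFIX) and g.action == "read"):
            continue
        scope = g.rid[len(LIST_PREFIX):]
        # Root scope covers everything; otherwise match the path or a sub-path (assumption).
        if scope == "" or wanted == scope or wanted.startswith(scope + "/"):
            return True
    return False


def can_access(grants: Iterable[Grant], path: str, name: str, action: str) -> bool:
    """True if the user may perform `action` on the named secret."""
    if action not in SECRET_ACTIONS:
        raise ValueError(f"unknown secret action: {action}")
    target = secret_rid(path, name)
    for g in grants:
        if g.rid == target and (g.action == "full" or g.action == action):
            return True
    return False


# Constructed sample grants for a hypothetical service account.
SAMPLE_GRANTS = [
    Grant(list_rid("myapp"), "read"),                      # may list names under /myapp only
    Grant(secret_rid("myapp", "db-password"), "read"),     # read-only on one secret
    Grant(secret_rid("myapp", "api-key"), "full"),         # every action on another
]


def demo() -> dict:
    """Evaluate a few requests against the sample grants and return the results."""
    return {
        "list /myapp": can_list(SAMPLE_GRANTS, "myapp"),
        "list store root": can_list(SAMPLE_GRANTS, ""),
        "read myapp/db-password": can_access(SAMPLE_GRANTS, "myapp", "db-password", "read"),
        "update myapp/db-password": can_access(SAMPLE_GRANTS, "myapp", "db-password", "update"),
        "delete myapp/api-key": can_access(SAMPLE_GRANTS, "myapp", "api-key", "delete"),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:28} -> {'allowed' if allowed else 'denied'}")
```

The point the model makes explicit is that the two resource types are independent: the list grant lets the account see that myapp/db-password exists but says nothing about reading it, and a read grant on that secret does not let the account change it. When assigning these in DC/OS, a practitioner would check each account against exactly this kind of table, granting list scope no wider than the path the account actually uses and preferring a single named action over full wherever the workload only needs one.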