About controlling access with secret paths
Each secret must have a name. In addition to a name, you can include a path. Including a path allows you to restrict which services can access the secret. If you just provide a name and no path, all services will have access. The following table provides some examples to show how it works.
Secret ID | Service group path | Can service access secret?
---|---|---
group/secret | /marathon-user/service | No
group/secret | /group/hdfs/service | Yes
group/hdfs/secret | /group/spark/service | No
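The rule behind the table can be stated as a small check: the path portion of the secret ID (everything before the last slash) must be a whole-segment prefix of the service's group path, and a secret with no path is visible to every service. The following is an added illustration written for this page, not DC/OS code; the exact matching rule is an assumption read off the three rows above, and the function replays those rows so you can confirm it reproduces them.

```python
"""Replay the secret-path access rule from the table above.

Added example, not part of the DC/OS documentation. The matching rule
(secret path must be a segment-wise prefix of the service group path,
no path means no restriction) is an assumption inferred from the table.
"""
from typing import List, Tuple


def secret_path(secret_id: str) -> str:
    """Path part of a secret ID: everything before the last '/'.

    A bare name such as 'secret' has no path and returns ''.
    """
    return secret_id.rsplit("/", 1)[0] if "/" in secret_id else ""


def _segments(path: str) -> List[str]:
    """Split a path on '/' and drop empty pieces so '/group/x' == 'group/x'."""
    return [seg for seg in path.split("/") if seg]


def can_access(secret_id: str, service_group_path: str) -> bool:
    """True when the service is allowed to read the secret.

    An empty secret path matches everything; otherwise every segment of
    the secret path must line up with the leading segments of the
    service group path ('/group' matches '/group/hdfs/service' but not
    '/grouper/service').
    """
    secret_segs = _segments(secret_path(secret_id))
    service_segs = _segments(service_group_path)
    return service_segs[: len(secret_segs)] == secret_segs


# Rows copied from the table above: (secret ID, service group path, expected answer).
TABLE: List[Tuple[str, str, bool]] = [
    ("group/secret", "/marathon-user/service", False),
    ("group/secret", "/group/hdfs/service", True),
    ("group/hdfs/secret", "/group/spark/service", False),
]


def table_mismatches() -> List[Tuple[str, str, bool]]:
    """Return the rows of TABLE whose expected answer the rule does not reproduce."""
    return [row for row in TABLE if can_access(row[0], row[1]) != row[2]]


if __name__ == "__main__":
    for secret_id, group_path, expected in TABLE:
        print(f"{secret_id:18} {group_path:24} -> {can_access(secret_id, group_path)} (table says {expected})")
    print("mismatches:", table_mismatches())
```

A practical consequence of the rule worth checking in your own cluster: a secret created with no path at all (for example `db-password`) is readable by every service, so when a secret belongs to one team, give it that team's group as a path.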
Creating secrets
About creating secrets
The permissions needed to create a secret vary by interface. To create a secret using the web interface, the dcos:superuser permission is required. Creating a secret using the DC/OS CLI or the Secrets API requires only the following.
- Permission: dcos:secrets:default:[/path]/name
- Action: create
The permission must include the name of the secret the user is allowed to create. Each user must have one permission per secret. The secret itself does not need to exist yet. The permission can also optionally include a path. Please see the previous section for more information about secret paths.
Creating secrets via the web interface
- Log into the DC/OS web interface as a user with the dcos:superuser permission.
- Click to open the System -> Security -> Secrets tab.
- Click New Secret.
- Provide the name of your secret in the ID box.
- Type or paste the secret into the Value box.
- When you have completed your entries, the secret should look something like the following.
- Click Create.
Creating secrets via the API
This procedure describes how to create a secret called new-secret inside the developer path.
Prerequisites:
- If your security mode is permissive or strict, you must follow the steps in Obtaining and passing the DC/OS certificate in curl requests before issuing the curl commands in this section. If your security mode is disabled, you must delete --cacert dcos-ca.crt from the commands before issuing them.
- Using dcos auth login, log into the CLI as a user with one of the following permissions: dcos:superuser, or dcos:secrets:default:/developer/new-secret with the create or full action.
- Use the following command to create a secret. In this
curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" -d '{"value":"very-secret"}' $(dcos config show core.dcos_url)/secrets/v1/secret/default/developer/new-secret -H 'Content-Type: application/json'
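The same request, built as an added Python example rather than a shell one-liner (this is not DC/OS project code). It keeps the pieces the curl command shows: the PUT to /secrets/v1/secret/default/<path>/<name>, the Authorization: token=... header, the JSON body, and the CA bundle for permissive or strict mode. Reading the token and URL from the CLI config via subprocess and the dcos-ca.crt file name are assumptions mirroring the curl line; build_secret_request is a helper introduced here so the request can be inspected without sending it.

```python
"""Create a DC/OS secret through the Secrets API.

Added example, not from the DC/OS documentation or CLI. It reproduces the
curl request on the page in Python so the pieces can be inspected:
  PUT {core.dcos_url}/secrets/v1/secret/default/developer/new-secret
  Authorization: token={core.dcos_acs_token}
  Content-Type: application/json
  body: {"value": "..."}
Assumptions: the DC/OS CLI is installed and logged in (so `dcos config show`
works) and dcos-ca.crt is in the working directory for permissive/strict mode.
"""
import json
import ssl
import subprocess
import urllib.request
from typing import Dict, Optional, Tuple

STORE = "default"  # the secret store named in the URL on the page


def build_secret_request(dcos_url: str, token: str, secret_path: str,
                         value: str, store: str = STORE) -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, body) for the PUT that creates the secret.

    secret_path is '[path/]name', e.g. 'developer/new-secret'.
    """
    url = f"{dcos_url.rstrip('/')}/secrets/v1/secret/{store}/{secret_path.strip('/')}"
    headers = {
        "Authorization": f"token={token}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"value": value}).encode("utf-8")
    return url, headers, body


def dcos_config(key: str) -> str:
    """Read a CLI config value, like $(dcos config show core.dcos_url) in the curl line."""
    return subprocess.check_output(["dcos", "config", "show", key], text=True).strip()


def tls_context(cacert: Optional[str]) -> Optional[ssl.SSLContext]:
    """permissive/strict: verify the cluster against dcos-ca.crt.

    Pass cacert=None in disabled mode, which is the Python equivalent of
    deleting --cacert dcos-ca.crt from the curl command.
    """
    if cacert is None:
        return None
    return ssl.create_default_context(cafile=cacert)


def create_secret(secret_path: str, value: str, cacert: Optional[str] = "dcos-ca.crt") -> int:
    """Send the PUT and return the HTTP status code."""
    url, headers, body = build_secret_request(
        dcos_config("core.dcos_url"), dcos_config("core.dcos_acs_token"), secret_path, value
    )
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req, context=tls_context(cacert)) as resp:
        return resp.status


if __name__ == "__main__":
    import getpass
    # Prompting keeps the secret value out of shell history and `ps` output,
    # unlike passing it with -d on the curl command line.
    print(create_secret("developer/new-secret", getpass.getpass("secret value: ")))
```

The token header is read from the CLI config at call time, so the same permission requirement applies as for the curl command: the logged-in user needs dcos:superuser or dcos:secrets:default:/developer/new-secret with the create or full action.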
Creating secrets via the DC/OS CLI
This procedure describes how to create a secret called new-secret inside the developer path.
Prerequisite: You must have the DC/OS CLI installed and the DC/OS Enterprise CLI installed.
- Using dcos auth login, log into the CLI as a user with one of the following permissions: dcos:superuser, or dcos:secrets:default:/developer/new-secret with the create or full action.
- Use the following command to create the new secret.
dcos security secrets create --value=top-secret developer/new-secret