Enterprise DC/OS Preview Updated: March 30, 2017
Each secret must have a name. In addition to a name, you can include a path. Including a path allows you to restrict which services can access the secret. If you just provide a name and no path, all services will have access. The following table provides some examples to show how it works.
| Secret ID | Service group path | Can service access secret? |
|---|---|---|
group/secret |
/marathon-user/service |
No |
group/secret |
/group/hdfs/service |
Yes |
group/hdfs/secret |
/group/spark/service |
No |
Note: Marathon paths begin with /, while secret paths do not.
The permissions needed to create a secret vary by interface. To create a secret using the web interface, the dcos:superuser permission is required. Creating a secret using the DC/OS CLI or the Secrets API requires only the following.
dcos:secrets:default:[/path]/namecreateThe permission must include the name of the secret the user is allowed to create. Each user must have one permission per secret. The secret itself does not need to exist yet.
It can also optionally include a path. Please see the previous section for more information about secret paths.
dcos:superuser permission.
Click to open the System -> Security -> Secrets tab.
Click New Secret.
Provide the name of your secret in the ID box.
Type or paste the secret into the Value box.
When you have completed your entries, the secret should look something like the following.
Click Create.
This procedure describes how to create a secret called new-secret inside the developer path.
Prerequisites:
If your security mode is permissive or strict, you must follow the steps in Obtaining and passing the DC/OS certificate in curl requests before issuing the curl commands in this section. If your security mode is disabled, you must delete --cacert dcos-ca.crt from the commands before issuing them.
Using dcos auth login log into the CLI as a user with one of the following permissions.
dcos:superuserdcos:secrets:default:/developer/new-secret: create or full actioncurl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" -d '{"value":"very-secret"}' $(dcos config show core.dcos_url)/secrets/v1/secret/default/developer/new-secret -H 'Content-Type: application/json'
This procedure describes how to create a secret called new-secret inside the developer path.
Prerequisite: You must have the DC/OS CLI installed and the Enterprise DC/OS CLI installed.
dcos auth login log into the CLI as a user with one of the following permissions.
dcos:superuserdcos:secrets:default:/developer/new-secret: create or full actiondcos security secrets create --value=top-secret developer/new-secret