About controlling access with secret paths

Each secret must have a name. In addition to a name, you can include a path. Including a path allows you to restrict which services can access the secret. If you just provide a name and no path, all services will have access. The following table provides some examples to show how it works.

Secret ID	Service group path	Can service access secret?
`group/secret`	`/marathon-user/service`	No
`group/secret`	`/group/hdfs/service`	Yes
`group/hdfs/secret`	`/group/spark/service`	No

**Note:** Marathon paths begin with `/`, while secret paths do not.

Creating secrets

About creating secrets

The permissions needed to create a secret vary by interface. To create a secret using the web interface, the dcos:superuser permission is required. Creating a secret using the DC/OS CLI or the Secrets API requires only the following.

Permission: dcos:secrets:default:[/path]/name
Action: create

The permission must include the name of the secret the user is allowed to create. Each user must have one permission per secret. The secret itself does not need to exist yet.

It can also optionally include a path. Please see the previous section for more information about secret paths.

Creating secrets via the web interface

Log into the DC/OS web interface as a user with the dcos:superuser permission.
Click to open the System -> Security -> Secrets tab.
Click New Secret.
Provide the name of your secret in the ID box.
Type or paste the secret into the Value box.
When you have completed your entries, the secret should look something like the following.
Click Create.

Creating secrets via the API

This procedure describes how to create a secret called new-secret inside the developer path.

Prerequisites:

DC/OS CLI installed
If your security mode is permissive or strict, you must follow the steps in Obtaining and passing the DC/OS certificate in curl requests before issuing the curl commands in this section. If your security mode is disabled, you must delete --cacert dcos-ca.crt from the commands before issuing them.

Using dcos auth login log into the CLI as a user with one of the following permissions.
- dcos:superuser
- dcos:secrets:default:/developer/new-secret: create or full action

Use the following command to create a secret. In this

curl -X PUT --cacert dcos-ca.crt -H "Authorization: token=$(dcos config show core.dcos_acs_token)" -d '{"value":"very-secret"}' $(dcos config show core.dcos_url)/secrets/v1/secret/default/developer/new-secret -H 'Content-Type: application/json'

Creating secrets via the DC/OS CLI

This procedure describes how to create a secret called new-secret inside the developer path.

Prerequisite: You must have the DC/OS CLI installed and the DC/OS Enterprise CLI installed.

Using dcos auth login log into the CLI as a user with one of the following permissions.
- dcos:superuser
- dcos:secrets:default:/developer/new-secret: create or full action

Use the following command to create the new secret.

dcos security secrets create --value=top-secret developer/new-secret