
Configuring services to use secrets

Enterprise DC/OS Preview Updated: February 15, 2017

About configuring services to use secrets

To deploy an application that uses a secret, a user needs the permission to access Marathon and the permission to deploy services from within the designated service group.

Permission                                                   Action
dcos:adminrouter:service:marathon                            full
dcos:service:marathon:marathon:services:/[service-group]     full

Tip: For a user to be able to see the Task panel information about a service, the user will also need the dcos:adminrouter:ops:mesos permission (full action). For the user to be able to view the details about the task, including the logs, the user needs the dcos:adminrouter:ops:slave permission (full action).

As long as the path of the secret and the path of the group match up properly, the service will be able to access the secret value.

A user with the necessary permissions can configure a service to use a secret using either of the following methods.

Deploying the service via the web interface

  1. Log into the web interface as a user with the necessary permissions as discussed in the previous section.

  2. Click Services.

  3. Click Deploy Service.

  4. Click to toggle to JSON mode.

  5. You can add the secret using the "env" and "secrets" objects in the JSON as shown below. The following simple application defines a new service inside of the developer group and references a secret stored inside a developer path. It stores the secret under the environment variable "MY_SECRET".

    {
      "id": "/developer/service",
      "cmd": "env && sleep 100",
      "env": {
        "MY_SECRET": {
          "secret": "secret0"
        }
      },
      "secrets": {
        "secret0": {
          "source": "developer/secret"
        }
      }
    }

    Because the service and the secret paths match, the service will be able to access the secret. See About controlling access with secret paths for more details about the paths.

  6. Click Deploy.

  7. Click the group name of your service; then click the name of your service; then click the Configuration tab.

  8. You will see your secret listed in the Health Checks area.

Deploying the service via Marathon app definition

Prerequisites:

  1. Log into the CLI as a user with the necessary permissions via dcos auth login. Refer to About configuring services to use secrets for more information about the permissions.

  2. Within a text editor, create an application definition for your Marathon service. You can add the secret using the "env" and "secrets" objects as shown below. The following simple application defines a new service inside of the developer group and references a secret stored inside a developer path. It stores the secret under the environment variable "MY_SECRET".

    {
      "id": "/developer/service",
      "cmd": "env && sleep 100",
      "env": {
        "MY_SECRET": {
          "secret": "secret0"
        }
      },
      "secrets": {
        "secret0": {
          "source": "developer/secret"
        }
      }
    }

    Because the service group and the secret paths match, the service will be able to access the secret. See About controlling access with secret paths for more details about the paths.

  3. Save the file with a descriptive name, such as myservice.json.

  4. Use the Marathon REST API to deploy the app as shown below.

    $ curl -X POST --cacert dcos-ca.crt $(dcos config show core.dcos_url)/service/marathon/v2/apps -d @myservice.json -H "Content-type: application/json" -H "Authorization: token=$(dcos config show core.dcos_acs_token)"
    
  5. Check the web interface to observe the new app deploying.
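Before POSTing an app definition, it is worth checking the env/secrets wiring locally, since a mismatch between the secret path and the service group only shows up as a failed deployment. The following added example (not part of the DC/OS documentation or the Marathon code base) lints the definition shown above; its path rule, that the directory of the secret path must be the service group or one of its parent groups, is an assumption that makes the page's "paths match" statement concrete.

```python
import json
import posixpath

# Constructed sample: the app definition used in the procedure above.
APP_JSON = """{
  "id": "/developer/service",
  "cmd": "env && sleep 100",
  "env": {"MY_SECRET": {"secret": "secret0"}},
  "secrets": {"secret0": {"source": "developer/secret"}}
}"""


def service_group(app_id):
    """Service group of a Marathon app id: '/developer/service' -> 'developer'."""
    return "/".join(app_id.strip("/").split("/")[:-1])


def secret_visible_to_group(source, group):
    """Assumed path rule: the directory part of the secret path must equal the
    service group or be one of its parents; a root-level secret matches all."""
    secret_dir = posixpath.dirname(source.strip("/"))
    dir_parts = secret_dir.split("/") if secret_dir else []
    group_parts = group.split("/") if group else []
    return group_parts[:len(dir_parts)] == dir_parts


def check_app_definition(text):
    """Parse an app definition and return a list of problems (empty means OK)."""
    app = json.loads(text)
    problems = []
    secrets = app.get("secrets", {})
    group = service_group(app["id"])
    referenced = set()
    # Every env entry of the form {"secret": name} must name a declared secret.
    for var, value in app.get("env", {}).items():
        if isinstance(value, dict) and "secret" in value:
            referenced.add(value["secret"])
            if value["secret"] not in secrets:
                problems.append(f"env {var} references undeclared secret {value['secret']!r}")
    # Every declared secret must be used and must be reachable from the group.
    for name, spec in secrets.items():
        source = spec.get("source", "")
        if name not in referenced:
            problems.append(f"secret {name!r} is declared but not used in env")
        if not secret_visible_to_group(source, group):
            problems.append(f"secret {name!r} source {source!r} does not match group {group!r}")
    return problems


if __name__ == "__main__":
    print(check_app_definition(APP_JSON) or "OK")
```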