About creating secrets

The permissions needed to create a secret vary by interface.

  • DC/OS GUI: dcos:superuser

  • DC/OS CLI or Secrets API: dcos:secrets:default:[/path]/name create (minimum permission), or dcos:secrets:default:[/path]/name full. The permission must include the name of the secret the user is allowed to create. Users need one permission per secret. The secret itself does not need to exist yet, but when it is created its name must match the name in the permission.

Secrets should include paths, unless you want to allow all services to access their values. See Spaces for more information about secret paths.

The procedure for creating a secret varies by interface. Refer to the section that corresponds to your desired interface.

Creating secrets via the GUI

  1. Log into the DC/OS GUI as a user with the dcos:superuser permission.

  2. Open the Security -> Secrets tab.

  3. Click the + icon in the top right.

  4. In the ID box, provide the name of your secret and its path, if any. For example, developer/my-secret.

  5. Type or paste the secret into the Value box.

  6. When you have completed your entries, the secret should look something like the following.

    Creating the Secret

  7. Click Create.

Creating secrets via the API

This procedure describes how to create a secret called my-secret inside the developer path.

Prerequisites:

  1. Using dcos auth login, log into the CLI as a user with one of the following permissions.

    • dcos:superuser full
    • dcos:secrets:default:/developer/my-secret create
    • dcos:secrets:default:/developer/my-secret full
  2. Use the following command to create the secret.

    curl -X PUT --cacert dcos-ca.crt \
      -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
      -H 'Content-Type: application/json' \
      -d '{"value":"very-secret"}' \
      "$(dcos config show core.dcos_url)/secrets/v1/secret/default/developer/my-secret"
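
The following shell functions are an added example, not part of the DC/OS documentation or tooling. They derive the permission string and the Secrets API endpoint from one secret path, so the two always match, and send the value from a file on curl's standard input so it does not appear in shell history or the process list. The function names, the allowed-character check and the value file are assumptions.

```shell
#!/bin/sh
# Added example (not DC/OS code). Function names are hypothetical.
STORE=default   # store name used in this page's permission strings and URL

# Strip one leading "/", then reject empty names, empty segments and any
# character outside a conservative set (assumption: stricter than DC/OS).
normalize_secret_path() {
  _p=${1#/}
  case $_p in
    ''|*//*|*/|*[!A-Za-z0-9/_.-]*) return 1 ;;
  esac
  printf '%s\n' "$_p"
}

# Permission string a non-superuser needs; $2 is "create" (default) or "full".
secret_permission() {
  _n=$(normalize_secret_path "$1") || return 1
  printf 'dcos:secrets:%s:/%s %s\n' "$STORE" "$_n" "${2:-create}"
}

# Secrets API path, to be appended to core.dcos_url.
secret_endpoint() {
  _n=$(normalize_secret_path "$1") || return 1
  printf '/secrets/v1/secret/%s/%s\n' "$STORE" "$_n"
}

# Build {"value":"..."} from a file, escaping backslashes and double quotes.
# Multi-line values are rejected: this simple escaper cannot encode them.
secret_body() {
  _v=$(cat "$1") || return 1
  case $_v in *'
'*) return 1 ;; esac
  _v=$(printf '%s' "$_v" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"value":"%s"}\n' "$_v"
}

# usage: create_secret developer/my-secret /path/to/value-file
create_secret() {
  _ep=$(secret_endpoint "$1") || return 1
  _body=$(secret_body "$2") || return 1
  printf '%s' "$_body" | curl -sS --fail -X PUT --cacert dcos-ca.crt \
    -H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
    -H 'Content-Type: application/json' \
    -d @- "$(dcos config show core.dcos_url)$_ep"
}
```

The access token is still passed as a curl argument, as in the command above; only the secret value is kept off the command line.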
    

Creating secrets via the DC/OS Enterprise CLI

This procedure describes how to create a secret called my-secret inside the developer path using the DC/OS Enterprise CLI.

Prerequisite: You must have both the DC/OS CLI and the DC/OS Enterprise CLI installed.

  1. Using dcos auth login, log into the CLI as a user with one of the following permissions.

    • dcos:superuser full
    • dcos:secrets:default:/developer/my-secret create
    • dcos:secrets:default:/developer/my-secret full
  2. Use the following command to create the new secret.

    dcos security secrets create --value=top-secret developer/my-secret