Enterprise DC/OS Updated: April 18, 2017

Use the Enterprise DC/OS Secret Store to secure sensitive information like database passwords, API tokens, and private keys. Storing secrets in secret paths allows you to restrict which services can retrieve the value.

Authorized Marathon services can retrieve the secrets at deployment and store their values under environment variables.

In addition, the Secrets API allows you to seal/unseal and reinitialize the Secret Store.

You can also find information about secrets in the Overview and Permissions sections.

Creating secrets

About creating secrets: The permissions needed to create a secret vary by interface. DC/OS web interface: dcos:superuser. DC/OS CLI or Secrets API: dcos:secrets:default:[/path]/name ...

Configuring services and pods to use secrets

About configuring services and pods to use secrets: The permissions that a user will need to deploy a service or pod that uses a secret vary by security mode. Permission Enforced in...

Sealing the Secret Store

You may want to manually seal the Secret Store to protect its contents from an intruder. Sealed Secret Stores cannot be accessed from the web interface. Secret values cannot be ret...

Unsealing the Secret Store

About unsealing the Secret Store: The Secret Store can become sealed under the following circumstances: after being manually sealed; after a power outage. A sealed Secret Store cann...

Secrets API

About the Secrets API: The Secrets API allows you to manage secrets and perform some backend functions such as sealing and unsealing the Secret Store. It offers more functionality t...