Enterprise DC/OS Updated: May 17, 2017

Use the Enterprise DC/OS Secret Store to secure sensitive information like database passwords, API tokens, and private keys. Storing secrets in secret paths allows you to restrict which services can retrieve the value.

Authorized Marathon services can retrieve the secrets at deployment and store their values under environment variables.

In addition, the Secrets API allows you to seal/unseal and reinitialize the Secret Store.

You can also find information about secrets in the Overview and Permissions sections.

Creating secrets

About creating secrets
The permissions needed to create a secret vary by interface.
DC/OS GUI: dcos:superuser
DC/OS CLI or Secrets API: dcos:secrets:default:[/path]/name create (mi...

Configuring services and pods to use secrets

The permissions that a user will need to deploy a service or pod that uses a secret vary by security mode. Permission Enforced in dcos:adminrouter:service:marathon full All securit...

Sealing the Secret Store

You may want to manually seal the Secret Store to protect its contents from an intruder. Sealed Secret Stores cannot be accessed from the GUI. Secret values cannot be retrieved usi...

Unsealing the Secret Store

About unsealing the Secret Store
The Secret Store can become sealed under the following circumstances.
After being manually sealed.
After a power outage.
A sealed Secret Store cann...

Secrets API

About the Secrets API
The Secrets API allows you to manage secrets and perform some backend functions such as sealing and unsealing the Secret Store. It offers more functionality t...