When deploying and orchestrating services in Container Service, you usually need to configure sensitive information for the service, such as passwords, TLS certificates, or private keys. Container Service provides a safer way for you to store this sensitive information (that is, secrets in Docker) in Container Service.
Take password storage as an example. Instead of configuring the service to use a plain-text password stored in an environment variable, you can create a secret for storing the password in the Container Service console, and then configure the service to use that secret when creating an application. During application deployment, Container Service creates a file based on the secret and mounts the file at /run/secrets/<secret_name> in the container running the service. Your service can access this file.
Note: Only a running container with the access permission can access the specified secrets.
You can grant a service permission to access one or more secrets. You can also grant the service permission to access other secrets by changing the application configuration, or revoke the service's permission to access a secret.
When a service in the container stops running, Container Service will unmount the secrets from the memory file system and remove the secrets from the node memory.
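An added example, not Container Service's own code: one way a service process can read a secret from the file mounted under /run/secrets instead of from an environment variable, and fail closed when the secret has not been granted or has been revoked. The function name load_secret, the name-validation rule, and the sample secret names and values are assumptions made for this illustration.

```python
import re
import tempfile
from pathlib import Path

SECRETS_DIR = Path("/run/secrets")  # mount point named in the text above
# Assumed naming rule for this example: no slashes, no leading dot.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


class SecretUnavailable(RuntimeError):
    """The secret file is not mounted in this container, or is empty."""


def load_secret(name: str, secrets_dir: Path = SECRETS_DIR) -> str:
    """Return the value of secret `name` as mounted under `secrets_dir`."""
    # Reject names that could escape the secrets directory ("../x", "a/b").
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"invalid secret name: {name!r}")
    try:
        data = (secrets_dir / name).read_bytes()
    except FileNotFoundError:
        # The service was never granted this secret, or the grant was revoked.
        # Fail closed: no fallback to an environment variable or a default.
        raise SecretUnavailable(f"secret {name!r} is not mounted") from None
    # Secrets created from a file often carry a trailing newline; drop it.
    value = data.decode("utf-8").rstrip("\r\n")
    if not value:
        raise SecretUnavailable(f"secret {name!r} is empty")
    return value


def demo() -> dict:
    """Exercise load_secret against a constructed stand-in for /run/secrets."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp)
        (fake / "db_password").write_text("s3cr3t-constructed\n")  # constructed
        results = {"granted": load_secret("db_password", fake)}
        for key, name in (("not_granted", "tls_key"), ("traversal", "../etc/passwd")):
            try:
                load_secret(name, fake)
            except (SecretUnavailable, ValueError) as exc:
                results[key] = f"{type(exc).__name__}: {exc}"
        return results


if __name__ == "__main__":
    print(demo())
```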
In the Container Service console, you can: