Huawei Cloud CSMS Integration with Docker Secret Operator

Integrate Docker Secret Operator with Huawei Cloud's Cloud Secret Management Service. Production-ready guides for ECS, polling-based rotation, zero-persistence secret injection.

Why This Integration?

Huawei Cloud teams need robust secret management for Docker deployments, but integrating with CSMS (Cloud Secret Management Service) requires careful orchestration of authentication, permissions, and secret injection workflows.

Huawei Cloud + Docker Integration Challenges:
  • Secrets in environment variables (exposed via docker inspect)
  • Manual secret rotation requiring container restarts
  • Complex authentication flows (ECS Agency, IAM credentials)
  • No unified secret management across development and production
  • Difficulty implementing zero-persistence architecture

Why This Integration Matters: DSO integrates natively with Huawei Cloud's ECS Agency and CSMS, eliminating credential management while providing zero-persistence secret injection. Your containers inherit Huawei Cloud security posture automatically.

Architecture

Overview

DSO + Huawei Cloud CSMS creates a secure, identity-based secret system:
1. Trust Boundary: ECS Agency grants the container permission to CSMS
2. Secret Lifecycle: Container authenticates via Agency → Fetches secret → Injection into memory
3. Persistence: Zero - secrets are never written to disk, to the container configuration visible via docker inspect, or to logs
4. Rotation: Polling-based refresh (default 2 minutes, configurable)
5. Audit Trail: All secret access logged in Huawei Cloud CloudTrace

ECS Agency Flow

Container uses Huawei Cloud ECS Agency (managed identity equivalent) to authenticate without managing credentials.

CSMS Access

ECS Agency authenticates to CSMS; the IAM role attached to the agency grants the container access to specific secrets.

Memory Injection

DSO receives the secret from CSMS and injects it into the container's environment variables at startup.

Polling Rotation

DSO polls CSMS every 2 minutes (configurable), detects changes by comparing hashes of the fetched values, and applies the configured reload strategy.

Setup Guide

Prerequisites

  • Huawei Cloud account with CSMS enabled
  • Secret created in Cloud Secret Management Service
  • Docker 20.10+ installed locally
  • Docker Compose installed
  • DSO v3.2+ installed
  • Huawei Cloud CLI (optional, for automation)
  • ECS instance with IAM agency (for production) or IAM credentials

Step 1: Create Secret in CSMS

Create a secret in Huawei Cloud Secret Management Service.


# Using Huawei Cloud Console or CLI
huaweicloud csms create-secret \
  --name my-app-database-password \
  --secret-value "your-secure-password" \
  --region cn-north-4

# List secrets
huaweicloud csms list-secrets --region cn-north-4

# Verify secret created
huaweicloud csms get-secret-value \
  --name my-app-database-password \
  --region cn-north-4
        
Step 2: Set Up Huawei Cloud Authentication

Choose between ECS Agency (recommended) or IAM credentials.


# Option A: ECS Agency (Recommended for Huawei ECS instances)
# Automatically discovered—no configuration needed
# Just ensure ECS instance has CSMS read permissions assigned

# Option B: IAM Credentials
export HUAWEI_ACCESS_KEY_ID="your-access-key-id"
export HUAWEI_SECRET_ACCESS_KEY="your-secret-access-key"

# In Huawei Cloud Console:
# My Credentials → Access Keys → Create Access Key
        
Step 3: Install DSO Provider

Set up DSO with Huawei Cloud support.


# Install Huawei Cloud provider
docker dso system setup --providers huawei

# Verify installation
docker dso system doctor
# Should show: huawei ... OK
        
Step 4: Create dso.yaml

Configure DSO to connect to Huawei Cloud CSMS.


# dso.yaml - Huawei Cloud configuration
provider: huawei

config:
  # Your Huawei Cloud region
  region: cn-north-4
  # Options: cn-north-4, cn-east-3, cn-south-1, ap-southeast-1

# Define secrets to inject
secrets:
  - name: my-app-database-password
    inject: env
    rotation: true
    reload_strategy:
      type: restart  # Options: restart, rolling, signal
    mappings:
      password: DB_PASSWORD

# Optional: configure polling
agent:
  watch:
    polling_interval: 2m  # Check CSMS every 2 minutes (default)
        
Step 5: Create docker-compose.yaml

Define the application stack with dso:// references.


version: "3.9"

services:
  app:
    image: myapp:latest
    environment:
      - DB_PASSWORD=dso://my-app-database-password
      - APP_ENV=production
    ports:
      - "3000:3000"
    depends_on:
      - postgres

  postgres:
    image: postgres:15
    environment:
      POSTGRES_PASSWORD: dso://my-app-database-password
    volumes:
      - postgres_data:/var/lib/postgresql/data

volumes:
  postgres_data:
        
Step 6: Deploy with DSO

Start containers with secrets from Huawei Cloud CSMS.


# Deploy
docker dso up -d

# Check status
docker dso ps

# View logs
docker dso logs app

# Verify injection
docker exec -it app env | grep DB_PASSWORD
# Output: DB_PASSWORD=your-secure-password
        
Step 7: Verify Zero-Persistence

Confirm secrets are not persisted.


# Verify secret IS in environment
docker exec -it app env | grep DB_PASSWORD
# Shows: DB_PASSWORD=your-secure-password ✓

# Verify secret is NOT in docker inspect
docker inspect app | grep DB_PASSWORD
# Should show NOTHING ✓

# Verify secret is NOT in logs
docker logs app | grep DB_PASSWORD
# Should show NOTHING ✓
        

Security Benefits

  • Zero Persistence: Secrets exist only in RAM, never on disk or in logs
  • ECS Agency: No credentials to store; Huawei Cloud manages it automatically
  • RBAC Support: Fine-grained access control via Huawei Cloud IAM
  • CloudTrace Auditing: All secret access visible in Huawei Cloud audit logs
  • Encryption in Transit: TLS 1.2+ for all CSMS communication
  • Regional Isolation: Secrets remain within your chosen region
  • Compliance: Meets Huawei Cloud compliance standards

Common Problems & Solutions

Authentication failed or access denied

For ECS Agency:
1. Verify the agency is assigned to the ECS instance
2. Ensure the agency has CSMS read permissions

For IAM Credentials:
1. Verify HUAWEI_ACCESS_KEY_ID is set
2. Verify HUAWEI_SECRET_ACCESS_KEY is set
3. Confirm the credentials have CSMS permissions

Secret not found (404 error)

1. Verify the secret exists in CSMS:
   huaweicloud csms list-secrets --region cn-north-4

2. Check that the secret name in dso.yaml matches CSMS:
   grep "name:" dso.yaml

3. Verify the region in dso.yaml matches the secret's location

Permission denied

1. Verify the IAM role/agency has CSMS read permissions
2. In the Huawei Cloud Console, check:
   - ECS instance agency assignment
   - The agency's IAM role policies
   - Permission scope

3. If permissions changed, restart the containers:
   docker dso down && docker dso up -d

Old secret in container after rotation

1. Check the polling interval:
   grep polling_interval dso.yaml

2. Wait for the interval to elapse (default 2 minutes)

3. Verify the new secret:
   docker exec -it app env | grep DB_PASSWORD

4. Or force an update:
   docker dso down && docker dso up -d

Timeout connecting to CSMS

1. Verify network connectivity (ping checks ICMP reachability only; DSO itself needs the HTTPS path covered in step 3):
   docker exec -it app ping api.csms.huaweicloud.com

2. Check firewall/security group rules

3. If using a VPC, verify:
   - Network connectivity to the CSMS endpoint
   - Security group allows HTTPS outbound
   - No network policies blocking CSMS access

Frequently Asked Questions

Does DSO store Huawei Cloud credentials?

No. When using ECS Agency, Huawei Cloud provides temporary tokens via instance metadata. DSO fetches tokens, uses them once, then discards them. Credentials are never stored on disk.

How does ECS Agency authentication work?

ECS Agency is Huawei Cloud's managed identity service. When you assign an agency to an ECS instance, Huawei Cloud automatically provides authentication tokens via a local endpoint. DSO retrieves these tokens to access CSMS.

What are the supported Huawei Cloud regions?

CSMS is available in: cn-north-4 (Beijing), cn-east-3 (Shanghai), cn-south-1 (Guangzhou), and ap-southeast-1 (Singapore). Specify your region in dso.yaml config.

Does DSO support Huawei Cloud CSMS dynamic secrets?

DSO supports retrieving secrets from CSMS. Dynamic secret generation is handled by CSMS itself. DSO detects and refreshes rotated secrets based on the polling interval.

How often does DSO check for secret changes?

By default, every 2 minutes (configurable from 30 seconds to 5 minutes). This is polling-based, not event-driven. When a change is detected, the configured reload_strategy is applied.
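Added example, not part of this page or of DSO's own code: a Python model of the polling-and-hash-comparison rotation described under Polling Rotation in the Architecture section and in this answer. The interval bounds (30 seconds to 5 minutes, default 2 minutes) and the reload strategy names (restart, rolling, signal) come from the page; `SecretPoller`, `FakeCsms` and the sample password versions are constructed for illustration and do not reflect DSO internals.

```python
import hashlib
from typing import Callable, List, Optional

# Polling window documented on the page: default 2 minutes, configurable 30s-5m.
MIN_INTERVAL_S, DEFAULT_INTERVAL_S, MAX_INTERVAL_S = 30, 120, 300
RELOAD_STRATEGIES = ("restart", "rolling", "signal")  # dso.yaml reload_strategy.type


def clamp_interval(seconds: int) -> int:
    """Keep a configured polling_interval inside the documented range."""
    return max(MIN_INTERVAL_S, min(MAX_INTERVAL_S, seconds))


def fingerprint(secret_value: str) -> str:
    """Hash the fetched value: the poller keeps and compares digests, never plaintext."""
    return hashlib.sha256(secret_value.encode("utf-8")).hexdigest()


class SecretPoller:
    """One poll cycle per call: fetch, compare digest with the last one, report reload."""

    def __init__(self, fetch: Callable[[], str], reload_strategy: str = "restart"):
        if reload_strategy not in RELOAD_STRATEGIES:
            raise ValueError(f"unknown reload_strategy: {reload_strategy}")
        self._fetch = fetch
        self._strategy = reload_strategy
        self._last_digest: Optional[str] = None

    def poll_once(self) -> Optional[str]:
        """Return the reload action to apply, or None when the secret is unchanged.
        The first poll only records the baseline (startup injection, no reload)."""
        digest = fingerprint(self._fetch())
        changed = self._last_digest is not None and digest != self._last_digest
        self._last_digest = digest
        return self._strategy if changed else None


class FakeCsms:
    """Constructed stand-in for CSMS (hypothetical): serves versions in order, then the latest."""

    def __init__(self, versions: List[str]):
        self._versions = list(versions)

    def get_secret_value(self) -> str:
        return self._versions.pop(0) if len(self._versions) > 1 else self._versions[0]


def simulate(versions: List[str], reload_strategy: str = "restart") -> List[Optional[str]]:
    """Run one poll per version (a real loop would sleep clamp_interval(...) seconds between
    polls) and collect the reload actions the poller would trigger."""
    poller = SecretPoller(FakeCsms(versions).get_secret_value, reload_strategy)
    return [poller.poll_once() for _ in versions]
```

With `simulate(["pw-v1", "pw-v1", "pw-v2"], "signal")` the first two polls return None and the third returns "signal", i.e. the reload fires only on the poll after the value rotates, which is the delay the "Old secret in container after rotation" entry above describes.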

Can I audit secret access?

Yes. All GetSecret calls are logged in Huawei Cloud CloudTrace with timestamps, identity information, secret name, and results. Query CloudTrace to view audit trails.

What's the cost of using DSO with Huawei Cloud CSMS?

DSO is free. Huawei Cloud charges for CSMS: approximately $0.40 per secret per month + API call costs. Typical deployments cost less than $1 per month.

Can multiple containers share the same secret?

Yes. Multiple containers can reference the same secret. Huawei Cloud IAM controls which agencies can access which secrets. Different identities can have different permissions.

Ready to Deploy?

Follow the setup guide above to integrate Huawei Cloud CSMS with Docker Secret Operator.