# Docker Swarm Secret Not Found: How to Create and Manage Secrets
Your Swarm service fails to deploy because a referenced secret doesn't exist:
Error response from daemon: rpc error: code = 2 desc = secret db_password not foundOr:
service myapp: failed to update service: secret not found: api_keyDocker Swarm secrets provide secure storage for sensitive data, but services fail if referenced secrets aren't created first. Let me show you how to fix this.
Introduction
This article covers troubleshooting steps and solutions for Docker Swarm Secret Not Found: How to Create and Manage Secrets. The error typically occurs in production environments and can cause service disruptions if not addressed promptly.
Symptoms
Common error messages include:
Error response from daemon: rpc error: code = 2 desc = secret db_password not foundservice myapp: failed to update service: secret not found: api_key```bash # List all secrets docker secret ls
# Output: # ID NAME DRIVER CREATED # abc123def456 db_password 2 hours ago
# Inspect a specific secret (limited info) docker secret inspect db_password ```
Common Causes
- Configuration misconfiguration
- Missing or incorrect credentials
- Network connectivity issues
- Version compatibility problems
- Resource exhaustion or limits
- Permission or access denied
Step-by-Step Fix
Understanding Docker Swarm Secrets
Secrets in Swarm are:
- Created on manager nodes
- Encrypted and stored in the Raft log
- Delivered to containers via files in /run/secrets/
- Never visible in docker inspect output
Step 1: List Existing Secrets
Check what secrets are already in the Swarm:
```bash # List all secrets docker secret ls
# Output: # ID NAME DRIVER CREATED # abc123def456 db_password 2 hours ago
# Inspect a specific secret (limited info) docker secret inspect db_password ```
Step 2: Create Missing Secrets
If the secret doesn't exist, create it:
```bash # Create from file docker secret create db_password ./password.txt
# Create from stdin echo "my_secret_password" | docker secret create db_password -
# Create from stdin with echo suppression docker secret create db_password - <<< "my_secret_password"
# Verify creation docker secret ls | grep db_password ```
Important: Secrets are immutable. Once created, you cannot update them. To change a secret's value, create a new secret with a different name.
Step 3: Fix Service Configuration
Update your service to reference the correct secret:
```bash # Check current service configuration docker service inspect myapp --format '{{json .Spec.TaskTemplate.ContainerSpec.Secrets}}'
# Update service with correct secret reference docker service update --secret-add source=db_password,target=db_password myapp ```
In docker-compose.yml:
```yaml version: '3.8' secrets: db_password: external: true # Must exist in Swarm
services: app: image: myapp:latest secrets: - db_password ```
If using external secrets, create them before deploying:
docker secret create db_password -
docker stack deploy -c docker-compose.yml myappStep 4: Create Secrets in Compose Files
Alternatively, let Compose create secrets from files:
```yaml version: '3.8' secrets: db_password: file: ./secrets/db_password.txt # Create from file
services: app: image: myapp:latest secrets: - source: db_password target: db_password.txt uid: '1000' gid: '1000' mode: 0400 ```
Note: file secrets work with docker-compose for non-Swarm deployment, but Swarm requires external or uses file when creating the stack.
Step 5: Access Secrets in Containers
Inside containers, secrets appear as files:
```bash # Check where secrets are mounted docker exec <container> ls -la /run/secrets/
# Read secret content docker exec <container> cat /run/secrets/db_password
# In your application code password = open('/run/secrets/db_password').read().strip() ```
Step 6: Handle Secret Updates
Secrets cannot be modified. To update a secret value:
```bash # Create a new secret version docker secret create db_password_v2 - <<< "new_password"
# Update service to use new secret docker service update \ --secret-rm db_password \ --secret-add source=db_password_v2,target=db_password \ myapp
# Remove old secret after migration docker secret rm db_password ```
Or use a naming convention:
# Rotate secrets systematically
docker secret create myapp_db_password_20260403 - <<< "password"
docker service update --secret-add myapp_db_password_20260403 myappStep 7: Debug Secret Issues
If services fail due to secrets:
```bash # Check service logs docker service logs myapp
# Inspect service task docker service ps myapp
# Check task error message docker service ps myapp --no-trunc
# Look for: "secret not found" or similar ```
Verify secret is in Swarm:
```bash # List secrets docker secret ls
# Check secret ID matches service reference docker service inspect myapp --format '{{json .Spec.TaskTemplate.ContainerSpec.Secrets}}' ```
Step 8: Remove Unused Secrets
Clean up secrets no longer needed:
```bash # List secrets with no references docker secret ls
# Check which services use a secret docker service ls --format "{{.Name}}" | while read s; do docker service inspect $s --format '{{range .Spec.TaskTemplate.ContainerSpec.Secrets}}{{.SecretName}}{{"\n"}}{{end}}' done | grep -c db_password
# Remove secret docker secret rm db_password ```
Note: You cannot remove a secret that's actively used by running services.
Step 9: Secret Target Configuration
Configure how secrets appear in containers:
```bash # Basic secret reference docker service create \ --name myapp \ --secret db_password \ myimage:latest
# With custom target path docker service create \ --name myapp \ --secret source=db_password,target=/etc/app/password \ myimage:latest
# With specific permissions docker service create \ --name myapp \ --secret source=db_password,target=password,uid=1000,gid=1000,mode=0400 \ myimage:latest ```
In docker-compose.yml:
```yaml secrets: db_password: external: true
services: app: secrets: - source: db_password target: /etc/app/password uid: '1000' gid: '1000' mode: 0400 ```
Step 10: Grant Secret Access to Services
Services must explicitly request secrets:
```yaml # WRONG: Secret referenced but not granted access secrets: api_key: external: true
services: app: # Missing secrets section
# CORRECT: Explicitly grant secret access secrets: api_key: external: true
services: app: secrets: - api_key ```
Common Error Patterns and Fixes
| Error | Cause | Fix |
|---|---|---|
secret not found | Secret doesn't exist in Swarm | Create secret first |
invalid secret reference | Wrong secret ID or name | Update service with correct name |
secret in use | Cannot remove active secret | Remove service first |
secret file not found | Compose file path wrong | Verify file exists |
Complete Secret Workflow
```bash # 1. Create secret echo "my_password" | docker secret create db_password -
# 2. Verify docker secret ls
# 3. Deploy service with secret docker service create --name myapp --secret db_password myimage
# 4. Verify secret is accessible docker exec $(docker ps -q -f name=myapp) cat /run/secrets/db_password
# 5. Update secret (create new version) echo "new_password" | docker secret create db_password_v2 -
# 6. Update service docker service update --secret-rm db_password --secret-add db_password_v2 myapp ```
Best Practices for Secret Management
- 1.Use meaningful names with version suffixes
- 2.Rotate secrets regularly by creating new versions
- 3.Limit secret permissions (mode 0400, specific uid/gid)
- 4.Never log secret contents in application code
- 5.Create secrets before deploying stacks
- 6.Document secret creation for team members
Verification
| Task | Command |
|---|---|
| List secrets | docker secret ls |
| Create secret | docker secret create NAME - |
| Create from file | docker secret create NAME file.txt |
| Inspect secret | docker secret inspect NAME |
| Remove secret | docker secret rm NAME |
| Add to service | docker service update --secret-add NAME service |
| Remove from service | docker service update --secret-rm NAME service |
| Check secret in container | docker exec CONTAINER cat /run/secrets/NAME |
Secret errors are resolved by creating the secret before referencing it in services. Remember that secrets are immutable—you need to create new versions for updates.
Related Articles
- [Fix docker build cache invalidated unnecessary layers Issue in Docker-Errors](docker-build-cache-invalidated-unnecessary-layers)
- [Fix Docker Build Cache Invalidation Optimization Issue in Docker](docker-build-cache-invalidation-optimization)
- [Fix docker build context slow large files Issue in Docker-Errors](docker-build-context-slow-large-files)
- [Fix docker build multi stage copy from not found Issue in Docker-Errors](docker-build-multi-stage-copy-from-not-found)
- [Fix docker buildkit export local tar layer missing Issue in Docker-Errors](docker-buildkit-export-local-tar-layer-missing)
<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "TechArticle", "headline": "Docker Swarm Secret Not Found: How to Create and Manage Secrets", "description": "Troubleshoot Docker Swarm secret errors. Learn to create secrets, fix service configurations, and manage sensitive data properly.", "url": "https://www.fixwikihub.com/fix-docker-swarm-secret-not-found", "publisher": { "@type": "Organization", "name": "FixWikiHub", "url": "https://www.fixwikihub.com" }, "author": { "@type": "Person", "name": "FixWikiHub Editorial Team" }, "datePublished": "2025-11-13T14:24:44.169Z", "dateModified": "2025-11-13T14:24:44.169Z" } </script>