diff --git a/api/types/container/secret.go b/api/types/container/secret.go
index eee5bf89d2..da86577f9c 100644
--- a/api/types/container/secret.go
+++ b/api/types/container/secret.go
@@ -6,7 +6,7 @@ type ContainerSecret struct {
 Name string
 Target string
 Data []byte
- Uid int
- Gid int
+ UID int
+ GID int
 Mode os.FileMode
 }
diff --git a/api/types/swarm/secret.go b/api/types/swarm/secret.go
index 86a6beafeb..1f842c32ca 100644
--- a/api/types/swarm/secret.go
+++ b/api/types/swarm/secret.go
@@ -1,5 +1,7 @@
 package swarm
 
+import "os"
+
 // Secret represents a secret.
 type Secret struct {
 ID string
@@ -14,17 +16,15 @@ type SecretSpec struct {
 Data []byte
 }
 
-type SecretReferenceMode int
-
-const (
- SecretReferenceSystem SecretReferenceMode = 0
- SecretReferenceFile SecretReferenceMode = 1
- SecretReferenceEnv SecretReferenceMode = 2
-)
+type SecretReferenceFileTarget struct {
+ Name string
+ UID string
+ GID string
+ Mode os.FileMode
+}
 
 type SecretReference struct {
 SecretID string
- Mode SecretReferenceMode
- Target string
 SecretName string
+ Target SecretReferenceFileTarget
 }
diff --git a/cli/command/service/parse.go b/cli/command/service/parse.go
index 71d6fb1958..5a22ed352c 100644
--- a/cli/command/service/parse.go
+++ b/cli/command/service/parse.go
@@ -54,8 +54,13 @@ func parseSecrets(client client.APIClient, requestedSecrets []string) ([]*swarmt
 
 secretRef := &swarmtypes.SecretReference{
 SecretName: n,
- Mode: swarmtypes.SecretReferenceFile,
- Target: t,
+ // TODO (ehazlett): parse these from cli request
+ Target: swarmtypes.SecretReferenceFileTarget{
+ Name: t,
+ UID: "0",
+ GID: "0",
+ Mode: 0444,
+ },
 }
 
 if _, exists := secretRefs[t]; exists {
diff --git a/daemon/cluster/convert/container.go b/daemon/cluster/convert/container.go
index 6436b01c60..1a6121c240 100644
--- a/daemon/cluster/convert/container.go
+++ b/daemon/cluster/convert/container.go
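Review bot: `SecretReferenceFileTarget` and the reshaped `SecretReference` are exported API types with no doc comments, while the `Secret` type in the hunk above carries `// Secret represents a secret.`; the `UID` and `GID` fields in particular are strings whose expected contents are stated nowhere on the type. Elsewhere in this commit (`daemon/cluster/executor/container/adapter.go`) they are parsed with `strconv.Atoi`, so the contract is a decimal numeric id and a non-numeric value fails task creation, which callers of this package should be able to read off the type. I would add `// SecretReferenceFileTarget describes the file a secret is exposed as inside the container.` above the struct, `// UID and GID are the owning uid/gid of the secret file, as decimal strings.` on the fields, and a note on `Mode` that it is (presumably) the permission mode applied to that file.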
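Review bot: The literals `UID: "0"`, `GID: "0"` and `Mode: 0444` in the new `Target` literal are the effective defaults for every `--secret` reference the CLI creates, and the TODO above them does not say what they mean; a reader has to know that a root-owned 0444 file is readable by every uid in the container. I would lift them into named constants with a comment, e.g. `// defaultSecretMode is world-readable inside the container; callers needing tighter access must set Mode explicitly.`, so the intent is recorded when the TODO is resolved rather than rediscovered. parseSecrets starts and ends outside the hunk.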
@@ -4,6 +4,7 @@ import (
 "fmt"
 "strings"
 
+ "github.com/Sirupsen/logrus"
 container "github.com/docker/docker/api/types/container"
 mounttypes "github.com/docker/docker/api/types/mount"
 types "github.com/docker/docker/api/types/swarm"
@@ -79,15 +80,17 @@ func containerSpecFromGRPC(c *swarmapi.ContainerSpec) types.ContainerSpec {
 func secretReferencesToGRPC(sr []*types.SecretReference) []*swarmapi.SecretReference {
 refs := []*swarmapi.SecretReference{}
 for _, s := range sr {
- mode := swarmapi.SecretReference_FILE
- if s.Mode == types.SecretReferenceSystem {
- mode = swarmapi.SecretReference_SYSTEM
- }
 refs = append(refs, &swarmapi.SecretReference{
 SecretID: s.SecretID,
 SecretName: s.SecretName,
- Target: s.Target,
- Mode: mode,
+ Target: &swarmapi.SecretReference_File{
+ File: &swarmapi.SecretReference_FileTarget{
+ Name: s.Target.Name,
+ UID: s.Target.UID,
+ GID: s.Target.GID,
+ Mode: s.Target.Mode,
+ },
+ },
 })
 }
 
@@ -96,18 +99,21 @@ func secretReferencesToGRPC(sr []*types.SecretReference) []*swarmapi.SecretRefer
 func secretReferencesFromGRPC(sr []*swarmapi.SecretReference) []*types.SecretReference {
 refs := []*types.SecretReference{}
 for _, s := range sr {
- var mode types.SecretReferenceMode
- switch s.Mode {
- case swarmapi.SecretReference_SYSTEM:
- mode = types.SecretReferenceSystem
- default:
- mode = types.SecretReferenceFile
+ target := s.GetFile()
+ if target == nil {
+ // not a file target
+ logrus.Warnf("secret target not a file: secret=%s", s.SecretID)
+ continue
 }
 refs = append(refs, &types.SecretReference{
 SecretID: s.SecretID,
 SecretName: s.SecretName,
- Target: s.Target,
- Mode: mode,
+ Target: types.SecretReferenceFileTarget{
+ Name: target.Name,
+ UID: target.UID,
+ GID: target.GID,
+ Mode: target.Mode,
+ },
 })
 }
 
diff --git a/daemon/cluster/executor/container/adapter.go b/daemon/cluster/executor/container/adapter.go
index 1cdb6429f2..02c327f8a1 100644
--- a/daemon/cluster/executor/container/adapter.go
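Review bot: `secretReferencesFromGRPC` now drops any reference whose target is not a file (the `continue` after the `GetFile() == nil` check), so the converted spec silently carries fewer secret references than the one received over gRPC and the caller has no way to notice; a task can then be set up without a secret the service asked for. Because `secretReferencesToGRPC` in the hunk above only ever emits file targets, this path is reachable only for specs that did not originate from this daemon's own conversion, which is precisely where failing closed beats a log line — consider surfacing an error to the caller, or at minimum include `SecretName` in the message and quote the id with `%q` so an empty id is visible. If the lossy behaviour is kept, it belongs in a doc comment: `// secretReferencesFromGRPC converts file-target secret references; references with any other target type are logged and dropped.` The function's `return refs` lies outside the hunk.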
+++ b/daemon/cluster/executor/container/adapter.go
@@ -5,6 +5,7 @@ import (
 "encoding/json"
 "fmt"
 "io"
+ "strconv"
 "strings"
 "syscall"
 "time"
@@ -227,18 +228,29 @@ func (c *containerAdapter) create(ctx context.Context) error {
 }
 
 name := sec.Spec.Annotations.Name
- target := s.Target
- if target == "" {
- target = name
+ target := s.GetFile()
+ if target == nil {
+ logrus.Warnf("secret target was not a file: secret=%s", s.SecretID)
+ continue
 }
+ // convert uid / gid string to int
+ uid, err := strconv.Atoi(target.UID)
+ if err != nil {
+ return err
+ }
+
+ gid, err := strconv.Atoi(target.GID)
+ if err != nil {
+ return err
+ }
+
 secrets = append(secrets, &containertypes.ContainerSecret{
 Name: name,
- Target: target,
+ Target: target.Name,
 Data: sec.Spec.Data,
- // TODO (ehazlett): enable configurable uid, gid, mode
- Uid: 0,
- Gid: 0,
- Mode: 0444,
+ UID: uid,
+ GID: gid,
+ Mode: target.Mode,
 })
 }
 
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 163dede7a1..ac6b6ad1ad 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -191,7 +191,7 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
 return errors.Wrap(err, "error injecting secret")
 }
 
- if err := os.Chown(fPath, s.Uid, s.Gid); err != nil {
+ if err := os.Chown(fPath, s.UID, s.GID); err != nil {
 return errors.Wrap(err, "error setting ownership for secret")
 }
 }
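Review bot: `strconv.Atoi(target.UID)` accepts negative and platform-width values, so a spec carrying `"-1"` or a number above 32 bits passes this check and is handed to `os.Chown` in `daemon/container_operations_unix.go` (the hunk below), where -1 means "leave ownership unchanged"; parse with `strconv.ParseUint(target.UID, 10, 32)` and convert the result, and do the same for `GID`, so only real ids get through. The bare `return err` on both parse failures loses which secret and which field was malformed; `fmt` is already imported here, so wrap it, e.g. `return fmt.Errorf("invalid uid %q for secret %s: %v", target.UID, name, err)`. `Mode: target.Mode` is applied as received; masking with `target.Mode & 0777` would keep setuid/setgid/sticky or type bits out of the secret file. Finally, the `continue` on a non-file target starts the container without a secret its task spec asked for and only logs a warning; returning an error, as the uid/gid branches do, fails closed. create's body extends beyond the hunk on both sides.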