diff --git a/manifests/metadata.pp b/manifests/metadata.pp
index 15fcb3f..be102a4 100644
--- a/manifests/metadata.pp
+++ b/manifests/metadata.pp
@@ -106,7 +106,7 @@ class ec2api::metadata (
     'metadata/auth_ca_cert':                 value => $auth_ca_cert;
     'metadata/nova_client_cert':             value => $nova_client_cert;
     'metadata/nova_client_priv_key':         value => $nova_client_priv_key;
-    'metadata/metadata_proxy_shared_secret': value => $metadata_proxy_shared_secret;
+    'metadata/metadata_proxy_shared_secret': value => $metadata_proxy_shared_secret, secret => true;
     'DEFAULT/metadata_listen':               value => $metadata_listen;
     'DEFAULT/metadata_listen_port':          value => $metadata_listen_port;
     'DEFAULT/metadata_use_ssl':              value => $metadata_use_ssl;
diff --git a/spec/classes/ec2api_metadata_spec.rb b/spec/classes/ec2api_metadata_spec.rb
index 03704a4..5988e42 100644
--- a/spec/classes/ec2api_metadata_spec.rb
+++ b/spec/classes/ec2api_metadata_spec.rb
@@ -14,7 +14,6 @@ describe 'ec2api::metadata', type: :class do
         metadata/auth_ca_cert
         metadata/nova_client_cert
         metadata/nova_client_priv_key
-        metadata/metadata_proxy_shared_secret
         DEFAULT/metadata_listen
         DEFAULT/metadata_listen_port
         DEFAULT/metadata_use_ssl
@@ -37,6 +36,10 @@ describe 'ec2api::metadata', type: :class do
           is_expected.to contain_ec2api_config('DEFAULT/metadata_workers').with_value(2)
         end
 
+        it 'configures metadata_proxy_shared_secret' do
+          is_expected.to contain_ec2api_config('metadata/metadata_proxy_shared_secret').with_value('<SERVICE DEFAULT>').with_secret(true)
+        end
+
         service_parameters = {
             ensure: 'running',
             enable: true,