diff --git a/plan/task/exec.go b/plan/task/exec.go
index e529b526..9ab12066 100644
--- a/plan/task/exec.go
+++ b/plan/task/exec.go
@@ -260,10 +260,19 @@ func (t *execTask) mountSecret(pctx *plancontext.Context, dest string, mnt *comp
 return nil, err
 }
 
- // FIXME: handle uid, gid, optional
+ opts := struct {
+ UID int
+ GID int
+ Mask int
+ }{}
+
+ if err := mnt.Decode(&opts); err != nil {
+ return nil, err
+ }
+
 return llb.AddSecret(dest,
 llb.SecretID(contents.ID()),
- llb.SecretFileOpt(0, 0, 0400), // uid, gid, mask)
+ llb.SecretFileOpt(opts.UID, opts.GID, opts.Mask),
 ), nil
 }
 
diff --git a/stdlib/europa/dagger/engine/exec.cue b/stdlib/europa/dagger/engine/exec.cue
index 00152fe7..fc6c883b 100644
--- a/stdlib/europa/dagger/engine/exec.cue
+++ b/stdlib/europa/dagger/engine/exec.cue
@@ -63,9 +63,9 @@ package engine
 } | {
 type: "secret"
 contents: #Secret
- uid: uint32 | *0
- gid: uint32 | *0
- optional: true | *false
+ uid: int | *0
+ gid: int | *0
+ mask: int | *0o400
 }
 }
 
diff --git a/tests/tasks/exec/mount_secret.cue b/tests/tasks/exec/mount_secret.cue
index 34f9c7b3..74bb04ef 100644
--- a/tests/tasks/exec/mount_secret.cue
+++ b/tests/tasks/exec/mount_secret.cue
@@ -21,8 +21,29 @@ engine.#Plan & {
 "sh", "-c",
 #"""
 test "$(cat /run/secrets/test)" = "hello world"
+ ls -l /run/secrets/test | grep -- "-r--------"
 """ #,
 ]
 }
+
+ verifyPerm: engine.#Exec & {
+ input: image.output
+ mounts: secret: {
+ dest: "/run/secrets/test"
+ contents: context.secrets.testSecret.contents
+ uid: 42
+ gid: 24
+ mask: 0o666
+ }
+ args: [
+ "sh", "-c",
+ #"""
+ ls -l /run/secrets/test | grep -- "-rw-rw-rw-"
+ ls -l /run/secrets/test | grep -- "42"
+ ls -l /run/secrets/test | grep -- "24"
+ """ #,
+ ]
+ }
+
 }
 }
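Review bot: The decoded `opts.UID`, `opts.GID` and `opts.Mask` go straight into `llb.SecretFileOpt` with no range check, and the schema change in exec.cue in this same commit widens `uid`/`gid` from `uint32` to `int`, so a negative id or a mask with bits outside `0o777` now reaches BuildKit unvalidated (the `optional` field the old FIXME mentioned is dropped rather than handled; worth a comment if that is intended). I would reject out-of-range values right after `mnt.Decode`, e.g. `if opts.UID < 0 || opts.GID < 0 || opts.Mask < 0 || opts.Mask > 0o777 { return nil, fmt.Errorf("secret mount %q: uid and gid must be >= 0 and mask within 0o777", dest) }`, assuming `fmt` is imported in this file (the hunk does not show the imports). The anonymous struct also deserves a line tying it to the schema, `// opts mirrors the uid/gid/mask fields of the "secret" mount in engine/exec.cue; field names are matched by Decode`. mountSecret begins before this hunk.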
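Review bot: `uid: int | *0` and `gid: int | *0` accept negative values and `mask: int | *0o400` accepts any integer, so the schema no longer rejects inputs the previous `uint32` form did; CUE's `uint` (or `int & >=0`) keeps the non-negative constraint while still decoding into a Go `int`, e.g. `uid: uint | *0`, `gid: uint | *0`, `mask: uint & <=0o777 | *0o400`. The removal of `optional: true | *false` is a silent breaking change for any plan that set it; if that is deliberate, a short comment on the mount type saying so would save the next reader a search. A field comment such as `// mask: permission bits of the mounted secret file; the default keeps it owner read-only` would also document the security-relevant default.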
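Review bot: In both `sh -c` scripts only the exit status of the last line decides the task's outcome, because nothing sets `-e`; the added `ls -l ... | grep -- "-r--------"` line therefore masks a failure of the `test "$(cat ...)"` check above it, and in `verifyPerm` the `-rw-rw-rw-` check is masked by the final `grep -- "24"`. Start each script with `set -e` (or chain the commands with `&&`). The `grep -- "42"` and `grep -- "24"` patterns also match those digits anywhere in the listing (size, date), so a single numeric check such as `ls -ln /run/secrets/test | grep -E -- "^-rw-rw-rw- +[0-9]+ +42 +24 "` would pin the owner and group columns specifically.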