GCP Secret Manager

Detailed information on the GCP Secret Manager secret store component

This document shows how to enable the GCP Secret Manager secret store using the [Dapr Secrets Component](./../concepts/secrets/README.md) in self-hosted and Kubernetes modes.

Setup GCP Secret Manager instance

Set up GCP Secret Manager by following the GCP documentation: https://cloud.google.com/secret-manager/docs/quickstart.

Setup Dapr component

    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: gcpsecretmanager
      namespace: default
    spec:
      type: secretstores.gcp.secretmanager
      version: v1
      # The fields below mirror the service account key JSON file.
      metadata:
      - name: type
        value: service_account
      - name: project_id
        value: project_111
      - name: private_key_id
        # Quoted: an unquoted leading * is parsed as a YAML alias.
        value: "*************"
      - name: client_email
        value: name@domain.com
      - name: client_id
        value: '1111111111111111'
      - name: auth_uri
        value: https://accounts.google.com/o/oauth2/auth
      - name: token_uri
        value: https://oauth2.googleapis.com/token
      - name: auth_provider_x509_cert_url
        value: https://www.googleapis.com/oauth2/v1/certs
      - name: client_x509_cert_url
        value: https://www.googleapis.com/robot/v1/metadata/x509/<project-name>.iam.gserviceaccount.com
      - name: private_key
        value: PRIVATE KEY

Warning

The above example uses secrets as plain strings. It is recommended to use a local secret store such as Kubernetes secret store or a local file to bootstrap secure key storage.

Apply the component

To run locally, create a components dir containing the YAML file and provide the path to the dapr run command with the flag --components-path.

To deploy in Kubernetes, save the file above to gcp_secret_manager.yaml and then run:

    kubectl apply -f gcp_secret_manager.yaml

Example

This example shows how to read the Redis password from the GCP Secret Manager secret store. It assumes you have created a secret named redisPassword in GCP Secret Manager. Note that it's important to set it as both the name and key properties.

    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: statestore
      namespace: default
    spec:
      type: state.redis
      version: v1
      metadata:
      - name: redisHost
        value: "[redis]:6379"
      - name: redisPassword
        secretKeyRef:
          name: redisPassword
          key: redisPassword
    auth:
      secretStore: gcpsecretmanager

Last modified February 16, 2021: Merge pull request #1235 from dapr/update-v0.11 (b4e9fbb)