How To: Retrieve a secret
Use the secret store building block to securely retrieve a secret
This article provides guidance on using Dapr’s secrets API in your code to leverage the secrets store building block. The secrets API allows you to easily retrieve secrets in your application code from a configured secret store.
Set up a secret store
Before retrieving secrets in your application’s code, you must have a secret store component configured. In this guide, you will configure a local secret store that reads secrets from a local JSON file.
Note: The component used in this example is not secured and is not recommended for production deployments. You can find other alternatives here.
Create a file named secrets.json with the following contents:
{
    "my-secret" : "I'm Batman"
}
Create a directory for your components file named components and inside it create a file named localSecretStore.yaml with the following contents:
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: my-secrets-store
  namespace: default
spec:
  type: secretstores.local.file
  version: v1
  metadata:
  - name: secretsFile
    value: <PATH TO SECRETS FILE>/secrets.json
  - name: nestedSeparator
    value: ":"
Make sure to replace <PATH TO SECRETS FILE> with the path to the JSON file you just created.
To configure a different kind of secret store see the guidance on how to configure a secret store and review supported secret stores to see specific details required for different secret store solutions.
Get a secret
Now run the Dapr sidecar (with no application):
dapr run --app-id my-app --dapr-http-port 3500 --components-path ./components
And now you can get the secret by calling the Dapr sidecar using the secrets API:
curl http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret
For a full API reference, go here.
Calling the secrets API from your code
Once you have a secret store set up, you can call Dapr to get the secrets from your application code. Here are a few examples in different programming languages:
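// Go: fetch the secret from the Dapr sidecar over HTTP.
package main
import (
    "fmt"
    "io/ioutil"
    "net/http"
)
func main() {
    url := "http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret"
    res, err := http.Get(url)
    if err != nil {
        panic(err)
    }
    defer res.Body.Close()
    // Read the JSON response body returned by the sidecar.
    body, err := ioutil.ReadAll(res.Body)
    if err != nil {
        panic(err)
    }
    fmt.Println(string(body))
}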
// JavaScript (Node.js): fetch the secret from the Dapr sidecar.
require('isomorphic-fetch');
const secretsUrl = `http://localhost:3500/v1.0/secrets`;
fetch(`${secretsUrl}/my-secrets-store/my-secret`)
    .then((response) => {
        if (!response.ok) {
            throw new Error("Could not get secret");
        }
        return response.text();
    }).then((secret) => {
        console.log(secret);
    });
# Python: fetch the secret from the Dapr sidecar.
import requests as req
resp = req.get("http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret")
print(resp.text)
// Rust: fetch the secret from the Dapr sidecar.
#![deny(warnings)]
use std::thread;
#[tokio::main]
async fn main() -> Result<(), reqwest::Error> {
    let res = reqwest::get("http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret").await?;
    let body = res.text().await?;
    println!("Secret:{}", body);
    // Block the main thread so the process stays alive after printing.
    thread::park();
    Ok(())
}
// C#: fetch the secret from the Dapr sidecar.
var client = new HttpClient();
var response = await client.GetAsync("http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret");
response.EnsureSuccessStatusCode();
string secret = await response.Content.ReadAsStringAsync();
Console.WriteLine(secret);
<?php
// PHP: retrieve the secret through the Dapr PHP SDK.
require_once __DIR__.'/vendor/autoload.php';
$app = \Dapr\App::create();
$app->run(function(\Dapr\SecretManager $secretManager, \Psr\Log\LoggerInterface $logger) {
    // The store name must match metadata.name in localSecretStore.yaml.
    $secret = $secretManager->retrieve(secret_store: 'my-secrets-store', name: 'my-secret');
    $logger->alert('got secret: {secret}', ['secret' => $secret]);
});
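The snippets above print the raw response body, which is a JSON object keyed by secret name. The following Python sketch is an added example, not code from the Dapr documentation: it extracts the value, treats any non-200 answer as a failure, percent-encodes the path segments, and ignores proxy settings so the request stays on localhost. The names get_secret, SecretError and DAPR_URL are hypothetical, and it uses the standard library's urllib instead of requests.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

DAPR_URL = "http://localhost:3500"  # sidecar address used on this page
# Ignore HTTP_PROXY and friends: secret lookups must not leave the host.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class SecretError(Exception):
    """Raised when the sidecar does not return the requested secret."""


def get_secret(store, name, key=None, base_url=DAPR_URL, timeout=5.0):
    """Return one value from the JSON object the secrets API responds with."""
    # Percent-encode both path segments so a name containing "/" or "?"
    # cannot change which endpoint is called.
    path = "/v1.0/secrets/{}/{}".format(
        urllib.parse.quote(store, safe=""), urllib.parse.quote(name, safe=""))
    try:
        with _OPENER.open(base_url + path, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        # Report only the status code, never the response body.
        raise SecretError(f"secret lookup failed with HTTP {exc.code}") from None
    except OSError as exc:
        raise SecretError(f"sidecar unreachable: {exc}") from None
    if status != 200 or not raw:
        raise SecretError(f"no secret returned (HTTP {status})")
    try:
        values = json.loads(raw)
    except ValueError:
        raise SecretError("sidecar returned a non-JSON body") from None
    wanted = name if key is None else key
    if not isinstance(values, dict) or wanted not in values:
        raise SecretError(f"key {wanted!r} missing from response")
    return values[wanted]


if __name__ == "__main__":
    secret = get_secret("my-secrets-store", "my-secret")
    # Use the value; avoid writing it to logs or stdout in real services.
    print("retrieved secret of length", len(secret))
```

Run it with the sidecar from the "Get a secret" step listening on port 3500.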
Related links
- Dapr secrets overview
- Secrets API reference
- Configure a secret store
- Supported secrets
- Using secrets in components
- Secret stores quickstart
Last modified March 18, 2021: Merge pull request #1321 from dapr/aacrawfi/logos (9a399d5)