How-To: Reference secrets in components

How to securly reference secrets from a component definition

Overview

Components can reference secrets for the spec.metadata section within the components definition.

In order to reference a secret, you need to set the auth.secretStore field to specify the name of the secret store that holds the secrets.

When running in Kubernetes, if the auth.secretStore is empty, the Kubernetes secret store is assumed.

Supported secret stores

Go to this link to see all the secret stores supported by Dapr, along with information on how to configure and use them.

Referencing secrets

While you have the option to use plain text secrets, this is not recommended for production:

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: statestore
  5. namespace: default
  6. spec:
  7. type: state.redis
  8. version: v1
  9. metadata:
  10. - name: redisHost
  11. value: localhost:6379
  12. - name: redisPassword
  13. value: MyPassword

Instead create the secret in your secret store and reference it in the component definition:

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: statestore
  5. namespace: default
  6. spec:
  7. type: state.redis
  8. version: v1
  9. metadata:
  10. - name: redisHost
  11. value: localhost:6379
  12. - name: redisPassword
  13. secretKeyRef:
  14. name: redis-secret
  15. key: redis-password
  16. auth:
  17. secretStore: <SECRET_STORE_NAME>

SECRET_STORE_NAME is the name of the configured secret store component. When running in Kubernetes and using a Kubernetes secret store, the field auth.SecretStore defaults to kubernetes and can be left empty.

The above component definition tells Dapr to extract a secret named redis-secret from the defined secret store and assign the value of the redis-password key in the secret to the redisPassword field in the Component.

Example

Referencing a Kubernetes secret

The following example shows you how to create a Kubernetes secret to hold the connection string for an Event Hubs binding.

  1. First, create the Kubernetes secret:

    1. kubectl create secret generic eventhubs-secret --from-literal=connectionString=*********
  2. Next, reference the secret in your binding:

    1. apiVersion: dapr.io/v1alpha1
    2. kind: Component
    3. metadata:
    4. name: eventhubs
    5. namespace: default
    6. spec:
    7. type: bindings.azure.eventhubs
    8. version: v1
    9. metadata:
    10. - name: connectionString
    11. secretKeyRef:
    12. name: eventhubs-secret
    13. key: connectionString
  3. Finally, apply the component to the Kubernetes cluster:

    1. kubectl apply -f ./eventhubs.yaml

Scoping access to secrets

Dapr can restrict access to secrets in a secret store using its configuration. Read How To: Use secret scoping and How-To: Limit the secrets that can be read from secret stores for more information. This is the recommended way to limit access to secrets using Dapr.

Kubernetes permissions

Default namespace

When running in Kubernetes, Dapr, during installtion, defines default Role and RoleBinding for secrets access from Kubernetes secret store in the default namespace. For Dapr enabled apps that fetch secrets from default namespace, a secret can be defined and referenced in components as shown in the example above.

Non-default namespaces

If your Dapr enabled apps are using components that fetch secrets from non-default namespaces, apply the following resources to that namespace:

  1. ---
  2. apiVersion: rbac.authorization.k8s.io/v1
  3. kind: Role
  4. metadata:
  5. name: secret-reader
  6. namespace: <NAMESPACE>
  7. rules:
  8. - apiGroups: [""]
  9. resources: ["secrets"]
  10. verbs: ["get", "list"]
  11. ---
  12. kind: RoleBinding
  13. apiVersion: rbac.authorization.k8s.io/v1
  14. metadata:
  15. name: dapr-secret-reader
  16. namespace: <NAMESPACE>
  17. subjects:
  18. - kind: ServiceAccount
  19. name: default
  20. roleRef:
  21. kind: Role
  22. name: secret-reader
  23. apiGroup: rbac.authorization.k8s.io

These resources grant Dapr permissions to get secrets from the Kubernetes secret store for the namespace defined in the Role and RoleBinding.

Note

In production scenario to limit Dapr’s access to certain secret resources alone, you can use the resourceNames field. See this link for further explanation.

Related links

Last modified March 18, 2021: Merge pull request #1321 from dapr/aacrawfi/logos (9a399d5)