概述

General overview on set up of secret stores for Dapr

Dapr integrates with secret stores to provide apps and other components with secure store and access to secrets such as access keys and passwords. Each secret store component has a name and this name is used when accessing a secret.

As with other building block components, secret store components are extensible and can be found in the components-contrib repo.

A secret store in Dapr is described using a Component file with the following fields:

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: secretstore
  5. namespace: default
  6. spec:
  7. type: secretstores.<NAME>
  8. version: v1
  9. metadata:
  10. - name: <KEY>
  11. value: <VALUE>
  12. - name: <KEY>
  13. value: <VALUE>
  14. ...

The type of secret store is determined by the type field, and things like connection strings and other metadata are put in the .metadata section.

Different supported secret stores will have different specific fields that would need to be configured. For example, when configuring a secret store which uses AWS Secrets Manager the file would look like this:

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: awssecretmanager
  5. namespace: default
  6. spec:
  7. type: secretstores.aws.secretmanager
  8. version: v1
  9. metadata:
  10. - name: region
  11. value: "[aws_region]"
  12. - name: accessKey
  13. value: "[aws_access_key]"
  14. - name: secretKey
  15. value: "[aws_secret_key]"
  16. - name: sessionToken
  17. value: "[aws_session_token]"

Apply the configuration

Once you have created the component’s YAML file, follow these instructions to apply it based on your hosting environment:

To run locally, create a components dir containing the YAML file and provide the path to the dapr run command with the flag --components-path.

To deploy in Kubernetes, assuming your component file is named secret-store.yaml, run:

  1. kubectl apply -f secret-store.yaml

Related links

Last modified January 1, 0001