AWS Secrets Manager

Detailed information on the secret store component

Component format

To set up the AWS Secrets Manager secret store, create a component of type secretstores.aws.secretmanager. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.

See Authenticating to AWS for information about authentication-related attributes.

    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: awssecretmanager
    spec:
      type: secretstores.aws.secretmanager
      version: v1
      metadata:
      - name: region
        value: "[aws_region]"
      - name: accessKey
        value: "[aws_access_key]"
      - name: secretKey
        value: "[aws_secret_key]"
      - name: sessionToken
        value: "[aws_session_token]"

Warning

The above example uses secrets as plain strings. It is recommended to use a local secret store such as Kubernetes secret store or a local file to bootstrap secure key storage.

Spec metadata fields

| Field | Required | Details | Example |
|-------|----------|---------|---------|
| region | Y | The specific AWS region the AWS Secrets Manager instance is deployed in | "us-east-1" |
| accessKey | Y | The AWS Access Key to access this resource | "key" |
| secretKey | Y | The AWS Secret Access Key to access this resource | "secretAccessKey" |
| sessionToken | N | The AWS session token to use | "sessionToken" |

Important

When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you’re using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you must not provide AWS access-key, secret-key, and tokens in the definition of the component spec you’re using.
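
The Warning and the EKS note above, shown as an added configuration example (not taken from the Dapr project's documentation): the first two documents keep the AWS credentials in a Kubernetes Secret and reference them with `secretKeyRef`, and the third is the alternative for pods that already have IAM access. The Secret name `aws-credentials`, its key names, and the bracketed placeholder values are assumptions.

```yaml
# Added example. The Secret name and its key names are hypothetical.
# Create the Secret out of band (for example with `kubectl create secret generic`)
# rather than committing a manifest that contains real values.
apiVersion: v1
kind: Secret
metadata:
  name: aws-credentials
type: Opaque
stringData:
  accessKey: "[aws_access_key]"
  secretKey: "[aws_secret_key]"
---
# Variant A: credentials are resolved from the Kubernetes secret store,
# so no key material appears in the component definition.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: awssecretmanager
spec:
  type: secretstores.aws.secretmanager
  version: v1
  metadata:
  - name: region
    value: "[aws_region]"
  - name: accessKey
    secretKeyRef:
      name: aws-credentials
      key: accessKey
  - name: secretKey
    secretKeyRef:
      name: aws-credentials
      key: secretKey
auth:
  secretStore: kubernetes
---
# Variant B (use instead of A, not alongside it): the node/pod on EKS is
# already attached to an IAM policy, so accessKey, secretKey and
# sessionToken are left out of the component entirely.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: awssecretmanager
spec:
  type: secretstores.aws.secretmanager
  version: v1
  metadata:
  - name: region
    value: "[aws_region]"
```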

Create an AWS Secrets Manager instance

Set up AWS Secrets Manager using the AWS documentation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html.

Last modified June 19, 2023: Merge pull request #3565 from dapr/aacrawfi/skip-secrets-close (b1763bf)