How To: Retrieve a secret

Use the secret store building block to securely retrieve a secret

This article provides guidance on using Dapr’s secrets API in your code to leverage the secrets store building block. The secrets API allows you to easily retrieve secrets in your application code from a configured secret store.

Set up a secret store

Before retrieving secrets in your application’s code, you must have a secret store component configured. For the purposes of this guide, as an example you will configure a local secret store which uses a local JSON file to store secrets.

Note: The component used in this example is not secured and is not recommended for production deployments. You can find other alternatives here.

Create a file named mysecrets.json with the following contents:

  1. {
  2. "my-secret" : "I'm Batman"
  3. }

Create a directory for your components file named components and inside it create a file named localSecretStore.yaml with the following contents:

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4. name: my-secrets-store
  5. namespace: default
  6. spec:
  7. type: secretstores.local.file
  8. version: v1
  9. metadata:
  10. - name: secretsFile
  11. value: <PATH TO SECRETS FILE>/mysecrets.json
  12. - name: nestedSeparator
  13. value: ":"

Make sure to replace <PATH TO SECRETS FILE> with the path to the JSON file you just created.

Note: the path to the secret store JSON is relative to where you call dapr run from.

To configure a different kind of secret store see the guidance on how to configure a secret store and review supported secret stores to see specific details required for different secret store solutions.

Get a secret

Now run the Dapr sidecar (with no application)

  1. dapr run --app-id my-app --dapr-http-port 3500 --components-path ./components

And now you can get the secret by calling the Dapr sidecar using the secrets API:

  1. curl http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret

For a full API reference, go here.

Calling the secrets API from your code

Once you have a secret store set up, you can call Dapr to get the secrets from your application code. Here are a few examples in different programming languages:

  1. import (
  2. "fmt"
  3. "net/http"
  4. )
  5. func main() {
  6. url := "http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret"
  7. res, err := http.Get(url)
  8. if err != nil {
  9. panic(err)
  10. }
  11. defer res.Body.Close()
  12. body, _ := ioutil.ReadAll(res.Body)
  13. fmt.Println(string(body))
  14. }
  1. require('isomorphic-fetch');
  2. const secretsUrl = `http://localhost:3500/v1.0/secrets`;
  3. fetch(`${secretsUrl}/my-secrets-store/my-secret`)
  4. .then((response) => {
  5. if (!response.ok) {
  6. throw "Could not get secret";
  7. }
  8. return response.text();
  9. }).then((secret) => {
  10. console.log(secret);
  11. });
  1. import requests as req
  2. resp = req.get("http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret")
  3. print(resp.text)
  1. #![deny(warnings)]
  2. use std::{thread};
  3. #[tokio::main]
  4. async fn main() -> Result<(), reqwest::Error> {
  5. let res = reqwest::get("http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret").await?;
  6. let body = res.text().await?;
  7. println!("Secret:{}", body);
  8. thread::park();
  9. Ok(())
  10. }
  1. var client = new HttpClient();
  2. var response = await client.GetAsync("http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret");
  3. response.EnsureSuccessStatusCode();
  4. string secret = await response.Content.ReadAsStringAsync();
  5. Console.WriteLine(secret);
  1. <?php
  2. require_once __DIR__.'/vendor/autoload.php';
  3. $app = \Dapr\App::create();
  4. $app->run(function(\Dapr\SecretManager $secretManager, \Psr\Log\LoggerInterface $logger) {
  5. $secret = $secretManager->retrieve(secret_store: 'my-secret-store', name: 'my-secret');
  6. $logger->alert('got secret: {secret}', ['secret' => $secret]);
  7. });

Last modified August 2, 2021 : Fix Java SDK link (#1695) (2c67fd1)