Dapr Secrets management is a feature that provides a secure and scalable way to manage application secrets, such as API keys, passwords, and tokens. It works with different secret stores across cloud providers and environments, such as Azure Key Vault, AWS Secrets Manager, HashiCorp Vault, or Kubernetes Secrets.
In our example, we'll use a JSON file (not recommended in production!) to store the following secrets:
```json
{
  "httpbindingtoken": "my auth token",
  "ConnectionStrings": {
    "SqlServer": "Server=sqlserver;Database=CustomersDb;User Id=sa;Password=admin12345!;TrustServerCertificate=true",
    "PostgreSQL": "Server=postgres;Port=5432;Database=ProductsDb;User Id=admin;Password=admin12345;",
    "MongoDb": "mongodb://mongo:27017"
  },
  "MongoDb": {
    "DatabaseName": "OrderDb",
    "OrdersCollectionName": "Orders"
  }
}
```
We have two ways to retrieve them:
- declaratively, in the components spec files
- programmatically, using the Dapr APIs
We had a glimpse of the first approach in the previous article, where we configured the Http Output Binding component.
Quick recall:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: httpbinding
spec:
  type: bindings.http
  version: v1
  metadata:
  - name: url
    value: http://echorestbot.azurewebsites.net/microdelivery
  - name: securityToken
    # Resolved from the secret store instead of being written inline
    secretKeyRef:
      name: httpbindingtoken
      key: httpbindingtoken
  - name: securityTokenHeader
    value: "Authorization"
auth:
  secretStore: localsecretstore
```
Here we are configuring some metadata. Notice that for the securityToken item, instead of inserting the value directly, we declare that we want to use the key httpbindingtoken, retrieved from localsecretstore.
localsecretstore is the name of the secret management component, configured as usual in a YAML file:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: localsecretstore
spec:
  type: secretstores.local.file
  version: v1
  metadata:
  - name: secretsFile
    value: components/secrets.json
  - name: nestedSeparator
    value: ":"
```
Here we are basically declaring where we store the secrets (in the file secrets.json) and what is the separator character for nested configuration (colon is the default).
To use it programmatically, we have to add the NuGet package Dapr.Extensions.Configuration to our project and register it with the following lines of code:
```csharp
using Dapr.Client;
using Dapr.Extensions.Configuration;

var builder = WebApplication.CreateBuilder(args);
// Load every secret from the "localsecretstore" component into IConfiguration
builder.Configuration.AddDaprSecretStore(
    "localsecretstore",
    new DaprClientBuilder().Build(),
    new[] { ":" });
```
Once done, we can access our secrets simply by using the standard IConfiguration:
```csharp
public OrdersRepository(IConfiguration configuration)
{
    // The connection string and names below come from the Dapr secret store
    var clientSettings = MongoClientSettings
        .FromConnectionString(configuration
            .GetConnectionString("MongoDb"));
    var client = new MongoClient(clientSettings);
    var database = client
        .GetDatabase(configuration
            .GetValue<string>("MongoDb:DatabaseName"));
    this.orders = database.GetCollection<Order>(configuration
        .GetValue<string>("MongoDb:OrdersCollectionName"));
}
```
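As an added example (not code from the original article or from the Dapr project), here is a simplified Python model of how the local file store flattens secrets.json with nestedSeparator, used to check that the names the HTTP binding and OrdersRepository look up actually resolve. The dummy values and the names REQUIRED_KEYS, flatten and audit are assumptions made for illustration.

```python
import json

# Constructed sample: same structure as the article's secrets.json, dummy values.
SECRETS_JSON = """{
  "httpbindingtoken": "dummy-token",
  "ConnectionStrings": {"SqlServer": "dummy", "PostgreSQL": "dummy",
                        "MongoDb": "mongodb://mongo:27017"},
  "MongoDb": {"DatabaseName": "OrderDb", "OrdersCollectionName": "Orders"}
}"""

# Names the article's binding and OrdersRepository resolve. In .NET,
# GetConnectionString("MongoDb") reads the key "ConnectionStrings:MongoDb".
REQUIRED_KEYS = [
    "httpbindingtoken",
    "ConnectionStrings:MongoDb",
    "MongoDb:DatabaseName",
    "MongoDb:OrdersCollectionName",
]


def flatten(node, separator=":", prefix=""):
    """Model of the store's flattening: nested objects become joined names."""
    flat = {}
    for name, value in node.items():
        key = f"{prefix}{separator}{name}" if prefix else name
        if isinstance(value, dict):
            children = flatten(value, separator, key)
        else:
            children = {key: str(value)}
        for child_key, child_value in children.items():
            if child_key in flat:  # e.g. "A:B" next to {"A": {"B": ...}}
                raise ValueError(f"ambiguous secret name: {child_key}")
            flat[child_key] = child_value
    return flat


def audit(secrets_text, required, separator=":"):
    """Return (sorted flattened names, required names that do not resolve)."""
    flat = flatten(json.loads(secrets_text), separator)
    return sorted(flat), [key for key in required if key not in flat]


if __name__ == "__main__":
    names, missing = audit(SECRETS_JSON, REQUIRED_KEYS)
    print("secret names:", names)  # names only, never the values
    print("unresolved:", missing)
```

Running audit with a different separator shows what happens when nestedSeparator changes but the names requested by the code do not: the nested keys stop resolving.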
That's it!
In the next article, we'll see how to leverage the resiliency feature of Dapr.