GCP Secret Manager

Detailed information on the GCP Secret Manager secret store component

This document shows how to enable GCP Secret Manager secret store using [Dapr Secrets Component./../concepts/secrets/README.md) for self hosted and Kubernetes mode.

Setup GCP Secret Manager instance

Setup GCP Secret Manager using the GCP documentation: https://cloud.google.com/secret-manager/docs/quickstart.

Setup Dapr component

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4.   name: gcpsecretmanager
  5.   namespace: default
  6. spec:
  7.   type: secretstores.gcp.secretmanager
  8.   version: v1
  9.   metadata:
  10.   - name: type
  11.     value: service_account
  12.   - name: project_id
  13.     value: project_111
  14.   - name: private_key_id
  15.     value: *************
  16.   - name: client_email
  17.     value: name@domain.com
  18.   - name: client_id
  19.     value: '1111111111111111'
  20.   - name: auth_uri
  21.     value: https://accounts.google.com/o/oauth2/auth
  22.   - name: token_uri
  23.     value: https://oauth2.googleapis.com/token
  24.   - name: auth_provider_x509_cert_url
  25.     value: https://www.googleapis.com/oauth2/v1/certs
  26.   - name: client_x509_cert_url
  27.     value: https://www.googleapis.com/robot/v1/metadata/x509/<project-name>.iam.gserviceaccount.com
  28.   - name: private_key
  29.     value: PRIVATE KEY

Warning

The above example uses secrets as plain strings. It is recommended to use a local secret store such as Kubernetes secret store or a local file to bootstrap secure key storage.

Apply the component

To run locally, create a components dir containing the YAML file and provide the path to the dapr run command with the flag --components-path.

To deploy in Kubernetes, save the file above to gcp_secret_manager.yaml and then run:

  1. kubectl apply -f gcp_secret_manager.yaml

Example

This example shows you how to take the Redis password from the GCP Secret Manager secret store. Here, you created a secret named redisPassword in GCP Secret Manager. Note its important to set it both as the name and key properties.

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4.   name: statestore
  5.   namespace: default
  6. spec:
  7.   type: state.redis
  8.   version: v1
  9.   metadata:
  10.   - name: redisHost
  11.     value: "[redis]:6379"
  12.   - name: redisPassword
  13.     secretKeyRef:
  14.       name: redisPassword
  15.       key: redisPassword
  16. auth:
  17.     secretStore: gcpsecretmanager

Related links

Last modified February 16, 2021: Merge pull request #1235 from dapr/update-v0.11 (b4e9fbb)