How To: Retrieve a secret

Use the secret store building block to securely retrieve a secret

This article provides guidance on using Dapr’s secrets API in your code to leverage the secrets store building block. The secrets API allows you to easily retrieve secrets in your application code from a configured secret store.

Set up a secret store

Before retrieving secrets in your application’s code, you must have a secret store component configured. For the purposes of this guide, as an example you will configure a local secret store which uses a local JSON file to store secrets.

Note: The component used in this example is not secured and is not recommended for production deployments. You can find other alternatives here.

Create a file named secrets.json with the following contents:

{
   "my-secret" : "I'm Batman"
}

Create a directory for your components file named components and inside it create a file named localSecretStore.yaml with the following contents:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: my-secrets-store
  namespace: default
spec:
  type: secretstores.local.file
  version: v1
  metadata:
  - name: secretsFile
    value: <PATH TO SECRETS FILE>/mysecrets.json
  - name: nestedSeparator
    value: ":"

Make sure to replace <PATH TO SECRETS FILE> with the path to the JSON file you just created.

To configure a different kind of secret store see the guidance on how to configure a secret store and review supported secret stores to see specific details required for different secret store solutions.

Get a secret

Now run the Dapr sidecar (with no application)

dapr run --app-id my-app --dapr-http-port 3500 --components-path ./components

And now you can get the secret by calling the Dapr sidecar using the secrets API:

curl http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret

For a full API reference, go here.

Calling the secrets API from your code

Once you have a secret store set up, you can call Dapr to get the secrets from your application code. Here are a few examples in different programming languages:

• Go
• Javascript
• Python
• Rust
• C#
• PHP

import (
  "fmt"
  "net/http"
)
func main() {
  url := "http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret"
  res, err := http.Get(url)
  if err != nil {
    panic(err)  
  }
  defer res.Body.Close()
  body, _ := ioutil.ReadAll(res.Body)
  fmt.Println(string(body))
}

require('isomorphic-fetch');
const secretsUrl = `http://localhost:3500/v1.0/secrets`;
fetch(`${secretsUrl}/my-secrets-store/my-secret`)
        .then((response) => {
            if (!response.ok) {
                throw "Could not get secret";
            }
            return response.text();
        }).then((secret) => {
            console.log(secret);
        });

import requests as req
resp = req.get("http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret")
print(resp.text)

#![deny(warnings)]
use std::{thread};
#[tokio::main]
async fn main() -> Result<(), reqwest::Error> {
    let res = reqwest::get("http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret").await?;
    let body = res.text().await?;
    println!("Secret:{}", body);
    thread::park();
    Ok(())
}

var client = new HttpClient();
var response = await client.GetAsync("http://localhost:3500/v1.0/secrets/my-secrets-store/my-secret");
response.EnsureSuccessStatusCode();
string secret = await response.Content.ReadAsStringAsync();
Console.WriteLine(secret);

<?php
require_once __DIR__.'/vendor/autoload.php';
$app = \Dapr\App::create();
$app->run(function(\Dapr\SecretManager $secretManager, \Psr\Log\LoggerInterface $logger) {
    $secret = $secretManager->retrieve(secret_store: 'my-secret-store', name: 'my-secret');
    $logger->alert('got secret: {secret}', ['secret' => $secret]);
});

Related links

• Dapr secrets overview
• Secrets API reference
• Configure a secret store
• Supported secrets
• Using secrets in components
• Secret stores quickstart

Last modified March 18, 2021: Merge pull request #1321 from dapr/aacrawfi/logos (9a399d5)