Secrets API reference

Detailed documentation on the secrets API

Get Secret

This endpoint lets you get the value of a secret for a given secret store.

HTTP Request

    GET http://localhost:<daprPort>/v1.0/secrets/<secret-store-name>/<name>

URL Parameters

Parameter | Description
daprPort | the Dapr port
secret-store-name | the name of the secret store to get the secret from
name | the name of the secret to get

Note, all URL parameters are case-sensitive.

Query Parameters

Some secret stores have optional metadata properties. Metadata is passed using query parameters:

    GET http://localhost:<daprPort>/v1.0/secrets/<secret-store-name>/<name>?metadata.version_id=15

GCP Secret Manager

The following optional metadata can be provided to the GCP Secret Manager component:

Query Parameter | Description
metadata.version_id | version for the given secret key

AWS Secret Manager

The following optional metadata can be provided to the AWS Secret Manager component:

Query Parameter | Description
metadata.version_id | version for the given secret key
metadata.version_stage | version stage for the given secret key

HTTP Response

Response Body

If a secret store has support for multiple key-values in a secret, a JSON payload is returned with the key names as fields and their respective values.

In case of a secret store that only has name/value semantics, a JSON payload is returned with the name of the secret as the field and the value of the secret as the value.

See the classification of secret stores that support multiple keys in a secret and name/value semantics.

Response with multiple keys in a secret (e.g. Kubernetes):

    curl http://localhost:3500/v1.0/secrets/kubernetes/db-secret

    {
      "key1": "value1",
      "key2": "value2"
    }

The above example demonstrates a response from a secret store with multiple keys in a secret. Note that the secret name (db-secret) is not returned as part of the result.

Response from a secret store with name/value semantics:

    curl http://localhost:3500/v1.0/secrets/vault/db-secret

    {
      "db-secret": "value1"
    }

The above example demonstrates a response from a secret store with name/value semantics. Compared to the result from a secret store with multiple keys in a secret, this result returns a single key-value pair, with the secret name (db-secret) returned as the key in the key-value pair.

Response Codes

Code | Description
200 | OK
204 | Secret not found
400 | Secret store is missing or misconfigured
403 | Access denied
500 | Failed to get secret or no secret stores defined

Examples

    curl http://localhost:3500/v1.0/secrets/vault/db-secret

    curl "http://localhost:3500/v1.0/secrets/vault/db-secret?metadata.version_id=15&metadata.version_stage=AAA"

Note: when deploying into a namespace other than default, the above query must also include the namespace metadata (e.g. production below):

    curl "http://localhost:3500/v1.0/secrets/vault/db-secret?metadata.version_id=15&metadata.namespace=production"
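
The following Python client is an added example, not part of the Dapr documentation or project code. It builds the Get Secret URL with correctly encoded metadata query parameters, maps the response codes listed above to errors that never contain a secret value, and handles both response shapes. The dapr-api-token header and the DAPR_API_TOKEN environment variable belong to Dapr's API token authentication and are assumed here; all function and class names are hypothetical.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request


class SecretError(Exception):
    """Any non-200 outcome; the message never contains a secret value."""


def build_secret_url(port, store, name, metadata=None):
    """Percent-encode path parts and emit metadata as metadata.<key>=<value>."""
    path = "/v1.0/secrets/{}/{}".format(
        urllib.parse.quote(store, safe=""), urllib.parse.quote(name, safe=""))
    query = urllib.parse.urlencode(
        {"metadata." + k: v for k, v in (metadata or {}).items()})
    return "http://localhost:{}{}{}".format(port, path, "?" + query if query else "")


def interpret_response(status, body, name):
    """Map the documented response codes to a key/value dict or a SecretError."""
    if status == 200:
        return json.loads(body)
    reasons = {204: "secret not found", 400: "secret store missing or misconfigured",
               403: "access denied", 500: "failed to get secret or no stores defined"}
    raise SecretError("{}: HTTP {} ({})".format(name, status, reasons.get(status, "unexpected")))


def single_value(secret, name, key=None):
    """Name/value stores return {name: value}; multi-key stores need an explicit key."""
    if key is not None:
        return secret[key]
    if list(secret) == [name]:
        return secret[name]
    raise SecretError(name + ": multiple keys returned; specify which one to use")


def get_secret(port, store, name, metadata=None):
    """Query the sidecar. Assumption: token is read from DAPR_API_TOKEN when set."""
    req = urllib.request.Request(build_secret_url(port, store, name, metadata))
    token = os.environ.get("DAPR_API_TOKEN")
    if token:
        req.add_header("dapr-api-token", token)  # assumed Dapr API token header
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return interpret_response(resp.status, resp.read(), name)
    except urllib.error.HTTPError as err:
        return interpret_response(err.code, b"", name)
```
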

Get Bulk Secret

This endpoint lets you get all the secrets in a secret store. It’s recommended to use token authentication for Dapr if configuring a secret store.

HTTP Request

    GET http://localhost:<daprPort>/v1.0/secrets/<secret-store-name>/bulk

URL Parameters

Parameter | Description
daprPort | the Dapr port
secret-store-name | the name of the secret store to get the secret from

Note, all URL parameters are case-sensitive.

HTTP Response

Response Body

The returned response is a JSON containing the secrets. The JSON object will contain the secret names as fields and a map of secret keys and values as the field value.

Response with multiple secrets and multiple key / values in a secret (e.g. Kubernetes):

    curl http://localhost:3500/v1.0/secrets/kubernetes/bulk

    {
      "secret1": {
        "key1": "value1",
        "key2": "value2"
      },
      "secret2": {
        "key3": "value3",
        "key4": "value4"
      }
    }

Response Codes

Code | Description
200 | OK
400 | Secret store is missing or misconfigured
403 | Access denied
500 | Failed to get secret or no secret stores defined

Examples

    curl http://localhost:3500/v1.0/secrets/vault/bulk

    {
      "key1": {
        "key1": "value1"
      },
      "key2": {
        "key2": "value2"
      }
    }

Last modified October 11, 2022: Update SecretStore API documentation to account for Features feature. (#2863) (8f08e681)