AWS Secrets Manager
Component format
To set up the AWS Secrets Manager secret store, create a component of type secretstores.aws.secretmanager. See this guide on how to create and apply a secretstore configuration, and this guide on referencing secrets to retrieve and use the secret with Dapr components.
See Authenticating to AWS for information about authentication-related attributes.
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: awssecretmanager
spec:
  type: secretstores.aws.secretmanager
  version: v1
  metadata:
  - name: region
    value: "[aws_region]"
  - name: accessKey
    value: "[aws_access_key]"
  - name: secretKey
    value: "[aws_secret_key]"
  - name: sessionToken
    value: "[aws_session_token]"
  - name: multipleKeyValuesPerSecret
    value: "false"
```
Warning
The above example uses secrets as plain strings. It is recommended to use a local secret store such as the Kubernetes secret store or a local file to bootstrap secure key storage.

Spec metadata fields
| Field | Required | Details | Example |
|---|---|---|---|
| region | Y | The specific AWS region the AWS Secrets Manager instance is deployed in | "us-east-1" |
| accessKey | Y | The AWS Access Key to access this resource | "key" |
| secretKey | Y | The AWS Secret Access Key to access this resource | "secretAccessKey" |
| sessionToken | N | The AWS session token to use | "sessionToken" |
| multipleKeyValuesPerSecret | N | When set to "true", allows multiple key-value pairs to be stored in a single secret. Defaults to "false" | "true" |
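To catch the configuration the warning above cautions against before a component is applied, here is an added example (not part of the Dapr docs or the Dapr project) that checks a component spec, loaded as the dict a YAML parser would produce, for static credentials in the accessKey, secretKey and sessionToken fields. It accepts entries that use secretKeyRef (Dapr's syntax for loading a component field from a secret store) and, when expect_iam_role is set, reports any credential field at all, which is the situation the EKS note below describes. The Kubernetes Secret name aws-credentials and every sample value are constructed for this example.

```python
"""Lint a Dapr Component spec for static AWS credentials.

Added example, not part of the Dapr docs or project. The spec is the dict a
YAML parser produces from the component file; samples are constructed inline.
"""
from __future__ import annotations

CREDENTIAL_FIELDS = ("accessKey", "secretKey", "sessionToken")
AWS_SECRETS_MANAGER = "secretstores.aws.secretmanager"


def credential_findings(component: dict, expect_iam_role: bool = False) -> list[str]:
    """Return findings (empty list = clean). The policy is this script's own, not Dapr's:

    * a credential field carrying a literal `value` sits in plain text in the
      component file and is reported;
    * a credential field using `secretKeyRef` (Dapr's syntax for resolving a
      field from a secret store at load time) is accepted;
    * with expect_iam_role=True (EKS node/pod with an attached IAM policy),
      any credential field at all is reported, since none should be present.
    """
    spec = component.get("spec", {})
    if spec.get("type") != AWS_SECRETS_MANAGER:
        return [f"not an AWS Secrets Manager component: {spec.get('type')!r}"]
    findings: list[str] = []
    for entry in spec.get("metadata", []):
        name = entry.get("name")
        if name not in CREDENTIAL_FIELDS:
            continue
        if expect_iam_role:
            findings.append(f"{name}: present, but IAM role auth is expected; remove it")
        elif "secretKeyRef" in entry:
            continue  # resolved from a secret store when the component loads
        elif "value" in entry:
            findings.append(f"{name}: literal value in component file; use secretKeyRef")
    return findings


def _component(metadata: list[dict], auth: dict | None = None) -> dict:
    """Helper to build a constructed sample component dict."""
    comp = {
        "apiVersion": "dapr.io/v1alpha1",
        "kind": "Component",
        "metadata": {"name": "awssecretmanager"},
        "spec": {"type": AWS_SECRETS_MANAGER, "version": "v1", "metadata": metadata},
    }
    if auth:
        comp["auth"] = auth
    return comp


# Constructed sample: the docs' plain-string form with placeholders filled in
# (the key values are fake, not real AWS credentials).
PLAINTEXT_SPEC = _component([
    {"name": "region", "value": "us-east-1"},
    {"name": "accessKey", "value": "EXAMPLE-ACCESS-KEY-NOT-REAL"},
    {"name": "secretKey", "value": "example-secret-key-not-real"},
])

# Constructed sample: credentials referenced from a Kubernetes Secret named
# aws-credentials (an assumed name) via secretKeyRef, with the Kubernetes
# secret store named as the bootstrap store.
REFERENCED_SPEC = _component([
    {"name": "region", "value": "us-east-1"},
    {"name": "accessKey", "secretKeyRef": {"name": "aws-credentials", "key": "accessKey"}},
    {"name": "secretKey", "secretKeyRef": {"name": "aws-credentials", "key": "secretKey"}},
], auth={"secretStore": "kubernetes"})

# Constructed sample: EKS with an IAM role attached, so only the region is set.
IAM_ROLE_SPEC = _component([{"name": "region", "value": "us-east-1"}])


if __name__ == "__main__":
    for label, spec, iam in (("plaintext", PLAINTEXT_SPEC, False),
                             ("referenced", REFERENCED_SPEC, False),
                             ("iam-role", IAM_ROLE_SPEC, True)):
        found = credential_findings(spec, expect_iam_role=iam)
        print(f"{label}: {'clean' if not found else found}")
```

Run it as a pre-apply check in CI, or import credential_findings and feed it the parsed YAML of each component file; a non-empty list is a reason not to apply the component.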
Important
When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you’re using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you must not provide AWS access-key, secret-key, and tokens in the definition of the component spec you’re using.

Optional per-request metadata properties
The following optional query parameters can be provided when retrieving secrets from this secret store:
| Query Parameter | Description |
|---|---|
| metadata.version_id | Version for the given secret key. |
| metadata.version_stage | Version stage for the given secret key. |
Configure multiple key-values per secret
The multipleKeyValuesPerSecret flag determines whether the secret store presents a single value or multiple key-value pairs per secret.
Single value per secret
If multipleKeyValuesPerSecret is false (default), AWS Secrets Manager returns the secret value as-is. Given a secret named database-credentials with the following JSON content:
```json
{
  "username": "admin",
  "password": "secret123",
  "host": "db.example.com"
}
```
Requesting this secret returns the entire JSON as a single value:
```shell
$ curl http://localhost:3500/v1.0/secrets/awssecretmanager/database-credentials
```

```json
{
  "database-credentials": "{\"username\":\"admin\",\"password\":\"secret123\",\"host\":\"db.example.com\"}"
}
```
Multiple key-value pairs per secret
If multipleKeyValuesPerSecret is true, the secret store parses JSON content stored in AWS Secrets Manager and returns it as multiple key-value pairs.
Requesting the same database-credentials secret from above, the response splits the JSON object into its top-level entries, so each key-value pair can be read directly:
```shell
$ curl http://localhost:3500/v1.0/secrets/awssecretmanager/database-credentials
```

```json
{
  "username": "admin",
  "password": "secret123",
  "host": "db.example.com"
}
```
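The two response shapes above, together with the version query parameters from the previous section, as an added example (not Dapr's own client or SDK code): a small Python client that builds the sidecar URL with the optional metadata.version_id and metadata.version_stage parameters and normalises either response shape into a flat dict, so application code keeps working whether multipleKeyValuesPerSecret is "false" or "true". It assumes the sidecar's default HTTP port 3500 and a store named awssecretmanager; the sample responses are constructed from the database-credentials secret on this page, and the fetch function is injectable so the block runs without a sidecar.

```python
"""Fetch and normalise a secret from the Dapr sidecar secrets API.

Added example, not Dapr's own client code. Assumes the sidecar's default
HTTP port (3500); sample responses are constructed inline.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

DAPR_HTTP = "http://localhost:3500"


def secret_url(store: str, name: str, version_id: Optional[str] = None,
               version_stage: Optional[str] = None, base: str = DAPR_HTTP) -> str:
    """Build the GET URL, adding the per-request metadata as query parameters."""
    params = {}
    if version_id is not None:
        params["metadata.version_id"] = version_id
    if version_stage is not None:
        params["metadata.version_stage"] = version_stage
    url = f"{base}/v1.0/secrets/{urllib.parse.quote(store)}/{urllib.parse.quote(name)}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return url


def http_get(url: str) -> str:
    """Default fetcher: plain GET against the local sidecar."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8")


def normalize_secret(body: str, name: str) -> dict[str, str]:
    """Turn either response shape into a flat {key: value} dict.

    Single-value mode returns {name: <raw string>}. If that string is itself
    a JSON object it is decoded one level; otherwise it stays {name: raw}.
    Multi-key mode already returns the flat map. (A multi-key secret whose
    only key equals the secret name would be decoded the same way; that is
    an accepted ambiguity of this heuristic.)
    """
    payload = json.loads(body)
    if set(payload) == {name} and isinstance(payload[name], str):
        raw = payload[name]
        try:
            decoded = json.loads(raw)
        except json.JSONDecodeError:
            return {name: raw}
        if isinstance(decoded, dict):
            return {k: str(v) for k, v in decoded.items()}
        return {name: raw}
    return {k: str(v) for k, v in payload.items()}


def get_secret(store: str, name: str, version_id: Optional[str] = None,
               version_stage: Optional[str] = None,
               fetch: Callable[[str], str] = http_get) -> dict[str, str]:
    """Fetch a secret through the sidecar and return it normalised."""
    return normalize_secret(fetch(secret_url(store, name, version_id, version_stage)), name)


# Constructed samples mirroring the database-credentials secret on this page.
SECRET_JSON = {"username": "admin", "password": "secret123", "host": "db.example.com"}
SINGLE_VALUE_RESPONSE = json.dumps({"database-credentials": json.dumps(SECRET_JSON)})
MULTI_VALUE_RESPONSE = json.dumps(SECRET_JSON)
PLAIN_STRING_RESPONSE = json.dumps({"api-token": "not-json-at-all"})  # non-JSON secret


if __name__ == "__main__":
    seen = []
    # Offline fetcher: records the URL the client built and returns a sample body.
    def fake_fetch(url: str) -> str:
        seen.append(url)
        return SINGLE_VALUE_RESPONSE

    creds = get_secret("awssecretmanager", "database-credentials",
                       version_stage="AWSCURRENT", fetch=fake_fetch)
    print("requested:", seen[0])
    print("keys:", sorted(creds))
```

Because normalize_secret accepts both shapes, flipping multipleKeyValuesPerSecret on the component does not require a code change in the application; only the sidecar response shape changes.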
Create an AWS Secrets Manager instance
Set up AWS Secrets Manager using the AWS documentation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html.