
Dapr resource specs

Detailed information and specifications on Dapr resources

1 - Component spec

The basic spec for a Dapr component

Dapr defines and registers components using resource specifications. Every component is defined as a resource and can be applied to any hosting environment where Dapr is running, not just Kubernetes.

Typically, components are restricted to a particular namespace, and access to them is restricted through scopes to a particular set of applications. The namespace is either set explicitly in the component manifest itself, or set by the API server, which derives the namespace from the request context when the component is applied to Kubernetes.

Format

apiVersion: dapr.io/v1alpha1
kind: Component
auth:
  secretstore: <REPLACE-WITH-SECRET-STORE-NAME>
metadata:
  name: <REPLACE-WITH-COMPONENT-NAME>
  namespace: <REPLACE-WITH-COMPONENT-NAMESPACE>
spec:
  type: <REPLACE-WITH-COMPONENT-TYPE>
  version: v1
  initTimeout: <REPLACE-WITH-TIMEOUT-DURATION>
  ignoreErrors: <REPLACE-WITH-BOOLEAN>
  metadata:
  - name: <REPLACE-WITH-METADATA-NAME>
    value: <REPLACE-WITH-METADATA-VALUE>
scopes:
  - <REPLACE-WITH-APPID>
  - <REPLACE-WITH-APPID>

Spec fields

| Field | Required | Details | Example |
|---|---|---|---|
| apiVersion | Y | The version of the Dapr (and Kubernetes if applicable) API you are calling | dapr.io/v1alpha1 |
| kind | Y | The type of resource. For components it must always be Component | Component |
| auth | N | The name of a secret store in which the secretKeyRef entries in the metadata look up the secrets used by the component | See How-to: Reference secrets in components |
| scopes | N | The applications the component is limited to, specified by their app IDs | order-processor, checkout |
| metadata | - | Information about the component registration | |
| metadata.name | Y | The name of the component | prod-statestore |
| metadata.namespace | N | The namespace for the component, for hosting environments with namespaces | myapp-namespace |
| spec | - | Detailed information on the component resource | |
| spec.type | Y | The type of the component | state.redis |
| spec.version | Y | The version of the component | v1 |
| spec.initTimeout | N | The timeout duration for the initialization of the component. Default is 5s | 5m, 1h, 20s |
| spec.ignoreErrors | N | Tells the Dapr sidecar to continue initialization if the component fails to load. Default is false | false |
| spec.metadata | - | A key/value pair of component-specific configuration. See your component definition for fields | |
| spec.metadata.name | Y | The name of the component-specific property and its value | name: secretsFile, value: secrets.json |

Templated metadata values

Metadata values can contain template tags that are resolved on Dapr sidecar startup. The table below shows the current templating tags that can be used in components.

| Tag | Details | Example use case |
|---|---|---|
| {uuid} | Randomly generated UUIDv4 | When you need a unique identifier in self-hosted mode; for example, multiple application instances consuming a shared MQTT subscription |
| {podName} | Name of the pod containing the Dapr sidecar | Use to have a persisted behavior, where the ConsumerID does not change on restart when using StatefulSets in Kubernetes |
| {namespace} | Namespace where the Dapr sidecar resides, combined with its appId | Using a shared clientId when multiple application instances consume a Kafka topic in Kubernetes |
| {appID} | The configured appID of the resource containing the Dapr sidecar | Having a shared clientId when multiple application instances consume a Kafka topic in self-hosted mode |

Below is an example of using the {uuid} tag in an MQTT pubsub component. Note that multiple template tags can be used in a single metadata value.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: messagebus
spec:
  type: pubsub.mqtt3
  version: v1
  metadata:
    - name: consumerID
      value: "{uuid}"
    - name: url
      value: "tcp://admin:public@localhost:1883"
    - name: qos
      value: 1
    - name: retain
      value: "false"
    - name: cleanSession
      value: "false"

2 - Subscription spec

The basic spec for a Dapr subscription

The Subscription Dapr resource allows you to subscribe declaratively to a topic using an external component YAML file.

This guide demonstrates two subscription API versions:

  • v2alpha1 (default spec)
  • v1alpha1 (deprecated)

v2alpha1 format

The following is the basic v2alpha1 spec for a Subscription resource. v2alpha1 is the default spec for the subscription API.

apiVersion: dapr.io/v2alpha1
kind: Subscription
metadata:
  name: <REPLACE-WITH-NAME>
spec:
  topic: <REPLACE-WITH-TOPIC-NAME> # Required
  routes: # Required
    rules:
      - match: <REPLACE-WITH-CEL-FILTER>
        path: <REPLACE-WITH-PATH>
  pubsubname: <REPLACE-WITH-PUBSUB-NAME> # Required
  deadLetterTopic: <REPLACE-WITH-DEADLETTERTOPIC-NAME> # Optional
  bulkSubscribe: # Optional
    enabled: <REPLACE-WITH-BOOLEAN-VALUE>
    maxMessagesCount: <REPLACE-WITH-VALUE>
    maxAwaitDurationMs: <REPLACE-WITH-VALUE>
  metadata: <REPLACE-WITH-METADATA-OBJECT> # Optional
scopes:
- <REPLACE-WITH-SCOPED-APPIDS>

Spec fields

| Field | Required | Details | Example |
|---|---|---|---|
| topic | Y | The name of the topic to which your component subscribes. | orders |
| routes | Y | The routes configuration for this topic, including the condition for sending a message to a specific path. Includes the following fields: match, the CEL expression used to match the event (if not specified, the route is considered the default); path, the path for events that match this rule, i.e. the endpoint to which the topic messages are sent. | match: event.type == "widget", path: /widgets |
| pubsubname | N | The name of your pub/sub component. | pubsub |
| deadLetterTopic | N | The name of the dead letter topic that forwards undeliverable messages. | poisonMessages |
| bulkSubscribe | N | Enable bulk subscribe properties. | true, false |
| metadata | N | Set subscribe metadata. | {"key": "value"} |

v1alpha1 format

The following is the basic version v1alpha1 spec for a Subscription resource. v1alpha1 is now deprecated.

apiVersion: dapr.io/v1alpha1
kind: Subscription
metadata:
  name: <REPLACE-WITH-RESOURCE-NAME>
spec:
  topic: <REPLACE-WITH-TOPIC-NAME> # Required
  route: <REPLACE-WITH-ROUTE-NAME> # Required
  pubsubname: <REPLACE-WITH-PUBSUB-NAME> # Required
  deadLetterTopic: <REPLACE-WITH-DEAD-LETTER-TOPIC-NAME> # Optional
  metadata: <REPLACE-WITH-METADATA-OBJECT> # Optional
  bulkSubscribe: # Optional
    enabled: <REPLACE-WITH-BOOLEAN-VALUE>
    maxMessagesCount: <REPLACE-WITH-VALUE>
    maxAwaitDurationMs: <REPLACE-WITH-VALUE>
scopes:
- <REPLACE-WITH-SCOPED-APPIDS>

Spec fields

| Field | Required | Details | Example |
|---|---|---|---|
| topic | Y | The name of the topic to which your component subscribes. | orders |
| route | Y | The endpoint to which all topic messages are sent. | /checkout |
| pubsubname | N | The name of your pub/sub component. | pubsub |
| deadlettertopic | N | The name of the dead letter topic that forwards undeliverable messages. | poisonMessages |
| metadata | N | Set subscribe metadata. | {"key": "value"} |
| bulksubscribe | N | Enable bulk subscribe properties. | true, false |

3 - Resiliency spec

The basic spec for a Dapr resiliency resource

The Resiliency Dapr resource allows you to define and apply fault tolerance resiliency policies. Resiliency specs are applied when the Dapr sidecar starts.

Format

apiVersion: dapr.io/v1alpha1
kind: Resiliency
metadata:
  name: <REPLACE-WITH-RESOURCE-NAME>
version: v1alpha1
scopes:
  - <REPLACE-WITH-SCOPED-APPIDS>
spec:
  policies: # Required
    timeouts:
      timeoutName: <REPLACE-WITH-TIME-VALUE> # Replace with any unique name
    retries:
      retryName: # Replace with any unique name
        policy: <REPLACE-WITH-VALUE>
        duration: <REPLACE-WITH-VALUE>
        maxInterval: <REPLACE-WITH-VALUE>
        maxRetries: <REPLACE-WITH-VALUE>
        matching:
          httpStatusCodes: <REPLACE-WITH-VALUE>
          gRPCStatusCodes: <REPLACE-WITH-VALUE>
    circuitBreakers:
      circuitBreakerName: # Replace with any unique name
        maxRequests: <REPLACE-WITH-VALUE>
        timeout: <REPLACE-WITH-VALUE> 
        trip: <REPLACE-WITH-CONSECUTIVE-FAILURE-VALUE>
  targets: # Required
    apps:
      appID: # Replace with scoped app ID
        timeout: <REPLACE-WITH-TIMEOUT-NAME>
        retry: <REPLACE-WITH-RETRY-NAME>
        circuitBreaker: <REPLACE-WITH-CIRCUIT-BREAKER-NAME>
    actors:
      myActorType: 
        timeout: <REPLACE-WITH-TIMEOUT-NAME>
        retry: <REPLACE-WITH-RETRY-NAME>
        circuitBreaker: <REPLACE-WITH-CIRCUIT-BREAKER-NAME>
        circuitBreakerCacheSize: <REPLACE-WITH-VALUE>
    components:
      componentName: # Replace with your component name
        outbound:
          timeout: <REPLACE-WITH-TIMEOUT-NAME>
          retry: <REPLACE-WITH-RETRY-NAME>
          circuitBreaker: <REPLACE-WITH-CIRCUIT-BREAKER-NAME>

Spec fields

| Field | Required | Details | Example |
|---|---|---|---|
| policies | Y | The configuration of resiliency policies, including timeouts, retries, and circuitBreakers. See more examples with all of the built-in policies. | timeout: general, retry: retryForever, circuit breaker: simpleCB |
| targets | Y | The configuration for the applications, actors, or components that use the resiliency policies. See more examples in the resiliency targets guide. | apps, components, actors |

Learn more about resiliency policies and targets

4 - MCPServer spec

The basic spec for a Dapr MCPServer resource

The MCPServer is a Dapr resource that declares a connection to an MCP (Model Context Protocol) server. Dapr loads these at startup, discovers the server’s tools, and registers built-in durable workflow orchestrations for each one: dapr.internal.mcp.<server>.ListTools for tool discovery and dapr.internal.mcp.<server>.CallTool.<tool> per discovered tool for durable tool execution. Callers invoke them through the standard Dapr Workflow API.

Format

Exactly one of streamableHTTP, sse, or stdio must be set under endpoint.

Streamable HTTP transport

apiVersion: dapr.io/v1alpha1
kind: MCPServer
metadata:
  name: <NAME>
spec:
  ignoreErrors: <REPLACE-WITH-BOOL> # Optional. When true, daprd keeps running if this MCPServer fails to load.
  endpoint:
    streamableHTTP:
      url: <REPLACE-WITH-URL> # Required. The endpoint URL of the MCP server.
      protocolVersion: <REPLACE-WITH-VERSION> # Optional. MCP spec version (e.g. "2025-06-18").
      timeout: <REPLACE-WITH-TIMEOUT> # Optional. Per-call deadline (e.g. "30s").
      headers: # Optional
        - name: <REPLACE-WITH-HEADER-NAME>
          value: <REPLACE-WITH-HEADER-VALUE>
        - name: <REPLACE-WITH-HEADER-NAME>
          secretKeyRef:
            name: <REPLACE-WITH-SECRET-NAME>
            key: <REPLACE-WITH-SECRET-KEY>
      auth: # Optional
        secretStore: <REPLACE-WITH-SECRETSTORE>
        oauth2:
          issuer: <REPLACE-WITH-TOKEN-ENDPOINT>
          clientID: <REPLACE-WITH-CLIENT-ID> # Optional. OAuth2 client identifier.
          audience: <REPLACE-WITH-AUDIENCE>
          scopes:
            - <REPLACE-WITH-SCOPE>
          secretKeyRef:
            name: <REPLACE-WITH-SECRET-NAME>
            key: <REPLACE-WITH-SECRET-KEY>
        spiffe:
          jwt:
            header: <REPLACE-WITH-HEADER-NAME>
            headerValuePrefix: <REPLACE-WITH-PREFIX>
            audience: <REPLACE-WITH-AUDIENCE>
  middleware: # Optional
    beforeCallTool:
      - workflow:
          workflowName: <REPLACE-WITH-WORKFLOW-NAME>
          appID: <REPLACE-WITH-APP-ID> # Optional. Remote app.
        mutate: <REPLACE-WITH-BOOL> # Optional. When true, hook return value replaces the arguments.
    afterCallTool:
      - workflow:
          workflowName: <REPLACE-WITH-WORKFLOW-NAME>
        mutate: <REPLACE-WITH-BOOL> # Optional. When true, hook return value replaces the result.
    beforeListTools:
      - workflow:
          workflowName: <REPLACE-WITH-WORKFLOW-NAME>
    afterListTools:
      - workflow:
          workflowName: <REPLACE-WITH-WORKFLOW-NAME>
        mutate: <REPLACE-WITH-BOOL> # Optional. When true, hook return value replaces the result.
  catalog: # Optional. Informational only.
    displayName: <REPLACE-WITH-DISPLAY-NAME>
    description: <REPLACE-WITH-DESCRIPTION>
    owner:
      team: <REPLACE-WITH-TEAM>
      contact: <REPLACE-WITH-CONTACT>
    tags:
      - <REPLACE-WITH-TAG>
    links:
      docs: <REPLACE-WITH-URL>
scopes: # Optional
  - <REPLACE-WITH-SCOPED-APPIDS>

SSE transport

apiVersion: dapr.io/v1alpha1
kind: MCPServer
metadata:
  name: <NAME>
spec:
  endpoint:
    sse:
      url: <REPLACE-WITH-URL>
      protocolVersion: <REPLACE-WITH-VERSION> # Optional
      timeout: <REPLACE-WITH-TIMEOUT> # Optional
      headers: # Optional. Same format as streamableHTTP.
        - name: <REPLACE-WITH-HEADER-NAME>
          value: <REPLACE-WITH-HEADER-VALUE>
      auth: # Optional. Same format as streamableHTTP.
        secretStore: <REPLACE-WITH-SECRETSTORE>

Stdio transport

This is not supported in Kubernetes-hosted modes.

apiVersion: dapr.io/v1alpha1
kind: MCPServer
metadata:
  name: <NAME>
spec:
  endpoint:
    stdio:
      command: <REPLACE-WITH-COMMAND> # Required.
      args: # Optional
        - <REPLACE-WITH-ARG>
      env: # Optional
        - name: <REPLACE-WITH-ENV-NAME>
          value: <REPLACE-WITH-ENV-VALUE>
        - name: <REPLACE-WITH-ENV-NAME>
          secretKeyRef:
            name: <REPLACE-WITH-SECRET-NAME>
            key: <REPLACE-WITH-SECRET-KEY>

Spec fields

Top-level

| Field | Required | Details | Example |
|---|---|---|---|
| ignoreErrors | N | When true, daprd keeps running if this MCPServer fails validation or secret resolution. When false (default), such failures cause daprd to exit gracefully. | true |
| endpoint | Y | The transport and target of the MCP server. See Endpoint below. | |
| middleware | N | Optional workflow hooks invoked around tool and list operations. See Middleware fields below. | |
| catalog | N | Informational governance metadata. See Catalog fields below. | |

Endpoint

| Field | Required | Details | Example |
|---|---|---|---|
| endpoint.streamableHTTP | N* | Configuration for the streamable HTTP transport. | See format above |
| endpoint.sse | N* | Configuration for the legacy SSE transport. | See format above |
| endpoint.stdio | N* | Configuration for the stdio subprocess transport. | See format above |

* Exactly one of streamableHTTP, sse, or stdio must be set.

Streamable HTTP / SSE fields

| Field | Required | Details | Example |
|---|---|---|---|
| url | Y | The endpoint URL of the MCP server. | "https://mcp.example.com/" |
| protocolVersion | N | MCP spec version in date format. When unset, the SDK negotiates automatically. | "2025-06-18" |
| timeout | N | Per-call deadline for MCP requests. | "30s" |
| headers | N | HTTP headers injected on all outbound requests. Supports value, secretKeyRef, and envRef. | name: "Authorization", secretKeyRef.name: "my-secret", secretKeyRef.key: "token" |
| auth | N | Authentication configuration. See auth fields below. | |

Auth fields

| Field | Required | Details | Example |
|---|---|---|---|
| auth.secretStore | N | Dapr secret store for resolving secretKeyRef entries in headers. Defaults to "kubernetes". | "my-secret-store" |
| auth.oauth2.issuer | Y (if oauth2) | Token endpoint of the authorization server. | "https://auth.example.com/token" |
| auth.oauth2.clientID | N | OAuth2 client identifier sent to the token endpoint. Required by RFC 6749 for the standard client_credentials flow; may be left empty for non-standard flows. | "my-client-id" |
| auth.oauth2.audience | N | Audience claim for the token request. | "mcp://payments" |
| auth.oauth2.scopes | N | Scopes requested in the token. | ["read", "write"] |
| auth.oauth2.secretKeyRef | N | Reference to the client secret in the secret store. | name: "oauth-secret", key: "clientSecret" |
| auth.spiffe.jwt.header | Y (if spiffe) | HTTP header name to inject the JWT into. | "Authorization" |
| auth.spiffe.jwt.headerValuePrefix | N | String prepended to the JWT value. | "Bearer " |
| auth.spiffe.jwt.audience | Y (if spiffe) | Intended audience for the JWT. | "mcp://payments" |

Stdio fields

| Field | Required | Details | Example |
|---|---|---|---|
| stdio.command | Y | The executable to run. | "npx" |
| stdio.args | N | Command-line arguments. | ["-y", "@modelcontextprotocol/server-filesystem"] |
| stdio.env | N | Environment variables for the subprocess. Supports value, secretKeyRef, and envRef. | name: "API_KEY", value: "secret" |

Middleware fields

Middleware hooks are executed in array order. Error behavior differs by hook type:

  • beforeCallTool errors abort the chain; the workflow completes with CallToolResult{isError: true} so the caller can self-correct.
  • beforeListTools errors abort the chain and the error is returned.
  • afterCallTool errors fail the workflow — these hooks can act as authorization gates that block the response.
  • afterListTools errors are logged but do not affect the result.

| Field | Required | Details | Example |
|---|---|---|---|
| middleware.beforeCallTool | N | Hooks invoked before each CallTool. | See format above |
| middleware.afterCallTool | N | Hooks invoked after each CallTool. | See format above |
| middleware.beforeListTools | N | Hooks invoked before each ListTools. | See format above |
| middleware.afterListTools | N | Hooks invoked after each ListTools. | See format above |

Each hook entry:

| Field | Required | Details | Example |
|---|---|---|---|
| workflow.workflowName | Y | Name of the workflow to invoke. | "rbac-check" |
| workflow.appID | N | Target a remote Dapr app. When unset, runs locally. | "auth-service" |
| mutate | N | When true, the hook’s return value replaces the data flowing through the pipeline (arguments for beforeCallTool; result for afterCallTool and afterListTools). When false (default), the hook is observe-only. Not supported on beforeListTools. | true |
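The hook ordering, mutate and per-hook-type error semantics described above, as an added example that is not Dapr's own code: each Hook.workflow is a plain Python callable standing in for the workflow named by workflow.workflowName, and the tool, hooks and tool list are constructed sample data.

```python
"""Hook pipeline modelling the MCPServer middleware error semantics listed above.
Added example, not Dapr's implementation; hooks and tool are constructed stand-ins."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

class HookError(Exception):
    """Raised by a hook workflow to signal failure (for example a denied RBAC check)."""

@dataclass
class Hook:
    workflow: Callable[[Any], Any]  # stands in for workflow.workflowName (+ optional appID)
    mutate: bool = False            # when true, the return value replaces the data

@dataclass
class CallToolResult:
    content: Any
    is_error: bool = False

LOG: List[str] = []  # afterListTools failures are only logged

def _run_chain(hooks: List[Hook], data: Any, mutate_allowed: bool = True) -> Any:
    """Run hooks in array order; a HookError propagates to the caller, which applies
    the per-hook-type policy. A mutating hook's return value replaces `data`."""
    for hook in hooks:
        out = hook.workflow(data)
        if hook.mutate and mutate_allowed:
            data = out
    return data

def call_tool(middleware: Dict[str, List[Hook]], tool: Callable[[dict], Any],
              arguments: dict) -> CallToolResult:
    try:
        arguments = _run_chain(middleware.get("beforeCallTool", []), arguments)
    except HookError as exc:
        # beforeCallTool errors abort the chain; the workflow completes with
        # CallToolResult{isError: true} so the caller can self-correct.
        return CallToolResult(content=str(exc), is_error=True)
    result = CallToolResult(content=tool(arguments))
    # afterCallTool errors fail the workflow, so HookError propagates from here:
    # these hooks act as authorization gates that can block the response.
    return _run_chain(middleware.get("afterCallTool", []), result)

def list_tools(middleware: Dict[str, List[Hook]], tools: List[str]) -> List[str]:
    # beforeListTools errors abort the chain and the error is returned (raised
    # here); mutate is not supported, so hook return values are ignored.
    _run_chain(middleware.get("beforeListTools", []), tools, mutate_allowed=False)
    result = list(tools)
    for hook in middleware.get("afterListTools", []):
        try:
            out = hook.workflow(result)
            if hook.mutate:
                result = out
        except HookError as exc:
            # afterListTools errors are logged but do not affect the result
            # (this model keeps running the remaining hooks; an assumption).
            LOG.append(f"afterListTools hook failed: {exc}")
    return result

# Constructed sample hooks and tool (not from the page).
def rbac_check(arguments: dict) -> dict:
    """beforeCallTool gate: only callers with role 'admin' may proceed."""
    if arguments.get("role") != "admin":
        raise HookError("rbac-check: role not permitted to call this tool")
    return arguments

def strip_role(arguments: dict) -> dict:
    """Mutating beforeCallTool hook: the tool never sees the caller's role."""
    return {k: v for k, v in arguments.items() if k != "role"}

def redact_result(result: CallToolResult) -> CallToolResult:
    """Mutating afterCallTool hook: mask card data before it reaches the caller."""
    return CallToolResult({**result.content, "card": "****"}, result.is_error)

def charge_tool(arguments: dict) -> dict:
    """Stand-in for an MCP tool: echoes its arguments plus a fake card number."""
    return {"charged": arguments.get("amount"), "card": "4111-1111", "args": arguments}
```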

Catalog fields

Catalog fields are purely informational and have no effect on runtime behavior.

| Field | Required | Details | Example |
|---|---|---|---|
| catalog.displayName | N | Human-readable display name. | "Payments MCP" |
| catalog.description | N | Description of the MCP server. | "Payment processing tools" |
| catalog.owner.team | N | Team responsible for the MCP server. | "platform-team" |
| catalog.owner.contact | N | Contact information. | "platform@example.com" |
| catalog.tags | N | Tags for categorization. | ["payments", "production"] |
| catalog.links | N | Named URLs (docs, runbook, dashboard). | docs: "https://..." |

5 - HTTPEndpoint spec

The basic spec for a Dapr HTTPEndpoint resource

The HTTPEndpoint is a Dapr resource that is used to enable the invocation of non-Dapr endpoints from a Dapr application.

Format

apiVersion: dapr.io/v1alpha1
kind: HTTPEndpoint
metadata:
  name: <NAME>  
spec:
  baseUrl: <REPLACE-WITH-BASEURL> # Required. Use "http://" or "https://" prefix.
  headers: # Optional
  - name: <REPLACE-WITH-A-HEADER-NAME>
    value: <REPLACE-WITH-A-HEADER-VALUE>
  - name: <REPLACE-WITH-A-HEADER-NAME>
    secretKeyRef:
      name: <REPLACE-WITH-SECRET-NAME>
      key: <REPLACE-WITH-SECRET-KEY>
  clientTLS:
    rootCA:
      secretKeyRef:
        name: <REPLACE-WITH-SECRET-NAME>
        key: <REPLACE-WITH-SECRET-KEY>
    certificate:
      secretKeyRef:
        name: <REPLACE-WITH-SECRET-NAME>
        key: <REPLACE-WITH-SECRET-KEY>
    privateKey:
      secretKeyRef:
        name: <REPLACE-WITH-SECRET-NAME>
        key: <REPLACE-WITH-SECRET-KEY>
scopes: # Optional
  - <REPLACE-WITH-SCOPED-APPIDS>
auth: # Optional
  secretStore: <REPLACE-WITH-SECRETSTORE>

Spec fields

| Field | Required | Details | Example |
|---|---|---|---|
| baseUrl | Y | Base URL of the non-Dapr endpoint | "https://api.github.com", "http://api.github.com" |
| headers | N | HTTP request headers for service invocation | name: "Accept-Language", value: "en-US"; name: "Authorization", secretKeyRef.name: "my-secret", secretKeyRef.key: "myGithubToken" |
| clientTLS | N | Enables TLS authentication to an endpoint with any standard combination of root certificate, client certificate and private key | |

Learn how to invoke non-Dapr endpoints.

6 - Configuration spec

The basic spec for a Dapr Configuration resource

The Configuration is a Dapr resource that is used to configure the Dapr sidecar, control plane, and others.

Sidecar format

apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: <REPLACE-WITH-NAME>
  namespace: <REPLACE-WITH-NAMESPACE>
spec:
  api:
    allowed:
      - name: <REPLACE-WITH-API>
        version: <VERSION>
        protocol: <HTTP-OR-GRPC>
  tracing:
    samplingRate: <REPLACE-WITH-INTEGER>
    stdout: true
    otel:
      endpointAddress: <REPLACE-WITH-ENDPOINT-ADDRESS>
      isSecure: <TRUE-OR-FALSE>
      protocol: <HTTP-OR-GRPC>
      headers:
        - name: <HEADER-NAME>
          value: <HEADER-VALUE>
        - name: <HEADER-NAME>
          secretKeyRef:
            name: <SECRET-STORE-NAME>
            key: <SECRET-KEY>
      timeout: <DURATION>
  metrics:
    enabled: <TRUE-OR-FALSE>
    rules:
      - name: <METRIC-NAME>
        labels:
          - name: <LABEL-NAME>
            regex: {}
    recordErrorCodes: <TRUE-OR-FALSE>
    latencyDistributionBuckets:
      - <BUCKET-VALUE-MS-0>
      - <BUCKET-VALUE-MS-1>
    http:
      increasedCardinality: <TRUE-OR-FALSE>
      pathMatching: 
        - <PATH-A>
        - <PATH-B>
      excludeVerbs: <TRUE-OR-FALSE>
  httpPipeline: # for incoming http calls
    handlers:
      - name: <HANDLER-NAME>
        type: <HANDLER-TYPE>
  appHttpPipeline: # for outgoing http calls
    handlers:
      - name: <HANDLER-NAME>
        type: <HANDLER-TYPE>
  nameResolution:
    component: <NAME-OF-NAME-RESOLUTION-COMPONENT>
    version: <NAME-RESOLUTION-COMPONENT-VERSION>
    configuration:
     <NAME-RESOLUTION-COMPONENT-METADATA-CONFIGURATION>
  secrets:
    scopes:
      - storeName: <NAME-OF-SCOPED-STORE>
        defaultAccess: <ALLOW-OR-DENY>
        deniedSecrets: <REPLACE-WITH-DENIED-SECRET>
  components:
    deny:
      - <COMPONENT-TO-DENY>
  features:
    - name: <FEATURE-NAME>
      enabled: <TRUE-OR-FALSE>
  accessControl:
    defaultAction: <ALLOW-OR-DENY>
    trustDomain: <REPLACE-WITH-TRUST-DOMAIN>
    policies:
      - appId: <APP-NAME>
        defaultAction: <ALLOW-OR-DENY>
        trustDomain: <REPLACE-WITH-TRUST-DOMAIN>
        namespace: "default"
        operations:
          - name: <OPERATION-NAME>
            httpVerb: ['POST', 'GET']
            action: <ALLOW-OR-DENY>

Spec fields

| Field | Required | Details | Example |
|---|---|---|---|
| accessControl | N | Applied to the Dapr sidecar of the called application. Enables the configuration of policies that restrict what operations calling applications can perform (via service invocation) on the called application. | Learn more about the accessControl configuration. |
| api | N | Used to enable only the Dapr sidecar APIs used by the application. | Learn more about the api configuration. |
| httpPipeline | N | Configure API middleware pipelines | Middleware pipeline configuration overview. Learn more about the httpPipeline configuration. |
| appHttpPipeline | N | Configure application middleware pipelines | Middleware pipeline configuration overview. Learn more about the appHttpPipeline configuration. |
| components | N | Used to specify a denylist of component types that can’t be initialized. | Learn more about the components configuration. |
| features | N | Enables or disables Dapr features, including preview features and on-by-default features such as HotReload. | Learn more about the features configuration. |
| logging | N | Configure how logging works in the Dapr runtime. | Learn more about the logging configuration. |
| metrics | N | Enable or disable metrics for an application. | Learn more about the metrics configuration. |
| nameResolution | N | Name resolution configuration spec for the service invocation building block. | Learn more about the nameResolution configuration per component. |
| secrets | N | Limit the secrets to which your Dapr application has access. | Learn more about the secrets configuration. |
| tracing | N | Turns on tracing for an application. | Learn more about the tracing configuration. |

Control plane format

The daprsystem configuration file installed with Dapr applies global settings and is only set up when Dapr is deployed to Kubernetes.

apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: daprsystem
  namespace: default
spec:
  mtls:
    enabled: true
    allowedClockSkew: 15m
    workloadCertTTL: 24h

Spec fields

| Field | Required | Details | Example |
|---|---|---|---|
| mtls | N | Defines the mTLS configuration | allowedClockSkew: 15m, workloadCertTTL: 24h. Learn more about the mtls configuration. |

7 - WorkflowAccessPolicy spec

The basic spec for a Dapr WorkflowAccessPolicy resource

The WorkflowAccessPolicy is a Dapr resource that controls which applications can schedule workflows and activities cross-app on a target application. Policies are a pure allow-list: a call is permitted if any loaded rule matches.

Format

apiVersion: dapr.io/v1alpha1
kind: WorkflowAccessPolicy
metadata:
  name: <REPLACE-WITH-NAME>
  namespace: <NAMESPACE>
scopes:
  - <TARGET-APP-ID>
spec:
  rules:
    - callers:
        - appID: <CALLER-APP-ID>
      workflows:
        - name: <WORKFLOW-NAME-OR-GLOB-PATTERN>
          operations: [schedule]
      activities:
        - name: <ACTIVITY-NAME-OR-GLOB-PATTERN>

Spec fields

Fields are listed in the order they appear in the YAML document.

| Field | Required | Type | Description | Example |
|---|---|---|---|---|
| scopes | N | list | Target App IDs that this policy applies to. If omitted or empty, the policy applies to all applications. The policy is enforced on the callee (target) side. | ["order-service"] |
| rules | N | list | Allow-list of rules. A call is permitted if any rule matches. If rules is omitted or empty while policies are loaded, all cross-app calls are denied. | See below |
| rules[].callers | Y | list | List of caller objects that this rule applies to. Must contain at least one entry. | See below |
| rules[].callers[].appID | Y | string | The Dapr App ID of the calling application. The caller must be in the same namespace as the target; cross-namespace workflow calls are always denied and are not supported. | frontend-app |
| rules[].workflows | N* | list | Workflow rules granted to the matched callers. | See below |
| rules[].workflows[].name | Y | string | Exact name or glob pattern of the workflow. Supports *, ?, and [abc] character classes. | OrderWF, Report* |
| rules[].workflows[].operations | Y | list | Set to [schedule]. The CRD also accepts terminate, raise, pause, resume, purge, get, rerun for forward compatibility; these have no effect today because the matching public workflow APIs do not route cross-app. | [schedule] |
| rules[].activities | N* | list | Activity rules granted to the matched callers. Activities only support scheduling, so there is no operations field. | See below |
| rules[].activities[].name | Y | string | Exact name or glob pattern of the activity. | ChargePayment, Refund* |

* At least one of workflows or activities must be present in each rule.

Example

The policy below applies to the order-service application. It grants frontend-app and api-gateway permission to schedule OrderWF, CheckoutWF, and the ProcessPayment activity. A second rule grants admin-app permission to schedule any workflow or activity on order-service.

apiVersion: dapr.io/v1alpha1
kind: WorkflowAccessPolicy
metadata:
  name: order-processing-policy
  namespace: production
scopes:
  - order-service
spec:
  rules:
    - callers:
        - appID: frontend-app
        - appID: api-gateway
      workflows:
        - name: OrderWF
          operations: [schedule]
        - name: CheckoutWF
          operations: [schedule]
      activities:
        - name: ProcessPayment
    - callers:
        - appID: admin-app
      workflows:
        - name: "*"
          operations: [schedule]
      activities:
        - name: "*"
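The allow-list semantics from the field table, applied to the order-processing-policy above, as an added example that is not Dapr's own enforcement code: ORDER_POLICY is a constructed Python dict mirroring the YAML on this page (so no YAML parser is needed), the CrossAppCall type and the caller namespaces are assumptions of the example, and glob matching uses Python's fnmatchcase for the *, ? and [abc] forms the table lists.

```python
"""Allow-list evaluator modelling the WorkflowAccessPolicy semantics above.
Added example, not Dapr's implementation; ORDER_POLICY mirrors the page's YAML."""
from dataclasses import dataclass
from fnmatch import fnmatchcase  # case-sensitive glob: *, ? and [abc] classes
from typing import Iterable

ORDER_POLICY = {
    "metadata": {"name": "order-processing-policy", "namespace": "production"},
    "scopes": ["order-service"],
    "spec": {"rules": [
        {"callers": [{"appID": "frontend-app"}, {"appID": "api-gateway"}],
         "workflows": [{"name": "OrderWF", "operations": ["schedule"]},
                       {"name": "CheckoutWF", "operations": ["schedule"]}],
         "activities": [{"name": "ProcessPayment"}]},
        {"callers": [{"appID": "admin-app"}],
         "workflows": [{"name": "*", "operations": ["schedule"]}],
         "activities": [{"name": "*"}]},
    ]},
}

@dataclass(frozen=True)
class CrossAppCall:
    """One cross-app scheduling request as seen by the callee (constructed type)."""
    caller_app: str
    caller_ns: str
    target_app: str
    target_ns: str
    kind: str              # "workflow" or "activity"
    name: str
    operation: str = "schedule"

def policy_targets(policy: dict, target_app: str) -> bool:
    """Omitted or empty scopes means the policy applies to every application."""
    scopes = policy.get("scopes") or []
    return not scopes or target_app in scopes

def rule_matches(rule: dict, call: CrossAppCall) -> bool:
    """A rule matches when the caller is listed and a workflow/activity entry fits."""
    if not any(c.get("appID") == call.caller_app for c in rule.get("callers", [])):
        return False
    if call.kind == "workflow":
        # The operation must be listed; only schedule routes cross-app today.
        return any(fnmatchcase(call.name, wf["name"])
                   and call.operation in wf.get("operations", [])
                   for wf in rule.get("workflows", []))
    if call.kind == "activity":
        # Activities only support scheduling, so there is no operations field.
        return call.operation == "schedule" and any(
            fnmatchcase(call.name, act["name"]) for act in rule.get("activities", []))
    return False

def is_allowed(policies: Iterable[dict], call: CrossAppCall) -> bool:
    """Callee-side check: the call is permitted only if some loaded rule matches."""
    if call.caller_ns != call.target_ns:
        return False  # cross-namespace workflow calls are always denied
    for policy in policies:
        if not policy_targets(policy, call.target_app):
            continue
        # rules omitted or empty while policies are loaded: nothing can match.
        for rule in policy.get("spec", {}).get("rules") or []:
            if rule_matches(rule, call):
                return True
    # Assumption of this example: the page defines behaviour only once policies
    # are loaded, so a target with no applicable policy is also denied here.
    return False
```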