The documentation you are viewing is for Dapr v1.7 which is an older version of Dapr. For up-to-date documentation, see the latest version.
HashiCorp Vault
Detailed information on the HashiCorp Vault secret store component
Create the Vault component
To set up the HashiCorp Vault secret store, create a component of type secretstores.hashicorp.vault. See this guide on how to create and apply a secretstore configuration, and this guide on referencing secrets to retrieve and use a secret with Dapr components.
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: vault
  namespace: default
spec:
  type: secretstores.hashicorp.vault
  version: v1
  metadata:
  - name: vaultAddr
    value: "[vault_address]" # Optional. Default: "https://127.0.0.1:8200"
  - name: caCert # Optional. Use only one of caCert, caPath or caPem
    value: "[ca_cert]"
  - name: caPath # Optional. Use only one of caCert, caPath or caPem
    value: "[path_to_ca_cert_file]"
  - name: caPem # Optional. Use only one of caCert, caPath or caPem
    value: "[encoded_ca_cert_pem]"
  - name: skipVerify # Optional. Default: false
    value: "[skip_tls_verification]"
  - name: tlsServerName # Optional.
    value: "[tls_config_server_name]"
  - name: vaultTokenMountPath # Required if vaultToken not provided. Path to token file.
    value: "[path_to_file_containing_token]"
  - name: vaultToken # Required if vaultTokenMountPath not provided. Token value.
    value: "[vault_token]"
  - name: vaultKVPrefix # Optional. Default: "dapr"
    value: "[vault_prefix]"
  - name: vaultKVUsePrefix # Optional. Default: "true"
    value: "[true/false]"
  - name: enginePath # Optional. Default: "secret"
    value: "secret"
  - name: vaultValueType # Optional. Default: "map"
    value: "map"
```
Warning
The above example uses secrets as plain strings. It is recommended to use a local secret store such as the Kubernetes secret store or a local file to bootstrap secure key storage.
Spec metadata fields
Field | Required | Details | Example |
---|---|---|---|
vaultAddr | N | The address of the Vault server. Defaults to "https://127.0.0.1:8200" | "https://127.0.0.1:8200" |
caCert | N | Certificate Authority; use only one of the CA options. The encoded CA certificates to use | "cacerts" |
caPath | N | Certificate Authority; use only one of the CA options. The path to a CA cert file | "path/to/cacert/file" |
caPem | N | Certificate Authority; use only one of the CA options. The encoded CA cert PEM to use | "encodedpem" |
skipVerify | N | Skip TLS verification. Defaults to "false" | "true", "false" |
tlsServerName | N | TLS config server name | "tls-server" |
vaultTokenMountPath | Y | Path to the file containing the token. Required if vaultToken is not provided | "path/to/file" |
vaultToken | Y | Token for authentication within Vault. Required if vaultTokenMountPath is not provided | "tokenValue" |
vaultKVPrefix | N | The prefix in Vault. Defaults to "dapr" | "dapr", "myprefix" |
vaultKVUsePrefix | N | If false, vaultKVPrefix is forced to be empty. If the value is not given or set to true, vaultKVPrefix is used when accessing Vault. Setting it to false is needed to be able to use the BulkGetSecret method of the store. | "true", "false" |
enginePath | N | The engine path in Vault. Defaults to "secret" | "kv", "any" |
vaultValueType | N | Vault value type. map means to parse the value into map[string]string, text means to use the value as a string. Defaults to "map" | "map", "text" |
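The manifest warning above (inline token) and the TLS fields (skipVerify, vaultAddr, the three CA options) are the settings most worth checking before a component is applied. The following linter is an added example, not Dapr's own code: it takes the Python dict a YAML loader would produce from a component manifest and reports risky settings; the component dicts, the hostname and the token string are constructed sample values.

```python
"""Lint a Dapr secretstores.hashicorp.vault component for risky settings.

Added example, not Dapr's own code. The component is the Python dict a YAML
loader would produce from a manifest like the one above (constructed here).
"""
from typing import Dict, List

CA_FIELDS = ("caCert", "caPath", "caPem")


def metadata_map(component: dict) -> Dict[str, str]:
    """Flatten spec.metadata [{name, value}, ...] into a name -> value map."""
    return {str(m["name"]): str(m.get("value", "")) for m in component["spec"]["metadata"]}


def lint_vault_component(component: dict) -> List[str]:
    """Return findings for settings that weaken the Vault connection or expose the token."""
    if component["spec"].get("type") != "secretstores.hashicorp.vault":
        return ["not a secretstores.hashicorp.vault component"]
    md = metadata_map(component)
    findings: List[str] = []
    # Inline token: the value sits in plain text in the manifest (see the warning above).
    if md.get("vaultToken"):
        findings.append("vaultToken is inline; prefer vaultTokenMountPath or a local secret store")
    elif not md.get("vaultTokenMountPath"):
        findings.append("neither vaultToken nor vaultTokenMountPath is set; one is required")
    # skipVerify=true turns off TLS certificate verification towards Vault.
    if md.get("skipVerify", "false").lower() == "true":
        findings.append("skipVerify is true; TLS certificate verification is disabled")
    addr = md.get("vaultAddr", "https://127.0.0.1:8200")
    if not addr.startswith("https://"):
        findings.append(f"vaultAddr {addr!r} is not https")
    # The spec allows only one of the CA options at a time.
    ca_set = [f for f in CA_FIELDS if md.get(f)]
    if len(ca_set) > 1:
        findings.append("use only one of caCert, caPath, caPem; found " + ", ".join(ca_set))
    if md.get("vaultKVUsePrefix", "true").lower() == "false":
        findings.append("vaultKVUsePrefix is false; vaultKVPrefix is ignored and keys are read unprefixed")
    return findings


def vault_component(metadata: Dict[str, str]) -> dict:
    """Build a component dict in the shape of the manifest above (constructed sample)."""
    return {"apiVersion": "dapr.io/v1alpha1", "kind": "Component",
            "metadata": {"name": "vault", "namespace": "default"},
            "spec": {"type": "secretstores.hashicorp.vault", "version": "v1",
                     "metadata": [{"name": k, "value": v} for k, v in metadata.items()]}}


# Constructed samples: WEAK has a plaintext token over http with verification off,
# HARDENED reads the token from a mounted file over TLS with an explicit CA file.
WEAK = vault_component({"vaultAddr": "http://vault.example.internal:8200", "skipVerify": "true",
                        "vaultToken": "s.EXAMPLE_TOKEN_PLACEHOLDER"})
HARDENED = vault_component({"vaultAddr": "https://vault.example.internal:8200", "caPath": "/etc/vault/ca.pem",
                            "vaultTokenMountPath": "/var/run/secrets/vault/token"})

if __name__ == "__main__":
    for name, comp in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_vault_component(comp) or ["ok"])
```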
Set up a HashiCorp Vault instance
Set up HashiCorp Vault using the Vault documentation: https://www.vaultproject.io/docs/install/index.html.
For Kubernetes, you can use the Helm Chart: https://github.com/hashicorp/vault-helm.
Related links
- Secrets building block
- How-To: Retrieve a secret
- How-To: Reference secrets in Dapr components
- Secrets API reference
Last modified February 19, 2022: Add enginePath and vaultValueType for vault (#2174) (f70adde7)