The documentation you are viewing is for Dapr v0.11 which is an older version of Dapr. For up-to-date documentation, see the latest version.
Azure Key Vault secret store
Note
Azure Managed Identity can be used for Azure Key Vault access on Kubernetes. Instructions here.Prerequisites
Setup Key Vault and service principal
-
Login to Azure and set the default subscription
# Log in Azure az login # Set your subscription to the default subscription az account set -s [your subscription id]
-
Create an Azure Key Vault in a region
az keyvault create --location [region] --name [your_keyvault] --resource-group [your resource group]
-
Create a service principal
Create a service principal with a new certificate and store the 1-year certificate inside your keyvault’s certificate vault. You can skip this step if you want to use an existing service principal for keyvault instead of creating new one
az ad sp create-for-rbac --name [your_service_principal_name] --create-cert --cert [certificate_name] --keyvault [your_keyvault] --skip-assignment --years 1 { "appId": "a4f90000-0000-0000-0000-00000011d000", "displayName": "[your_service_principal_name]", "name": "http://[your_service_principal_name]", "password": null, "tenant": "34f90000-0000-0000-0000-00000011d000" }
Save the both the appId and tenant from the output which will be used in the next step
-
Get the Object Id for [your_service_principal_name]
az ad sp show --id [service_principal_app_id] { ... "objectId": "[your_service_principal_object_id]", "objectType": "ServicePrincipal", ... }
-
Grant the service principal the GET permission to your Azure Key Vault
az keyvault set-policy --name [your_keyvault] --object-id [your_service_principal_object_id] --secret-permissions get
Now that your service principal has access to your keyvault you are ready to configure the secret store component to use secrets stored in your keyvault to access other components securely.
-
Download the certificate in PFX format from your Azure Key Vault either using the Azure portal or the Azure CLI:
-
Using the Azure portal:
Go to your key vault on the Azure portal and navigate to the Certificates tab under Settings. Find the certificate that was created during the service principal creation, named [certificate_name] and click on it.
Click Download in PFX/PEM format to download the certificate.
-
Using the Azure CLI:
az keyvault secret download --vault-name [your_keyvault] --name [certificate_name] --encoding base64 --file [certificate_name].pfx
Configure Dapr component
-
Copy downloaded PFX cert from your Azure Keyvault into your components directory or a secure location on your local disk
-
Create a file called
azurekeyvault.yaml
in the components directoryapiVersion: dapr.io/v1alpha1 kind: Component metadata: name: azurekeyvault namespace: default spec: type: secretstores.azure.keyvault version: v1 metadata: - name: vaultName value: [your_keyvault_name] - name: spnTenantId value: "[your_service_principal_tenant_id]" - name: spnClientId value: "[your_service_principal_app_id]" - name: spnCertificateFile value : "[pfx_certificate_file_local_path]"
Fill in the metadata fields with your Key Vault details from the above setup process.
In Kubernetes mode, you store the certificate for the service principal into the Kubernetes Secret Store and then enable Azure Key Vault secret store with this certificate in Kubernetes secretstore.
-
Create a kubernetes secret using the following command:
kubectl create secret generic [your_k8s_spn_secret_name] --from-file=[pfx_certificate_file_local_path]
[pfx_certificate_file_local_path]
is the path of PFX cert file you downloaded above[your_k8s_spn_secret_name]
is secret name in Kubernetes secret store
- Create a
azurekeyvault.yaml
component file
The component yaml refers to the Kubernetes secretstore using auth
property and secretKeyRef
refers to the certificate stored in Kubernetes secret store.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
namespace: default
spec:
type: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
value: [your_keyvault_name]
- name: spnTenantId
value: "[your_service_principal_tenant_id]"
- name: spnClientId
value: "[your_service_principal_app_id]"
- name: spnCertificate
secretKeyRef:
name: [your_k8s_spn_secret_name]
key: [pfx_certificate_file_local_name]
auth:
secretStore: kubernetes
- Apply
azurekeyvault.yaml
component
kubectl apply -f azurekeyvault.yaml
References
- Azure CLI Keyvault CLI
- Create an Azure service principal with Azure CLI
- Secrets building block
- How-To: Retreive a secret
- How-To: Reference secrets in Dapr components
- Secrets API reference