How To: Use secret scoping
You can read guidance on setting up secret store components to configure a secret store for an application. Once configured, by default any secret defined within that store is accessible from the Dapr application.
To limit the secrets that the Dapr application can access, you can define secret scopes by adding a secret scope policy with restrictive permissions to the application configuration. See the application configuration guidance for how to define one.
The secret scoping policy applies to any secret store, whether that is a local secret store, a Kubernetes secret store or a public cloud secret store. For details on how to set up a secret store, read How To: Retrieve a secret.
Watch this demo for an example of how to use secret scoping with your application.
Define the following configuration and apply it to the Kubernetes cluster using the command kubectl apply -f appconfig.yaml.
For applications that need to be denied access to the Kubernetes secret store, follow these instructions, and add the following annotation to the application pod.
With this defined, the application no longer has access to any secrets in the Kubernetes secret store.
This example uses a secret store that is named vault. For example, this could be a HashiCorp Vault secret store component that has been configured for your application. To allow a Dapr application to access only the secrets secret1 and secret2 in that secret store, define the following appconfig.yaml:
Define the following configuration:
This example uses a secret store that is named vault. This configuration explicitly denies access to secret1 and secret2 in the secret store named vault while allowing access to all other secrets. Follow the application configuration guidance to apply the configuration to the sidecar.
The allowedSecrets and deniedSecrets list values take priority over the defaultAccess policy.
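The precedence rule above is easy to misread when a scope carries both lists, so here is an added worked example (illustrative code written for this page, not Dapr's own implementation) that models the three scenarios described above as scope entries and evaluates which secrets the sidecar would serve. Assumptions: an allowedSecrets list, when present, is exhaustive and wins over deniedSecrets, and a store with no scope entry keeps the default of full access.

```python
"""Evaluate Dapr-style secret scope policies (illustrative, not Dapr's code).

Precedence modelled on the documented rule: the allowedSecrets and
deniedSecrets lists take priority over defaultAccess. Assumption: when an
allowedSecrets list is present, only the listed secrets are reachable,
even if one of them also appears in deniedSecrets.
"""

DENY, ALLOW = "deny", "allow"

# Constructed sample: the three scenarios from this page, each written as the
# spec.secrets.scopes list of a separate application Configuration.
SCENARIOS = {
    "deny-k8s": [{"storeName": "kubernetes", "defaultAccess": DENY}],
    "allow-list": [{"storeName": "vault", "defaultAccess": DENY,
                    "allowedSecrets": ["secret1", "secret2"]}],
    "deny-list": [{"storeName": "vault", "defaultAccess": ALLOW,
                   "deniedSecrets": ["secret1", "secret2"]}],
}


def is_secret_allowed(scopes, store_name, key):
    """Return True if the sidecar should serve `key` from `store_name`."""
    scope = next((s for s in scopes if s["storeName"] == store_name), None)
    if scope is None:
        # A store with no scope policy keeps the default: every secret is readable.
        return True
    allowed = scope.get("allowedSecrets") or []
    denied = scope.get("deniedSecrets") or []
    if allowed:
        # An explicit allow-list wins over both the deny-list and defaultAccess.
        return key in allowed
    if key in denied:
        # The deny-list overrides a permissive defaultAccess.
        return False
    return scope.get("defaultAccess", ALLOW).lower() != DENY


def explain(scopes, store_name, keys):
    """Map each requested key to its access decision, for reviewing a policy."""
    return {k: is_secret_allowed(scopes, store_name, k) for k in keys}


if __name__ == "__main__":
    for name, scopes in SCENARIOS.items():
        print(name, explain(scopes, "vault" if "list" in name else "kubernetes",
                            ["secret1", "secret2", "other"]))
```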
- Overview of secret stores