HashiCorp Vault

To set up the HashiCorp Vault secret store, create a component of type . See this guide on how to create and apply a secretstore configuration, and this guide on how to retrieve and use secrets with Dapr components.

Warning

The above example uses secrets as plain strings. It is recommended to use a local secret store such as or a local file to bootstrap secure key storage.

Spec metadata fields

Set up HashiCorp Vault by following the Vault documentation: https://www.vaultproject.io/docs/install/index.html.

Multiple key-values per secret

HashiCorp Vault supports multiple key-values in a single secret. This behavior ultimately depends on the underlying secret engine configured by enginePath, and it may change the way you store and retrieve keys from Vault. For instance, multiple key-values per secret are the behavior exposed by the secret engine, which is the default engine configured by the enginePath field.

When retrieving secrets, a JSON payload is returned with the key names as fields and their respective values.

Suppose you add a secret to your Vault setup as follows:

Notice that the name of the secret (mysecret) is not repeated in the result.

The fields skipVerify, tlsServerName, caCert, caPath, and caPem control whether and how Dapr verifies the Vault server's certificate when connecting over TLS/HTTPS.

The field value should be the contents of the PEM CA certificate you want to use. Because PEM certificates span multiple lines, defining that value might seem challenging at first. YAML allows for a few ways of .
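As an added example that is not part of the Dapr documentation or the Dapr project, the following Python helpers audit the TLS-related metadata described above (skipVerify, tlsServerName, caCert, caPath, caPem) and render a multi-line PEM as a YAML literal block so that its newlines survive in the component file. The helper names and the placeholder certificate are constructed for this example.

```python
"""Audit helpers for the TLS metadata of a Dapr HashiCorp Vault secret store component."""
import re

# Field names (skipVerify, tlsServerName, caCert, caPath, caPem) are from the page;
# the helper names and the placeholder PEM below are constructed for this example.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUPLACEHOLDERPLACEHOLDERPLACEHOLDER\n"
    "AAAA\n"
    "-----END CERTIFICATE-----\n"
)
# A PEM block is a BEGIN line, one or more base64 lines, and an END line.
PEM_RE = re.compile(
    r"\A-----BEGIN CERTIFICATE-----\n(?:[A-Za-z0-9+/=]+\n)+-----END CERTIFICATE-----\n?\Z"
)


def audit_tls_metadata(metadata: dict) -> list:
    """Return findings for the TLS settings in a component's metadata name->value map."""
    findings = []
    skip = str(metadata.get("skipVerify", "false")).lower() == "true"
    if skip:
        findings.append("skipVerify=true: the Vault server certificate is not verified")
        if "tlsServerName" in metadata:
            findings.append("tlsServerName has no effect while skipVerify=true")
    ca_pem = metadata.get("caPem")
    if ca_pem is not None and not PEM_RE.match(ca_pem):
        findings.append("caPem is not a well-formed PEM block (newlines lost?)")
    if sum(k in metadata for k in ("caCert", "caPath", "caPem")) > 1:
        findings.append("more than one CA source is set; keep a single one")
    return findings


def pem_to_yaml_literal(pem: str, indent: int) -> str:
    """Render a PEM as a YAML literal block scalar ('|') so every line keeps its newline."""
    pad = " " * indent
    return "|\n" + "\n".join(pad + line for line in pem.strip("\n").splitlines()) + "\n"


def render_metadata(metadata: dict) -> str:
    """Render the component's metadata list, embedding caPem as a literal block."""
    out = []
    for name, value in metadata.items():
        out.append(f"  - name: {name}")
        if name == "caPem":
            out.append("    value: " + pem_to_yaml_literal(value, 6).rstrip("\n"))
        else:
            out.append(f'    value: "{value}"')
    return "\n".join(out) + "\n"
```

Feeding `render_metadata` a caPem whose newlines were collapsed into spaces produces a value that `audit_tls_metadata` flags, which is the usual symptom of pasting a certificate into a single-line YAML string.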