Enable API token authentication in Dapr

    By default, Dapr relies on the network boundary to limit access to its public API. If you plan on exposing the Dapr API outside of that boundary, or if your deployment demands an additional level of security, consider enabling the token authentication for Dapr APIs. This will cause Dapr to require every incoming gRPC and HTTP request for its APIs for to include authentication token, before allowing that request to pass through.

    Dapr uses shared tokens for API authentication. You are free to define the API token to use.

    Although Dapr does not impose any format for the shared token, a good idea is to generate a random byte sequence and encode it to Base64. For example, this command generates a random 32-byte key and encodes that as Base64:

    Configure API token authentication in Dapr

    The token authentication configuration is slightly different for either Kubernetes or self-hosted Dapr deployments:

    In self-hosting scenario, Dapr looks for the presence of environment variable. If that environment variable is set when the daprd process launches, Dapr enforces authentication on its public APIs:

    1. export DAPR_API_TOKEN=<token>

    To rotate the configured token, update the DAPR_API_TOKEN environment variable to the new value and restart the daprd process.

    Kubernetes

    1. kubectl create secret generic dapr-api-token --from-literal=token=<token>

    To indicate to Dapr to use that secret to secure its public APIs, add an annotation to your Deployment template spec:

    1. annotations:
    2.   dapr.io/enabled: "true"
    3.   dapr.io/api-token-secret: "dapr-api-token" # name of the Kubernetes secret

    When deployed, Dapr sidecar injector will automatically create a secret reference and inject the actual value into environment variable.

    To rotate the configured token in self-hosted, update the DAPR_API_TOKEN environment variable to the new value and restart the daprd process.

    Kubernetes

    To rotate the configured token in Kubernates, update the previously-created secret with the new token in each namespace. You can do that using kubectl patch command, but a simpler way to update these in each namespace is by using a manifest:

    And then apply it to each namespace:

    1. kubectl apply --file token-secret.yaml --namespace <namespace-name>
    1. kubectl rollout restart deployment/<deployment-name> --namespace <namespace-name>

    Adding API token to client API invocations

    Once token authentication is configured in Dapr, all clients invoking Dapr API will have to append the API token token to every request:

    In case of HTTP, Dapr requires the API token in the dapr-api-token header. For example:

    1. dapr-api-token: <token>

    Using curl, you can pass the header using the (or -H) option. For example:

    gRPC

    When using gRPC protocol, Dapr will inspect the incoming calls for the API token on the gRPC metadata:

    1. dapr-api-token[0].

    In Kubernetes, it’s recommended to mount the secret to your pod as an environment variable, as shown in the example below, where a Kubernetes secret with the name dapr-api-token is used to hold the token.

    1. containers:
    2.   - name: mycontainer
    3.     image: myregistry/myapp
    4.     envFrom:
    5.     - secretRef:

    Self-hosted

    1. export DAPR_API_TOKEN=<my-dapr-token>
    • Learn about