Secrets API reference

Detailed documentation on the secrets API

Get Secret

This endpoint lets you get the value of a secret for a given secret store.

HTTP Request

GET http://localhost:<daprPort>/v1.0/secrets/<secret-store-name>/<name>

URL Parameters

ParameterDescription
daprPortthe Dapr port
secret-store-namethe name of the secret store to get the secret from
namethe name of the secret to get

Note, all URL parameters are case-sensitive.

Query Parameters

Some secret stores have optional metadata properties. metadata is populated using query parameters:

GET http://localhost:<daprPort>/v1.0/secrets/<secret-store-name>/<name>?metadata.version_id=15
GCP Secret Manager

The following optional meta can be provided to the GCP Secret Manager component

Query ParameterDescription
metadata.version_idversion for the given secret key
AWS Secret Manager

The following optional meta can be provided to the AWS Secret Manager component

Query ParameterDescription
metadata.version_idversion for the given secret key
metadata.version_stageversion stage for the given secret key

HTTP Response

Response Body

If a secret store has support for multiple keys in a secret, a JSON payload is returned with the key names as fields and their respective values.

In case of a secret store that only has name/value semantics, a JSON payload is returned with the name of the secret as the field and the value of the secret as the value.

Response with multiple keys in a secret (eg. Kubernetes):
curl http://localhost:3500/v1.0/secrets/kubernetes/db-secret
{
  "key1": "value1",
  "key2": "value2"
}
Response with no keys in a secret:
curl http://localhost:3500/v1.0/secrets/vault/db-secret
{
  "db-secret": "value1"
}

Response Codes

CodeDescription
200OK
204Secret not found
400Secret store is missing or misconfigured
403Access denied
500Failed to get secret or no secret stores defined

Examples

curl http://localhost:3500/v1.0/secrets/vault/db-secret \
curl http://localhost:3500/v1.0/secrets/vault/db-secret?metadata.version_id=15&metadata.version_stage=AAA \

Note, in case of deploying into namespace other than default, the above query will also have to include the namespace metadata (e.g. production` below)

curl http://localhost:3500/v1.0/secrets/vault/db-secret?metadata.version_id=15&?metadata.namespace=production

Get Bulk Secret

This endpoint lets you get all the secrets in a secret store. It’s recommended to use token authentication for Dapr if configuring a secret store.

HTTP Request

GET http://localhost:<daprPort>/v1.0/secrets/<secret-store-name>/bulk

URL Parameters

ParameterDescription
daprPortthe Dapr port
secret-store-namethe name of the secret store to get the secret from

Note, all URL parameters are case-sensitive.

HTTP Response

Response Body

The returned response is a JSON containing the secrets. The JSON object will contain the secret names as fields and a map of secret keys and values as the field value.

Response with multiple secrets and multiple key / values in a secret (eg. Kubernetes):
curl http://localhost:3500/v1.0/secrets/kubernetes/bulk
{
    "secret1": {
        "key1": "value1",
        "key2": "value2"
    },
    "secret2": {
        "key3": "value3",
        "key4": "value4"
    }
}

Response Codes

CodeDescription
200OK
400Secret store is missing or misconfigured
403Access denied
500Failed to get secret or no secret stores defined

Examples

curl http://localhost:3500/v1.0/secrets/vault/bulk \
{
    "key1": {
        "key1": "value1"
    },
    "key2": {
        "key2": "value2"
    }
}