Cryptography component specs on Dapr Docs

Azure Key Vault

Mon, 01 Jan 0001 00:00:00 +0000

Component format

A Dapr crypto.yaml component file has the following structure:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
 name: azurekeyvault
spec:
 type: crypto.azure.keyvault
 metadata:
 - name: vaultName
 value: mykeyvault
 # See authentication section below for all options
 - name: azureTenantId
 value: ${{AzureKeyVaultTenantId}}
 - name: azureClientId
 value: ${{AzureKeyVaultServicePrincipalClientId}}
 - name: azureClientSecret
 value: ${{AzureKeyVaultServicePrincipalClientSecret}}

Warning

The above example uses secrets as plain strings. It is recommended to use a secret store for the secrets, as described here.

Authenticating with Microsoft Entra ID

The Azure Key Vault cryptography component supports authentication with Microsoft Entra ID only. Before you enable this component:

JSON Web Key Sets (JWKS)

Mon, 01 Jan 0001 00:00:00 +0000

Component format

The purpose of this component is to load keys from a JSON Web Key Set (RFC 7517). These are JSON documents that contain 1 or more keys as JWK (JSON Web Key); they can be public, private, or shared keys.

This component supports loading a JWKS:

From a local file; in this case, Dapr watches for changes to the file on disk and reloads it automatically.
From a HTTP(S) URL, which is periodically refreshed.
By passing the actual JWKS in the jwks metadata property, as a string (optionally, base64-encoded).

Note

This component uses the cryptographic engine in Dapr to perform operations. Although keys are never exposed to your application, Dapr has access to the raw key material.

A Dapr crypto.yaml component file has the following structure:

Kubernetes Secrets

Mon, 01 Jan 0001 00:00:00 +0000

Component format

The purpose of this component is to load the Kubernetes secret named after the key name.

Note

This component uses the cryptographic engine in Dapr to perform operations. Although keys are never exposed to your application, Dapr has access to the raw key material.

A Dapr crypto.yaml component file has the following structure:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
 name: <NAME>
spec:
 type: crypto.dapr.kubernetes.secrets
 version: v1
 metadata:[]

Warning

The above example uses secrets as plain strings. It is recommended to use a secret store for the secrets, as described here.

Spec metadata fields

Field	Required	Details	Example
`defaultNamespace`	N	Default namespace to retrieve secrets from. If unset, the namespace must be specified for each key, as `namespace/secretName/key`	`"default-ns"`
`kubeconfigPath`	N	The path to the kubeconfig file. If not specified, the component uses the default in-cluster config value	`"/path/to/kubeconfig"`

Cryptography building block

Local storage

Mon, 01 Jan 0001 00:00:00 +0000

Component format

The purpose of this component is to load keys from a local directory.

The component accepts as input the name of a folder, and loads keys from there. Each key is in its own file, and when users request a key with a given name, Dapr loads the file with that name.

Supported file formats:

PEM with public and private keys (supports: PKCS#1, PKCS#8, PKIX)
JSON Web Key (JWK) containing a public, private, or symmetric key
Raw key data for symmetric keys

Note

This component uses the cryptographic engine in Dapr to perform operations. Although keys are never exposed to your application, Dapr has access to the raw key material.

A Dapr crypto.yaml component file has the following structure:

Cryptography component specs on Dapr Docs

Azure Key Vault

Component format

Warning

Authenticating with Microsoft Entra ID

JSON Web Key Sets (JWKS)

Component format

Note

Kubernetes Secrets

Component format

Note

Warning

Spec metadata fields

Related links

Local storage

Component format

Note