Secrets API reference
Get Secret
This endpoint lets you get the value of a secret for a given secret store.
HTTP Request
GET http://localhost:<daprPort>/v1.0/secrets/<secret-store-name>/<name>
URL Parameters
| Parameter | Description |
|---|---|
| daprPort | the Dapr port |
| secret-store-name | the name of the secret store to get the secret from |
| name | the name of the secret to get |
Note, all URL parameters are case-sensitive.
Query Parameters
Some secret stores support optional, per-request metadata properties. Use query parameters to provide those properties. For example:
GET http://localhost:<daprPort>/v1.0/secrets/<secret-store-name>/<name>?metadata.version_id=15
Observe that not all secret stores support the same set of parameters. For example:
- Hashicorp Vault, GCP Secret Manager and AWS Secret Manager support the
version_idparameter - Only AWS Secret Manager supports the
version_stageparameter - Only Kubernetes Secrets supports the
namespaceparameter Check each secret store’s documentation for the list of supported parameters.
HTTP Response
Response Body
If a secret store has support for multiple key-values in a secret, a JSON payload is returned with the key names as fields and their respective values.
In case of a secret store that only has name/value semantics, a JSON payload is returned with the name of the secret as the field and the value of the secret as the value.
See the classification of secret stores that support multiple keys in a secret and name/value semantics.
Response with multiple keys in a secret (eg. Kubernetes):
curl http://localhost:3500/v1.0/secrets/kubernetes/db-secret
{
"key1": "value1",
"key2": "value2"
}
The above example demonstrates a response from a secret store with multiple keys in a secret. Note that the secret name (db-secret) is not returned as part of the result.
Response from a secret store with name/value semantics:
curl http://localhost:3500/v1.0/secrets/vault/db-secret
{
"db-secret": "value1"
}
The above example demonstrates a response from a secret store with name/value semantics. Compared to the result from a secret store with multiple keys in a secret, this result returns a single key-value pair, with the secret name (db-secret) returned as the key in the key-value pair.
Response Codes
| Code | Description |
|---|---|
| 200 | OK |
| 204 | Secret not found |
| 400 | Secret store is missing or misconfigured |
| 403 | Access denied |
| 500 | Failed to get secret or no secret stores defined |
Examples
curl http://localhost:3500/v1.0/secrets/mySecretStore/db-secret
curl http://localhost:3500/v1.0/secrets/myAwsSecretStore/db-secret?metadata.version_id=15&metadata.version_stage=production
Get Bulk Secret
This endpoint lets you get all the secrets in a secret store. It’s recommended to use token authentication for Dapr if configuring a secret store.
HTTP Request
GET http://localhost:<daprPort>/v1.0/secrets/<secret-store-name>/bulk
URL Parameters
| Parameter | Description |
|---|---|
| daprPort | the Dapr port |
| secret-store-name | the name of the secret store to get the secret from |
Note, all URL parameters are case-sensitive.
HTTP Response
Response Body
The returned response is a JSON containing the secrets. The JSON object will contain the secret names as fields and a map of secret keys and values as the field value.
Response with multiple secrets and multiple key / values in a secret (eg. Kubernetes):
curl http://localhost:3500/v1.0/secrets/kubernetes/bulk
{
"secret1": {
"key1": "value1",
"key2": "value2"
},
"secret2": {
"key3": "value3",
"key4": "value4"
}
}
Response Codes
| Code | Description |
|---|---|
| 200 | OK |
| 400 | Secret store is missing or misconfigured |
| 403 | Access denied |
| 500 | Failed to get secret or no secret stores defined |
Examples
curl http://localhost:3500/v1.0/secrets/vault/bulk
{
"key1": {
"key1": "value1"
},
"key2": {
"key2": "value2"
}
}