This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Configuration store component specs

The supported configuration stores that interface with Dapr

Table headers to note:

Header Description Example
Status Component certification status Alpha
Beta
Stable
Component version The version of the component v1
Since runtime version The version of the Dapr runtime when the component status was set or updated 1.11

Generic

Component Status Component version Since runtime version
PostgreSQL Stable v1 1.11
Redis Stable v1 1.11

Microsoft Azure

Component Status Component version Since runtime version
Azure App Configuration Alpha v1 1.9

1 - Azure App Configuration

Detailed information on the Azure App Configuration configuration store component

Component format

To set up an Azure App Configuration configuration store, create a component of type configuration.azure.appconfig.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: <NAME>
spec:
  type: configuration.azure.appconfig
  version: v1
  metadata:
  - name: host # host should be used when Azure Authentication mechanism is used.
    value: <HOST>
  - name: connectionString # connectionString should not be used when Azure Authentication mechanism is used.
    value: <CONNECTIONSTRING>
  - name: maxRetries
    value: # Optional
  - name: retryDelay
    value: # Optional
  - name: maxRetryDelay
    value: # Optional
  - name: azureEnvironment # Optional, defaults to AZUREPUBLICCLOUD
    value: "AZUREPUBLICCLOUD"
  # See authentication section below for all options
  - name: azureTenantId # Optional
    value: "[your_service_principal_tenant_id]"
  - name: azureClientId # Optional
    value: "[your_service_principal_app_id]"
  - name: azureCertificateFile # Optional
    value : "[pfx_certificate_file_fully_qualified_local_path]"
  - name: subscribePollInterval # Optional
    value: #Optional [Expected format example - 24h]

Spec metadata fields

Field Required Details Example
connectionString Y* Connection String for the Azure App Configuration instance. No Default. Can be secretKeyRef to use a secret reference. *Mutally exclusive with host field. *Not to be used when Azure Authentication is used Endpoint=https://foo.azconfig.io;Id=osOX-l9-s0:sig;Secret=00000000000000000000000000000000000000000000
host N* Endpoint for the Azure App Configuration instance. No Default. *Mutally exclusive with connectionString field. *To be used when Azure Authentication is used https://dapr.azconfig.io
maxRetries N Maximum number of retries before giving up. Defaults to 3 5, 10
retryDelay N RetryDelay specifies the initial amount of delay to use before retrying an operation. The delay increases exponentially with each retry up to the maximum specified by MaxRetryDelay. Defaults to 4 seconds; "-1" disables delay between retries. 4s
maxRetryDelay N MaxRetryDelay specifies the maximum delay allowed before retrying an operation. Typically the value is greater than or equal to the value specified in RetryDelay. Defaults to 120 seconds; "-1" disables the limit 120s
subscribePollInterval N subscribePollInterval specifies the poll interval in nanoseconds for polling the subscribed keys for any changes. This will be updated in the future to Go Time format. Default polling interval is set to 24 hours. 24h

Note: either host or connectionString must be specified.

Authenticating with Connection String

Access an App Configuration instance using its connection string, which is available in the Azure portal. Since connection strings contain credential information, you should treat them as secrets and use a secret store.

Authenticating with Microsoft Entra ID

The Azure App Configuration configuration store component also supports authentication with Microsoft Entra ID. Before you enable this component:

  • Read the Authenticating to Azure document.
  • Create an Microsoft Entra ID application (also called Service Principal).
  • Alternatively, create a managed identity for your application platform.

Set up Azure App Configuration

You need an Azure subscription to set up Azure App Configuration.

  1. Start the Azure App Configuration creation flow. Log in if necessary.

  2. Click Create to kickoff deployment of your Azure App Configuration instance.

  3. Once your instance is created, grab the Host (Endpoint) or your Connection string:

    • For the Host: navigate to the resource’s Overview and copy Endpoint.
    • For your connection string: navigate to Settings > Access Keys and copy your Connection string.

  4. Add your host or your connection string to an azappconfig.yaml file that Dapr can apply.

    Set the host key to [Endpoint] or the connectionString key to the values you saved earlier.

Azure App Configuration request metadata

In Azure App Configuration, you can use labels to define different values for the same key. For example, you can define a single key with different values for development and production. You can specify which label to load when connecting to App Configuration

The Azure App Configuration store component supports the following optional label metadata property:

label: The label of the configuration to retrieve. If not present, the configuration store returns the configuration for the specified key and a null label.

The label can be populated using query parameters in the request URL:

GET curl http://localhost:<daprPort>/v1.0/configuration/<store-name>?key=<key name>&metadata.label=<label value>

2 - PostgreSQL

Detailed information on the PostgreSQL configuration store component

Component format

To set up an PostgreSQL configuration store, create a component of type configuration.postgresql

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: <NAME>
spec:
  type: configuration.postgresql
  version: v1
  metadata:
    # Connection string
    - name: connectionString
      value: "host=localhost user=postgres password=example port=5432 connect_timeout=10 database=config"
    # Name of the table which holds configuration information
    - name: table
      value: "[your_configuration_table_name]" 
    # Individual connection parameters - can be used instead to override connectionString parameters
    #- name: host
    #  value: "localhost"
    #- name: hostaddr
    #  value: "127.0.0.1"
    #- name: port
    #  value: "5432"
    #- name: database
    #  value: "my_db"
    #- name: user
    #  value: "postgres"
    #- name: password
    #  value: "example"
    #- name: sslRootCert
    #  value: "/path/to/ca.crt"
    # Timeout for database operations, in seconds (optional)
    #- name: timeoutInSeconds
    #  value: 20
    # Name of the table where to store the state (optional)
    #- name: tableName
    #  value: "state"
    # Name of the table where to store metadata used by Dapr (optional)
    #- name: metadataTableName
    #  value: "dapr_metadata"
    # Cleanup interval in seconds, to remove expired rows (optional)
    #- name: cleanupIntervalInSeconds
    #  value: 3600
    # Maximum number of connections pooled by this component (optional)
    #- name: maxConns
    #  value: 0
    # Max idle time for connections before they're closed (optional)
    #- name: connectionMaxIdleTime
    #  value: 0
    # Controls the default mode for executing queries. (optional)
    #- name: queryExecMode
    #  value: ""
    # Uncomment this if you wish to use PostgreSQL as a state store for actors (optional)
    #- name: actorStateStore
    #  value: "true"

Spec metadata fields

Authenticate using a connection string

The following metadata options are required to authenticate using a PostgreSQL connection string.

Field Required Details Example
connectionString Y The connection string for the PostgreSQL database. See the PostgreSQL documentation on database connections for information on how to define a connection string. "host=localhost user=postgres password=example port=5432 connect_timeout=10 database=my_db"

Authenticate using individual connection parameters

In addition to using a connection string, you can optionally specify individual connection parameters. These parameters are equivalent to the standard PostgreSQL connection parameters.

Field Required Details Example
host Y The host name or IP address of the PostgreSQL server "localhost"
hostaddr N The IP address of the PostgreSQL server (alternative to host) "127.0.0.1"
port Y The port number of the PostgreSQL server "5432"
database Y The name of the database to connect to "my_db"
user Y The PostgreSQL user to connect as "postgres"
password Y The password for the PostgreSQL user "example"
sslRootCert N Path to the SSL root certificate file "/path/to/ca.crt"

Authenticate using Microsoft Entra ID

Authenticating with Microsoft Entra ID is supported with Azure Database for PostgreSQL. All authentication methods supported by Dapr can be used, including client credentials (“service principal”) and Managed Identity.

Field Required Details Example
useAzureAD Y Must be set to true to enable the component to retrieve access tokens from Microsoft Entra ID. "true"
connectionString Y The connection string for the PostgreSQL database.
This must contain the user, which corresponds to the name of the user created inside PostgreSQL that maps to the Microsoft Entra ID identity; this is often the name of the corresponding principal (e.g. the name of the Microsoft Entra ID application). This connection string should not contain any password.		 "host=mydb.postgres.database.azure.com user=myapplication port=5432 database=my_db sslmode=require"
azureTenantId N ID of the Microsoft Entra ID tenant "cd4b2887-304c-…"
azureClientId N Client ID (application ID) "c7dd251f-811f-…"
azureClientSecret N Client secret (application password) "Ecy3X…"

Authenticate using AWS IAM

Authenticating with AWS IAM is supported with all versions of PostgreSQL type components. The user specified in the connection string must be an already existing user in the DB, and an AWS IAM enabled user granted the rds_iam database role. Authentication is based on the AWS authentication configuration file, or the AccessKey/SecretKey provided. The AWS authentication token will be dynamically rotated before it’s expiration time with AWS.

Field Required Details Example
useAWSIAM Y Must be set to true to enable the component to retrieve access tokens from AWS IAM. This authentication method only works with AWS Relational Database Service for PostgreSQL databases. "true"
connectionString Y The connection string for the PostgreSQL database.
This must contain an already existing user, which corresponds to the name of the user created inside PostgreSQL that maps to the AWS IAM policy. This connection string should not contain any password. Note that the database name field is denoted by dbname with AWS.		 "host=mydb.postgres.database.aws.com user=myapplication port=5432 dbname=my_db sslmode=require"
awsRegion N This maintains backwards compatibility with existing fields. It will be deprecated as of Dapr 1.17. Use ‘region’ instead. The AWS Region where the AWS Relational Database Service is deployed to. "us-east-1"
awsAccessKey N This maintains backwards compatibility with existing fields. It will be deprecated as of Dapr 1.17. Use ‘accessKey’ instead. AWS access key associated with an IAM account "AKIAIOSFODNN7EXAMPLE"
awsSecretKey N This maintains backwards compatibility with existing fields. It will be deprecated as of Dapr 1.17. Use ‘secretKey’ instead. The secret key associated with the access key "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
awsSessionToken N This maintains backwards compatibility with existing fields. It will be deprecated as of Dapr 1.17. Use ‘sessionToken’ instead. AWS session token to use. A session token is only required if you are using temporary security credentials. "TOKEN"

Other metadata options

Field Required Details Example
table Y Table name for configuration information, must be lowercased. configtable
timeout N Timeout for operations on the database, as a Go duration. Integers are interpreted as number of seconds. Defaults to 20s "30s", 30
maxConns N Maximum number of connections pooled by this component. Set to 0 or lower to use the default value, which is the greater of 4 or the number of CPUs. "4"
connectionMaxIdleTime N Max idle time before unused connections are automatically closed in the connection pool. By default, there’s no value and this is left to the database driver to choose. "5m"
queryExecMode N Controls the default mode for executing queries. By default Dapr uses the extended protocol and automatically prepares and caches prepared statements. However, this may be incompatible with proxies such as PGBouncer. In this case it may be preferrable to use exec or simple_protocol. "simple_protocol"

Set up PostgreSQL as Configuration Store

  1. Start the PostgreSQL Database

  2. Connect to the PostgreSQL database and setup a configuration table with following schema:

    Field Datatype Nullable Details
    KEY VARCHAR N Holds "Key" of the configuration attribute
    VALUE VARCHAR N Holds Value of the configuration attribute
    VERSION VARCHAR N Holds version of the configuration attribute
    METADATA JSON Y Holds Metadata as JSON 
    CREATE TABLE IF NOT EXISTS table_name (
  KEY VARCHAR NOT NULL,
  VALUE VARCHAR NOT NULL,
  VERSION VARCHAR NOT NULL,
  METADATA JSON
);

  3. Create a TRIGGER on configuration table. An example function to create a TRIGGER is as follows:

    CREATE OR REPLACE FUNCTION notify_event() RETURNS TRIGGER AS $$
    DECLARE 
        data json;
        notification json;

    BEGIN

        IF (TG_OP = 'DELETE') THEN
            data = row_to_json(OLD);
        ELSE
            data = row_to_json(NEW);
        END IF;

        notification = json_build_object(
                          'table',TG_TABLE_NAME,
                          'action', TG_OP,
                          'data', data);
        PERFORM pg_notify('config',notification::text);
        RETURN NULL; 
    END;
$$ LANGUAGE plpgsql;

  4. Create the trigger with data encapsulated in the field labeled as data:

    notification = json_build_object(
  'table',TG_TABLE_NAME,
  'action', TG_OP,
  'data', data
);

  5. The channel mentioned as attribute to pg_notify should be used when subscribing for configuration notifications

  6. Since this is a generic created trigger, map this trigger to configuration table

    CREATE TRIGGER config
AFTER INSERT OR UPDATE OR DELETE ON configtable
    FOR EACH ROW EXECUTE PROCEDURE notify_event();

  7. In the subscribe request add an additional metadata field with key as pgNotifyChannel and value should be set to same channel name mentioned in pg_notify. From the above example, it should be set to config

3 - Redis

Detailed information on the Redis configuration store component

Component format

To setup Redis configuration store create a component of type configuration.redis. See this guide on how to create and apply a configuration store configuration.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: <NAME>
spec:
  type: configuration.redis
  version: v1
  metadata:
  - name: redisHost
    value: <address>:6379
  - name: redisPassword
    value: **************
  - name: useEntraID
    value: "true"
  - name: enableTLS
    value: <bool>

Spec metadata fields

Field Required Details Example
redisHost Y Output The Redis host address
redisPassword N Output The Redis password
redisUsername N Output Username for Redis host. Defaults to empty. Make sure your Redis server version is 6 or above, and have created acl rule correctly.
enableTLS N Output If the Redis instance supports TLS with public certificates it can be configured to enable or disable TLS. Defaults to "false"
clientCert N Output The content of the client certificate, used for Redis instances that require client-side certificates. Must be used with clientKey and enableTLS must be set to true. It is recommended to use a secret store as described here
clientKey N Output The content of the client private key, used in conjunction with clientCert for authentication. It is recommended to use a secret store as described here
failover N Output Property to enable failover configuration. Needs sentinelMasterName to be set. Defaults to "false"
sentinelMasterName N Output The Sentinel master name. See Redis Sentinel Documentation
sentinelUsername N Output Username for Redis Sentinel. Applicable only when “failover” is true, and Redis Sentinel has authentication enabled
sentinelPassword N Output Password for Redis Sentinel. Applicable only when “failover” is true, and Redis Sentinel has authentication enabled
redisType N Output The type of Redis. There are two valid values, one is "node" for single node mode, the other is "cluster" for Redis cluster mode. Defaults to "node".
redisDB N Output Database selected after connecting to Redis. If "redisType" is "cluster", this option is ignored. Defaults to "0".
redisMaxRetries N Output Maximum number of times to retry commands before giving up. Default is to not retry failed commands.
redisMinRetryInterval N Output Minimum backoff for Redis commands between each retry. Default is "8ms"; "-1" disables backoff.
redisMaxRetryInterval N Output Maximum backoff for Redis commands between each retry. Default is "512ms";"-1" disables backoff.
dialTimeout N Output Dial timeout for establishing new connections. Defaults to "5s".
readTimeout N Output Timeout for socket reads. If reached, Redis commands fail with a timeout instead of blocking. Defaults to "3s", "-1" for no timeout.
writeTimeout N Output Timeout for socket writes. If reached, Redis commands fail with a timeout instead of blocking. Defaults is readTimeout.
poolSize N Output Maximum number of socket connections. Default is 10 connections per every CPU as reported by runtime.NumCPU.
poolTimeout N Output Amount of time client waits for a connection if all connections are busy before returning an error. Default is readTimeout + 1 second.
maxConnAge N Output Connection age at which the client retires (closes) the connection. Default is to not close aged connections.
minIdleConns N Output Minimum number of idle connections to keep open in order to avoid the performance degradation associated with creating new connections. Defaults to "0".
idleCheckFrequency N Output Frequency of idle checks made by idle connections reaper. Default is "1m". "-1" disables idle connections reaper.
idleTimeout N Output Amount of time after which the client closes idle connections. Should be less than server’s timeout. Default is "5m". "-1" disables idle timeout check.

Setup Redis

Dapr can use any Redis instance: containerized, running on your local dev machine, or a managed cloud service.

A Redis instance is automatically created as a Docker container when you run dapr init

You can use Helm to quickly create a Redis instance in our Kubernetes cluster. This approach requires Installing Helm.

  1. Install Redis into your cluster. Note that we’re explicitly setting an image tag to get a version greater than 5, which is what Dapr’ pub/sub functionality requires. If you’re intending on using Redis as just a state store (and not for pub/sub), you do not have to set the image version.

    helm repo add bitnami https://charts.bitnami.com/bitnami
helm install redis bitnami/redis --set image.tag=6.2

  2. Run kubectl get pods to see the Redis containers now running in your cluster.

  3. Add redis-master:6379 as the redisHost in your redis.yaml file. For example:

        metadata:
    - name: redisHost
      value: redis-master:6379

  4. Next, get the Redis password, which is slightly different depending on the OS we’re using:

    • Windows: Run kubectl get secret --namespace default redis -o jsonpath="{.data.redis-password}" > encoded.b64, which creates a file with your encoded password. Next, run certutil -decode encoded.b64 password.txt, which will put your redis password in a text file called password.txt. Copy the password and delete the two files.

    • Linux/MacOS: Run kubectl get secret --namespace default redis -o jsonpath="{.data.redis-password}" | base64 --decode and copy the outputted password.

    Add this password as the redisPassword value in your redis.yaml file. For example:

        metadata:
    - name: redisPassword
      value: lhDOkwTlp0

AWS Redis

  1. Create an Azure Cache for Redis instance using the official Microsoft documentation.

  2. Once your instance is created, grab the Host name (FQDN) and your access key from the Azure portal.

    • For the Host name:
      • Navigate to the resource’s Overview page.
      • Copy the Host name value.
    • For your access key:
      • Navigate to Settings > Access Keys.
      • Copy and save your key.

  3. Add your key and your host name to a redis.yaml file that Dapr can apply to your cluster.

    • If you’re running a sample, add the host and key to the provided redis.yaml.
    • If you’re creating a project from the ground up, create a redis.yaml file as specified in the Component format section.

  4. Set the redisHost key to [HOST NAME FROM PREVIOUS STEP]:6379 and the redisPassword key to the key you saved earlier.

    Note: In a production-grade application, follow secret management instructions to securely manage your secrets.

  5. Enable EntraID support:

    • Enable Entra ID authentication on your Azure Redis server. This may takes a few minutes.
    • Set useEntraID to "true" to implement EntraID support for Azure Cache for Redis.

  6. Set enableTLS to "true" to support TLS.

Note:useEntraID assumes that either your UserPrincipal (via AzureCLICredential) or the SystemAssigned managed identity have the RedisDataOwner role permission. If a user-assigned identity is used, you need to specify the azureClientID property.

GCP Cloud MemoryStore