Dapr's secret scoping feature lets you control which specific secrets applications can access within a secret store. Instead of giving apps access to all secrets, you can implement fine-grained permissions using `allowedSecrets` and `deniedSecrets` lists.
How It Works
Configure secret access through Dapr's Configuration resource:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: ecommerce-config
spec:
  secrets:
    scopes:
      - storeName: azure-keyvault
        defaultAccess: deny
        allowedSecrets: ["payment-api-key", "shipping-webhook-secret"]
      - storeName: redis-secrets
        defaultAccess: allow
        deniedSecrets: ["admin-token"]
```
Key Rules
- `allowedSecrets` takes priority: only the listed secrets are accessible
- `deniedSecrets` blocks specific secrets while allowing all others
- Both lists override the `defaultAccess` setting
Common Patterns
Whitelist approach (recommended for production):
```yaml
defaultAccess: deny
allowedSecrets: ["service-specific-secrets"]
```
Blacklist approach (good for development):
```yaml
defaultAccess: allow
deniedSecrets: ["sensitive-admin-secrets"]
```
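To make the precedence rules and the two patterns concrete, here is an added example (not code from the post or from the Dapr project) that models the scope decision in plain Python and runs it against the `ecommerce-config` above plus a whitelist and a blacklist scope. The decision order is the one the rules describe: a non-empty `allowedSecrets` list is a strict whitelist, otherwise `deniedSecrets` blocks, otherwise `defaultAccess` decides. Two details are assumptions, not taken from the page: `defaultAccess` is treated as `allow` when omitted, and a store with no scope entry is treated as unrestricted. The `audit` helper and the sample read requests are constructed for illustration.

```python
# Added example: a pure-Python model of how a Dapr secret scope decides
# whether a named secret may be read. Not Dapr's own code.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecretScope:
    store_name: str
    default_access: str = "allow"          # assumption: "allow" when omitted
    allowed_secrets: List[str] = field(default_factory=list)
    denied_secrets: List[str] = field(default_factory=list)

    def is_secret_allowed(self, name: str) -> bool:
        # Rule 1: a non-empty allowedSecrets list is a strict whitelist and
        # takes priority over everything else, including deniedSecrets.
        if self.allowed_secrets:
            return name in self.allowed_secrets
        # Rule 2: deniedSecrets blocks specific names while allowing the rest.
        if name in self.denied_secrets:
            return False
        # Rule 3: fall back to defaultAccess.
        return self.default_access.lower() != "deny"


def build_scopes(config: dict) -> Dict[str, SecretScope]:
    """Index the spec.secrets.scopes entries of a Configuration by storeName."""
    scopes: Dict[str, SecretScope] = {}
    for entry in config.get("spec", {}).get("secrets", {}).get("scopes", []):
        scope = SecretScope(
            store_name=entry["storeName"],
            default_access=entry.get("defaultAccess", "allow"),
            allowed_secrets=list(entry.get("allowedSecrets", [])),
            denied_secrets=list(entry.get("deniedSecrets", [])),
        )
        scopes[scope.store_name] = scope
    return scopes


def can_read(scopes: Dict[str, SecretScope], store_name: str, secret_name: str) -> bool:
    scope = scopes.get(store_name)
    if scope is None:
        return True  # assumption: a store without a scope entry is unrestricted
    return scope.is_secret_allowed(secret_name)


def audit(config: dict, requests: List[Tuple[str, str]]) -> Dict[Tuple[str, str], bool]:
    """Evaluate a list of (store, secret) reads against a config; handy for reviewing a policy."""
    scopes = build_scopes(config)
    return {(store, name): can_read(scopes, store, name) for store, name in requests}


# Constructed input: the post's ecommerce-config as a dict (no YAML parser needed),
# plus a whitelist scope and a blacklist scope in the shape of the two patterns.
ECOMMERCE_CONFIG = {
    "apiVersion": "dapr.io/v1alpha1",
    "kind": "Configuration",
    "metadata": {"name": "ecommerce-config"},
    "spec": {"secrets": {"scopes": [
        {"storeName": "azure-keyvault", "defaultAccess": "deny",
         "allowedSecrets": ["payment-api-key", "shipping-webhook-secret"]},
        {"storeName": "redis-secrets", "defaultAccess": "allow",
         "deniedSecrets": ["admin-token"]},
    ]}},
}

PATTERNS_CONFIG = {
    "spec": {"secrets": {"scopes": [
        # whitelist pattern: deny everything except the listed service secrets
        {"storeName": "prod-store", "defaultAccess": "deny",
         "allowedSecrets": ["service-specific-secrets"]},
        # blacklist pattern: allow everything except the listed admin secrets
        {"storeName": "dev-store", "defaultAccess": "allow",
         "deniedSecrets": ["sensitive-admin-secrets"]},
        # precedence check: both lists name the same secret; allowedSecrets wins
        {"storeName": "mixed-store", "defaultAccess": "deny",
         "allowedSecrets": ["shared"], "deniedSecrets": ["shared"]},
    ]}},
}

if __name__ == "__main__":
    reads = [("azure-keyvault", "payment-api-key"), ("azure-keyvault", "admin-token"),
             ("redis-secrets", "admin-token"), ("redis-secrets", "session-signing-key")]
    for (store, name), ok in audit(ECOMMERCE_CONFIG, reads).items():
        print(f"{store}/{name}: {'allowed' if ok else 'denied'}")
```

Running the module prints one line per read; the useful part for a policy review is that every name not on the `azure-keyvault` whitelist is denied while `redis-secrets` only loses `admin-token`, which is exactly the asymmetry between the two patterns.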
This feature helps implement least-privilege access without changing your application code - just apply the configuration to your Dapr sidecar.