In this challenge, you’re going to add the Dapr secrets management building block.
Almost all non-trivial applications need to securely store secret data like API keys, database passwords, and more. As a best practice, secrets should never be checked into the version control system. But at the same time, they need to be accessible to code running in production. This is generally a challenging requirement, but critical to get right.
Dapr provides a solution to this problem: The Dapr secrets building block. It includes an API and a secrets store.
Here’s how it works:
Popular secret stores include Kubernetes, Hashicorp Vault, and Azure KeyVault.
The following diagram depicts an application requesting the secret called “mysecret” from a configured cloud secret store that is registered under the component name “vault”:
Note the blue-colored Dapr secrets building block that sits between the application and secret stores.
For this challenge you’ll use a file-based local secret store component. Local stores are meant for development or testing purposes. Never use them in production!
Alternatively, you can implement Azure KeyVault as your secret store in this challenge.
Another way of using secrets is to reference them from Dapr configuration files, so that a component picks up a credential by name from the secret store instead of embedding the value. You will use both approaches in this challenge.
To learn more about the secrets building block, read the introduction to this building block in the Dapr documentation. Also, check out the secrets chapter in the Dapr for .NET Developers guidance eBook.
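The following files show both approaches from the paragraph above side by side: a file-based secret store component for local development, a second component that references a secret from that store by name instead of embedding it, and a Dapr configuration that limits which secrets the application may read. This is an added example, not part of the challenge page or the Dapr project; the file names, the store name "trafficcontrol-secrets", the secret names and the placeholder values are all assumptions chosen for illustration.

```yaml
# --- components/secrets.json ---
# Read by the local file secret store. Keep this file out of version control
# (add it to .gitignore); the values below are placeholders.
{
  "finecalculator.licensekey": "PLACEHOLDER-LICENSE-KEY",
  "redis.password": "PLACEHOLDER-REDIS-PASSWORD"
}
---
# --- components/secretstore.yaml ---
# File-based secret store: development and testing only, never production.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: trafficcontrol-secrets
spec:
  type: secretstores.local.file
  version: v1
  metadata:
  - name: secretsFile
    value: components/secrets.json
---
# --- components/statestore.yaml ---
# Another component that needs a credential. The password is not written
# here; "secretKeyRef" tells the sidecar to resolve it from the store named
# under "auth.secretStore" at load time.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: statestore
spec:
  type: state.redis
  version: v1
  metadata:
  - name: redisHost
    value: localhost:6379
  - name: redisPassword
    secretKeyRef:
      name: redis.password
      key: redis.password
auth:
  secretStore: trafficcontrol-secrets
---
# --- dapr/config.yaml ---
# Scope the secrets API: with defaultAccess "deny", the application can only
# read the secrets listed in allowedSecrets, so a compromised service cannot
# enumerate every entry in the store. Pass this file with --config.
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: appconfig
spec:
  secrets:
    scopes:
      - storeName: trafficcontrol-secrets
        defaultAccess: deny
        allowedSecrets: ["finecalculator.licensekey"]
```

With these files in place, the service can be started as usual with "dapr run --components-path ./components --config ./dapr/config.yaml ...", and a request for any secret other than finecalculator.licensekey is refused by the sidecar. Swapping the local store for a production one (for example Azure KeyVault) means replacing only the secretstore.yaml component; the references in other components and the application code stay the same.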
Update the services to use a Dapr secrets building block.
Update the FineCollectionService (the CollectionController class in the Resources\FineCollectionService\Controllers\CollectionController.cs code file) to pull the license key secret from the Dapr secret component instead of having it hard-coded.
This challenge targets the operation labeled as number 6 in the end-state setup, for both the local and the Azure variant:
FineCollectionService retrieves the license key for the FineCalculator component it uses from the Dapr secrets management building block.
For the Azure KeyVault option, create an Azure AD service principal for the Dapr sidecar to use to access the KeyVault:
az ad sp create-for-rbac --name dapr-trafficcontrol
az ad sp list --display-name dapr-trafficcontrol
az keyvault set-policy --name kv-daprEventify-ussc-dev --object-id <your-service-principal-id> --secret-permissions get list
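For the code change the challenge asks for, here is one way the CollectionController can fetch the license key from the sidecar instead of carrying it as a constant. This is an added example, not the challenge's reference solution or the Dapr project's code. It assumes a secret store component named "trafficcontrol-secrets" holding a secret named "finecalculator.licensekey", an IFineCalculator abstraction (defined inline here as a stand-in for the real component) that takes the license key as its first argument, the Dapr.AspNetCore package, and services.AddDaprClient() registered at startup.

```csharp
// Added example, not the challenge's or the Dapr project's own code.
// Assumed names: store "trafficcontrol-secrets", secret "finecalculator.licensekey",
// and a hypothetical IFineCalculator abstraction for the fine calculator component.
using System;
using System.Threading.Tasks;
using Dapr.Client;
using Microsoft.AspNetCore.Mvc;

namespace FineCollectionService.Controllers
{
    // Hypothetical stand-in for the FineCalculator component's interface.
    public interface IFineCalculator
    {
        int CalculateFine(string licenseKey, int excessSpeed);
    }

    [ApiController]
    [Route("collectionservice")]
    public class CollectionController : ControllerBase
    {
        private const string SecretStoreName = "trafficcontrol-secrets";
        private const string LicenseKeySecretName = "finecalculator.licensekey";

        // Cached after the first lookup so that not every request calls the sidecar.
        private static string _fineCalculatorLicenseKey;

        private readonly DaprClient _daprClient;
        private readonly IFineCalculator _fineCalculator;

        public CollectionController(DaprClient daprClient, IFineCalculator fineCalculator)
        {
            _daprClient = daprClient;
            _fineCalculator = fineCalculator;
        }

        // GetSecretAsync calls the sidecar's secrets API
        // (GET http://localhost:3500/v1.0/secrets/{store}/{name}) and returns the
        // key/value pairs stored under that secret name.
        private async Task<string> GetLicenseKeyAsync()
        {
            if (_fineCalculatorLicenseKey != null)
            {
                return _fineCalculatorLicenseKey;
            }

            var secret = await _daprClient.GetSecretAsync(SecretStoreName, LicenseKeySecretName);
            if (!secret.TryGetValue(LicenseKeySecretName, out var licenseKey)
                || string.IsNullOrWhiteSpace(licenseKey))
            {
                // Fail closed: a missing secret is a deployment error; never fall
                // back to a key compiled into the service.
                throw new InvalidOperationException(
                    $"Secret '{LicenseKeySecretName}' was not found in store '{SecretStoreName}'.");
            }

            _fineCalculatorLicenseKey = licenseKey;
            return licenseKey;
        }

        // Simplified request body (the excess speed only) to keep the example short.
        [HttpPost("collectfine")]
        public async Task<IActionResult> CollectFine([FromBody] int excessSpeed)
        {
            var licenseKey = await GetLicenseKeyAsync();
            var fine = _fineCalculator.CalculateFine(licenseKey, excessSpeed);
            // Return or log the outcome, never the key itself.
            return Ok(new { fine });
        }
    }
}
```

Because the store name is the only thing the code knows about, the same controller works unchanged whether the sidecar is configured with the local file store for development or with Azure KeyVault (using the service principal created above) in a real environment.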