In this sample, we'll see how to retrieve a secret using Dapr's Java SDK. This sample includes two files:
- SecretClient.java (Reads a secret from Dapr's Secret Store)
- Existing Dapr component file in
< repo dir >/examples/components/local_file.yaml
Visit this link for more information about secret stores in Dapr.
In this example, the component used is local file(not recommended for production use), but others are also available.
Visit this link for more information about secret store implementations.
- Dapr and Dapr Cli.
- Java JDK 11 (or greater):
- Apache Maven version 3.x.
Clone this repository:
git clone https://github.com/dapr/java-sdk.git
cd java-sdk
Then build the Maven project:
# make sure you are in the `java-sdk` directory.
mvn install
Then get into the examples directory:
cd examples
Dapr's API for secret store only support read operations. For this sample to run, we will first create a secret file with a JSON string that contains two keys: redisPassword
and randomKey
.
echo '{"redisPassword":"root123","randomKey":"value"}' > ./components/secrets/secret.json
The example's main function is in SecretClient.java
.
public class SecretClient {
/**
* JSON Serializer to print output.
*/
private static final ObjectMapper JSON_SERIALIZER = new ObjectMapper();
/**
* Client to read a secret.
*
* @param args Unused arguments.
*/
public static void main(String[] args) throws Exception {
if (args.length < 2) {
throw new IllegalArgumentException("Required two argument at least: "
+ "one's the secret store name, and the others are secret keys.");
}
final String secretStoreName = args[0];
try (DaprClient client = (new DaprClientBuilder()).build()) {
for (int i = 1; i < args.length; i++) {
String secretKey = args[i];
try {
Map<String, String> secret = client.getSecret(secretStoreName, secretKey).block();
System.out.println(JSON_SERIALIZER.writeValueAsString(secret));
} catch (Exception ex) {
System.out.println(ex.getMessage());
}
}
} catch (Exception ex) {
System.out.println(ex.getMessage());
}
}
}
The program receives two arguments at least: one's the secret store name and the others are secret's keys to be fetched.
After identifying the secret store name that created and the keys to be fetched, it will retrieve them from the pre-defined secret store: < repo dir >/examples/components/secrets/secret.json
.
The secret store's name must match the component's name defined in < repo dir >/examples/components/secrets/local_file.yaml
.
The Dapr client is also within a try-with-resource block to properly close the client at the end.
Execute the following script in order to run the example:
dapr run --components-path ./components/secrets --app-id secrets1 -- java -jar target/dapr-java-sdk-examples-exec.jar io.dapr.examples.secrets.SecretClient localSecretStore redisPassword randomKey
Once running, the program should print the output as follows:
== APP == {"redisPassword":"root123"}
== APP == {"randomKey":"value"}
To close the app either press CTRL+C
or run
dapr stop --app-id secrets1
The example's config.yaml
is as follows:
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
name: daprConfig
spec:
secrets:
scopes:
- storeName: "localSecretStore"
defaultAccess: "deny"
allowedSecrets: ["redisPassword",]
The configuration defines, that the only allowed secret is redisPassword
and all other secrets are denied.
Execute the following script in order to run this example with additional secret scoping:
dapr run --components-path ./components/secrets --config ./src/main/java/io/dapr/examples/secrets/config.yaml --app-id secrets2 -- java -jar target/dapr-java-sdk-examples-exec.jar io.dapr.examples.secrets.SecretClient localSecretStore redisPassword randomKey
Once running, the program should print the output as follows:
== APP == {"redisPassword":"root123"}
== APP == PERMISSION_DENIED: access denied by policy to get "randomKey" from "localSecretStore"
To close the app either press CTRL+C
or run
dapr stop --app-id secrets2
To clean up the local secret file
rm -rf ./components/secrets/secret.json
Thanks for playing.