diff --git a/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md b/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md index f719c73ea..c476e5188 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md +++ b/daprdocs/content/en/developing-applications/building-blocks/secrets/secrets-scopes.md @@ -9,7 +9,7 @@ type: docs You can read [guidance on setting up secret store components]({{< ref setup-secret-store >}}) to configure a secret store for an application. Once configured, by default *any* secret defined within that store is accessible from the Dapr application. -To limit the secrets to which the Dapr application has access to, you can can define secret scopes by adding a secret scope policy to the application configuration with restrictive permissions. Follow [these instructions]({{< ref configuration-concept.md >}}) to define an application configuration. +To limit the secrets to which the Dapr application has access to, you can define secret scopes by adding a secret scope policy to the application configuration with restrictive permissions. Follow [these instructions]({{< ref configuration-concept.md >}}) to define an application configuration. The secret scoping policy applies to any [secret store]({{< ref supported-secret-stores.md >}}), whether that is a local secret store, a Kubernetes secret store or a public cloud secret store. For details on how to set up a [secret stores]({{< ref setup-secret-store.md >}}) read [How To: Retrieve a secret]({{< ref howto-secrets.md >}}) @@ -18,7 +18,9 @@ Watch this [video](https://youtu.be/j99RN_nxExA?start=2272) for a demo on how to ## Scenario 1 : Deny access to all secrets for a secret store -This example uses Kubernetes. A Kubernetes secret store with name `kubernetes` is added to you Dapr application by default, however, it is strongly encouraged to instead explictly define a Kubernetes secret store (example used here: `mycustomsecretstore`). In some scenarios it may be necessary to deny access to Dapr secrets for a given application. To add this configuration follow the steps below: +In this example all secret access is denied to an application running on a Kubernetes cluster which has a configured [Kubernetes secret store]({{}}) named `mycustomsecretstore`. In the case of Kubernetes, aside from the user defined custom store, the default store named `kubernetes` is also addressed to ensure all secrets are denied access (See [here]({{}}) to learn more about the Kubernetes default secret store). + +To add this configuration follow the steps below: Define the following `appconfig.yaml` configuration and apply it to the Kubernetes cluster using the command `kubectl apply -f appconfig.yaml`. diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md index 3c6f31893..bdb631f2b 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/kubernetes-secret-store.md @@ -7,7 +7,12 @@ aliases: - "/operations/components/setup-secret-store/supported-secret-stores/kubernetes-secret-store/" --- -## Create the Kubernetes Secret Store component +## Default Kubernetes secret store component +When Dapr is deployed to a Kubernetes cluster, a secret store with the name `kubernetes` is automatically provisioned. This is meant to streamline the usage of the native Kubernetes secret store but generally, it is a better practice to create a component definition like the one below with a custom name. Using a custom definition decouples referencing the secret store in your code from the hosting platform (Kubernetes) keeping you code more generic and portable. Additionally, by explicitly defining a Kubernetes secret store component you can connect to a Kubernetes secret store from a local Dapr self-hosted installation. This requires a valid [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file. + +When limiting access to secrets in your application using [secret scopes]({{}}), it's important to remember this store was automatically created and so to include it in the scope definition. + +## Create a custom Kubernetes secret store component To setup a Kubernetes secret store create a component of type `secretstores.kubernetes`. See [this guide]({{< ref "setup-secret-store.md#apply-the-configuration" >}}) on how to create and apply a secretstore configuration. See this guide on [referencing secrets]({{< ref component-secrets.md >}}) to retrieve and use the secret with Dapr components. @@ -23,14 +28,9 @@ spec: metadata: - name: "" ``` -{{% alert title="Warning" color="warning" %}} -When Dapr is deployed to Kubernetes a secret store with name `kubernetes` is automatically provisioned. We discourage use of this secret store. -{{% /alert %}} - ->Note: By explicitly defining a Kubernetes secret store component you can connect to a Kubernetes secret store from a local standalone Dapr installation. This requires a valid [`kubeconfig`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file. - ## Related links - [Secrets building block]({{< ref secrets >}}) - [How-To: Retrieve a secret]({{< ref "howto-secrets.md" >}}) - [How-To: Reference secrets in Dapr components]({{< ref component-secrets.md >}}) - [Secrets API reference]({{< ref secrets_api.md >}}) +- [How To: Use secret scoping]({{}})