Dapr Secret input binding for Azure Functions
The Dapr secret input binding allows you to read secrets data as input during function execution.
For information on setup and configuration details of the Dapr extension, see the Dapr extension overview.
Example
A C# function can be created using one of the following C# modes:
| Execution model | Description |
|---|---|
| Isolated worker model | Your function code runs in a separate .NET worker process. Use with supported versions of .NET and .NET Framework. To learn more, see Develop .NET isolated worker process functions. |
| In-process model | Your function code runs in the same process as the Functions host process. Supports only Long Term Support (LTS) versions of .NET. To learn more, see Develop .NET class library functions. |
[FunctionName("RetrieveSecret")]
public static void Run(
[DaprServiceInvocationTrigger] object args,
[DaprSecret("kubernetes", "my-secret", Metadata = "metadata.namespace=default")] IDictionary<string, string> secret,
ILogger log)
{
log.LogInformation("C# function processed a RetrieveSecret request from the Dapr Runtime.");
}
The following example creates a "RetreveSecret" function using the DaprSecretInput binding with the DaprServiceInvocationTrigger:
@FunctionName("RetrieveSecret")
public void run(
@DaprServiceInvocationTrigger(
methodName = "RetrieveSecret") Object args,
@DaprSecretInput(
secretStoreName = "kubernetes",
key = "my-secret",
metadata = "metadata.namespace=default")
Map<String, String> secret,
final ExecutionContext context)
In the following example, the Dapr secret input binding is paired with a Dapr invoke trigger, which is registered by the app object:
const { app, trigger } = require('@azure/functions');
app.generic('RetrieveSecret', {
trigger: trigger.generic({
type: 'daprServiceInvocationTrigger',
name: "payload"
}),
extraInputs: [daprSecretInput],
handler: async (request, context) => {
context.log("Node function processed a RetrieveSecret request from the Dapr Runtime.");
const daprSecretInputValue = context.extraInputs.get(daprSecretInput);
// print the fetched secret value
for (var key in daprSecretInputValue) {
context.log(`Stored secret: Key=${key}, Value=${daprSecretInputValue[key]}`);
}
}
});
The following examples show Dapr triggers in a function.json file and PowerShell code that uses those bindings.
Here's the function.json file for daprServiceInvocationTrigger:
{
"bindings":
{
"type": "daprSecret",
"direction": "in",
"name": "secret",
"key": "my-secret",
"secretStoreName": "localsecretstore",
"metadata": "metadata.namespace=default"
}
}
For more information about function.json file properties, see the Configuration section.
In code:
using namespace System
using namespace Microsoft.Azure.WebJobs
using namespace Microsoft.Extensions.Logging
using namespace Microsoft.Azure.WebJobs.Extensions.Dapr
using namespace Newtonsoft.Json.Linq
param (
$payload, $secret
)
# PowerShell function processed a CreateNewOrder request from the Dapr Runtime.
Write-Host "PowerShell function processed a RetrieveSecretLocal request from the Dapr Runtime."
# Convert the object to a JSON-formatted string with ConvertTo-Json
$jsonString = $secret | ConvertTo-Json
Write-Host "$jsonString"
The following example shows a Dapr Secret input binding, which uses the v2 Python programming model. To use the daprSecret binding alongside the daprServiceInvocationTrigger in your Python function app code:
import logging
import json
import azure.functions as func
app = func.FunctionApp()
@app.function_name(name="RetrieveSecret")
@app.dapr_service_invocation_trigger(arg_name="payload", method_name="RetrieveSecret")
@app.dapr_secret_input(arg_name="secret", secret_store_name="localsecretstore", key="my-secret", metadata="metadata.namespace=default")
def main(payload, secret: str) :
# Function should be invoked with this command: dapr invoke --app-id functionapp --method RetrieveSecret --data '{}'
logging.info('Python function processed a RetrieveSecret request from the Dapr Runtime.')
secret_dict = json.loads(secret)
for key in secret_dict:
logging.info("Stored secret: Key = " + key +
', Value = ' + secret_dict[key])
Attributes
In the in-process model, use the DaprSecret to define a Dapr secret input binding, which supports these parameters:
| Parameter | Description |
|---|---|
| SecretStoreName | The name of the secret store to get the secret. |
| Key | The key identifying the name of the secret to get. |
| Metadata | Optional. An array of metadata properties in the form "key1=value1&key2=value2". |
Annotations
The DaprSecretInput annotation allows you to have your function access a secret.
| Element | Description |
|---|---|
| secretStoreName | The name of the Dapr secret store. |
| key | The secret key value. |
| metadata | Optional. The metadata values. |
Configuration
The following table explains the binding configuration properties that you set in the code.
| Property | Description |
|---|---|
| key | The secret key value. |
| secretStoreName | Name of the secret store as defined in the local-secret-store.yaml component file. |
| metadata | The metadata namespace. |
The following table explains the binding configuration properties that you set in the function.json file.
| function.json property | Description |
|---|---|
| key | The secret key value. |
| secretStoreName | Name of the secret store as defined in the local-secret-store.yaml component file. |
| metadata | The metadata namespace. |
See the Example section for complete examples.
Usage
To use the Dapr secret input binding, start by setting up a Dapr secret store component. You can learn more about which component to use and how to set it up in the official Dapr documentation.
To use the daprSecret in Python v2, set up your project with the correct dependencies.
In your
requirements.textfile, add the following line:azure-functions==1.18.0b3In the terminal, install the Python library.
pip install -r .\requirements.txtModify your
local.setting.jsonfile with the following configuration:"PYTHON_ISOLATE_WORKER_DEPENDENCIES":1