Dapr Secret input binding for Azure Functions

Important

The Dapr Extension for Azure Functions is currently in preview and only supported in Azure Container Apps environments.

The Dapr secret input binding allows you to read secrets data as input during function execution.

For information on setup and configuration details of the Dapr extension, see the Dapr extension overview.

Example

A C# function can be created using one of the following C# modes:

Execution model	Description
Isolated worker model	Your function code runs in a separate .NET worker process. Use with supported versions of .NET and .NET Framework. To learn more, see Develop .NET isolated worker process functions.
In-process model	Your function code runs in the same process as the Functions host process. Supports only Long Term Support (LTS) versions of .NET. To learn more, see Develop .NET class library functions.

In-process

[FunctionName("RetrieveSecret")]
public static void Run(
    [DaprServiceInvocationTrigger] object args,
    [DaprSecret("kubernetes", "my-secret", Metadata = "metadata.namespace=default")] IDictionary<string, string> secret,
    ILogger log)
{
    log.LogInformation("C# function processed a RetrieveSecret request from the Dapr Runtime.");
}

Isolated process

More samples for the Dapr input secret binding are available in the GitHub repository.

[Function("RetrieveSecret")]
public static void Run(
    [DaprServiceInvocationTrigger] object args,
    [DaprSecretInput("kubernetes", "my-secret", Metadata = "metadata.namespace=default")] IDictionary<string, string> secret, 
    FunctionContext functionContext)
{
    var log = functionContext.GetLogger("RetrieveSecret");
    log.LogInformation("C# function processed a RetrieveSecret request from the Dapr Runtime.");

    // print the fetched secret value
    // this is only for demo purpose
    // please do not log any real secret in your production code        
    foreach (var kvp in secret)
    {
        log.LogInformation("Stored secret: Key = {0}, Value = {1}", kvp.Key, kvp.Value);
    }

}

The following example creates a "RetreveSecret" function using the DaprSecretInput binding with the DaprServiceInvocationTrigger:

@FunctionName("RetrieveSecret")
public void run(
    @DaprServiceInvocationTrigger(
        methodName = "RetrieveSecret") Object args,
    @DaprSecretInput(
        secretStoreName = "kubernetes", 
        key = "my-secret", 
        metadata = "metadata.namespace=default") 
        Map<String, String> secret,
    final ExecutionContext context)

Node.js v4

In the following example, the Dapr secret input binding is paired with a Dapr invoke trigger, which is registered by the app object:

const { app, trigger } = require('@azure/functions');

app.generic('RetrieveSecret', {
    trigger: trigger.generic({
        type: 'daprServiceInvocationTrigger',
        name: "payload"
    }),
    extraInputs: [daprSecretInput],
    handler: async (request, context) => {
        context.log("Node function processed a RetrieveSecret request from the Dapr Runtime.");
        const daprSecretInputValue = context.extraInputs.get(daprSecretInput);

        // print the fetched secret value
        for (var key in daprSecretInputValue) {
            context.log(`Stored secret: Key=${key}, Value=${daprSecretInputValue[key]}`);
        }
    }
});

Node.js v3

The following examples show Dapr triggers in a function.json file and JavaScript code that uses those bindings.

Here's the function.json file for daprServiceInvocationTrigger:

{
  "bindings": 
    {
      "type": "daprSecret",
      "direction": "in",
      "name": "secret",
      "key": "my-secret",
      "secretStoreName": "localsecretstore",
      "metadata": "metadata.namespace=default"
    }
}

For more information about function.json file properties, see the Configuration section.

Here's the JavaScript code:

module.exports = async function (context) {
    context.log("Node function processed a RetrieveSecret request from the Dapr Runtime.");

    // print the fetched secret value
    for( var key in context.bindings.secret)
    {
        context.log(`Stored secret: Key = ${key}, Value =${context.bindings.secret[key]}`);
    }
};

The following examples show Dapr triggers in a function.json file and PowerShell code that uses those bindings.

Here's the function.json file for daprServiceInvocationTrigger:

{
  "bindings": 
    {
      "type": "daprSecret",
      "direction": "in",
      "name": "secret",
      "key": "my-secret",
      "secretStoreName": "localsecretstore",
      "metadata": "metadata.namespace=default"
    }
}

For more information about function.json file properties, see the Configuration section.

In code:

using namespace System
using namespace Microsoft.Azure.WebJobs
using namespace Microsoft.Extensions.Logging
using namespace Microsoft.Azure.WebJobs.Extensions.Dapr
using namespace Newtonsoft.Json.Linq

param (
    $payload, $secret
)

# PowerShell function processed a CreateNewOrder request from the Dapr Runtime.
Write-Host "PowerShell function processed a RetrieveSecretLocal request from the Dapr Runtime."

# Convert the object to a JSON-formatted string with ConvertTo-Json
$jsonString = $secret | ConvertTo-Json

Write-Host "$jsonString"

Python v2

The following example shows a Dapr Secret input binding, which uses the v2 Python programming model. To use the daprSecret binding alongside the daprServiceInvocationTrigger in your Python function app code:

import logging
import json
import azure.functions as func

app = func.FunctionApp()

@app.function_name(name="RetrieveSecret")
@app.dapr_service_invocation_trigger(arg_name="payload", method_name="RetrieveSecret")
@app.dapr_secret_input(arg_name="secret", secret_store_name="localsecretstore", key="my-secret", metadata="metadata.namespace=default")
def main(payload, secret: str) :
    # Function should be invoked with this command: dapr invoke --app-id functionapp --method RetrieveSecret  --data '{}'
    logging.info('Python function processed a RetrieveSecret request from the Dapr Runtime.')
    secret_dict = json.loads(secret)

    for key in secret_dict:
        logging.info("Stored secret: Key = " + key +
                     ', Value = ' + secret_dict[key])

Python v1

The following example shows a Dapr Secret input binding, which uses the v1 Python programming model.

Here's the function.json file for daprSecret:

{
  "scriptFile": "__init__.py",
  "bindings":
    {
      "type": "daprSecret",
      "direction": "in",
      "name": "secret",
      "key": "my-secret",
      "secretStoreName": "localsecretstore",
      "metadata": "metadata.namespace=default"
    }
}

For more information about function.json file properties, see the Configuration section.

Here's the Python code:

import logging
import json
import azure.functions as func

def main (payload, secret) -> None:
    logging.info('Python function processed a RetrieveSecret request from the Dapr Runtime.')
    secret_dict = json.loads(secret)

    for key in secret_dict:
        logging.info("Stored secret: Key = " + key + ', Value = '+ secret_dict[key])

Attributes

In-process

In the in-process model, use the DaprSecret to define a Dapr secret input binding, which supports these parameters:

Parameter	Description
SecretStoreName	The name of the secret store to get the secret.
Key	The key identifying the name of the secret to get.
Metadata	Optional. An array of metadata properties in the form "key1=value1&key2=value2".

Isolated process

In the isolated worker model, use the DaprSecretInput to define a Dapr secret input binding, which supports these parameters:

Parameter	Description
SecretStoreName	The name of the secret store to get the secret.
Key	The key identifying the name of the secret to get.
Metadata	Optional. An array of metadata properties in the form "key1=value1&key2=value2".

Annotations

The DaprSecretInput annotation allows you to have your function access a secret.

Element	Description
secretStoreName	The name of the Dapr secret store.
key	The secret key value.
metadata	Optional. The metadata values.

Configuration

Node.js v4

The following table explains the binding configuration properties that you set in the code.

Property	Description
key	The secret key value.
secretStoreName	Name of the secret store as defined in the local-secret-store.yaml component file.
metadata	The metadata namespace.

Node.js v3

The following table explains the binding configuration properties that you set in the function.json file.

function.json property	Description
key	The secret key value.
secretStoreName	Name of the secret store as defined in the local-secret-store.yaml component file.
metadata	The metadata namespace.

The following table explains the binding configuration properties that you set in the function.json file.

function.json property	Description
key	The secret key value.
secretStoreName	Name of the secret store as defined in the local-secret-store.yaml component file.
metadata	The metadata namespace.

Python v2

The following table explains the binding configuration properties for @dapp.dapr_secret_input that you set in your Python code.

Property	Description
secret_store_name	The name of the secret store.
key	The secret key value.
metadata	The metadata namespace.

Python v1

The following table explains the binding configuration properties that you set in the function.json file.

function.json property	Description
key	The secret key value.
secretStoreName	Name of the secret store as defined in the local-secret-store.yaml component file.
metadata	The metadata namespace.

See the Example section for complete examples.

Usage

To use the Dapr secret input binding, start by setting up a Dapr secret store component. You can learn more about which component to use and how to set it up in the official Dapr documentation.

• Dapr secret store component specs
• How to: Retrieve a secret

Python v2

To use the daprSecret in Python v2, set up your project with the correct dependencies.

1. Create and activate a virtual environment.

2. In your requirements.text file, add the following line:

   azure-functions==1.18.0b3
   

3. In the terminal, install the Python library.

   pip install -r .\requirements.txt
   

4. Modify your local.setting.json file with the following configuration:

   "PYTHON_ISOLATE_WORKER_DEPENDENCIES":1
   

Python v1

The Python v1 model requires no additional changes, aside from setting up the secret store.

Next steps

Learn more about Dapr secrets.