From 666ec9e0bfdcee56ee817192bbd21f1dcc89b9e3 Mon Sep 17 00:00:00 2001 From: MyMirelHub <15373565+MyMirelHub@users.noreply.github.com> Date: Wed, 24 Sep 2025 19:41:13 +0200 Subject: [PATCH 1/8] Enhance AWS Secrets Manager documentation and YAML configuration to include support for multiple key-value pairs per secret Signed-off-by: MyMirelHub <15373565+MyMirelHub@users.noreply.github.com> --- .../aws-secret-manager.md | 45 ++++++++++++++++++- .../data/components/secret_stores/aws.yaml | 2 + 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md index d59af95a5a3..74f47e0e92b 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md @@ -2,7 +2,7 @@ type: docs title: "AWS Secrets Manager" linkTitle: "AWS Secrets Manager" -description: Detailed information on the secret store component +description: Detailed information on the AWS Secrets Manager secret store component aliases: - "/operations/components/setup-secret-store/supported-secret-stores/aws-secret-manager/" --- @@ -30,6 +30,8 @@ spec: value: "[aws_secret_key]" - name: sessionToken value: "[aws_session_token]" + - name: multipleKeyValuesPerSecret + value: "false" ``` {{% alert title="Warning" color="warning" %}} The above example uses secrets as plain strings. It is recommended to use a local secret store such as [Kubernetes secret store]({{% ref kubernetes-secret-store.md %}}) or a [local file]({{% ref file-secret-store.md %}}) to bootstrap secure key storage. 
@@ -43,6 +45,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca | accessKey | Y | The AWS Access Key to access this resource | `"key"` | | secretKey | Y | The AWS Secret Access Key to access this resource | `"secretAccessKey"` | | sessionToken | N | The AWS session token to use | `"sessionToken"` | +| multipleKeyValuesPerSecret | N | `"true"` sets the multipleKeyValuesPerSecret behavior. Allows parsing JSON objects stored as secrets into multiple key-value pairs. Defaults to `"false"` | `"true"` | {{% alert title="Important" color="warning" %}} When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using. 
@@ -61,6 +64,46 @@ Query Parameter | Description Setup AWS Secrets Manager using the AWS documentation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html. +## Multiple key-values per secret + +The `multipleKeyValuesPerSecret` flag determines whether the secret store presents a single value or multiple key-value pairs per secret. + +### Single value per secret (default) + +If `multipleKeyValuesPerSecret` is `false` (default), AWS Secrets Manager returns the secret value as-is. Given a secret named `database-credentials` with the following JSON content: + +```json +{ + "username": "admin", + "password": "secret123", + "host": "db.example.com" +} +``` + +Requesting this secret returns the entire JSON as a single value: + +```bash +$ curl http://localhost:3501/v1.0/secrets/awssecretmanager/database-credentials +{ + "database-credentials": "{\"username\":\"admin\",\"password\":\"secret123\",\"host\":\"db.example.com\"}" +} +``` + +### Multiple key-values per secret + +If `multipleKeyValuesPerSecret` is `true`, the secret store parses JSON content stored in AWS Secrets Manager and returns it as multiple key-value pairs. + +Using the same `database-credentials` secret from above, the response would be: + +```bash +$ curl http://localhost:3501/v1.0/secrets/awssecretmanager/database-credentials +{ + "username": "admin", + "password": "secret123", + "host": "db.example.com" +} +``` + ## Related links - [Secrets building block]({{% ref secrets %}}) - [How-To: Retrieve a secret]({{% ref "howto-secrets.md" %}}) diff --git a/daprdocs/data/components/secret_stores/aws.yaml b/daprdocs/data/components/secret_stores/aws.yaml index 522b7f64e64..5d08844b8ff 100644 --- a/daprdocs/data/components/secret_stores/aws.yaml +++ b/daprdocs/data/components/secret_stores/aws.yaml @@ -3,6 +3,8 @@ state: Beta version: v1 since: "1.15" + features: + multipleKeyValuesPerSecret: true - component: AWS SSM Parameter Store link: aws-parameter-store state: Alpha 
From 3bed53cb3f2eb5558e8b6e0d98a7ce995268dbab Mon Sep 17 00:00:00 2001 From: Mirel <15373565+MyMirelHub@users.noreply.github.com> Date: Thu, 9 Oct 2025 13:49:09 +0200 Subject: [PATCH 2/8] Apply suggestion from @alicejgibbons Co-authored-by: Alice Gibbons Signed-off-by: Mirel <15373565+MyMirelHub@users.noreply.github.com> --- .../supported-secret-stores/aws-secret-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md index 74f47e0e92b..250a0f90d2a 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md @@ -45,7 +45,7 @@ The above example uses secrets as plain strings. It is recommended to use a loca | accessKey | Y | The AWS Access Key to access this resource | `"key"` | | secretKey | Y | The AWS Secret Access Key to access this resource | `"secretAccessKey"` | | sessionToken | N | The AWS session token to use | `"sessionToken"` | -| multipleKeyValuesPerSecret | N | `"true"` sets the multipleKeyValuesPerSecret behavior. Allows parsing JSON objects stored as secrets into multiple key-value pairs. Defaults to `"false"` | `"true"` | +| multipleKeyValuesPerSecret | N | When set to `"true"` allows for multiple key value pairs to be stored in a single secret. Defaults to `"false"` | `"true"` | {{% alert title="Important" color="warning" %}} When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using. 
From 5113e33562c0dd7eb53cf7a96717cacc332bc8a9 Mon Sep 17 00:00:00 2001 From: Mirel <15373565+MyMirelHub@users.noreply.github.com> Date: Thu, 9 Oct 2025 13:49:22 +0200 Subject: [PATCH 3/8] Apply suggestion from @alicejgibbons Co-authored-by: Alice Gibbons Signed-off-by: Mirel <15373565+MyMirelHub@users.noreply.github.com> --- .../supported-secret-stores/aws-secret-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md index 250a0f90d2a..358ad7887ec 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md @@ -64,7 +64,7 @@ Query Parameter | Description Setup AWS Secrets Manager using the AWS documentation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html. -## Multiple key-values per secret +## Configure multiple key-values per secret The `multipleKeyValuesPerSecret` flag determines whether the secret store presents a single value or multiple key-value pairs per secret. From 5378672af115cdc3f78547ffcceb5d187483f322 Mon Sep 17 00:00:00 2001 From: Mirel <15373565+MyMirelHub@users.noreply.github.com> Date: Thu, 9 Oct 2025 13:49:29 +0200 Subject: [PATCH 4/8] Apply suggestion from @alicejgibbons Co-authored-by: Alice Gibbons Signed-off-by: Mirel <15373565+MyMirelHub@users.noreply.github.com> --- .../supported-secret-stores/aws-secret-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md index 358ad7887ec..dc0f4b534fe 100644 
--- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md @@ -68,7 +68,7 @@ Setup AWS Secrets Manager using the AWS documentation: https://docs.aws.amazon.c The `multipleKeyValuesPerSecret` flag determines whether the secret store presents a single value or multiple key-value pairs per secret. -### Single value per secret (default) +### Single value per secret If `multipleKeyValuesPerSecret` is `false` (default), AWS Secrets Manager returns the secret value as-is. Given a secret named `database-credentials` with the following JSON content: From aeebcd417193f0bd773de5b4b82860b5c1e49701 Mon Sep 17 00:00:00 2001 From: Mirel <15373565+MyMirelHub@users.noreply.github.com> Date: Thu, 9 Oct 2025 13:49:37 +0200 Subject: [PATCH 5/8] Apply suggestion from @alicejgibbons Co-authored-by: Alice Gibbons Signed-off-by: Mirel <15373565+MyMirelHub@users.noreply.github.com> --- .../supported-secret-stores/aws-secret-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md index dc0f4b534fe..31b9ce18a84 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md 
@@ -83,7 +83,7 @@ If `multipleKeyValuesPerSecret` is `false` (default), AWS Secrets Manager return Requesting this secret returns the entire JSON as a single value: ```bash -$ curl http://localhost:3501/v1.0/secrets/awssecretmanager/database-credentials +$ curl http://localhost:3500/v1.0/secrets/awssecretmanager/database-credentials { "database-credentials": "{\"username\":\"admin\",\"password\":\"secret123\",\"host\":\"db.example.com\"}" } From 88f924e4c3d784e1b58e7c2c6d896872ac67af34 Mon Sep 17 00:00:00 2001 From: Mirel <15373565+MyMirelHub@users.noreply.github.com> Date: Thu, 9 Oct 2025 13:49:43 +0200 Subject: [PATCH 6/8] Apply suggestion from @alicejgibbons Co-authored-by: Alice Gibbons Signed-off-by: Mirel <15373565+MyMirelHub@users.noreply.github.com> --- .../supported-secret-stores/aws-secret-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md index 31b9ce18a84..7c0bdcf8f98 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md @@ -89,7 +89,7 @@ $ curl http://localhost:3500/v1.0/secrets/awssecretmanager/database-credentials } ``` -### Multiple key-values per secret +### Multiple key-value pairs per secret If `multipleKeyValuesPerSecret` is `true`, the secret store parses JSON content stored in AWS Secrets Manager and returns it as multiple key-value pairs. From 9f0afc0eed495d88f32e9fc0a1ac554d6d3a9f63 Mon Sep 17 00:00:00 2001 From: Mirel <15373565+MyMirelHub@users.noreply.github.com> Date: Thu, 9 Oct 2025 13:49:49 +0200 Subject: [PATCH 7/8] Apply suggestion from @alicejgibbons Co-authored-by: Alice Gibbons 
Signed-off-by: Mirel <15373565+MyMirelHub@users.noreply.github.com> --- .../supported-secret-stores/aws-secret-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md index 7c0bdcf8f98..5c5e85847dc 100644 --- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md @@ -93,7 +93,7 @@ $ curl http://localhost:3500/v1.0/secrets/awssecretmanager/database-credentials If `multipleKeyValuesPerSecret` is `true`, the secret store parses JSON content stored in AWS Secrets Manager and returns it as multiple key-value pairs. -Using the same `database-credentials` secret from above, the response would be: +Requesting the same `database-credentials` secret from above, the response breaks the JSON object into its own entries, allowing it to be parsed into multiple key-value pairs. ```bash $ curl http://localhost:3501/v1.0/secrets/awssecretmanager/database-credentials From 6475f4d65d642750a3fd9329a22302e782423a11 Mon Sep 17 00:00:00 2001 From: Mirel <15373565+MyMirelHub@users.noreply.github.com> Date: Thu, 9 Oct 2025 13:49:55 +0200 Subject: [PATCH 8/8] Apply suggestion from @alicejgibbons Co-authored-by: Alice Gibbons Signed-off-by: Mirel <15373565+MyMirelHub@users.noreply.github.com> --- .../supported-secret-stores/aws-secret-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md index 5c5e85847dc..27b5ee7c23c 100644 
--- a/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md +++ b/daprdocs/content/en/reference/components-reference/supported-secret-stores/aws-secret-manager.md @@ -96,7 +96,7 @@ If `multipleKeyValuesPerSecret` is `true`, the secret store parses JSON content Requesting the same `database-credentials` secret from above, the response breaks the JSON object into its own entries, allowing it to be parsed into multiple key-value pairs. ```bash -$ curl http://localhost:3501/v1.0/secrets/awssecretmanager/database-credentials +$ curl http://localhost:3500/v1.0/secrets/awssecretmanager/database-credentials { "username": "admin", "password": "secret123",
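Review bot: In PATCH 2/8, the replacement table row for `multipleKeyValuesPerSecret` says the flag "allows for multiple key value pairs to be stored in a single secret", but nothing in this series changes what can be stored. The new section describes the flag as controlling how the store parses and presents the secret value. The wording removed from PATCH 1/8 ("Allows parsing JSON objects stored as secrets into multiple key-value pairs") matched that behaviour. Suggest something like: When set to `"true"`, parses a JSON object stored in the secret and returns it as multiple key-value pairs. Defaults to `"false"`. Also hyphenate "key-value" to match the rest of the page.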
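Review bot: In PATCH 1/8, the new "Multiple key-values per secret" section (hunk `@@ -61,6 +64,46 @@`) documents only the case where the secret holds a flat JSON object of strings. It should also say what the store returns with `multipleKeyValuesPerSecret` set to `"true"` when the secret value is a plain string, invalid JSON, or JSON with nested objects or arrays. The two sample responses also show that the top-level key changes from `database-credentials` to the JSON field names (`username`, `password`, `host`). Add a sentence stating that callers reading the value by secret name must be updated when the flag is switched on for an existing component.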
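Review bot: In PATCH 3/8, the new heading "Configure multiple key-values per secret" uses "key-values", while the body text and the heading introduced in PATCH 6/8 use "key-value pairs". Suggest "Configure multiple key-value pairs per secret" so the parent heading and the subsection heading use the same term.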
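Review bot: In PATCH 7/8, the replacement sentence opens with a dangling modifier ("Requesting the same ... secret from above, the response breaks ...") and ends with a period even though it introduces the code block that follows, where the line it replaces ended with a colon. It also repeats "multiple key-value pairs" from the sentence directly above it. Suggest: When you request the same `database-credentials` secret, the response contains each field of the JSON object as its own entry: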
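Review bot: In PATCH 1/8, the `aws.yaml` hunk adds `features: multipleKeyValuesPerSecret: true` to an entry whose `since: "1.15"` line is left unchanged, and the new documentation section does not say which release introduced the field. If the field arrived in a later release than the one given in `since`, readers on the older runtime will set a field that has no effect. Confirm the release and state it next to the parameter in the spec metadata table.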