Dapr's secret scoping feature lets you control which specific secrets applications can access within a secret store. Instead of giving apps access to all secrets, you can implement fine-grained permissions using allowedSecrets and deniedSecrets lists.
How It Works
Configure secret access through Dapr's Configuration resource:
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: ecommerce-config
spec:
  secrets:
    scopes:
      - storeName: azure-keyvault
        defaultAccess: deny
        allowedSecrets: ["payment-api-key", "shipping-webhook-secret"]
      - storeName: redis-secrets
        defaultAccess: allow
        deniedSecrets: ["admin-token"]
Key Rules
- allowedSecrets takes priority: only listed secrets are accessible
- deniedSecrets blocks specific secrets while allowing others
- Lists override the defaultAccess setting
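To see how the three rules combine, here is an added example (not Dapr's own code) that models the documented precedence against the ecommerce-config scopes above and answers "would this app reach secret X in store Y?". That a store with no scope entry is unrestricted is an assumption, as is treating a missing defaultAccess as allow.

```python
# Added example: a model of Dapr's documented secret-scoping rules, used to
# check which secret names a sidecar would let through. This is not Dapr's
# own implementation; the unscoped-store behaviour is an assumption.
from typing import Dict, List, Optional

# The Configuration spec from the post, written as a dict (constructed).
SCOPES: List[Dict] = [
    {"storeName": "azure-keyvault", "defaultAccess": "deny",
     "allowedSecrets": ["payment-api-key", "shipping-webhook-secret"]},
    {"storeName": "redis-secrets", "defaultAccess": "allow",
     "deniedSecrets": ["admin-token"]},
]


def find_scope(scopes: List[Dict], store_name: str) -> Optional[Dict]:
    """Return the scope entry for a store, or None if the store is unscoped."""
    for scope in scopes:
        if scope.get("storeName") == store_name:
            return scope
    return None


def is_secret_allowed(scopes: List[Dict], store_name: str, key: str) -> bool:
    """Precedence: allowedSecrets, then deniedSecrets, then defaultAccess."""
    scope = find_scope(scopes, store_name)
    if scope is None:
        return True  # assumption: a store with no scope entry is unrestricted
    allowed = scope.get("allowedSecrets") or []
    if allowed:
        # An allow list is exclusive: nothing outside it is reachable,
        # whatever deniedSecrets or defaultAccess say.
        return key in allowed
    if key in (scope.get("deniedSecrets") or []):
        return False
    # Missing defaultAccess is treated as allow (assumption).
    return scope.get("defaultAccess", "allow").lower() != "deny"


def reachable_secrets(scopes: List[Dict], store_name: str,
                      candidates: List[str]) -> List[str]:
    """Audit helper: which candidate secret names would this app reach?"""
    return sorted(k for k in candidates
                  if is_secret_allowed(scopes, store_name, k))
```

Run reachable_secrets over the names you expect an app to need and compare against the list it actually gets; any extra entry means the scope is wider than intended.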
Common Patterns
Whitelist approach (recommended for production):
defaultAccess: deny
allowedSecrets: ["service-specific-secrets"]
Blacklist approach (good for development):
defaultAccess: allow
deniedSecrets: ["sensitive-admin-secrets"]
This feature helps implement least-privilege access without changing your application code - just apply the configuration to your Dapr sidecar.