| title | Dapr Secret input binding for Azure Functions |
|---|---|
| description | Learn how to access Dapr Secret input binding data during function execution in Azure Functions. |
| ms.topic | reference |
| ms.date | 05/10/2024 |
| ms.author | nigreenf |
| ms.reviewer | hannahhunter |
| ms.subservice | dapr |
| ms.devlang | csharp |
| ms.custom | devx-track-csharp, devx-track-python, devx-track-dotnet, devx-track-extended-java, devx-track-js, build-2024 |
| zone_pivot_groups | programming-languages-set-functions-lang-workers |
The Dapr secret input binding allows you to read secrets data as input during function execution.
For information on setup and configuration details of the Dapr extension, see the Dapr extension overview.
::: zone pivot="programming-language-csharp"
A C# function can be created using one of the following C# modes:
[!INCLUDE dotnet-execution]
[FunctionName("RetrieveSecret")]
public static void Run(
[DaprServiceInvocationTrigger] object args,
[DaprSecret("kubernetes", "my-secret", Metadata = "metadata.namespace=default")] IDictionary<string, string> secret,
ILogger log)
{
log.LogInformation("C# function processed a RetrieveSecret request from the Dapr Runtime.");
}More samples for the Dapr input secret binding are available in the GitHub repository.
:::code language="csharp" source="~/azure-functions-dapr-extension/samples/dotnet-isolated-azurefunction/InputBinding/RetrieveSecret.cs" range="18-35":::
::: zone-end
::: zone pivot="programming-language-java"
The following example creates a "RetrieveSecret" function using the DaprSecretInput binding with the DaprServiceInvocationTrigger:
@FunctionName("RetrieveSecret")
public void run(
@DaprServiceInvocationTrigger(
methodName = "RetrieveSecret") Object args,
@DaprSecretInput(
secretStoreName = "kubernetes",
key = "my-secret",
metadata = "metadata.namespace=default")
Map<String, String> secret,
final ExecutionContext context)::: zone-end
::: zone pivot="programming-language-javascript"
In the following example, the Dapr secret input binding is paired with a Dapr invoke trigger, which is registered by the app object:
const { app, trigger } = require('@azure/functions');
app.generic('RetrieveSecret', {
trigger: trigger.generic({
type: 'daprServiceInvocationTrigger',
name: "payload"
}),
extraInputs: [daprSecretInput],
handler: async (request, context) => {
context.log("Node function processed a RetrieveSecret request from the Dapr Runtime.");
const daprSecretInputValue = context.extraInputs.get(daprSecretInput);
// print the fetched secret value
for (var key in daprSecretInputValue) {
context.log(`Stored secret: Key=${key}, Value=${daprSecretInputValue[key]}`);
}
}
});The following examples show Dapr triggers in a function.json file and JavaScript code that uses those bindings.
Here's the function.json file for daprServiceInvocationTrigger:
{
"bindings":
{
"type": "daprSecret",
"direction": "in",
"name": "secret",
"key": "my-secret",
"secretStoreName": "localsecretstore",
"metadata": "metadata.namespace=default"
}
}For more information about function.json file properties, see the Configuration section.
Here's the JavaScript code:
module.exports = async function (context) {
context.log("Node function processed a RetrieveSecret request from the Dapr Runtime.");
// print the fetched secret value
for( var key in context.bindings.secret)
{
context.log(`Stored secret: Key = ${key}, Value =${context.bindings.secret[key]}`);
}
};::: zone-end
::: zone pivot="programming-language-powershell"
The following examples show Dapr triggers in a function.json file and PowerShell code that uses those bindings.
Here's the function.json file for daprServiceInvocationTrigger:
{
"bindings":
{
"type": "daprSecret",
"direction": "in",
"name": "secret",
"key": "my-secret",
"secretStoreName": "localsecretstore",
"metadata": "metadata.namespace=default"
}
}For more information about function.json file properties, see the Configuration section.
In code:
using namespace System
using namespace Microsoft.Azure.WebJobs
using namespace Microsoft.Extensions.Logging
using namespace Microsoft.Azure.WebJobs.Extensions.Dapr
using namespace Newtonsoft.Json.Linq
param (
$payload, $secret
)
# PowerShell function processed a CreateNewOrder request from the Dapr Runtime.
Write-Host "PowerShell function processed a RetrieveSecretLocal request from the Dapr Runtime."
# Convert the object to a JSON-formatted string with ConvertTo-Json
$jsonString = $secret | ConvertTo-Json
Write-Host "$jsonString"::: zone-end
::: zone pivot="programming-language-python"
The following example shows a Dapr Secret input binding, which uses the v2 Python programming model. To use the daprSecret binding alongside the daprServiceInvocationTrigger in your Python function app code:
import logging
import json
import azure.functions as func
app = func.FunctionApp()
@app.function_name(name="RetrieveSecret")
@app.dapr_service_invocation_trigger(arg_name="payload", method_name="RetrieveSecret")
@app.dapr_secret_input(arg_name="secret", secret_store_name="localsecretstore", key="my-secret", metadata="metadata.namespace=default")
def main(payload, secret: str) :
# Function should be invoked with this command: dapr invoke --app-id functionapp --method RetrieveSecret --data '{}'
logging.info('Python function processed a RetrieveSecret request from the Dapr Runtime.')
secret_dict = json.loads(secret)
for key in secret_dict:
logging.info("Stored secret: Key = " + key +
', Value = ' + secret_dict[key])The following example shows a Dapr Secret input binding, which uses the v1 Python programming model.
Here's the function.json file for daprSecret:
{
"scriptFile": "__init__.py",
"bindings":
{
"type": "daprSecret",
"direction": "in",
"name": "secret",
"key": "my-secret",
"secretStoreName": "localsecretstore",
"metadata": "metadata.namespace=default"
}
}For more information about function.json file properties, see the Configuration section.
Here's the Python code:
import logging
import json
import azure.functions as func
def main (payload, secret) -> None:
logging.info('Python function processed a RetrieveSecret request from the Dapr Runtime.')
secret_dict = json.loads(secret)
for key in secret_dict:
logging.info("Stored secret: Key = " + key + ', Value = '+ secret_dict[key])::: zone-end
::: zone pivot="programming-language-csharp"
In the in-process model, use the DaprSecret to define a Dapr secret input binding, which supports these parameters:
| Parameter | Description |
|---|---|
| SecretStoreName | The name of the secret store to get the secret. |
| Key | The key identifying the name of the secret to get. |
| Metadata | Optional. An array of metadata properties in the form "key1=value1&key2=value2". |
In the isolated worker model, use the DaprSecretInput to define a Dapr secret input binding, which supports these parameters:
| Parameter | Description |
|---|---|
| SecretStoreName | The name of the secret store to get the secret. |
| Key | The key identifying the name of the secret to get. |
| Metadata | Optional. An array of metadata properties in the form "key1=value1&key2=value2". |
::: zone-end
::: zone pivot="programming-language-java"
The DaprSecretInput annotation allows you to have your function access a secret.
| Element | Description |
|---|---|
| secretStoreName | The name of the Dapr secret store. |
| key | The secret key value. |
| metadata | Optional. The metadata values. |
::: zone-end
::: zone pivot="programming-language-javascript, programming-language-powershell, programming-language-python"
::: zone-end
::: zone pivot="programming-language-javascript"
The following table explains the binding configuration properties that you set in the code.
| Property | Description |
|---|---|
| key | The secret key value. |
| secretStoreName | Name of the secret store as defined in the local-secret-store.yaml component file. |
| metadata | The metadata namespace. |
The following table explains the binding configuration properties that you set in the function.json file.
| function.json property | Description |
|---|---|
| key | The secret key value. |
| secretStoreName | Name of the secret store as defined in the local-secret-store.yaml component file. |
| metadata | The metadata namespace. |
::: zone-end
::: zone pivot="programming-language-powershell"
The following table explains the binding configuration properties that you set in the function.json file.
| function.json property | Description |
|---|---|
| key | The secret key value. |
| secretStoreName | Name of the secret store as defined in the local-secret-store.yaml component file. |
| metadata | The metadata namespace. |
::: zone-end
::: zone pivot="programming-language-python"
The following table explains the binding configuration properties for @dapp.dapr_secret_input that you set in your Python code.
| Property | Description |
|---|---|
| secret_store_name | The name of the secret store. |
| key | The secret key value. |
| metadata | The metadata namespace. |
The following table explains the binding configuration properties that you set in the function.json file.
| function.json property | Description |
|---|---|
| key | The secret key value. |
| secretStoreName | Name of the secret store as defined in the local-secret-store.yaml component file. |
| metadata | The metadata namespace. |
::: zone-end
See the Example section for complete examples.
To use the Dapr secret input binding, start by setting up a Dapr secret store component. You can learn more about which component to use and how to set it up in the official Dapr documentation.
::: zone pivot="programming-language-python"
To use the daprSecret in Python v2, set up your project with the correct dependencies.
-
In your
requirements.textfile, add the following line:azure-functions==1.18.0b3
-
In the terminal, install the Python library.
pip install -r .\requirements.txt -
Modify your
local.setting.jsonfile with the following configuration:"PYTHON_ISOLATE_WORKER_DEPENDENCIES":1
The Python v1 model requires no additional changes, aside from setting up the secret store.
::: zone-end