Key Concepts
Token Creation: Dapr uses shared tokens for API authentication. While there's no imposed format, the recommended approach is generating a random byte sequence encoded in Base64:
openssl rand 16 | base64
Configuration by Deployment Type
Self-hosted Deployments:
- Uses the
DAPR_API_TOKENenvironment variable - Token enforcement occurs when this variable is set at daprd process launch
- Token rotation requires updating the environment variable and restarting the process
Kubernetes Deployments:
- Leverages Kubernetes secrets to store the shared token
- Requires creating a secret in each namespace where token authentication is needed
- Uses deployment annotations to indicate token usage
Configuration Examples
Self-hosted Setup:
export DAPR_API_TOKEN=<token>
Kubernetes Secret Creation:
kubectl create secret generic dapr-api-token --from-literal=token=<token>
Kubernetes Deployment Annotation:
annotations:
dapr.io/enabled: "true"
dapr.io/api-token-secret: "dapr-api-token"
Token Rotation
Kubernetes Token Rotation:
apiVersion: v1
kind: Secret
metadata:
name: dapr-api-token
type: Opaque
data:
token: <your-new-token>
Apply to namespace and restart deployments:
kubectl apply --file token-secret.yaml --namespace <namespace-name>
kubectl rollout restart deployment/<deployment-name> --namespace <namespace-name>
Client API Usage
HTTP Requests:
curl http://localhost:3500/v1.0/metadata \
--header "dapr-api-token: my-token"
gRPC Protocol:
Token must be included in gRPC metadata as dapr-api-token[0]
Application Access
Kubernetes Environment Variable:
containers:
- name: mycontainer
image: myregistry/myapp
envFrom:
- secretRef:
name: dapr-api-token
Self-hosted Environment Variable:
export DAPR_API_TOKEN=<my-dapr-token>
Reference: https://docs.dapr.io/operations/security/api-token/
Top comments (0)