Dapr Secret Store
When running with the Dapr sidecar, @purista/dapr-sdk routes secret store operations through Dapr’s secret management API. The backing secret store — Kubernetes secrets, HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager — is configured as a Dapr component, completely decoupled from your PURISTA code.
Capabilities
| Feature | Support |
|---|---|
| Read (getSecret) | ✅ |
| Write (setSecret) | ✅ (opt-in) |
| Delete (removeSecret) | ✅ (opt-in) |
| Backing store | Any Dapr secret component |
| Infrastructure portability | ✅ (swap component, not code) |
Install
```bash
npm install @purista/dapr-sdk
```
Setup
Secret store access is configured on the DaprEventBridge alongside the event bridge — no separate constructor needed.
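```typescript
import { DaprEventBridge } from '@purista/dapr-sdk'

const eventBridge = new DaprEventBridge({
  // Token the SDK presents to the Dapr sidecar API; read from the environment, never hard-coded
  daprApiToken: process.env.DAPR_API_TOKEN,
  // Each name must match metadata.name of the corresponding Dapr component
  secretStoreName: 'my-secret-store',
  configStoreName: 'my-config-store',
  stateStoreName: 'my-state-store',
})

// myV1Service is your own PURISTA service builder, imported from your service module
const myService = await myV1Service.getInstance(eventBridge)
```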
Dapr component definition
Example using Kubernetes secrets as the backing store:
```yaml
# components/secret-store.yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: my-secret-store
spec:
  type: secretstores.kubernetes
  version: v1
```
Swap spec.type to secretstores.hashicorp.vault, secretstores.aws.secretsmanager, secretstores.azure.keyvault, etc. without any PURISTA code change.
Usage inside a handler
```typescript
.setCommandFunction(async function (context, payload) {
  const { dbPassword } = await context.secrets.getSecret('dbPassword')
  // use dbPassword to connect to your database
})
```
Operational tips
- Use Dapr secret store scopes to restrict which services can access which secrets
- In Kubernetes, Dapr’s Kubernetes secret store accesses native Kubernetes secrets — combine with external-secrets-operator for GitOps-driven secret management
- Dapr handles connection retries to the sidecar automatically; implement graceful startup to handle the case where the sidecar is not yet ready
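The component definition shown earlier carries no scoping, so any Dapr application in the namespace can load it and read every secret it exposes. The following is an added example, not part of the original page or the PURISTA project, showing the first tip applied to `my-secret-store`; the app ID `my-service` and the configuration name `my-service-config` are assumptions.

```yaml
# Added example: names marked "assumed" are not from the original page.
---
# Component scoping: only the listed Dapr app IDs can load this secret store.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: my-secret-store
spec:
  type: secretstores.kubernetes
  version: v1
scopes:
  - my-service              # assumed Dapr app ID of the PURISTA service
---
# Secret scoping: deny by default, allow only the secrets this app needs.
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: my-service-config   # assumed name
spec:
  secrets:
    scopes:
      - storeName: my-secret-store
        defaultAccess: deny
        allowedSecrets: ["dbPassword"]   # the secret read in the handler above
      # In Kubernetes mode Dapr also provides a built-in store named "kubernetes";
      # deny it too so it cannot be used to bypass the allow-list above.
      - storeName: kubernetes
        defaultAccess: deny
```

The Configuration takes effect only for pods that reference it with the `dapr.io/config: "my-service-config"` annotation. With this in place, a request for any secret other than `dbPassword` is refused by the sidecar.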