Merge pull request #3593 from tmacam/Fix3353_SecretStoreQueryParameters

Fix documentation for Secret Stores query parameters.
dapr · Jul 5, 2023 · 1d82e02 · 1d82e02
2 parents 044fac5 + 53b7060
commit 1d82e02
Show file tree

Hide file tree

Showing 8 changed files with 68 additions and 20 deletions.
diff --git a/daprdocs/content/en/reference/api/secrets_api.md b/daprdocs/content/en/reference/api/secrets_api.md
@@ -28,26 +28,20 @@ name | the name of the secret to get
 
 #### Query Parameters
 
-Some secret stores have **optional** metadata properties. metadata is populated using query parameters:
+Some secret stores support **optional**, per-request metadata properties. Use query parameters to provide those properties. For example:
 
 ```
 GET http://localhost:<daprPort>/v1.0/secrets/<secret-store-name>/<name>?metadata.version_id=15
 ```
 
-##### GCP Secret Manager
-The following optional meta can be provided to the GCP Secret Manager component
+Observe that not all secret stores support the same set of parameters. For example:
+- Hashicorp Vault, GCP Secret Manager and AWS Secret Manager support the `version_id` parameter
+- Only AWS Secret Manager supports the `version_stage` parameter 
+- Only Kubernetes Secrets supports the `namespace` parameter
+Check each [secret store's documentation]({{< ref supported-secret-stores.md >}}) for the list of supported parameters.
 
-Query Parameter | Description
---------- | -----------
-metadata.version_id | version for the given secret key
 
-##### AWS Secret Manager
-The following optional meta can be provided to the AWS Secret Manager component
 
-Query Parameter | Description
---------- | -----------
-metadata.version_id | version for the given secret key
-metadata.version_stage | version stage for the given secret key
 
 ### HTTP Response
 
@@ -101,17 +95,11 @@ Code | Description
 ### Examples
 
 ```shell
-curl http://localhost:3500/v1.0/secrets/vault/db-secret
+curl http://localhost:3500/v1.0/secrets/mySecretStore/db-secret
 ```
 
 ```shell
-curl http://localhost:3500/v1.0/secrets/vault/db-secret?metadata.version_id=15&metadata.version_stage=AAA
-```
-
-> Note, in case of deploying into namespace other than  default, the above query will also have to include the namespace metadata (e.g. `production` below)
-
-```shell
-curl http://localhost:3500/v1.0/secrets/vault/db-secret?metadata.version_id=15&?metadata.namespace=production
+curl http://localhost:3500/v1.0/secrets/myAwsSecretStore/db-secret?metadata.version_id=15&metadata.version_stage=production
 ```
 
 ## Get Bulk Secret

diff --git a/...ce/components-reference/supported-secret-stores/alicloud-oos-parameter-store.md b/...ce/components-reference/supported-secret-stores/alicloud-oos-parameter-store.md
@@ -43,6 +43,15 @@ The above example uses secrets as plain strings. It is recommended to use a loca
 | accessKeySecret    | Y        | The AlibabaCloud Access Key Secret to access this resource              | `"accessKeySecret"`  |
 | securityToken      | N        | The AlibabaCloud Security Token to use                                  | `"securityToken"`    |
 
+## Optional per-request metadata properties
+
+The following [optional query parameters]({{< ref "secrets_api.md#query-parameters" >}}) can be provided when retrieving secrets from this secret store:
+
+Query Parameter | Description
+--------- | -----------
+`metadata.version_id` | Version for the given secret key
+`metadata.path` | (For bulk requests only) The path from the metadata. If not set, defaults to root path (all secrets).
+
 ## Create an AlibabaCloud OOS Parameter Store instance
 
 Setup AlibabaCloud OOS Parameter Store using the AlibabaCloud documentation: https://www.alibabacloud.com/help/en/doc-detail/186828.html.

diff --git a/...en/reference/components-reference/supported-secret-stores/aws-secret-manager.md b/...en/reference/components-reference/supported-secret-stores/aws-secret-manager.md
@@ -48,6 +48,15 @@ The above example uses secrets as plain strings. It is recommended to use a loca
 When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes), if you're using a node/pod that has already been attached to an IAM policy defining access to AWS resources, you **must not** provide AWS access-key, secret-key, and tokens in the definition of the component spec you're using.  
 {{% /alert %}}
 
+## Optional per-request metadata properties
+
+The following [optional query parameters]({{< ref "secrets_api#query-parameters" >}}) can be provided when retrieving secrets from this secret store:
+
+Query Parameter | Description
+--------- | -----------
+`metadata.version_id` | Version for the given secret key.
+`metadata.version_stage` | Version stage for the given secret key.
+
 ## Create an AWS Secrets Manager instance
 
 Setup AWS Secrets Manager using the AWS documentation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html.

diff --git a/...ent/en/reference/components-reference/supported-secret-stores/azure-keyvault.md b/...ent/en/reference/components-reference/supported-secret-stores/azure-keyvault.md
@@ -53,6 +53,15 @@ The Azure Key Vault secret store component supports authentication with Azure AD
 
 Additionally, you must provide the authentication fields as explained in the [Authenticating to Azure]({{< ref authenticating-azure.md >}}) document.
 
+## Optional per-request metadata properties
+
+The following [optional query parameters]({{< ref "secrets_api#query-parameters" >}}) can be provided when retrieving secrets from this secret store:
+
+Query Parameter | Description
+--------- | -----------
+`metadata.version_id` | Version for the given secret key.
+`metadata.maxresults` | (For bulk requests only) Number of secrets to return, after which the request will be truncated.
+
 ## Example
 
 ### Prerequisites

diff --git a/...en/reference/components-reference/supported-secret-stores/gcp-secret-manager.md b/...en/reference/components-reference/supported-secret-stores/gcp-secret-manager.md
@@ -61,6 +61,14 @@ The above example uses secrets as plain strings. It is recommended to use a loca
 | client_x509_cert_url | N | The certificate URL for the client | `"https://www.googleapis.com/robot/v1/metadata/x509/<project-name>.iam.gserviceaccount.com"`|
 | private_key | Y | The private key for authentication | `"privateKey"` |
 
+## Optional per-request metadata properties
+
+The following [optional query parameters]({{< ref "secrets_api#query-parameters" >}}) can be provided to the GCP Secret Manager component:
+
+Query Parameter | Description
+--------- | -----------
+`metadata.version_id` | Version for the given secret key.
+
 ## Setup GCP Secret Manager instance
 
 Setup GCP Secret Manager using the GCP documentation: https://cloud.google.com/secret-manager/docs/quickstart.

diff --git a/...nt/en/reference/components-reference/supported-secret-stores/hashicorp-vault.md b/...nt/en/reference/components-reference/supported-secret-stores/hashicorp-vault.md
@@ -66,6 +66,14 @@ The above example uses secrets as plain strings. It is recommended to use a loca
 | enginePath | N | The [engine](https://www.vaultproject.io/api-docs/secret/kv/kv-v2) path in vault. Defaults to `"secret"` | `"kv"`, `"any"` |
 | vaultValueType | N | Vault value type. `map` means to parse the value into `map[string]string`, `text` means to use the value as a string. 'map' sets the `multipleKeyValuesPerSecret` behavior. `text` makes Vault behave as a secret store with name/value semantics.  Defaults to `"map"` | `"map"`, `"text"` |
 
+## Optional per-request metadata properties
+
+The following [optional query parameters]({{< ref "secrets_api#query-parameters" >}}) can be provided to Hashicorp Vault secret store component:
+
+Query Parameter | Description
+--------- | -----------
+`metadata.version_id` | Version for the given secret key.
+
 ## Setup Hashicorp Vault instance
 
 {{< tabs "Self-Hosted" "Kubernetes" >}}

diff --git a/...t/en/reference/components-reference/supported-secret-stores/huaweicloud-csms.md b/...t/en/reference/components-reference/supported-secret-stores/huaweicloud-csms.md
@@ -40,6 +40,15 @@ The above example uses secrets as plain strings. It is recommended to use a loca
 | accessKey       |    Y     | The HuaweiCloud Access Key to access this resource               | `"accessKey"`       |
 | secretAccessKey |    Y     | The HuaweiCloud Secret Access Key to access this resource        | `"secretAccessKey"` |
 
+## Optional per-request metadata properties
+
+The following [optional query parameters]({{< ref "secrets_api#query-parameters" >}}) can be provided when retrieving secrets from this secret store:
+
+Query Parameter | Description
+--------- | -----------
+`metadata.version_id` | Version for the given secret key.
+
+
 ## Setup HuaweiCloud Cloud Secret Management Service (CSMS) instance
 
 Setup HuaweiCloud Cloud Secret Management Service (CSMS) using the HuaweiCloud documentation: https://support.huaweicloud.com/intl/en-us/usermanual-dew/dew_01_9993.html.

diff --git a/...ference/components-reference/supported-secret-stores/kubernetes-secret-store.md b/...ference/components-reference/supported-secret-stores/kubernetes-secret-store.md
@@ -34,6 +34,14 @@ spec:
 ## Spec metadata fields
 For the Kubernetes secret store component, there are no metadata attributes.
 
+## Optional per-request metadata properties
+
+The following [optional query parameters]({{< ref "secrets_api#query-parameters" >}}) can be provided to Kubernetes secret store component:
+
+Query Parameter | Description
+--------- | -----------
+`metadata.namespace`| The namespace of the secret. If not specified, the namespace of the pod is used.
+
 ## Related links
 - [Secrets building block]({{< ref secrets >}})
 - [How-To: Retrieve a secret]({{< ref "howto-secrets.md" >}})