diff --git a/daprdocs/content/en/operations/security/api-token.md b/daprdocs/content/en/operations/security/api-token.md index d91a1490fd6..6593f5e729b 100644 --- a/daprdocs/content/en/operations/security/api-token.md +++ b/daprdocs/content/en/operations/security/api-token.md 
@@ -52,45 +52,12 @@ annotations: When deployed, Dapr sidecar injector will automatically create a secret reference and inject the actual value into `DAPR_API_TOKEN` environment variable. -## Rotate a token - -### Self-hosted - -To rotate the configured token in self-hosted, update the `DAPR_API_TOKEN` environment variable to the new value and restart the `daprd` process. - -### Kubernetes - -To rotate the configured token in Kubernetes, update the previously-created secret with the new token in each namespace. You can do that using `kubectl patch` command, but a simpler way to update these in each namespace is by using a manifest: - -```yaml -apiVersion: v1 -kind: Secret -metadata: - name: dapr-api-token -type: Opaque -data: - token: -``` - -And then apply it to each namespace: - -```shell -kubectl apply --file token-secret.yaml --namespace -``` - -To tell Dapr to start using the new token, trigger a rolling upgrade to each one of your deployments: - -```shell -kubectl rollout restart deployment/ --namespace -``` - -> Assuming your service is configured with more than one replica, the key rotation process does not result in any downtime. ## Adding API token to client API invocations -Once token authentication is configured in Dapr, all clients invoking Dapr API need to append the `dapr-api-token` token to every request. +Once token authentication is configured in Dapr, all clients invoking the Dapr APIs need to append the `dapr-api-token` token to every request. -> **Note:** The Dapr SDKs read the [DAPR_API_TOKEN]({{% ref environment %}}) environment variable and set it for you by default. +> **Note:** The Dapr SDKs read the [DAPR_API_TOKEN]({{% ref environment %}}) environment variable and set it for you by default, however you still must ensure that your app has access to the environment variable. 
@@ -122,15 +89,18 @@ dapr-api-token[0]. ### Kubernetes -In Kubernetes, it's recommended to mount the secret to your pod as an environment variable, as shown in the example below, where a Kubernetes secret with the name `dapr-api-token` is used to hold the token. +In Kubernetes, it's required to mount the API token on your application pod as an environment variable, when your application is making outbound calls to the Dapr APIs (Service Invocation invoke, Pub/sub publish, etc.), otherwise the request will fail with an `Unauthorized` error. Mounting the environment variable is done by providing the name of the Kubernetes secret in your application pod specification, as shown in the example below, where a Kubernetes secret with the name `dapr-api-token` is used to hold the token. ```yaml containers: - name: mycontainer image: myregistry/myapp - envFrom: - - secretRef: - name: dapr-api-token + env: + - name: DAPR_API_TOKEN + valueFrom: + secretKeyRef: + name: dapr-api-token + key: token ``` ### Self-hosted 
@@ -141,6 +111,40 @@ In self-hosted mode, you can set the token as an environment variable for your a export DAPR_API_TOKEN= ``` +## Rotate a token + +### Self-hosted + +To rotate the configured token in self-hosted, update the `DAPR_API_TOKEN` environment variable to the new value and restart the `daprd` process. + +### Kubernetes + +To rotate the configured token in Kubernetes, update the previously-created secret with the new token in each namespace. You can do that using `kubectl patch` command, but a simpler way to update these in each namespace is by using a manifest: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: dapr-api-token +type: Opaque +data: + token: +``` + +And then apply it to each namespace: + +```shell +kubectl apply --file token-secret.yaml --namespace +``` + +To tell Dapr to start using the new token, trigger a rolling upgrade to each one of your deployments: + +```shell +kubectl rollout restart deployment/ --namespace +``` + +> Assuming your service is configured with more than one replica, the key rotation process does not result in any downtime. + ## Related Links - Learn about [Dapr security concepts]({{% ref security-concept.md %}})
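Review bot: In the first hunk (`@@ -52,45 +52,12 @@`), the amended note on `DAPR_API_TOKEN` is a comma splice: "set it for you by default, however you still must ensure that your app has access to the environment variable." Suggest "set it for you by default; however, you still must ensure that your app has access to the environment variable." The rest of this hunk only relocates the "Rotate a token" section (re-added verbatim in the third hunk), which is fine, but the PR description should say it is a move so reviewers do not read it as a deletion.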
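Review bot: In the second hunk (`@@ -122,15 +89,18 @@`), the new opening sentence is a run-on that mixes the requirement, its scope and the failure mode; split it, e.g. "In Kubernetes, the API token must be mounted on your application pod as an environment variable whenever your application makes outbound calls to the Dapr APIs (service invocation, pub/sub publish, etc.). Otherwise the request fails with an `Unauthorized` error." The YAML change from `envFrom`/`secretRef` to an explicit `env` entry with `secretKeyRef` is the right fix, since `envFrom` would expose the secret's key as an environment variable named `token` rather than `DAPR_API_TOKEN`; consider adding one sentence stating that `key: token` must match the key used in the `dapr-api-token` secret so readers who named the key differently know what to change.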
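Review bot: In the third hunk (`@@ -141,6 +111,40 @@`), the relocated "Rotate a token" section has two wording issues: "in self-hosted" should read "in self-hosted mode", and the closing callout says "the key rotation process" where the rest of the section says "token". Two documentation gaps are worth closing while the section is being moved: the Secret manifest's `data:` field takes a base64-encoded value (either say so or switch to `stringData:`), and the `kubectl rollout restart` step should state that the restart is what makes both the sidecar and the application container pick up the new value, because environment variables sourced from a secret are resolved only when the pod starts. The rollout restart step also becomes more important now that this section follows the application-pod `secretKeyRef` example added in the previous hunk.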