dapr · msfussell · Dec 12, 2025 · Dec 4, 2025 · Dec 9, 2025 · Dec 10, 2025
@@ -11,9 +11,7 @@ In addition to [scoping which applications can access a given component]({{% ref
 For more information about configuring a Configuration resource:
 - [Configuration overview]({{% ref configuration-overview.md %}})
 - [Configuration schema]({{% ref configuration-schema.md %}})
-For more information about configuring a Configuration resource:
-- [Configuration overview]({{% ref configuration-overview.md %}})
-- [Configuration schema]({{% ref configuration-schema.md %}})
+
 
 ## Configure secrets access
 
@@ -58,10 +56,8 @@ The `allowedSecrets` and `deniedSecrets` list values take priority over the `def
 
 ### Scenario 1: Deny access to all secrets for a secret store
 
-In a Kubernetes cluster, the native Kubernetes secret store is added to your Dapr application by default. In some scenarios, it may be necessary to deny access to Dapr secrets for a given application. To add this configuration: 
 In a Kubernetes cluster, the native Kubernetes secret store is added to your Dapr application by default. In some scenarios, it may be necessary to deny access to Dapr secrets for a given application. To add this configuration: 
 
-1. Define the following `appconfig.yaml`. 
 1. Define the following `appconfig.yaml`. 
 
    ```yaml
@@ -75,26 +71,8 @@ In a Kubernetes cluster, the native Kubernetes secret store is added to your Dap
          - storeName: kubernetes
            defaultAccess: deny
    ```
-   ```yaml
-   apiVersion: dapr.io/v1alpha1
-   kind: Configuration
-   metadata:
-     name: appconfig
-   spec:
-     secrets:
-       scopes:
-         - storeName: kubernetes
-           defaultAccess: deny
-   ```
-
-1. Apply it to the Kubernetes cluster using the following command:
-
-   ```bash
-   kubectl apply -f appconfig.yaml`.
-   ```
 
-For applications that you need to deny access to the Kubernetes secret store, follow [the Kubernetes instructions]({{% ref kubernetes-overview %}}), adding the following annotation to the application pod.
-1. Apply it to the Kubernetes cluster using the following command:
+2. Apply it to the Kubernetes cluster using the following command:
 
    ```bash
    kubectl apply -f appconfig.yaml`.
@@ -108,7 +86,6 @@ dapr.io/config: appconfig
 
 With this defined, the application no longer has access to Kubernetes secret store.
 
-### Scenario 2: Allow access to only certain secrets in a secret store
 ### Scenario 2: Allow access to only certain secrets in a secret store
 
 To allow a Dapr application to have access to only certain secrets, define the following `config.yaml`:
@@ -126,7 +103,6 @@ spec:
         allowedSecrets: ["secret1", "secret2"]
 ```
 
-This example defines configuration for secret store named `vault`. The default access to the secret store is `deny`. Meanwhile, some secrets are accessible by the application based on the `allowedSecrets` list. Follow [the Sidecar configuration instructions]({{% ref "configuration-overview.md#sidecar-configuration" %}}) to apply configuration to the sidecar.
 This example defines configuration for secret store named `vault`. The default access to the secret store is `deny`. Meanwhile, some secrets are accessible by the application based on the `allowedSecrets` list. Follow [the Sidecar configuration instructions]({{% ref "configuration-overview.md#sidecar-configuration" %}}) to apply configuration to the sidecar.
 
 ### Scenario 3: Deny access to certain sensitive secrets in a secret store
@@ -151,9 +127,3 @@ This configuration explicitly denies access to `secret1` and `secret2` from the
 ## Next steps
 
 {{< button text="Service invocation access control" page="invoke-allowlist.md" >}}
-
-This configuration explicitly denies access to `secret1` and `secret2` from the secret store named `vault,` while allowing access to all other secrets. Follow [the Sidecar configuration instructions]({{% ref "configuration-overview.md#sidecar-configuration" %}}) to apply configuration to the sidecar.
-
-## Next steps
-
-{{< button text="Service invocation access control" page="invoke-allowlist.md" >}}