Implement AWS Secrets Manager In ASP.NET Core

In today's world we have to protect our secrets so that they are never exposed to attackers, and that means keeping them out of source code and committed configuration files. This is where AWS Secrets Manager comes in: it keeps confidential data safe outside the application. Let us store a secret in AWS and see how to set it up in ASP.NET Core and use it.

Step 1

Store a secret in AWS by clicking the Store a new secret button in the Secrets Manager console.


Choose the secret type.


Now select Plaintext, enter the secret value, and click the Next button.


Enter the Secret name and click the Next button.


Leave Configure rotation - optional as it is and click the Next button.


Now review the settings and click the Store button.


The newly created secret now appears in the list. You may need to click the refresh button next to the Store a new secret button.


Now that the secrets are stored, we need to set up the application to pull them from AWS.

Step 2

Create a new project in Visual Studio and install the following packages

  1. Install package AWSSDK.SecretsManager
  2. Install package Kralizek.Extensions.Configuration.AWSSecretsManager

Step 3

Add the following settings to the appsettings.json file. ApiKey is left empty on purpose: its value is supplied by AWS Secrets Manager (or by user secrets during local development) instead of being committed with the source code.

"UserManagement": {
    "RowPerPage": 10,
    "ApiKey": ""
}

Step 4

Now we shall read the data from appsettings.json using the Options Pattern.

Here, we'll be making use of the Options Pattern to inject the configuration values into our controller.

First, we'll define a class with the properties RowPerPage and ApiKey, matching the keys under the UserManagement section, as shown below

// Bound to the "UserManagement" section of the configuration.
// RowPerPage is an integer in appsettings.json, so it is typed as int here;
// the options binder converts the string configuration value for us.
public class UserManagementOptions {
    public int RowPerPage { get; set; }
    public string ApiKey { get; set; } = "";
}

Now, we need to register the UserManagementOptions class in the Program.cs file

builder.Services.AddOptions<UserManagementOptions>().BindConfiguration("UserManagement");

Since the configuration is all done, it can be used from any class through dependency injection. I am going to use it in my controller below.

// Requires: using Microsoft.Extensions.Options;
private readonly UserManagementOptions _options;

public UserManagementController(IOptions<UserManagementOptions> options) {
    _options = options.Value;
}

Step 5

Now, we are going to configure AWS Secrets Manager in the application

We can configure AWS Secrets Manager easily using the AddSecretsManager method in Program.cs, where the application initialization code lives.

builder.Configuration.AddSecretsManager(null, RegionEndpoint.USWest2, configurator: config => {
    config.KeyGenerator = (secret, name) => name.Replace("__", ":");
});

In .NET, the colon (:) is used to separate levels of a configuration hierarchy. However, AWS secret names may contain only alphanumeric characters and the characters /_+=.@-, so a colon cannot be part of a secret name.

So, when we need to create hierarchical keys in AWS Secrets Manager, we have to choose a different separator. In my case I have used a double underscore (__). The secrets are therefore named UserManagement__RowPerPage and UserManagement__ApiKey, matching the keys of the UserManagement section in appsettings.json.

To use AWS Secrets Manager in the application, its secret names have to be mapped onto the application configuration keys. The KeyGenerator callback does this mapping: it receives each secret and its name and returns the configuration key, so UserManagement__ApiKey becomes UserManagement:ApiKey, which is exactly the key that BindConfiguration("UserManagement") binds to the options class.
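The mapping described above, pulled out into a small reusable policy, as an added example that is not part of the original article or of the Kralizek project. It goes one step beyond the article by also restricting which secrets the provider loads: the name prefix UserManagement__ is an assumption for this example, SecretFilter is assumed to be the predicate option exposed by the provider's options class, and AddFilteredSecretsManager is a hypothetical helper name.

```csharp
// Added example (not from the original article): key mapping plus a secret filter
// for the Kralizek AWS Secrets Manager configuration provider.
using System;
using Amazon;
using Amazon.SecretsManager.Model;
using Kralizek.Extensions.Configuration;
using Microsoft.Extensions.Configuration;

public static class SecretKeyMapping
{
    // Assumed naming convention for this example: every secret that belongs to the
    // application is prefixed with the section name and a double underscore.
    public const string Prefix = "UserManagement__";

    // AWS secret names cannot contain ':', so '__' stands in for the .NET hierarchy
    // separator. "UserManagement__ApiKey" -> "UserManagement:ApiKey".
    public static string ToConfigurationKey(string secretName) =>
        secretName.Replace("__", ":");

    // Only this application's secrets are loaded into configuration. Without a filter
    // the provider imports every secret the IAM principal is allowed to list, which
    // widens the blast radius of any configuration leak.
    public static bool IsApplicationSecret(SecretListEntry secret) =>
        secret.Name.StartsWith(Prefix, StringComparison.Ordinal);
}

public static class SecretsManagerSetup
{
    // Hypothetical helper that applies the mapping and the filter in one place.
    public static IConfigurationBuilder AddFilteredSecretsManager(
        this IConfigurationBuilder builder, RegionEndpoint region) =>
        builder.AddSecretsManager(null, region, configurator: config =>
        {
            // SecretFilter: assumed predicate option on the provider's options class.
            config.SecretFilter = SecretKeyMapping.IsApplicationSecret;
            config.KeyGenerator = (secret, name) => SecretKeyMapping.ToConfigurationKey(name);
        });
}
```

In Program.cs this replaces the direct call with builder.Configuration.AddFilteredSecretsManager(RegionEndpoint.USWest2). The IAM role the application runs under still needs secretsmanager:ListSecrets and secretsmanager:GetSecretValue, but scoping GetSecretValue to the UserManagement__* secrets in the policy and filtering on the client side are complementary: the policy limits what can be read, the filter limits what ends up in the in-memory configuration.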

Automatic Refresh

Once the application is up and running, any changes to the Secret value will not reflect in the application until we restart the application.

So, to refresh the AWS secrets while the application is running, we set the PollingInterval property when configuring AWS Secrets Manager in the application.

builder.Configuration.AddSecretsManager(null, RegionEndpoint.USWest2, configurator: config => {
    config.KeyGenerator = (secret, name) => name.Replace("__", ":");
    config.PollingInterval = TimeSpan.FromMinutes(30);
});

The above code makes the provider re-read the AWS secrets every 30 minutes and update the configuration to the latest values without a restart.

Local Development Environment

In the local development environment, where we don't need to connect to AWS Secrets Manager, we can use Manage User Secrets in Visual Studio.


With the following code added to the Program.cs file, the Secret Manager tool is activated. Secrets can then be stored in the secrets.json file, which lives outside the source code and the repository, so they are never committed.

if (builder.Environment.IsDevelopment()) {
    builder.Configuration.AddUserSecrets<Program>();
} else {
    builder.Configuration.AddSecretsManager(null, RegionEndpoint.USWest2, configurator: config => {
        config.KeyGenerator = (secret, name) => name.Replace("__", ":");
    });
}
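A complete minimal Program.cs that puts the Automatic Refresh and Local Development Environment sections together, as an added example that is not part of the original article. It adds one point the article's controller snippet does not show: IOptions<T> is computed once for the lifetime of the application, so a secret refreshed by PollingInterval is never observed through it; IOptionsMonitor<T> (or IOptionsSnapshot<T> per request) is what sees the reloaded value. The /users/page-size endpoint and the log line are assumptions made for this example.

```csharp
// Added example (not from the original article): environment-based secret source,
// polling refresh, and an options consumer that actually sees refreshed values.
using System;
using Amazon;
using Kralizek.Extensions.Configuration;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

if (builder.Environment.IsDevelopment())
{
    // Values come from secrets.json outside the repository, e.g. set with
    //   dotnet user-secrets set "UserManagement:ApiKey" "<local-only-value>"
    builder.Configuration.AddUserSecrets<Program>();
}
else
{
    builder.Configuration.AddSecretsManager(null, RegionEndpoint.USWest2, configurator: config =>
    {
        // "UserManagement__ApiKey" -> "UserManagement:ApiKey"
        config.KeyGenerator = (secret, name) => name.Replace("__", ":");
        // Re-read secrets every 30 minutes so a rotated value is picked up without a restart.
        config.PollingInterval = TimeSpan.FromMinutes(30);
    });
}

// BindConfiguration also registers a change token, so options are rebuilt when
// the configuration provider reloads after a poll.
builder.Services.AddOptions<UserManagementOptions>().BindConfiguration("UserManagement");

var app = builder.Build();

// IOptionsMonitor<T>.CurrentValue reflects the latest reload; IOptions<T>.Value would
// keep returning the value computed at first use for the whole process lifetime.
app.MapGet("/users/page-size", (IOptionsMonitor<UserManagementOptions> monitor) =>
    Results.Ok(new { monitor.CurrentValue.RowPerPage }));

// Log that a refresh happened, but never the secret itself.
var monitor = app.Services.GetRequiredService<IOptionsMonitor<UserManagementOptions>>();
monitor.OnChange(_ => app.Logger.LogInformation("UserManagement options reloaded"));

app.Run();

// Same options class as in Step 4; the API key is read by the application
// but intentionally never returned to callers.
public class UserManagementOptions
{
    public int RowPerPage { get; set; }
    public string ApiKey { get; set; } = "";
}
```

Run with ASPNETCORE_ENVIRONMENT=Development to use user secrets, and with any other environment name to read from AWS Secrets Manager using the credentials the AWS SDK resolves from the host (instance profile, environment variables or a profile), which is why the first argument to AddSecretsManager is null rather than a hard-coded credential.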

I hope this helps you to get started with AWS Secrets Manager and seamlessly use this in .NET Application.