Issue
I have a .NET Core application that is running on an EC2 instance. I want to use Secrets Manager to hold my secrets for the web application, such as the connection string. The AWS Secrets Manager documentation isn't very useful; I can't seem to find a tutorial that shows or explains how to use Secrets Manager on EC2.
I have successfully been able to extract the secret using Postman and using the following code. However, the Access Key and Secret Key are both hard-coded in.
I don't want this to be the case. I have installed the SDK and loaded the access key and secret key into its profile.
Essentially my question is: how do I pull the access key and secret key from the SDK to sign the request?
using System;
using System.IO;
using System.Threading.Tasks;
using Amazon;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;

// Wrapped in an async method so the typed catch blocks below actually fire:
// calling .Result on the task wraps every failure in an AggregateException,
// so the original catch (System.AggregateException) was the only one that ran.
// SecretsDetail is assumed to be the type of secretsDetail (not named in the post).
public async Task<string> GetSecretAsync(SecretsDetail secretsDetail)
{
    if (secretsDetail == null)
    {
        return "Please provide SecretsDetails.";
    }

    string secretName = ""; // Name or ARN of the secret; left blank in the original post.

    AmazonSecretsManagerConfig amazonSecretsManagerConfig = new AmazonSecretsManagerConfig();
    amazonSecretsManagerConfig.RegionEndpoint = RegionEndpoint.GetBySystemName("eu-west-2");
    if (!string.IsNullOrEmpty(secretsDetail.ServiceURL))
    {
        // The original built this config but never passed it to the client.
        amazonSecretsManagerConfig.ServiceURL = secretsDetail.ServiceURL;
    }
    // No access key or secret key is passed here: the SDK resolves credentials
    // on its own (on EC2, from the instance profile).
    IAmazonSecretsManager client = new AmazonSecretsManagerClient(amazonSecretsManagerConfig);

    GetSecretValueRequest request = new GetSecretValueRequest();
    request.SecretId = secretName;
    request.VersionStage = secretsDetail.VersionStage == null ? "AWSCURRENT" : secretsDetail.VersionStage; // VersionStage defaults to AWSCURRENT if unspecified.

    GetSecretValueResponse response = null;
    try
    {
        response = await client.GetSecretValueAsync(request);
    }
    catch (DecryptionFailureException)
    {
        // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw;
    }
    catch (InternalServiceErrorException)
    {
        // An error occurred on the server side.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw;
    }
    catch (InvalidParameterException)
    {
        // You provided an invalid value for a parameter.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw;
    }
    catch (InvalidRequestException)
    {
        // You provided a parameter value that is not valid for the current state of the resource.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw;
    }
    catch (ResourceNotFoundException)
    {
        // We can't find the resource that you asked for.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw;
    }

    // Secrets Manager decrypts the secret using the associated KMS CMK.
    // Depending on whether the secret is a string or binary, one of these fields will be populated.
    if (response.SecretString != null)
    {
        return response.SecretString;
    }
    else
    {
        MemoryStream memoryStream = response.SecretBinary;
        StreamReader reader = new StreamReader(memoryStream);
        string decodedBinarySecret = System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(reader.ReadToEnd()));
        return decodedBinarySecret;
    }
}
Solution
The short answer to your question is that you don't. The SDK will automatically get credentials for you. Using Credentials in an Application. You can use any of the methods described here, but #4 is the preferred, most secure option.
For applications running on an Amazon EC2 instance, credentials stored in an instance profile.
Answered By - Jason Wadsworth
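The instance-profile approach from the answer, as an added example that is not part of the question or the answer: the client is built with no keys at all and the SDK's default credential chain resolves them (environment variables, shared credentials file, then the EC2 instance profile via the instance metadata service). It assumes the AWSSDK.Core and AWSSDK.SecretsManager packages, a secret stored as a JSON string such as {"ConnectionString":"..."} and the secret name supplied in a SECRET_NAME environment variable (both constructed for this example).

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;

public static class SecretsBootstrap
{
    // Loads a JSON secret into a dictionary. No access key or secret key appears
    // anywhere: the client walks the SDK's default credential chain, which on an
    // EC2 instance ends at the instance profile attached to the instance.
    public static async Task<IReadOnlyDictionary<string, string>> LoadAsync(
        string secretId, RegionEndpoint region)
    {
        // Sanity check for logs: report which credential source the chain picked,
        // so a deployment that still carries long-lived keys is visible.
        AWSCredentials creds = FallbackCredentialsFactory.GetCredentials();
        Console.WriteLine($"Credential source: {creds.GetType().Name}");

        using var client = new AmazonSecretsManagerClient(region);
        var request = new GetSecretValueRequest
        {
            SecretId = secretId,
            VersionStage = "AWSCURRENT",
        };
        GetSecretValueResponse response = await client.GetSecretValueAsync(request);

        if (response.SecretString == null)
            throw new InvalidOperationException("Secret is binary; expected a JSON string.");

        return JsonSerializer.Deserialize<Dictionary<string, string>>(response.SecretString)
               ?? new Dictionary<string, string>();
    }

    public static async Task Main()
    {
        // SECRET_NAME is a constructed variable name for this example.
        string secretId = Environment.GetEnvironmentVariable("SECRET_NAME")
                          ?? throw new InvalidOperationException("Set SECRET_NAME.");
        var values = await LoadAsync(secretId, RegionEndpoint.EUWest2);
        // Use values["ConnectionString"] to build the DbContext; never log the value itself.
        Console.WriteLine($"Loaded {values.Count} keys from Secrets Manager.");
    }
}
```

The IAM role behind the instance profile only needs secretsmanager:GetSecretValue on this one secret (plus kms:Decrypt if it uses a customer-managed key), which keeps the blast radius of the instance small.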