I want to store sensitive data in my .Net Core C# app in AWS secret manager. I have created my secret in the portal but when I try to access it with the following code:
var config = new AmazonSecretsManagerConfig
{
ProxyHost = "MyProxyHost",
ProxyPort = 8080,
ProxyCredentials = CredentialCache.DefaultCredentials,
Timeout = TimeSpan.FromMinutes(5),
MaxErrorRetry = 1,
RegionEndpoint = RegionEndpoint.MyRegion,
};
var client = new AmazonSecretsManagerClient(config);
I then get this message when trying to use the secret manager client:
Unable to get IAM security credentials from EC2 Instance Metadata Service
This is unsurprising as I haven't given any information that indicates I should be able to access secrets manager. I can gain access with the following code:
var config = new AmazonSecretsManagerConfig
{
ProxyHost = "MyProxyHost",
ProxyPort = 8080,
ProxyCredentials = CredentialCache.DefaultCredentials,
Timeout = TimeSpan.FromMinutes(5),
MaxErrorRetry = 1,
RegionEndpoint = RegionEndpoint.MyRegion,
};
var client = new AmazonSecretsManagerClient("MyAWSAccessKeyId", "MyAWSSecretAccessKey", config);
This though means that I have to store my sensitive data in my application, which is what I wanted to avoid in the first place. In Azure, using KeyVault this could be avoided using the right NuGet package and managed identities. I am wondering if there is a similar solution for AWS for both applications hosted in AWS and local development?
You can use IAM roles
Create an IAM role which has necessary permissions and attach the role to your EC2 instance. AmazonSecretsManagerClient will assume this IAM role when code is executed from an EC2 instance.
For local development : You can configure aws credentials with IAM role so that this role will be assumed when your code is executed from local machine.