Tiger.Secrets is a library integrating AWS Secrets Manager secret values into the Microsoft.Extensions.Configuration configuration ecosystem. Just as values from the command line, environment variables, JSON files, or User Secrets can be integrated into a unified, strongly-typed configuration, secret configuration values from AWS Secrets Manager can be, as well.
Use of AWS Secrets Manager can be summed up in the following three basic points:
- Don't check secret configuration values into code repositories.
- Don't check secret configuration values into code repositories.
- Don't check secret configuration values into code repositories.
There are a few ways to allow an application access to secret configuration values without falling afoul of the three points listed above. One is to check encrypted secret configuration values into the code repository. This is safe, but requires a full deployment if any of these values change. Another is to redirect keys to secret values during deployment, such as with CloudFormation dynamic references. This is also safe, but has the same deployment requirement. By retrieving the values at runtime (and combining them with safe configuration values), these can be changed while the application is running. This is a very nice feature for configuration values such as application-global log level, which – although not a secret value – is useful to change on the fly for anomaly checking.
In short, setup has two parts. One performed in the application (or, better, in CloudFormation), and one performed in Secrets Manager (which may also be performed in CloudFormation).
In the application, the index values for the configuration key Secrets:Ids must be set. (That is, Secrets:Ids:0, Secrets:Ids:1, &c.) These are the identifiers which the library will look for in Secrets Manager. If a specified identifier is not present, the configuration will fail.
Add the Secrets Manager configuration to the application configuration with the extension method for IConfiguration, similar to any other configuration source. For example:
config.AddAWSSecretsManager();This can be added to a reuable host, one like WebHost.CreateDefaultBuilder<TStartup>() from ASP.NET Core. Or see if your favorite hosting library already has one configured.
In Secrets Manager, the values associated with these identifiers must contain valid JSON strings. This library has no support for SecretBinary values. (If the default key/value user interface in the AWS console is used, Secrets Manager stores that as JSON behind the scenes, so it is valid.)
For further details, please consult the wiki. (But don't forget to grant your application the IAM permissions to read these secret values!)
Seriously, though. Thank you for using this software. The author hopes it performs admirably for you.