0
votes

I am using AWS Secrets Manager to retrieve some confidential information like SMTP details or connection strings. However, to get a secret value from AWS Secrets Manager it seems like we need to pass the access key and secret key apart from which secret we want to retrieve. So I am maintaining those values in a config file.

    using System.Threading.Tasks;
    using Amazon;
    using Amazon.SecretsManager;
    using Amazon.SecretsManager.Model;
    using AutoMapper;
    using Microsoft.Extensions.Options;

    public class AwsSecretManagerService
    {
        private readonly AwsAppSettings awsAppSettings;
        private readonly IAmazonSecretsManager amazonSecretsManagerClient;
        private readonly IMapper _mapper;

        public AwsSecretManagerService(IOptions<AwsAppSettings> settings, IMapper mapper)
        {
            awsAppSettings = settings.Value;
            _mapper = mapper;
            amazonSecretsManagerClient = new AmazonSecretsManagerClient( // IAM user keys read from app settings: the concern raised below
                awsAppSettings.Accesskey, awsAppSettings.SecretKey, RegionEndpoint.GetBySystemName(awsAppSettings.Region));
        }

        public async Task<SecretValueResponse> GetSecretValueAsync(SecretValueRequest secretValueRequest)
        {
            return _mapper.Map<SecretValueResponse>(await amazonSecretsManagerClient.GetSecretValueAsync(_mapper.Map<GetSecretValueRequest>(secretValueRequest)));
        }
    }

So I am thinking I am kind of defeating the whole purpose of using Secrets Manager by maintaining the AWS credentials in the app settings file. I am wondering what the right way to do this is.

kdgregory (1 vote): I'm not familiar with the .NET SDK, but for Java, Python, and JavaScript you can create a "default" client that will look in a series of places (environment, config, instance role) for credentials.

abdullahkhawer: If you liked any answer and it worked for you, kindly approve it and upvote it as well, as recommended by Stack Overflow. Thanks.

1 Answer

1
votes

It is not good practice to pass or add an IAM user's AWS credentials (access key and secret access key) in the code.

Instead, don't pass them, and update your code as follows:

    // No access key or secret key in the constructor call: only the region is supplied
    amazonSecretsManagerClient = new AmazonSecretsManagerClient(
        RegionEndpoint.GetBySystemName(awsAppSettings.Region));

Question: Then how would it access the AWS services?

Answer: If you are going to execute your code on your local system, install and configure the AWS CLI instead of passing AWS credentials via the CLI or terminal; your code will use those configured AWS credentials to access the AWS services.

Reference for AWS CLI Installation: Installing the AWS CLI

Reference for AWS CLI Configuration: Configuring the AWS CLI

If you are going to execute your code on an AWS service (e.g., an EC2 instance), attach an IAM role with sufficient permissions to that AWS resource (e.g., the EC2 instance); your code will use that IAM role to access the AWS services.
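The following is an added example, not code from the asker or the answerer, of a .NET service built the way the answer describes: the Secrets Manager client is constructed with a region only, and the SDK's default credential chain (environment variables, the shared profile written by `aws configure`, or the IAM role of the EC2/ECS/Lambda host) supplies the credentials. The class name SecretReader, the method ReadSecretAsync, the region "eu-west-1" and the secret name "prod/smtp" are assumptions for the demo; the AWS SDK types and `Microsoft.Extensions.DependencyInjection` calls are real.

```csharp
// Added example (not the original post's code). Nothing here takes, stores or
// logs an IAM user access key; credentials are resolved by the SDK at call time.
using System;
using System.IO;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;
using Microsoft.Extensions.DependencyInjection;

public sealed class SecretReader
{
    private readonly IAmazonSecretsManager _client;

    // The client is injected; the service never sees credential material.
    public SecretReader(IAmazonSecretsManager client) => _client = client;

    // Returns the secret as text. A secret stored as binary arrives in
    // SecretBinary with SecretString null, so both cases are handled.
    public async Task<string> ReadSecretAsync(string secretId)
    {
        var response = await _client.GetSecretValueAsync(new GetSecretValueRequest
        {
            SecretId = secretId,          // secret name or ARN
            VersionStage = "AWSCURRENT"   // the default stage, stated so rotation behaviour is explicit
        });

        if (response.SecretString != null)
            return response.SecretString;

        using var reader = new StreamReader(response.SecretBinary);
        return await reader.ReadToEndAsync();
    }
}

public static class Program
{
    private const string Region = "eu-west-1";       // assumed; the original reads this from config
    private const string SmtpSecretId = "prod/smtp";  // assumed secret name for the demo

    public static async Task Main()
    {
        // Shows which credential source the process will use before any API call is
        // made; this walks the same chain the parameterless client constructor uses.
        AWSCredentials creds = FallbackCredentialsFactory.GetCredentials();
        Console.WriteLine($"Credential source: {creds.GetType().Name}");

        // Region only: no access key, no secret key, nothing secret in appsettings.json.
        var services = new ServiceCollection();
        services.AddSingleton<IAmazonSecretsManager>(
            _ => new AmazonSecretsManagerClient(RegionEndpoint.GetBySystemName(Region)));
        services.AddSingleton<SecretReader>();

        var reader = services.BuildServiceProvider().GetRequiredService<SecretReader>();
        string smtp = await reader.ReadSecretAsync(SmtpSecretId);

        // Deliberately report only the length; secret values must not end up in logs.
        Console.WriteLine($"Fetched {smtp.Length} characters from {SmtpSecretId}");
    }
}
```

Locally, `aws configure` (or an exported `AWS_PROFILE`) is what makes the first line print a credential type instead of throwing; on EC2/ECS/Lambda the same code picks up the attached role with no change. Scope that role's policy to what this service actually does: allow `secretsmanager:GetSecretValue` on the specific secret ARN(s) rather than `secretsmanager:*` on `*`, and add `kms:Decrypt` on the key only if the secret is encrypted with a customer-managed KMS key.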