Where does AWS Secrets Manager get AWS Credentials?

Question

I'm beginning to work with Secrets Manager and created my first secret in AWS. During the process, it gave me some sample code to work with. I put that in a small application and ran it. The code:

String region = "us-east-1";
string secret = "";

MemoryStream memoryStream = new MemoryStream();
IAmazonSecretsManager client = new AmazonSecretsManagerClient(
                           RegionEndpoint.GetBySystemName(region));

GetSecretValueRequest request = new GetSecretValueRequest();
request.SecretId = "MySecretNameExample";

GetSecretValueResponse response = null;
response = client.GetSecretValue(request);

The problem is that:

1. I was able to successfully retrieve the secret that I created and
2. nowhere am I creating a Credentials object with any valid AWS credential data

Where is this code getting the credential information from?

Answer 1

If you refer to the documenation for the API for this line of code:

IAmazonSecretsManager client = new AmazonSecretsManagerClient(
    RegionEndpoint.GetBySystemName(region));

AmazonSecretsManagerClient

You will find the following description:

Constructs AmazonSecretsManagerClient with the credentials loaded from the application's default configuration, and if unsuccessful from the Instance Profile service on an EC2 instance.

This means that you are either running on an EC2 or ECS service (or related service such as Beanstalk, ...) with a role assigned to the instance or your have configured your credentials in the standard method in a credentials file. The AWS SDK is helping you locate credentials.

This document link will explain in more detail how AWS credentials are managed and selected.

Working with AWS Credentials

I have seen a lot of developers get the little details wrong with how credentials work and how they are used within the SDKs. Given that AWS credentials hold the keys to the AWS kingdom, managing and protecting them is vitally important.

Answer 2

The AWS SDK uses the a resolution strategy that looks in a number of locations until it finds credentials it can use. Typically the DefaultProviderChain class is responsible for performing the resolution. More information is here, but the gist is the lookup is performed in the following order (for Java, other languages are similar):

• environment variables
• Java system properties
• credentials file (e.g. in the home directory)
• instance profile credentials (only available when running in AWS)

When you run within AWS infrastructure, you can assign a profile or role to the resource that's running your code. Doing that makes credentials automatically available to your code. The idea is that they've made it easy to avoid putting credentials directly into your code.