I have a .NET Core application that is running on an EC2 instance. I want to use Secrets Manager to hold my secrets for the web application, such as the connection string. The AWS Secrets Manager documentation isn't very useful; I can't seem to find a tutorial that shows or explains how to use Secrets Manager on EC2.
I have successfully been able to extract the secret using Postman and using the code below; however, the access key and secret key are both hard coded in.
I don't want this to be the case. I have installed the SDK and loaded the access key and secret key into this profile.
Essentially, my question is: how do I pull the access key and secret key down from the SDK to sign the request?
using System;
using System.IO;
using System.Threading.Tasks;
using Amazon;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;

// The snippet is wrapped in an async method so the typed exception handlers below
// actually run; the method name and the SecretsDetail type are the caller's own.
public async Task<string> GetSecret(SecretsDetail secretsDetail)
{
    if (secretsDetail == null)
    {
        return "Please provide SecretsDetails.";
    }

    // An empty SecretId is rejected by the service, so the name must come from the caller.
    // SecretsDetail.SecretName is assumed to exist alongside ServiceURL and VersionStage.
    string secretName = secretsDetail.SecretName;

    // The config is passed to the client (the original built it but never used it).
    // A non-empty ServiceURL overrides the region endpoint; otherwise eu-west-2 is used.
    AmazonSecretsManagerConfig amazonSecretsManagerConfig = new AmazonSecretsManagerConfig
    {
        RegionEndpoint = RegionEndpoint.GetBySystemName("eu-west-2")
    };
    if (!string.IsNullOrEmpty(secretsDetail.ServiceURL))
    {
        amazonSecretsManagerConfig.ServiceURL = secretsDetail.ServiceURL;
    }

    using (IAmazonSecretsManager client = new AmazonSecretsManagerClient(amazonSecretsManagerConfig))
    {
        GetSecretValueRequest request = new GetSecretValueRequest
        {
            SecretId = secretName,
            // VersionStage defaults to AWSCURRENT if unspecified.
            VersionStage = secretsDetail.VersionStage ?? "AWSCURRENT"
        };

        GetSecretValueResponse response;
        try
        {
            // await instead of .Result: with .Result every failure arrives wrapped in an
            // AggregateException and none of the typed catch blocks below are reached.
            response = await client.GetSecretValueAsync(request);
        }
        catch (DecryptionFailureException)
        {
            // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
            // Deal with the exception here, and/or rethrow at your discretion.
            throw;
        }
        catch (InternalServiceErrorException)
        {
            // An error occurred on the server side.
            // Deal with the exception here, and/or rethrow at your discretion.
            throw;
        }
        catch (InvalidParameterException)
        {
            // You provided an invalid value for a parameter.
            // Deal with the exception here, and/or rethrow at your discretion.
            throw;
        }
        catch (InvalidRequestException)
        {
            // You provided a parameter value that is not valid for the current state of the resource.
            // Deal with the exception here, and/or rethrow at your discretion.
            throw;
        }
        catch (ResourceNotFoundException)
        {
            // We can't find the resource that you asked for.
            // Deal with the exception here, and/or rethrow at your discretion.
            throw;
        }

        // Secrets Manager decrypts the secret using the associated KMS CMK.
        // Depending on whether the secret is a string or binary, one of these fields will be populated.
        if (response.SecretString != null)
        {
            return response.SecretString;
        }

        using (StreamReader reader = new StreamReader(response.SecretBinary))
        {
            string decodedBinarySecret = System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(reader.ReadToEnd()));
            return decodedBinarySecret;
        }
    }
}
You don't have to provide an access/secret key when using the SDK within EC2/Lambda. To access services like Secrets Manager from an EC2 instance or Lambda function, you attach a role to the resource (EC2, Lambda) and attach policies to it.
You can skip this step if you already have a role for your EC2/Lambda.
Select the type (EC2):
For a new instance, you can select the IAM role you created as below.
For an existing instance, select the instance and change the IAM role as below:
By doing these steps, your instance will be able to use the SDK without explicitly providing the access/secret keys. You can later attach new policies to the role as you need to use new resources, like SQS for example.
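The credential resolution the answer relies on, as an added example that is not part of the question or the answer: the client is constructed without any keys, so the SDK's default credential chain (environment variables, then the shared credentials file, then the EC2 instance metadata service for the attached role) signs the request with short-lived role credentials. The secret name, the JSON layout of the secret value, the policy ARN placeholder and the `ConnectionStringProvider` class are assumptions for illustration; the example assumes the AWSSDK.SecretsManager package and .NET Core 3.1 or later.

```csharp
// Added example, not the question's or answer's code. Assumes the AWSSDK.SecretsManager
// NuGet package, .NET Core 3.1+, and an IAM role attached to the EC2 instance whose
// policy allows secretsmanager:GetSecretValue on this secret. Secret name, JSON shape
// of the secret value and the class name are assumptions.
//
// Least-privilege statement for the instance role (ARN placeholder, replace before use):
// {
//   "Version": "2012-10-17",
//   "Statement": [{
//     "Effect": "Allow",
//     "Action": "secretsmanager:GetSecretValue",
//     "Resource": "arn:aws:secretsmanager:eu-west-2:<ACCOUNT_ID>:secret:prod/webapp/database-*"
//   }]
// }
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;

public static class ConnectionStringProvider
{
    // Hypothetical secret name. The secret value is assumed to be a JSON document such as
    // {"ConnectionString":"Server=...;Database=...;User Id=...;Password=..."}
    private const string SecretName = "prod/webapp/database";

    public static async Task<string> GetConnectionStringAsync()
    {
        // No credentials passed: the SDK walks its default chain and, on EC2, ends at the
        // instance metadata service, which returns rotating credentials for the instance
        // role. Nothing long-lived is stored in code, config or on disk.
        using var client = new AmazonSecretsManagerClient(RegionEndpoint.EUWest2);

        var request = new GetSecretValueRequest
        {
            SecretId = SecretName,
            VersionStage = "AWSCURRENT"
        };

        GetSecretValueResponse response;
        try
        {
            // await rather than .Result so the SDK's typed exceptions surface directly
            // instead of arriving wrapped in an AggregateException.
            response = await client.GetSecretValueAsync(request);
        }
        catch (ResourceNotFoundException)
        {
            // Wrong name or wrong region: fail loudly at startup rather than running without a DB.
            throw new InvalidOperationException(
                $"Secret '{SecretName}' was not found in {RegionEndpoint.EUWest2.SystemName}.");
        }
        catch (AmazonServiceException ex) when (ex.ErrorCode == "AccessDeniedException")
        {
            // The instance role exists but its policy does not allow GetSecretValue on this
            // secret's ARN; the fix is in IAM, not in the application.
            throw new InvalidOperationException(
                $"Instance role is not allowed to read secret '{SecretName}'.", ex);
        }

        if (response.SecretString == null)
        {
            throw new InvalidOperationException("Expected a string secret but received a binary one.");
        }

        using var doc = JsonDocument.Parse(response.SecretString);
        return doc.RootElement.GetProperty("ConnectionString").GetString();
    }
}
```

Call `ConnectionStringProvider.GetConnectionStringAsync()` once during startup and keep the value in memory; because the role's credentials rotate on their own, there is no key to embed in appsettings or a profile, and revoking access is a policy change on the role rather than a redeploy.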