      Intent.Aws.SecretsManager

      Overview

      The AWS Secrets Manager module integrates Secrets Manager with .NET IConfiguration, so secrets can be read just like values from appsettings.json. Typical use cases include passwords, API keys, and connection strings.

      Configuration

      To connect to Secrets Manager, include the following configuration in your appsettings.json file (the module scaffolds this automatically):

      "SecretsManager": {
        "Enabled": true,
        "Secrets": [
          {
            "Region": "us-east-1",
            "SecretName": "demo/sample/secrets"
          }
        ]
      }
      

      Configuration Parameters

      • Enabled: Determines whether the Secrets Manager integration is active.
      • Secrets: One or more secrets to load.
        • Region: AWS region where the secret is stored (e.g., us-east-1).
        • SecretName: The name/ARN of the secret.

      Authentication

      In addition to the above, valid credentials must be configured to authenticate with AWS. Credential and profile resolution, and the subsequent authentication, are handled automatically by the underlying AWS SDK - details available here.

      Two typical methods are listed below; refer to the AWS documentation for detailed information on the authentication methods:

      • AWS IAM Identity Center (SSO) / Profiles (recommended for local dev): Configure a profile, run aws sso login, then run the app with AWS_PROFILE=<your-profile>.
      • Environment variables (common in CI/containers): Set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN (required for temporary credentials). Also set AWS_REGION or specify Region in config.

      Accessing Secrets

      Given this JSON stored as a secret:

      {
        "AccessKey" : "123456789",
        "ConnectionStrings" : [
          {
            "Name": "dbOne",
            "ConnectionString" : "connection-string-one"
          },
          {
            "Name": "dbTwo",
            "ConnectionString" : "connection-string-two"
          }
        ]
      }
      

      The values can be read via IConfiguration:

      // Scalars
      var accessKey = configuration["AccessKey"]; // "123456789"
      
      // Arrays (indexer-style)
      var firstConn = configuration["ConnectionStrings:0:ConnectionString"]; // "connection-string-one"
      
      // Strongly typed binding
      var conns = configuration.GetSection("ConnectionStrings").Get<List<DbConn>>();
      

      Where DbConn is defined as:

      public sealed class DbConn
      {
          public string Name { get; set; } = default!;
          public string ConnectionString { get; set; } = default!;
      }
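
The following is an added example, not code from the module or its documentation. It loads the secret JSON shown above from memory to list the flattened key paths and to fail fast on missing keys without printing any secret value. Assumptions: the stock JSON configuration provider stands in for the module's provider, and the requiredKeys list is hypothetical.

```csharp
// Requires the Microsoft.Extensions.Configuration.Json package and C# 11
// (raw string literal).
using System;
using System.IO;
using System.Linq;
using System.Text;
using Microsoft.Extensions.Configuration;

// Constructed sample: the secret JSON shown on this page, held in memory so the
// key layout can be inspected without calling AWS.
const string secretJson = """
{
  "AccessKey": "123456789",
  "ConnectionStrings": [
    { "Name": "dbOne", "ConnectionString": "connection-string-one" },
    { "Name": "dbTwo", "ConnectionString": "connection-string-two" }
  ]
}
""";

// Assumption: the stock JSON provider stands in for the module's provider here.
using var stream = new MemoryStream(Encoding.UTF8.GetBytes(secretJson));
IConfigurationRoot configuration = new ConfigurationBuilder()
    .AddJsonStream(stream)
    .Build();

// Print the flattened key paths only. Values are never written out.
foreach (var pair in configuration.AsEnumerable().OrderBy(p => p.Key, StringComparer.Ordinal))
{
    if (pair.Value is not null)   // section nodes have no value of their own
        Console.WriteLine(pair.Key);
}

// Hypothetical list of keys this application cannot start without.
string[] requiredKeys = { "AccessKey", "ConnectionStrings:0:ConnectionString" };

// Fail fast, naming the missing keys but not echoing any configuration values.
var missing = requiredKeys.Where(k => string.IsNullOrEmpty(configuration[k])).ToArray();
if (missing.Length > 0)
    throw new InvalidOperationException(
        "Missing required secret keys: " + string.Join(", ", missing));
```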
      
      Copyright © 2017-, Intent Architect Holdings Ltd