For example, this will add a root Secrets:secret containing the value stored in the secret string within AWS SecretsManager at test/secret:
.AddSecretsManager()
Ensure your application receives AWS standard environment variables to set your credentials. Alternatively, customize via the options object.
Add environment variables to create the mapping.
For example, this will add a root Secrets:secret containing the value stored in the secret string within AWS SecretsManager at test/secret:
AWSSM_ID_Secrets__secret=test/secret
Use configuration as normal, including IOptionsMonitor<> to receive notifications when configuration is refreshed from AWS.
Environment Variables
Environment variables are used to keep your configuration flexible at run-time.
Credentials
If an AWS_PROFILE environment variable is provided, the credentials and region are loaded from the AWS Credential Profile Store Chain.
If an AWS_SSO_PROFILE environment variable is provided, the credentials and region are loaded from the AWS Credential Profile Store Chain from an AWS SSO login.
If both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are provided, they are used.
If an AWS_DEFAULT_REGION environment variable is provided, the region specified overrides other environment variables.
Configuration Mapping
By default, the following environment variables are used to create configuration entries. (This is configurable via EnvironmentVariableLoadConfiguration.) After a prefix, environment variable naming corresponds to that for Microsoft.Extensions.Configuration.EnvironmentVariables.
AWSSM_ID_ - the name of the secret within Secrets Manager.
AWSSM_FORMAT_ - the Format Transform to use when loading the secret into the configuration.
AWSSM_ARG_ - the argument passed to the format transform.
Advanced Configuration
While .AddSecretsManager() makes it easy to use the default settings via environment variables, there are some situations where you may wish to customize your secrets further. You may add the secrets manager configuration provider through this additional call:
.AddSecretsManager(options =>
{
// configure options here
}, optional: false)
Specifing optional: true means that if credentials are not supplied or any secrets are not accessible when the application launches, the secrets manager configuration will not be processed.
If no secrets are configured in the Map (either through advanced configuration or environment variables), credentials are not checked.
Options
CredentialsProfile - Helper property to set load a credentails profile from your system's AWS configuration
CredentialProfileOptions - Helper property to create credentials with advanced configuration
Region - Helper property to set the region endpoint based on AWS's well-known region names
Credentials - Sets AWS credentials directly
RegionEndpoint - Sets the AWS region endpoint directly
SecretsManagerClientFactory - Allows overriding of the SecretsManagerClientFactory. Mostly useful only for unit tests.
ConfigureSecretsManagerClientConfig - Allows further changes to the underlying AmazonSecretsManagerConfig before the client is created.
ReloadInterval - Determines duration for caching as well as change notifications for all keys in this secrets manager configuration provider.
EnvironmentVariableLoadConfiguration - Determines environment variable prefixes to create the map automatically. Set this to null to disable environment variable configuration mapping.
SecretIdPrefix - Sets the secret name environment variable prefix. (Defaults to AWSSM_ID_.)
SecretFormatPrefix - Sets the secret format transform environment variable prefix. (Defaults to AWSSM_FORMAT_.)
Map - Provides a programmatic mapping from configuration keys to AWS secret ids for custom structuring of your configuration. Keys are .NET Configuration paths.
SecretId - The name of the secret id within AWS.
Format - Transforms the value in the secret before adding it to the config. See FormatTransforms.
Argument - The argument passed to the format transform.
FormatTransforms - A dictionary containing format mappings. Each mapping implements the IFormatTransform. Preregistered transforms include:
noop - Passes the raw value of the secret as a string within the configuration key
Json - Expands a Json object into multiple configuration keys nested underneath the main key for the secret. Alternatively, if an argument is provided, extract only the property named in the argument as the value.
RDS-sqlserver - Expects an RDS secret from SecretsManager and transforms it into a SqlConnection ConnectionString.
RDS-npgsql - Expects an RDS secret from SecretsManager and transforms it into a Npgsql ConnectionString.
DefaultFormatter - The default formatter to use when loading a secret. (Defaults to "Json")