Protecting your application’s secrets (API keys, third-party passwords, etc.) should be a vital part of your development process. If you are using AWS to deploy your applications, the Parameter Store, part of AWS Systems Manager, allows you to store strings and retrieve them at runtime. This way, even if someone gains access to your code, or if your code is public on a platform like GitHub, your secrets are still safe.
In this tutorial, you will learn how to create this setup in a .NET application, using Visual Studio. If you are using Visual Studio Code, you can follow the first steps of the tutorial here.
Installing the AWS Toolkit for Visual Studio
The first step is to install the AWS Toolkit extension in Visual Studio. This gives you access to functionality such as deploying to Elastic Beanstalk or Lambda, and also lets you set up your AWS credentials in Visual Studio. You can download the extension from the Visual Studio marketplace and then follow the installation process.
Setting up your credentials
Once you have installed the toolkit, it’s time to configure your AWS credentials inside Visual Studio, so you can get access to your account’s resources. In the AWS Management Console, search for the ‘IAM’ service:
In the left-side navigation bar, click ‘Users’:
You can use one of your existing users, or create a new one specifically for this job. If you decide to create a new user, make sure to grant it programmatic access:
Also, make sure to grant it the necessary permissions for the services it will use. For the purposes of this tutorial, it will need access to at least ‘ssm:DescribeParameters’ and ‘ssm:GetParameters’; however, depending on what other actions you intend to perform from Visual Studio (such as deploying to Elastic Beanstalk), you might need to grant additional permissions.
If you are only using this account for testing purposes, the easiest way to ensure you will not encounter any permission errors is to grant it administrator access; however, this should not be used in a production environment, as it opens up a lot of security issues.
Once you have created your user, you will be shown a ‘key ID’ and ‘secret access key’ pair. This is the only time you will have access to the secret access key, so do not leave this page until you have configured the credentials locally.
In Visual Studio, open the AWS Explorer panel from View -> AWS Explorer. You can create a new profile by clicking the first button next to the ‘Profile’ dropdown:
Pick a name for your profile and then copy-paste your new user’s credentials:
Connecting to the Parameter Store
You are now able to access your AWS resources from Visual Studio. Before writing any code, let’s install the NuGet package that allows us to access the Parameter Store. Right click on your project, click ‘Manage NuGet Packages’, and search for ‘Amazon.SimpleSystemsManagement’:
Finally, let’s create a class that encapsulates the functionality for retrieving a parameter. I called the class ‘AwsParameterStoreClient’, but feel free to follow any naming convention you use in your own application. To keep things generic, I made the constructor take a ‘RegionEndpoint’ parameter that specifies which AWS region it should get the resources from. Feel free to omit this if all your resources are located in the same region:
The method creates an ‘AmazonSimpleSystemsManagementClient’ object, which it then uses to retrieve the parameter with the specified ‘Name’, decrypting it if necessary (if you are storing it as a secure string). Finally, it returns the value.
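A sketch of such a class and a console caller, added here as an example; it is not the author's original listing or the code of the ‘AwsParameterStore’ package. The method name ‘GetValueAsync’, the parameter name ‘/demo/greeting’ and the region are assumptions, and credentials are assumed to come from the SDK's default credential chain:

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon;
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;

// Requires the AWSSDK.SimpleSystemsManagement NuGet package.
public class AwsParameterStoreClient
{
    private readonly RegionEndpoint _region;

    public AwsParameterStoreClient(RegionEndpoint region) => _region = region;

    // Calls ssm:GetParameters, one of the two actions granted to the IAM user above.
    public async Task<string> GetValueAsync(string name)
    {
        if (string.IsNullOrWhiteSpace(name))
            throw new ArgumentException("Parameter name is required.", nameof(name));

        // No keys in code: the SDK resolves credentials itself (assumption: default chain).
        using (var ssm = new AmazonSimpleSystemsManagementClient(_region))
        {
            var response = await ssm.GetParametersAsync(new GetParametersRequest
            {
                Names = new List<string> { name },
                WithDecryption = true // decrypts SecureString values; ignored for String
            });

            // An unknown name comes back in InvalidParameters instead of raising an error.
            if (response.Parameters == null || response.Parameters.Count == 0)
                throw new KeyNotFoundException($"Parameter '{name}' was not found.");
            return response.Parameters[0].Value;
        }
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Constructed sample values: replace with your own region and parameter name.
        var client = new AwsParameterStoreClient(RegionEndpoint.EUWest1);
        var value = await client.GetValueAsync("/demo/greeting");
        // Fine for a test String; do not print or log SecureString values.
        Console.WriteLine(value);
    }
}
```

Failing on a missing parameter, rather than returning null or an empty string, keeps the application from starting with a blank secret.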
To test our setup, let’s first create a parameter in AWS. Search for the ‘Systems Manager’ service:
And then click on ‘Parameter Store’ in the left side navigation bar:
Click the ‘Create new parameter’ button and fill in the information:
The ‘Name’ is what we search the parameters by, and the ‘Value’ is what will be returned. As this example is only meant to teach you how to get values from the store, the ‘String’ type will suffice. If you are using this to store passwords, API keys, or any other sensitive data, choose the ‘SecureString’ type. You can read more about secure strings in the AWS docs. Click the ‘Create parameter’ button.
Now, to get the value from code, we can set up a simple console application, like this:
Running it should display the value in the console:
If you are happy to use the code from this tutorial for accessing the Parameter Store, you can get it from NuGet by installing the ‘AwsParameterStore’ package:
In ASP.NET Core
If you are planning to use this technique in the ‘ConfigureServices’ method of ASP.NET Core’s Startup class (for getting a DB connection string, for example), you will need to run it synchronously, as the ConfigureServices method cannot be made ‘async’: