public static async Task <string> GetSecret() { const string secretName = "Test"; const string region = "us-east-2"; IAmazonSecretsManager client = new AmazonSecretsManagerClient(RegionEndpoint.GetBySystemName(region)); var request = new GetSecretValueRequest { SecretId = secretName }; var response = await client.GetSecretValueAsync(request); // Decrypts secret using the associated KMS CMK. // Depending on whether the secret is a string or binary, one of these fields will be populated. if (response.SecretString != null) { return(response.SecretString); } else { using var memoryStream = response.SecretBinary; using var reader = new StreamReader(memoryStream); var result = await reader.ReadToEndAsync(); return(Encoding.UTF8.GetString(Convert.FromBase64String(result))); } }
public void SecretsManagerDescribeSecret() { #region to-retrieve-the-details-of-a-secret-1524000138629 var client = new AmazonSecretsManagerClient(); var response = client.DescribeSecret(new DescribeSecretRequest { SecretId = "MyTestDatabaseSecret" }); string arn = response.ARN; string description = response.Description; string kmsKeyId = response.KmsKeyId; DateTime lastAccessedDate = response.LastAccessedDate; DateTime lastChangedDate = response.LastChangedDate; DateTime lastRotatedDate = response.LastRotatedDate; string name = response.Name; bool rotationEnabled = response.RotationEnabled; string rotationLambdaARN = response.RotationLambdaARN; RotationRulesType rotationRules = response.RotationRules; List <Tag> tags = response.Tags; Dictionary <string, List <string> > versionIdsToStages = response.VersionIdsToStages; #endregion }
public static IServiceCollection AddPostMortemContext(this IServiceCollection services) { string connectionString = ""; if (!string.IsNullOrWhiteSpace(Environment.GetEnvironmentVariable("AWS_REGION"))) { using (var client = new AmazonSecretsManagerClient()) { var request = new GetSecretValueRequest() { SecretId = "PostMortem/Db" }; var response = client.GetSecretValueAsync(request).Result; var responseDict = JsonConvert.DeserializeObject <Dictionary <string, string> >(response.SecretString); connectionString = responseDict["connectionstring"]; } } else { connectionString = "server=localhost;database=postmortem;user=root;password=mysql;SslMode=None"; } services.AddDbContext <PostMortemContext>(o => o.UseMySql(connectionString)); return(services); }
public void OneTimeSetUp() { _testServer = new TestServer(); _httpClient = _testServer.CreateClient(); var secretsClient = new AmazonSecretsManagerClient(RegionEndpoint.USWest2); var secretResponse = secretsClient.GetSecretValueAsync(new GetSecretValueRequest { SecretId = TestUserSecretId }).Result; _testUserCreds = JsonConvert.DeserializeObject <TestUserCreds>(secretResponse.SecretString); _emailAdapter = new EmailAdapter(); _user = new AwsCognitoUser { FirstName = "test", LastName = "user", PhoneNumber = "+12223334444", UserName = _testUserCreds.TraceTestUserEmail, Password = _testUserCreds.TraceTestUserPassword }; var serviceProvider = _testServer.GetTestServiceProvider(); _authAdapter = serviceProvider.GetRequiredService <IAuthAdapter>(); _httpHandler = new HttpHandler(_clientConfig, _httpClient); _apiClient = new TraceApiClient(_httpHandler); }
public override void Load() { var config = new AWSSecretsConfiguration(); ConfigAction(config); MemoryStream memoryStream = new MemoryStream(); // Initialize an empty secret store Data = new Dictionary <string, string>(); IAmazonSecretsManager client = new AmazonSecretsManagerClient(RegionEndpoint.GetBySystemName(config.Region)); foreach (var secretId in config.Secrets) { var request = new GetSecretValueRequest { SecretId = secretId }; var response = Task.Run(() => client.GetSecretValueAsync(request)).Result; var data = JsonConvert.DeserializeObject <Dictionary <string, string> >(response.SecretString); foreach (var kvp in data) { Data.Add($"{secretId}:{kvp.Key}", kvp.Value); } } }
private async Task <Boolean> GetSecrets() { IAmazonSecretsManager client = new AmazonSecretsManagerClient(primaryRegion); GetSecretValueRequest request = new GetSecretValueRequest(); request.SecretId = secretName; request.VersionStage = secretAlias; try { GetSecretValueResponse response = await client.GetSecretValueAsync(request); secrets = JsonConvert.DeserializeObject <Secrets>(response.SecretString); return(true); } catch (Exception error) { await SendFailureAsync("GetSecrets", error.Message); Console.WriteLine("ERROR : GetSecretValue : " + error.Message); Console.WriteLine("ERROR : GetSecretValue : " + error.StackTrace); return(false); } }
public void SetVaultCredential(string credential) { if (_configuration != null) { try { _logger.Information($"Configuring plugin {Name} for the AWS vault"); var region = Amazon.RegionEndpoint.GetBySystemName(_configuration[AwsRegion]); if (region.DisplayName == "Unknown") { throw new Exception("Specified region is unknown."); } var accessKeyId = _configuration[AccessKeyId]; //this client doesn't create a connection until it is used. _awsClient = new AmazonSecretsManagerClient(accessKeyId, credential, region); _logger.Information($"Plugin {Name} has been successfully configured for the AWS vault."); } catch (Exception ex) { _logger.Error(ex, $"Plugin configuration failed: {ex.Message}"); } } else { _logger.Error("The plugin is missing the configuration."); } }
public static string Get(string secretName) { var config = new AmazonSecretsManagerConfig { RegionEndpoint = RegionEndpoint.USEast1 }; var credentials = new StoredProfileAWSCredentials("getSecretForRdsUser"); var client = new AmazonSecretsManagerClient(credentials, config); var request = new GetSecretValueRequest { SecretId = secretName }; GetSecretValueResponse response = null; try { response = client.GetSecretValueAsync(request).Result; } catch (ResourceNotFoundException) { Console.WriteLine("The requested secret " + secretName + " was not found"); } catch (InvalidRequestException e) { Console.WriteLine("The request was invalid due to: " + e.Message); } catch (InvalidParameterException e) { Console.WriteLine("The request had invalid params: " + e.Message); } return(response?.SecretString); }
/// <summary> /// Creates a new Secrets Manager client using the provided profile information /// </summary> /// <param name="profileName"></param> /// <param name="awsRegionSystemName"></param> /// <returns></returns> public virtual AmazonSecretsManagerClient SetSecretClient(RegionEndpoint region, string profileName) { if (string.IsNullOrEmpty(profileName)) { profileName = "default"; } _logger.Info(string.Format(DeploySoftware_LaunchPad_AWS_Resources.SecretHelper_GetSecretClient_ProfileName, profileName)); _logger.Info(string.Format(DeploySoftware_LaunchPad_AWS_Resources.SecretHelper_GetSecretClient_Region, profileName)); AmazonSecretsManagerClient client = null; try { var credentials = GetAwsCredentials(profileName); client = new AmazonSecretsManagerClient(credentials, region); } catch (AmazonSecretsManagerException smEx) { _logger.Info(string.Format(DeploySoftware_LaunchPad_AWS_Resources.SecretHelper_GetSecretClient_Exception_GetAwsCredentials, smEx.Message)); } if (client == null) // try to load using local environment or EC2 information { _logger.Info(DeploySoftware_LaunchPad_AWS_Resources.SecretHelper_GetSecretClient_SecretClient_IsNull); client = SetSecretClient(region); } return(client); }
public static async Task <Secrets> GetSecretAsync() { string secretName = "dotnet-twitter-bot"; string region = "ap-southeast-2"; using (var client = new AmazonSecretsManagerClient(RegionEndpoint.GetBySystemName(region))) { var request = new GetSecretValueRequest() { SecretId = secretName }; GetSecretValueResponse response = await client.GetSecretValueAsync(request); string secret = null; if (response.SecretString != null) { secret = response.SecretString; } else { using (var reader = new StreamReader(response.SecretBinary)) { secret = Encoding.UTF8.GetString(Convert.FromBase64String(await reader.ReadToEndAsync())); } } return(JsonConvert.DeserializeObject <Secrets>(secret)); } }
private static async Task <string> GetConnectionString() { if (string.IsNullOrEmpty(ConnectionString)) { var endpoint = _configuration["rdsendpoint"]; var secretArn = _configuration["rdssecretarn"]; var client = new AmazonSecretsManagerClient(); var response = await client.GetSecretValueAsync(new GetSecretValueRequest() { SecretId = secretArn }); var secret = JsonDocument.Parse(response.SecretString).RootElement; var username = secret.GetProperty("username").GetString(); var password = secret.GetProperty("password").GetString(); var builder = new SqlConnectionStringBuilder { DataSource = endpoint, InitialCatalog = "adoptions", UserID = username, Password = password }; ConnectionString = builder.ConnectionString; } return(ConnectionString); }
static string ObtainRuntimeIdentitySecret(IConfiguration config) { var request = new GetSecretValueRequest { SecretId = config["Aws:Secrets:Id"] }; try { using (var client = new AmazonSecretsManagerClient( RuntimeIdentity.Credentials, RuntimeIdentity.Region)) { var response = client.GetSecretValueAsync(request).RiskDeadlockAndAwaitResult(); if (response.SecretString.IsEmpty()) { throw new Exception("AWS SecretString was empty!"); } return(response.SecretString); } } catch (Exception ex) { throw new Exception("Failed to obtain the AWS secret: " + request.SecretId, ex); } }
public string Get(string secretName) { var config = new AmazonSecretsManagerConfig { RegionEndpoint = RegionEndpoint.APSoutheast1 }; var client = new AmazonSecretsManagerClient(config); var request = new GetSecretValueRequest { SecretId = secretName }; GetSecretValueResponse response = null; try { response = Task.Run(async() => await client.GetSecretValueAsync(request)).Result; } catch (ResourceNotFoundException) { Console.WriteLine("The requested secret " + secretName + " was not found"); } catch (InvalidRequestException e) { Console.WriteLine("The request was invalid due to: " + e.Message); } catch (InvalidParameterException e) { Console.WriteLine("The request had invalid params: " + e.Message); } return(response?.SecretString); }
internal static void SetSecret(AmazonSecretsManagerClient client, string secretId, string token) { Console.WriteLine("Attempting to retrieve secret value for AWSPENDING " + token); var pendingSecretValue = JsonConvert.DeserializeObject <SecretString>(GetSecret(client, secretId, "AWSPENDING", token).SecretString); Console.WriteLine("Attempting to retrieve secret value for AWSCURRENT"); var currentSecretValue = JsonConvert.DeserializeObject <SecretString>(GetSecret(client, secretId, "AWSCURRENT").SecretString); string connectionString = $"Server=tcp:{currentSecretValue.Host},{currentSecretValue.Port};Initial Catalog={currentSecretValue.DbName};Persist Security Info=True;" + $"User ID={currentSecretValue.Username};Password={currentSecretValue.Password}"; //Using SMO as T-SQL methods forced to use dynamic SQL and had various possible SQL Injection routes var connection = new ServerConnection(new SqlConnection(connectionString)); var server = new Server(connection); var logins = server.Logins; foreach (Login user in logins) { if (user.Name.ToLower() == currentSecretValue.Username.ToLower()) { user.ChangePassword(currentSecretValue.Password, pendingSecretValue.Password); user.Alter(); user.Refresh(); Console.WriteLine($"Successfully changed password for username {currentSecretValue.Username}"); break; } } }
void Download() { var request = new GetSecretValueRequest { SecretId = SecretId }; try { using (var client = new AmazonSecretsManagerClient( RuntimeIdentity.Credentials, RuntimeIdentity.Region)) { var response = client.GetSecretValueAsync(request).RiskDeadlockAndAwaitResult(); if (response.SecretString.IsEmpty()) { throw new Exception("AWS SecretString was empty!"); } SecretString = response.SecretString; } } catch (Exception ex) { throw new Exception("Failed to obtain the AWS secret: " + request.SecretId, ex); } }
public override void Invoke(AWSCredentials creds, RegionEndpoint region, int maxItems) { AmazonSecretsManagerConfig config = new AmazonSecretsManagerConfig(); config.RegionEndpoint = region; ConfigureClient(config); AmazonSecretsManagerClient client = new AmazonSecretsManagerClient(creds, config); ListSecretsResponse resp = new ListSecretsResponse(); do { ListSecretsRequest req = new ListSecretsRequest { NextToken = resp.NextToken , MaxResults = maxItems }; resp = client.ListSecrets(req); CheckError(resp.HttpStatusCode, "200"); foreach (var obj in resp.SecretList) { AddObject(obj); } }while (!string.IsNullOrEmpty(resp.NextToken)); }
static void Main(string[] args) { var secretName = "TestSecret1"; var config = new AmazonSecretsManagerConfig(); config.RegionEndpoint = RegionEndpoint.USWest2; var client = new AmazonSecretsManagerClient(config); var secretValueRequest = new GetSecretValueRequest(); secretValueRequest.SecretId = secretName; var secretValueResponse = GetSecretValueResponseAsync(client, secretValueRequest); if (secretValueResponse.Result.SecretString != null) { Console.WriteLine("Secret String: " + secretValueResponse.Result.SecretString); } else if (secretValueResponse.Result.SecretBinary != null) { Console.WriteLine("SecretBinary saved to variable."); var secretBinary = secretValueResponse.Result.SecretBinary; //Do something with the SecretBinary in your code } else { Console.WriteLine("Secret String and Secret Binary are null."); //Do something with the SecretString in your code } }
public Function() { if (builder != null) { return; } //read aud, kid and iss from env vars var aud = Environment.GetEnvironmentVariable("Audience"); var iss = Environment.GetEnvironmentVariable("Issuer"); var kid = Environment.GetEnvironmentVariable("KeyId"); var client = new AmazonSecretsManagerClient(); GetSecretValueResponse response; try { response = client.GetSecretValueAsync(new GetSecretValueRequest { SecretId = "RsaKeypair" }).Result; } catch (Exception ex) { LambdaLogger.Log("Error trying to fetch RSA keys from SM: " + ex.Message); throw; } var json = JsonDocument.Parse(response.SecretString); var privKey = Convert.FromBase64String(json.RootElement.GetProperty("privateKey").GetString()); var pubKey = Convert.FromBase64String(json.RootElement.GetProperty("publicKey").GetString()); builder = new JwtBuilder(privKey, pubKey, aud, kid, iss); }
private void Initialise() { try { IAmazonSecretsManager client = new AmazonSecretsManagerClient(_accessKey, _secretKey, RegionEndpoint.GetBySystemName(_region)); var request = new GetSecretValueRequest() { SecretId = _secretName, VersionStage = "AWSCURRENT" }; var response = client.GetSecretValueAsync(request).Result; if (response.SecretString != null) { var secret = response.SecretString; _secretDictionary = JsonConvert.DeserializeObject <Dictionary <string, string> >(secret); } else { var memoryStream = response.SecretBinary; var reader = new StreamReader(memoryStream); var decodedBinarySecret = Encoding.UTF8.GetString(Convert.FromBase64String(reader.ReadToEnd())); _secretDictionary = JsonConvert.DeserializeObject <Dictionary <string, string> >(decodedBinarySecret); } } catch (Exception e) { Console.WriteLine(e.Message); } }
static async Task Test() { var function = new LetsEncryptAccountKeySecretRotationFunction(); var secretsManager = new AmazonSecretsManagerClient(); var secretArn = string.Empty; secretArn = "arn:aws:secretsmanager:us-west-2:1234567890:secret:TestSecret-636999565209208171-icM7qC"; if (string.IsNullOrEmpty(secretArn)) { var createResult = await secretsManager.CreateSecretAsync(new CreateSecretRequest { Name = $"TestSecret-{DateTime.UtcNow.Ticks}", SecretString = "{}" }); secretArn = createResult.ARN; } var @event = new SecretRotationEvent { ClientRequestToken = Guid.NewGuid().ToString(), SecretId = secretArn, Step = "createSecret" }; var context = new TestContext(); try { await function.Handler(@event, context); @event.Step = "setSecret"; await function.Handler(@event, context); @event.Step = "testSecret"; await function.Handler(@event, context); @event.Step = "finishSecret"; await function.Handler(@event, context); } catch (Exception ex) { Console.Write(ex); throw; } finally { await secretsManager.DeleteSecretAsync(new DeleteSecretRequest { SecretId = secretArn, ForceDeleteWithoutRecovery = true }); } }
// This method gets called by the runtime. Use this method to add services to the container. public virtual void ConfigureServices(IServiceCollection services) { var cognitoConfigKey = Configuration.GetSection("AWS").GetSection("Secrets")["CognitoConfig"]; var secretsClient = new AmazonSecretsManagerClient(RegionEndpoint.USWest2); var cognitoConfigSecretResponse = secretsClient.GetSecretValueAsync(new GetSecretValueRequest { SecretId = cognitoConfigKey }).Result; var cognitoAdapterConfig = JsonConvert.DeserializeObject <AwsCognitoAdapterConfig>(cognitoConfigSecretResponse.SecretString); var validIssuer = Configuration.GetValidIssuer(cognitoAdapterConfig.UserPoolId); services.Configure <CookiePolicyOptions>(options => { // This lambda determines whether user consent for non-essential cookies is needed for a given request. //options.CheckConsentNeeded = context => true; options.MinimumSameSitePolicy = SameSiteMode.None; }); services .AddMvc().AddApplicationPart(typeof(Startup).Assembly) //need this to make the integrations tests work: https://stackoverflow.com/a/58079778 .SetCompatibilityVersion(CompatibilityVersion.Version_2_1); services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer(options => { options.TokenValidationParameters = new TokenValidationParameters { IssuerSigningKeyResolver = (s, token, identifier, parameters) => { var json = new WebClient().DownloadString($"{validIssuer}/.well-known/jwks.json"); var keys = JsonConvert.DeserializeObject <JsonWebKeySet>(json).Keys; return(keys); }, ClockSkew = TimeSpan.FromMinutes(5), LifetimeValidator = (notBefore, expires, token, parameters) => { if (expires != null) { if (DateTime.UtcNow < expires) { return(true); } } return(false); }, ValidateIssuer = true, ValidateAudience = false, ValidateLifetime = true, ValidateIssuerSigningKey = true, ValidIssuer = validIssuer }; }); services.AddScoped(s => cognitoAdapterConfig); services.AddScoped <IAwsCognitoAdapterHelper, AwsCognitoAdapterHelper>(); services.AddScoped <IAmazonCognitoIdentityProvider, AmazonCognitoIdentityProviderClient>(); services.AddScoped <IAuthAdapter, AwsCognitoAdapter>(); }
public CadastroSecretsManagerService() { _config = new AmazonSecretsManagerConfig() { RegionEndpoint = RegionEndpoint.SAEast1 }; _client = new AmazonSecretsManagerClient(_config); }
internal static DescribeSecretResponse DescribeSecret(AmazonSecretsManagerClient client, string secretId) { var asyncResult = client.DescribeSecretAsync(new DescribeSecretRequest { SecretId = secretId }); return(asyncResult.Result); }
public webapiContext() { AmazonSecretsManagerClient client = new AmazonSecretsManagerClient(); secretResponseTask = client.GetSecretValueAsync(new GetSecretValueRequest { SecretId = $"{Environment.GetEnvironmentVariable("SECRETS_NAMESPACE")}dbPassword" }); }
internal static GetSecretValueResponse GetSecret(AmazonSecretsManagerClient client, string secretId, string stage, string token = null) { var asyncResult = client.GetSecretValueAsync( new GetSecretValueRequest { SecretId = secretId, VersionId = token, VersionStage = stage } ); return(asyncResult.Result); }
public static async Task <T> GetSecret <T>(string secretId) { var request = new GetSecretValueRequest { SecretId = secretId }; var client = new AmazonSecretsManagerClient(); var response = await client.GetSecretValueAsync(request); return(JsonSerializer.Deserialize <T>(response.SecretString)); }
// ******************************************************************* // Constructors. // ******************************************************************* #region Constructors /// <summary> /// This constructor creates a new instance of the <see cref="SecretRepository"/> /// class. /// </summary> public SecretRepository( AmazonSecretsManagerClient secretClient ) { // Validate the parameters before attempting to use them. Guard.Instance().ThrowIfNull(secretClient, nameof(secretClient)); // Save the references. SecretClient = secretClient; }
public Startup(IConfiguration configuration) { Configuration = configuration; // Configuration AwsOpts = Configuration.GetAWSOptions(); Config = new GeneralConfig(); Configuration.Bind("GeneralConfig", Config); OpenIdConnectConfig = new OidcConfig(); Configuration.Bind("CognitoOIDC", OpenIdConnectConfig); SecManager = new AmazonSecretsManagerClient(AwsOpts.Region); }
/// <summary> /// Adds an <see cref="IConfigurationProvider"/> that reads configuration values from the AWS Secret Manager. /// </summary> /// <param name="accessKeyId">AWS Access Key ID</param> /// <param name="accessKeySecret">AWS Secret Access Key</param> /// <param name="region"> The system name of the service like "us-west-1". The default value is us-east-2</param> /// <param name="cacheSize">The maximum number of items the Cache can contain before evicting using LRU. The default value is 1024.</param> /// <param name="cacheItemTTL">The TTL of a Cache item in milliseconds.The default value is 3600000 ms, or 1 hour</param> public SecretsManagerConfigurationSource(string accessKeyId, string accessKeySecret, string region = "us-east-2", ushort cacheSize = 1024, uint cacheItemTTL = 3600000u) { var config = new AmazonSecretsManagerConfig { RegionEndpoint = RegionEndpoint.GetBySystemName(region) }; _client = new AmazonSecretsManagerClient(accessKeyId, accessKeySecret, config); _cacheSize = cacheSize; _cacheItemTTL = cacheItemTTL; }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { services.AddCors(); services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2); // configure strongly typed settings objects var appSettingsSection = Configuration.GetSection("AppSettings"); services.Configure <AppSettings>(appSettingsSection); // configure jwt authentication var appSettings = appSettingsSection.Get <AppSettings>(); var request = new GetSecretValueRequest { SecretId = appSettings.JwtKey }; IAmazonSecretsManager _secretsManager = new AmazonSecretsManagerClient(RegionEndpoint.GetBySystemName(appSettings.Region)); var response = _secretsManager.GetSecretValueAsync(request).GetAwaiter().GetResult(); var key = Encoding.ASCII.GetBytes(response.SecretString); services.AddAuthentication(x => { x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(x => { x.RequireHttpsMetadata = false; x.SaveToken = true; x.TokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(key), ValidateIssuer = false, ValidateAudience = false }; }); services.AddAWSService <IAmazonDynamoDB>(); services.AddAWSService <IAmazonS3>(); services.AddAWSService <IAmazonSecretsManager>(); services.AddDefaultAWSOptions( new AWSOptions { Region = RegionEndpoint.GetBySystemName(appSettings.Region) }); services.AddSingleton <IUserRepository, UserRepository>(); services.AddSingleton <IS3Service, S3Service>(); services.AddSingleton <IUserService, UserService>(); services.AddSingleton <ISecretService, SecretService>(); }