AuthScape

AWS Secrets Manager

Store production secrets in AWS Secrets Manager.

AWS Secrets Manager keeps secrets encrypted at rest with KMS and gates every read on an IAM policy, so an AWS-hosted application can pull its production configuration at startup using the role it already runs under, with nothing sensitive baked into the container image, the repository or an appsettings file.

Create Secret in AWS

bash
aws secretsmanager create-secret \
  --name "authscape/production" \
  --secret-string '{
    "ConnectionStrings__DefaultConnection": "Server=...",
    "AppSettings__Stripe__SecretKey": "sk_live_xxx"
  }'

An inline `--secret-string` value lands in the shell history and is visible in the process list while the command runs. For real values, write the JSON to a file with restrictive permissions, pass `--secret-string file://secret.json`, and delete the file afterwards. The keys deliberately use `__` as the separator: that is the form the ASP.NET Core environment-variable provider understands, which matters when ECS injects these values as environment variables (see the task definition further down). When the application reads the JSON itself, the keys have to be translated to `:` first; the Program.cs loader below does that.

Install NuGet Package

bash
dotnet add package AWSSDK.SecretsManager
dotnet add package Amazon.Extensions.Configuration.SystemsManager

The Program.cs loader below calls the SDK directly and needs only AWSSDK.SecretsManager. Amazon.Extensions.Configuration.SystemsManager is optional: it ships a ready-made configuration provider (`AddSecretsManager()`) that performs the same fetch-and-merge if you would rather not maintain the loader yourself.

Configure in Program.cs

csharp
using System.Text.Json;
using Amazon;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;
using Microsoft.Extensions.Configuration;

var builder = WebApplication.CreateBuilder(args);

// Development keeps using user-secrets/appsettings; only production pulls from AWS.
if (!builder.Environment.IsDevelopment())
{
    await LoadAwsSecrets(builder.Configuration);
}

static async Task LoadAwsSecrets(IConfigurationBuilder config)
{
    // Credentials come from the SDK default chain (task role, instance profile,
    // IRSA); nothing is embedded here. Drop the region argument to let the SDK
    // pick it up from AWS_REGION instead of pinning us-east-1.
    using var client = new AmazonSecretsManagerClient(RegionEndpoint.USEast1);
    var response = await client.GetSecretValueAsync(new GetSecretValueRequest
    {
        SecretId = "authscape/production"
    });

    var secrets = JsonSerializer.Deserialize<Dictionary<string, string?>>(response.SecretString)
        ?? throw new InvalidOperationException("Secret authscape/production is not a JSON object");

    // The secret stores keys in environment-variable form ("Section__Key").
    // Only the environment-variable provider translates "__" to ":"; in-memory
    // data is taken literally, so without this step
    // "ConnectionStrings:DefaultConnection" would never resolve.
    var mapped = secrets.ToDictionary(kv => kv.Key.Replace("__", ":"), kv => kv.Value);
    config.AddInMemoryCollection(mapped);
}

IAM Policy

Grant the role the application runs under (the task role on ECS, the service-account role on EKS) read access to the secret, and nothing more:

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:authscape/*"
    }
  ]
}

The trailing wildcard is not optional: Secrets Manager appends a random six-character suffix to every secret ARN (`authscape/production-AbCdEf`), so an exact-name resource would never match. If this role should read only the one secret, tighten the resource to `secret:authscape/production-*`. If the secret is encrypted with a customer-managed KMS key rather than the default `aws/secretsmanager` key, the same role also needs `kms:Decrypt` on that key, or `GetSecretValue` fails with an access-denied error even though the Secrets Manager policy is correct.

Using with ECS/EKS

For containerized applications, avoid baking secrets into the image and let the platform supply them through IAM roles. On ECS two distinct roles are involved: the task role (`taskRoleArn`) is what the application's own SDK calls use, so it is the one that needs `GetSecretValue` when the `LoadAwsSecrets` code above runs. Entries under `secrets` in the container definition are a different path: the ECS agent fetches them with the task execution role (`executionRoleArn`) before the container starts and injects them as environment variables, so the execution role is the one that needs `GetSecretValue` (and `kms:Decrypt` for a customer-managed key) in that case. The execution role name below (`authscape-execution-role`) is illustrative.

json
{
  "executionRoleArn": "arn:aws:iam::123456789012:role/authscape-execution-role",
  "taskRoleArn": "arn:aws:iam::123456789012:role/authscape-task-role",
  "containerDefinitions": [
    {
      "secrets": [
        {
          "name": "ConnectionStrings__DefaultConnection",
          "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:authscape/production:ConnectionStrings__DefaultConnection::"
        }
      ]
    }
  ]
}

The `valueFrom` form is `secret-arn:json-key:version-stage:version-id`; the two empty trailing fields select the `AWSCURRENT` stage. Use the full ARN as reported by `aws secretsmanager describe-secret`, including the random suffix. Because the injected value arrives as the environment variable `ConnectionStrings__DefaultConnection`, ASP.NET Core's environment-variable provider maps it to `ConnectionStrings:DefaultConnection` on its own, so with injection the in-code loader is unnecessary. EKS has no task roles: bind the IAM role to the pod's service account with IAM Roles for Service Accounts (or EKS Pod Identity), and the SDK default credential chain in the loader above picks it up without code changes.
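The following is an added example, not AuthScape's own code, that makes both loading paths on this page concrete: the self-fetching path of Program.cs (secret JSON read through the SDK and merged into `IConfiguration`) and the ECS injection path (the value arrives as an environment variable). It isolates the key-mapping step so it can be exercised offline with a constructed payload. The `ISecretFetcher` interface, `SecretsManagerFetcher`, `FakeFetcher`, the `AddSecretsManagerJsonAsync` extension and the dummy values are all this example's own assumptions, not part of the AWS SDK or of AuthScape. It assumes a console project with the AWSSDK.SecretsManager, Microsoft.Extensions.Configuration and Microsoft.Extensions.Configuration.EnvironmentVariables packages.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Threading.Tasks;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;
using Microsoft.Extensions.Configuration;

// Assumed abstraction over the network call so the mapping logic can be
// exercised without AWS credentials.
public interface ISecretFetcher
{
    Task<string> FetchAsync(string secretId);
}

// Real fetcher: region and credentials come from the SDK default chain
// (AWS_REGION, task role, IRSA, instance profile); nothing is hard-coded.
public sealed class SecretsManagerFetcher : ISecretFetcher
{
    public async Task<string> FetchAsync(string secretId)
    {
        using var client = new AmazonSecretsManagerClient();
        var response = await client.GetSecretValueAsync(
            new GetSecretValueRequest { SecretId = secretId });
        // SecretString is null for binary secrets; fail loudly rather than
        // silently loading an empty configuration.
        return response.SecretString
            ?? throw new InvalidOperationException($"Secret {secretId} has no SecretString");
    }
}

public static class SecretsManagerConfiguration
{
    // Pure mapping step: "ConnectionStrings__DefaultConnection" becomes
    // "ConnectionStrings:DefaultConnection". AddInMemoryCollection does not do
    // this for you; only the environment-variable provider does.
    public static Dictionary<string, string?> ToConfigurationKeys(string secretJson)
    {
        var raw = JsonSerializer.Deserialize<Dictionary<string, string?>>(secretJson)
                  ?? throw new InvalidOperationException("Secret is not a JSON object");
        var mapped = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase);
        foreach (var (key, value) in raw)
        {
            if (string.IsNullOrWhiteSpace(key)) continue;
            mapped[key.Replace("__", ":")] = value;
        }
        return mapped;
    }

    // Example-specific extension (not an SDK API): fetch, translate, merge.
    public static async Task AddSecretsManagerJsonAsync(
        this IConfigurationBuilder builder, ISecretFetcher fetcher, string secretId)
    {
        var json = await fetcher.FetchAsync(secretId);
        builder.AddInMemoryCollection(ToConfigurationKeys(json));
    }
}

// Offline stand-in returning a constructed payload shaped like the
// authscape/production secret created on this page (dummy values).
public sealed class FakeFetcher : ISecretFetcher
{
    public Task<string> FetchAsync(string secretId) => Task.FromResult(
        JsonSerializer.Serialize(new Dictionary<string, string>
        {
            ["ConnectionStrings__DefaultConnection"] = "Server=db;Database=authscape",
            ["AppSettings__Stripe__SecretKey"] = "sk_test_dummy",
        }));
}

public static class Program
{
    public static async Task Main()
    {
        // Path 1: the application fetches the secret itself. On ECS this is
        // the task role's GetSecretValue permission at work.
        var builder = new ConfigurationBuilder();
        await builder.AddSecretsManagerJsonAsync(new FakeFetcher(), "authscape/production");
        var config = builder.Build();
        Console.WriteLine(config.GetConnectionString("DefaultConnection"));
        Console.WriteLine(config["AppSettings:Stripe:SecretKey"] is not null);

        // Path 2: ECS injected the value as an environment variable using the
        // execution role. The environment-variable provider maps "__" to ":"
        // by itself; simulated here by setting the variable in-process.
        Environment.SetEnvironmentVariable("ConnectionStrings__DefaultConnection", "Server=from-ecs");
        var envConfig = new ConfigurationBuilder().AddEnvironmentVariables().Build();
        Console.WriteLine(envConfig.GetConnectionString("DefaultConnection"));
    }
}
```

Run it with `dotnet run`: both `GetConnectionString("DefaultConnection")` lookups resolve even though the stored keys use `__`, and the second path needs no mapping code because the environment-variable provider performs the translation. Swapping `FakeFetcher` for `SecretsManagerFetcher` is the only change needed in production, which is the point of keeping the network call behind an interface: the key translation, the part that silently breaks configuration when it is missing, stays testable without AWS access.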

Next Steps

  • Priority Order
  • Production Overview