Skip to content
This repository contains a provider for Microsoft.Extensions.Configuration that retrieves secrets stored in AWS Secrets Manager.
Branch: master
Clone or download
Latest commit 591c5bd Apr 19, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
samples Uses the Region from the default profile (#10) Apr 19, 2019
tests/Tests.Extensions.Configuration.AWSSecretsManager Support for JSON arrays (#14) Apr 19, 2019
tools First commit Apr 14, 2018
.gitignore Improved CI setup (#13) Apr 19, 2019
GitVersion.yml Improved CI setup (#13) Apr 19, 2019
LICENSE Initial commit Apr 14, 2018 Update Apr 19, 2019
SecretsManager.sln Added SampleWeb to solution May 5, 2018
appveyor.yml Fix to appveyor.yml Apr 19, 2019
build.cake Improved CI setup (#13) Apr 19, 2019

Build status NuGet version

This repository contains a provider for Microsoft.Extensions.Configuration that retrieves secrets stored in AWS Secrets Manager.


Every application has some kind of setting that should never be checked into the source control like a database connection string or some external API credentials. Yet, your application needs that setting to be able to properly perform its job.

.NET Core natively supports the ingestion of settings from different sources. This allows the customization of the application according to the current environment. The typical example is the connection string to a database that can vary so that each environment can connect to a specific database.

Developers working on .NET Core often take advantage of the secret manager for their development environment. On the other hand, settings for the production environment are often stored in environment variables.

AWS Secrets Manager offers a serverless managed solution to the problem.

Kralizek.Extensions.Configuration.AWSSecretsManager offers an convenient method to access your secrets stored in AWS Secrets Manager.

This is how your ASP.NET Core 2.0 application will look like. Notice the config.AddSecretsManager(); in the delegate passed to the ConfigureAppConfiguration method.

public class Program
    public static void Main(string[] args)

    public static IWebHost BuildWebHost(string[] args) =>
                .ConfigureAppConfiguration((hostingContext, config) =>  

This code is also available in this sample.

You can use AddSecretsManager also in a classic console application.

static void Main(string[] args)
    var builder = new ConfigurationBuilder();

    var configuration = builder.Build();

    Console.WriteLine("Hello World!");

This code is also available in this sample.

Note: the snippets above assume that some AWS credentials are available by default to your application. Here you can see how to setup your environment.


This library offers the possibility to customize how the setting values are retrieved from AWS Secrets Manager and added to the Configuration provider.

AWS Credentials

By default, this library let the AWS SDK decide which credentials should be used according to available settings. You can customize that by providing your own set of credentials.

Here are some samples.

Basic credentials

You can provide your AWS access and secret key directly by using the BasicAWSCredentials class.

Note You should avoid this. After all, the intent of this library is to remove our secrets from the source code.

var credentials = new BasicAWSCredentials("my-accessKey", "my-secretKey");
builder.AddSecretsManager(credentials: credentials);

Using credentials connected to a profile (old)

You can use a specific profile by using the StoredProfileAWSCredentials class.

Note The StoredProfileAWSCredentials has been marked as obsolete and will be removed in a later release.

var credentials = new StoredProfileAWSCredentials("my_profile_name");
builder.AddSecretsManager(credentials: credentials);

Using credentials connected to a profile (current)

You can use the CredentialProfileStoreChain class to fetch a profile from the different sources available.

var chain = new Amazon.Runtime.CredentialManagement.CredentialProfileStoreChain();

if (chain.TryGetAWSCredentials("my_profile_name", out var credentials))

You can see an example here.

AWS Region

By default, this library fetches the secrets registered in the AWS region associated with the default profile. You can change that by passing the desired region.

builder.AddSecretsManager(region: RegionEndpoint.EUWest1);

You can see an example here.

Filtering secrets before they are retrieved

Best practices suggest that you use IAM roles to restrict the list of secrets that your application has access to. This is not always doable, especially in older setups (e.g. multiple applications sitting on the same EC2 instance sharing the permissions via EC2 instance profile).

In this case, it's still possible to restrict which secrets should be retrieved by your application by providing a predicate to be applied on each secret returned.

Note Retrieving the list of available secrets and their secret value happens in two different moments so you can prevent your application from ever accessing the value of the secrets you don't need.

var acceptedARNs = new[]

builder.AddSecretsManager(configurator: options =>
    options.SecretFilter = entry => acceptedARNs.Contains(entry.ARN);

You can see an example here.

Altering how the values are added to the Configuration

Sometimes we are not in control of the full system. Maybe we are forced to use secrets defined by someone else that uses a different convention.

In this case, you can provide a function that gets invoked every time a value is discovered. This function allows you to customize which key should be used.

As an example, here we are converting all incoming keys to upper case

builder.AddSecretsManager(configurator: options =>
    options.KeyGenerator = (entry, key) => key.ToUpper();

You can see an example here.


This library follows Semantic Versioning 2.0.0 for the public releases (published to the

How to build

This project uses Cake as a build engine.

If you would like to build Nybus locally, just execute the build.cake script.

You can do it by using the .NET tool created by CAKE authors and use it to execute the build script.

dotnet tool install -g Cake.Tool
dotnet cake
You can’t perform that action at this time.