What is the Azure Key Vault reference equivalent in AWS Secrets Manager?

Time:08-29

There is a simple integration between Azure Key Vault and Azure Functions that automatically grabs the latest version of a secret and loads it as an environment variable:

@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)

This entry needs to be added to the application settings. Azure will also refresh the cached key within 24 hours of rotation.

Does AWS have similar integration and caching functionality for the Secrets Manager client in .NET?

CodePudding user response:

No, unfortunately, AWS Secrets Manager does not have an equivalent for Key Vault references, i.e. loading secrets from Secrets Manager for them to be available as Lambda environment variables. This applies to all Lambda function runtimes, not just .NET.


You will have to use the Secrets Manager SDK, preferably reading secret names from your application settings and then loading the secret values on startup.

Or if you need a like-for-like replacement, you can make calls to obtain the secret value(s) during your build pipeline & modify your application settings to contain the secret value.

This would need a compromise on the caching aspect unless you then create a specific, scheduled pipeline that runs every 24 hours to obtain the latest secret(s) value and updates the application settings for your environment(s).

However, for the former preferred option, you can take advantage of the official AWSSDK.SecretsManager.Caching NuGet package for secret caching.

The (configurable) cache item refresh time/TTL is set to 1 hour by default.

For your use case, create an instance of the SecretCacheConfiguration class & set the CacheItemTTL property to 86400000 (24 hours in milliseconds). Then, create your SecretsManagerCache, passing in your secrets manager client & your cache configuration.

This will configure the cache with an auto-refresh interval of 24 hours, resulting in similar behaviour.


For Lambda functions, keeping in mind that the cache will be cleared on cold start invocations, it would be best to create a singleton instance of SecretsManagerCache that is kept alive for the lifetime of the Lambda container.

If you are loading more than 3-5 secrets, I would recommend looking at the layer code referenced by this AWS Prescriptive Guidance pattern or looking at the GitHub repository for Square's Lambda Secrets Prefetch layer.

Both are Lambda layers that cache secret values, which could potentially reduce your Lambda duration overall. Square details around a 20-25% duration decrease in their blog post, which contains more detailed information. As always, YMMV.

The main difference between the two is that the AWS layer stores the secrets in memory, as opposed to locally in the /tmp directory; functionally, both are pretty much the same.


Take a look at the below official links for more in-depth information:

  1. AWS Secrets Manager User Guide: Retrieve AWS Secrets Manager secrets in .NET applications
  2. AWS Security Blog: How to use AWS Secrets Manager client-side caching in .NET
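The cached-client setup described in the answer, written out as an added example (this is not code from the original post, nor from the AWSSDK.SecretsManager.Caching package itself). It assumes the package's public types SecretCacheConfiguration and SecretsManagerCache from the Amazon.SecretsManager.Extensions.Caching namespace, and the secret name "prod/db/credentials" and the Lambda handler class are placeholders chosen for illustration:

```csharp
// Added example: a 24-hour secret cache held as a singleton for the lifetime
// of the Lambda container, mirroring the Key Vault reference refresh window.
// Requires the AWSSDK.SecretsManager and AWSSDK.SecretsManager.Caching packages.
using System;
using System.Threading.Tasks;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Extensions.Caching;

public static class SecretProvider
{
    // 24 hours expressed in milliseconds, the unit CacheItemTTL expects.
    private const uint TwentyFourHoursMs = 24 * 60 * 60 * 1000; // 86400000

    // Lazy<T> ensures one cache per container; warm invocations reuse it,
    // so only the first call after a cold start pays the Secrets Manager round trip.
    private static readonly Lazy<SecretsManagerCache> Cache =
        new Lazy<SecretsManagerCache>(() =>
        {
            var config = new SecretCacheConfiguration
            {
                // Default is 1 hour; raise it to match the 24-hour refresh the question asks about.
                CacheItemTTL = TwentyFourHoursMs,
                // Cap the number of distinct secrets held in memory (assumed sensible value).
                MaxCacheSize = 32
            };

            // Credentials and region come from the Lambda execution role and environment.
            var client = new AmazonSecretsManagerClient();
            return new SecretsManagerCache(client, config);
        });

    // Returns the secret string, refreshing from Secrets Manager once the TTL has elapsed.
    public static Task<string> GetSecretAsync(string secretId) =>
        Cache.Value.GetSecretString(secretId);
}

public class Function
{
    // Placeholder secret name; replace with the ARN or name used in your account.
    private const string DbSecretId = "prod/db/credentials";

    // Lambda entry point. The secret is read from the cache on every invocation,
    // so rotation is picked up within 24 hours without redeploying the function.
    public async Task<string> FunctionHandler(string input)
    {
        string secretJson = await SecretProvider.GetSecretAsync(DbSecretId);

        // Never log or return the secret itself; return only a non-sensitive status.
        return secretJson.Length > 0 ? "secret loaded" : "secret empty";
    }
}
```

Secret names, not secret values, belong in application settings or environment variables; the cache resolves them at runtime, which keeps the values out of build artefacts and deployment configuration, unlike the build-pipeline substitution the answer mentions as the like-for-like alternative.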