Reputation: 901
Where does AWS Secrets Manager get AWS Credentials?
I'm beginning to work with Secrets Manager and created my first secret in AWS. During the process, it gave me some sample code to work with. I put that in a small application and ran it. The code:
String region = "us-east-1";
string secret = "";
MemoryStream memoryStream = new MemoryStream();
IAmazonSecretsManager client = new AmazonSecretsManagerClient(
RegionEndpoint.GetBySystemName(region));
GetSecretValueRequest request = new GetSecretValueRequest();
request.SecretId = "MySecretNameExample";
GetSecretValueResponse response = null;
response = client.GetSecretValue(request);
The problem is that:
- I was able to successfully retrieve the secret that I created and
- nowhere am I creating a Credentials object with any valid AWS credential data
Where is this code getting the credential information from?
Upvotes: 4
Views: 7118
Answers (2)
Reputation: 81336
If you refer to the documenation for the API for this line of code:
IAmazonSecretsManager client = new AmazonSecretsManagerClient(
RegionEndpoint.GetBySystemName(region));
You will find the following description:
Constructs AmazonSecretsManagerClient with the credentials loaded from the application's default configuration, and if unsuccessful from the Instance Profile service on an EC2 instance.
This means that you are either running on an EC2 or ECS service (or related service such as Beanstalk, ...) with a role assigned to the instance or your have configured your credentials in the standard method in a credentials file. The AWS SDK is helping you locate credentials.
This document link will explain in more detail how AWS credentials are managed and selected.
I have seen a lot of developers get the little details wrong with how credentials work and how they are used within the SDKs. Given that AWS credentials hold the keys to the AWS kingdom, managing and protecting them is vitally important.
Upvotes: 6
Reputation: 35598
The AWS SDK uses the a resolution strategy that looks in a number of locations until it finds credentials it can use. Typically the DefaultProviderChain class is responsible for performing the resolution. More information is here, but the gist is the lookup is performed in the following order (for Java, other languages are similar):
- environment variables
- Java system properties
- credentials file (e.g. in the home directory)
- instance profile credentials (only available when running in AWS)
When you run within AWS infrastructure, you can assign a profile or role to the resource that's running your code. Doing that makes credentials automatically available to your code. The idea is that they've made it easy to avoid putting credentials directly into your code.
Upvotes: 5
Related Questions
- Parsing secrets from AWS secrets manager using AWS cli
- Unable to retrieve secret from secretsmanager on aws-ec2 using an IAM role
- How to retrieve SecretsManager secret in AWS CDK
- Get secrets from AWS Secret manager without passing access key and secret key from config
- aws - secrets manager - how to secure secrets when I want to access from ec2?
- get all secrets from AWS secret manager
- Retrieve secrets from AWS Secrets Manager
- How does an EC2 instance access the Aws Secrets Manager
- How to find the cache location for AWS Secrets Manager
- Where to keep the Initial Trust credentials of a Secrets Management tool?