Follow the examples below to see how the library can be integrated into your application.
ASP.NET Core Example
public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
        .PersistKeysToAWSSystemsManager("/MyApplication/DataProtection");
    services.AddMvc();
}
For .NET 9 or later targets, the SSMXmlRepository that this package uses has been updated to use IDeletableXmlRepository (an extension of IXmlRepository) from the Microsoft.AspNetCore.DataProtection.Repositories namespace. IDeletableXmlRepository supports deletion of elements. Although deleting data protection keys is not recommended, in exceptional cases, such as extremely long-running services, an application might need to delete keys that are no longer in use and accept the risk of data loss in exchange for storage savings. The example below demonstrates one possible approach to deleting keys that have expired within a certain time frame.
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddControllersWithViews();
builder.Services.AddDataProtection()
    .PersistKeysToAWSSystemsManager("/MyApplication/DataProtection");

var app = builder.Build();

// Deletion is only available when the key manager implements IDeletableKeyManager (.NET 9 or later).
var keyManager = app.Services.GetService<IKeyManager>();
if (keyManager is IDeletableKeyManager deletableKeyManager)
{
    var utcNow = DateTimeOffset.UtcNow;
    var yearAgo = utcNow.AddYears(-1);

    // Delete only keys that expired more than a year ago; data protected with them can no longer be read.
    if (!deletableKeyManager.DeleteKeys(key => key.ExpirationDate < yearAgo))
    {
        Console.WriteLine("Failed to delete keys.");
    }
    else
    {
        Console.WriteLine("Old keys deleted successfully.");
    }
}
else
{
    Console.WriteLine("Key manager does not support deletion.");
}
...
Getting Help
Please use these community resources for getting help. We use the GitHub issues for tracking bugs and feature requests.
If it turns out that you may have found a bug, please open an issue.
Permissions
The AWS credentials used must have access to the ssm:PutParameter and ssm:GetParametersByPath service operations from AWS Systems Manager. Below is an example IAM policy for those actions.
If the KMSKeyId property is set when calling the PersistKeysToAWSSystemsManager method, then the IAM policy will also need access to kms:Encrypt for the KMS key used.
For .NET 9 or later targets, the SSMXmlRepository that this package uses has been updated to use IDeletableXmlRepository. If the application opts to delete keys, then the AWS credentials used must have access to the ssm:DeleteParameter service operation.
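A policy covering the three cases described in this section, scoped to a single parameter prefix and a single KMS key. This is an added example, not the project's own policy: it assumes the /MyApplication/DataProtection prefix used in the examples above, and `<region>`, `<account-id>` and `<kms-key-id>` are placeholders to replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StoreAndReadDataProtectionKeys",
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:GetParametersByPath"
      ],
      "Resource": [
        "arn:aws:ssm:<region>:<account-id>:parameter/MyApplication/DataProtection",
        "arn:aws:ssm:<region>:<account-id>:parameter/MyApplication/DataProtection/*"
      ]
    },
    {
      "Sid": "OnlyIfKMSKeyIdIsSet",
      "Effect": "Allow",
      "Action": "kms:Encrypt",
      "Resource": "arn:aws:kms:<region>:<account-id>:key/<kms-key-id>"
    },
    {
      "Sid": "OnlyIfTheApplicationDeletesKeys",
      "Effect": "Allow",
      "Action": "ssm:DeleteParameter",
      "Resource": "arn:aws:ssm:<region>:<account-id>:parameter/MyApplication/DataProtection/*"
    }
  ]
}
```

Drop the second and third statements when KMSKeyId is not set or keys are never deleted. If reads are denied on the KMS key, check whether the role also needs kms:Decrypt, which Parameter Store requires in order to return SecureString values decrypted.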
Contributing
We welcome community contributions and pull requests. See
CONTRIBUTING for information on how to set up a development
environment and submit code.
Additional Resources
AWS Developer Center - Explore .NET on AWS
Find all the .NET code samples, step-by-step guides, videos, blog content, tools, and information about live events that you need in one place.
AWS Developer Blog - .NET
Come see what .NET developers at AWS are up to! Learn about new .NET software announcements, guides, and how-to’s.
AWS Systems Manager ASP.NET Core Data Protection Provider
Amazon.AspNetCore.DataProtection.SSM allows you to use AWS Systems Manager's Parameter Store to store keys generated by ASP.NET's Data Protection API. This enables you to scale by allowing multiple web servers to share the keys.
The library introduces the following dependencies:
@dotnetonaws Follow us on twitter!
License
Libraries in this repository are licensed under the Apache 2.0 License.
See LICENSE and NOTICE for more information.