Retrieve Secrets from AWS Secrets Manager in ASP.NET Core¶

This recipe moves sensitive settings out of Elastic Beanstalk environment properties and into AWS Secrets Manager. The application reads a secret at runtime by using the instance profile.

Prerequisites¶

Running .NET Elastic Beanstalk environment.
Secret already stored in AWS Secrets Manager.
Instance profile permission for secretsmanager:GetSecretValue.

What You'll Build¶

You will build:

Environment property that stores only the secret identifier.
AWS SDK code to retrieve the secret value.
A pattern that keeps secrets out of source bundles and Elastic Beanstalk console output.

Steps¶

Set the secret identifier as an environment property.

eb setenv DB_SECRET_ID="guideapi/prod/database"

Add the SDK package.

dotnet add GuideApi.csproj package AWSSDK.SecretsManager

Register the Secrets Manager client.

builder.Services.AddAWSService<IAmazonSecretsManager>();

Retrieve the secret value at runtime.

app.MapGet("/secret-check", async (IAmazonSecretsManager secretsManager, IConfiguration configuration) =>
{
    var response = await secretsManager.GetSecretValueAsync(new GetSecretValueRequest
    {
        SecretId = configuration["DB_SECRET_ID"]
    });

    return Results.Ok(new { secret = "retrieved", length = response.SecretString?.Length ?? 0 });
});

Deploy and verify.

eb deploy "$ENV_NAME" --staged
curl --silent "http://$CNAME/secret-check"

flowchart LR
    A[Elastic Beanstalk App] --> B[Instance Profile]
    B --> C[AWS Secrets Manager]
    D[DB_SECRET_ID Property] --> A

Verification¶

Use these checks after deployment:

eb printenv
eb logs --all
curl --silent "http://$CNAME/secret-check"

Expected outcomes:

Only the secret identifier appears in environment properties.
The application can retrieve the secret at runtime.
Secret contents are not written to logs or returned to clients.

Sources¶

Using AWS Secrets Manager secrets in Elastic Beanstalk environments