Closed paulomorgado closed 13 hours ago
PR: #3484
I really don't want to add support for putting static credentials in appsettings.json file. It sets up users for forgetting and checking in their credentials and then pushing them someplace public. We see it way too much and I don't want to make it any easier for it to happen. I recognize somebody could use user secrets but I just know bad accidents will happen.
We support that in .NET Framework with web.config/app.config but that is for legacy reasons when the SDK didn't even support profiles. It also predates the rise of GitHub and people pushing their AWS credentials to a public repo.
@normj,
> I really don't want to add support for putting static credentials in appsettings.json file. It sets up users for forgetting and checking in their credentials and then pushing them someplace public. We see it way too much and I don't want to make it any easier for it to happen. I recognize somebody could use user secrets but I just know bad accidents will happen.
>
> We support that in .NET Framework with web.config/app.config but that is for legacy reasons when the SDK didn't even support profiles. It also predates the rise of GitHub and people pushing their AWS credentials to a public repo.
Users are going to do it whether you provide the code for that or not.
appsettings.json is just an option for having configuration. In fact, out of the box, appsettings.json is overridden by secrets, then by environment variables and then by command line arguments.
Users don't even need to have those credentials in that file for development time. For that, users should use Safe storage of app secrets in development in ASP.NET Core.
You can even store configuration in AWS using .NET Core configuration provider for AWS Systems Manager.
I get what you are saying users will do stuff like embedded credentials in their app. I can't prevent that from happening but there is a difference in users finding and building their own mechanism for embedding credentials and AWS providing that mechanism.
I know it seems I'm being overly cautious but what is likely to happen is somebody is going to embed credentials, get the credentials leaked and then that customer is really mad and I will have to go up to a VP level to explain why I put in a mechanism that allowed for users to expose their secrets.
By not allowing users to put their secrets in Safe storage of app secrets in development in ASP.NET Core, you are not preventing them from leaking their secrets. You are, effectively, preventing them from keeping their secrets safe.
The .NET configuration system has dedicated APIs to connection strings. In no way it advocates for checking in connection strings. The .NET configuration system is an abstraction over configuration that is more than an appsettings.json file.
If you think credentials are safer as an environment variable or a file accessible by all processes in a server, the things I could tell you...
Describe the feature
Amazon.Extensions.NETCore.Setup.ClientFactory<T>.CreateCredentials(ILogger, AWSOptions), when no credentials or profile are provided in the AWSOptions, uses Amazon.Runtime.FallbackCredentialsFactory.GetCredentials() to resolve credentials using:
- AppConfigAWSCredentials on .NET Framework
- AssumeRoleWithWebIdentityCredentials.FromEnvironmentVariables()
- EnvironmentVariablesAWSCredentials
It's not uncommon that on-prem non-containerized applications use the configuration file to store all configuration.
Microsoft.Extensions.Configuration.ConfigurationExtensions.GetAWSOptions could resolve basic AWS credentials from the configuration.
Use Case
appsettings.json:
Proposed Solution
Microsoft.Extensions.Configuration.ConfigurationExtensions.GetAWSOptions could look for a Credentials section with AccessKey and SecretKey values and create a BasicAWSCredentials from it.
Other Information
No response
Acknowledgements
AWS .NET SDK and/or Package version used
AWSSDK.Extensions.NETCore.Setup version 3.7.301
Targeted .NET Platform
.NET 8
Operating System and version
Windows, Linux, etc.
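
The accident discussed in this thread, a settings file with static keys being committed, can be caught before a push. The following is an added example, not code from the issue or from the AWS SDK: a check that flags non-empty AccessKey/SecretKey values (the key names from the proposed Credentials section) and access key id patterns in a settings file. The function name, the sample JSON and its placement under an AWS section are assumptions.

```python
import json
import re

# Key names taken from the issue's proposed "Credentials" section (case-insensitive).
SECRET_KEYS = {"accesskey", "secretkey"}
# Shape of AWS access key ids: long-term (AKIA) or temporary (ASIA) prefix + 16 chars.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Fallback for files json.loads rejects (e.g. comments or trailing commas).
RAW_PAIR = re.compile(r'"(AccessKey|SecretKey)"\s*:\s*"[^"]+"', re.IGNORECASE)

def find_static_credentials(text):
    """Return sorted (config_path, reason) findings for one settings file's text."""
    findings = set()

    def walk(node, trail):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, trail + [key])
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, trail + [str(index)])
        elif isinstance(node, str) and node.strip():
            if trail and trail[-1].lower() in SECRET_KEYS:
                findings.add((":".join(trail), "static credential key"))
            elif ACCESS_KEY_ID.search(node):
                findings.add((":".join(trail), "access key id pattern"))

    try:
        walk(json.loads(text), [])
    except json.JSONDecodeError:
        for match in RAW_PAIR.finditer(text):
            findings.add((match.group(1), "static credential key (raw scan)"))
    return sorted(findings)

# Constructed samples; the key values are AWS's published documentation placeholders.
LEAKY = '''{
  "AWS": {
    "Region": "eu-west-1",
    "Credentials": {
      "AccessKey": "AKIAIOSFODNN7EXAMPLE",
      "SecretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    }
  }
}'''
CLEAN = '{"AWS": {"Profile": "dev", "Region": "eu-west-1", "Credentials": {"AccessKey": ""}}}'

if __name__ == "__main__":
    for name, sample in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, find_static_credentials(sample))
```

Run as a pre-commit or CI step over every appsettings*.json in the repository, failing the build when the returned list is non-empty.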