AWS .NET SDK
AWS Guide for .NET Developers

Using Encrypted Connection Strings

AWS Systems Manager provides a centralized store to manage your configuration data, whether plain-text data such as database strings or secrets such as passwords. This enables you to separate your secrets and configuration data from your code. Parameters can be tagged and organized into hierarchies, helping you manage parameters more easily. For example, you can use the same parameter name, "constr", with a different hierarchical path, "/MyWebApp/Development/constr" or "/MyWebApp/Production/constr", to store different values. Values can be encrypted and you can control user and resource access.

If your IAM user account, group, or role is assigned administrator permissions, you have access to Systems Manager. If you don't, an administrator must update your IAM account, group, or role.

Create an Encrypted Connection String

To create an encrypted SQL Server connection string using the AWS Management Console:

  1. Open https://console.aws.amazon.com/systems-manager/, and under Shared Resources in the navigation pane, choose Parameter Store.

  2. Choose Create Parameter.

  3. In the Name box, type a hierarchy and a name. You can use the hierarchy to create a unique connection string for different deployment environments. For example, /MyWebApp/Development/constr, /MyWebApp/Test/constr, and /MyWebApp/Production/constr.

  4. Provide a Description. For example, Dev environment SQL Server connection string.

  5. Select Secure String.

  6. Type in the SQL Server connection string. At a minimum, you will usually specify server, initial catalog, user id, and password in the connection string. For example, server=myserver.com;Initial Catalog=mydb;User ID=myid;Password=mypwd.

  7. Choose Create parameter.

You can also create a parameter and perform other operations using AWS Tools for Windows PowerShell.

    # Create a new connection string; returns parameter version
    Write-SSMParameter -Name "/MyWebApp/Development/constr" -Value "server=<server>;initial catalog=<db>;user id=<id>;password=<pwd>" -Type SecureString -Overwrite $true

    # Retrieve all the keys for this app
    Get-SSMParametersByPath -Path "/MyWebApp" -Recursive $true

    # Get latest version of a parameter
    Get-SSMParameter -Name "/MyWebApp/Development/constr"

    # Get version of a parameter
    Get-SSMParameter -Name "/MyWebApp/Development/constr:1"

    # Get parameter value with decryption
    Get-SSMParameter -Name "/MyWebApp/Development/constr" -WithDecryption $true

To learn more about PowerShell Tools, see AWS Tools for Windows PowerShell <https://docs.aws.amazon.com/powershell/latest/userguide/pstools-welcome.html>.

Read the Encrypted Connection String from .NET

You can get the value from Parameter Store by using the AWS SDK for .NET.

    // Add the AWSSDK.SimpleSystemsManagement NuGet package to your project
    using System;
    using Amazon.SimpleSystemsManagement;
    using Amazon.SimpleSystemsManagement.Model;

    class DbHelper
    {
        public static string GetDBConnectionString()
        {
            // The parameter name is customized based on the ASPNETCORE_ENVIRONMENT
            // environment variable.
            //
            // You can change this to a fixed string or use a different mechanism
            // to customize.
            string parameterName = String.Format("/MyWebApp/{0}/constr",
                Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT"));

            // Using USEast1
            var ssmClient = new AmazonSimpleSystemsManagementClient(Amazon.RegionEndpoint.USEast1);

            // WithDecryption = true asks Parameter Store to return the decrypted value.
            // The synchronous GetParameter call is available in the .NET Framework
            // build of the SDK; on .NET Core, use GetParameterAsync instead.
            var response = ssmClient.GetParameter(new GetParameterRequest
            {
                Name = parameterName,
                WithDecryption = true
            });

            return response.Parameter.Value;
        }
    }
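
A hardened variant of the lookup above, as an added example that is not part of the original guide: it validates the environment name before building the parameter path, uses the SDK's asynchronous GetParameterAsync call, and rejects a parameter that was not stored as a SecureString. The class name SecureConnectionString and the allow-list of environment names (taken from the hierarchy examples in this guide) are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;

// Hypothetical helper; not part of the AWS SDK or the original guide.
public static class SecureConnectionString
{
    // Assumption: the three environments used in this guide's hierarchy examples.
    private static readonly string[] AllowedEnvironments =
        { "Development", "Test", "Production" };

    public static string BuildParameterName(string environment)
    {
        // Reject unset or unexpected values so the lookup cannot resolve to
        // "/MyWebApp//constr" or to a path outside the application's hierarchy.
        if (!AllowedEnvironments.Contains(environment, StringComparer.Ordinal))
            throw new InvalidOperationException(
                "ASPNETCORE_ENVIRONMENT is not an expected environment name.");
        return $"/MyWebApp/{environment}/constr";
    }

    public static async Task<string> GetAsync(IAmazonSimpleSystemsManagement ssm)
    {
        string name = BuildParameterName(
            Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT"));
        try
        {
            var response = await ssm.GetParameterAsync(
                new GetParameterRequest { Name = name, WithDecryption = true });

            // Refuse a value that was stored as a plain String instead of a
            // SecureString, which would mean the secret is not encrypted at rest.
            if (response.Parameter.Type != ParameterType.SecureString)
                throw new InvalidOperationException(
                    $"Parameter {name} is not a SecureString.");

            return response.Parameter.Value; // decrypted secret: never log it
        }
        catch (ParameterNotFoundException)
        {
            // Report the parameter name only, never any part of the value.
            throw new InvalidOperationException($"Parameter {name} was not found.");
        }
    }
}
```

Call it with a client created once at startup, for example `await SecureConnectionString.GetAsync(new AmazonSimpleSystemsManagementClient(Amazon.RegionEndpoint.USEast1))`.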