Kanject.Core.Secrets

AWS Secrets Manager + SSM Parameter Store retrieval with cold-start hydration. Two patterns: bake values into IConfiguration once at startup, or fetch them on demand for keys that rotate at runtime.

Install

```bash
dotnet add package Kanject.Core.Secrets
```

Register

```csharp
using Kanject.Core.Secrets.Extensions;

// Pull every key under /<service>/<stage>/ from Parameter Store and
// merge it over your appsettings — at cold-start, once.
builder.AddAwsSystemManagerParameterStore();

// Optional: register a typed Secrets-Manager-backed accessor for
// rotating secrets that you don't want baked into env at deploy time.
builder.Services.AddAwsSecretsManager(options =>
{
    options.AwsRegion = appSettings.AwsRegion;
});
```

AddAwsSystemManagerParameterStore reads every key under the path defined in manifest.json → stages.<stage>.parameterStore.path and layers it over appsettings.json. After that, the Lambda runtime never calls SSM again: the values are baked into IConfiguration, so a changed parameter is only seen on the next cold start.

On-demand secrets

For values that rotate at runtime (third-party API keys, signing keys), the Secrets Manager accessor fetches the current value with TTL-bounded caching:

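```csharp
using System.Net.Http.Headers;

public class StripeService(ISecretsManager secrets, HttpClient http)
{
    public async Task<Charge> ChargeAsync(decimal amount, string currency)
    {
        // Fetched fresh from Secrets Manager (cached for the configured TTL)
        var apiKey = await secrets.GetAsync("stripe/api-key");

        // DefaultRequestHeaders applies to every request sent through this
        // HttpClient instance; if the client is shared, set the header on the
        // individual HttpRequestMessage instead.
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", apiKey);

        // …make the API call
    }
}
```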

What ships with it

  • Boot-time Parameter Store hydration into IConfiguration
  • ISecretsManager.GetAsync(name) for runtime-rotating values
  • Automatic JSON-key extraction (secret-name#field)
  • Per-secret TTL caching to avoid hammering Secrets Manager from hot paths
  • IAM-aware error messages when the Lambda role is missing the right policy
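
How per-secret TTL caching and `secret-name#field` extraction interact, as an added example that is not Kanject.Core.Secrets code: `TtlSecretCache`, the fake backend and the `stripe#api-key` reference are hypothetical, and the sketch assumes the field is a top-level key of a JSON secret. The TTL is what bounds how long a rotated-out value keeps being served.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Text.Json;
using System.Threading.Tasks;

// Constructed stand-in for Secrets Manager: returns a new value on every backend call.
var calls = 0;
Func<string, Task<string>> fakeFetch = _ =>
    Task.FromResult($"{{\"api-key\":\"sk_constructed_v{++calls}\"}}");

var now = DateTimeOffset.UnixEpoch; // injectable clock so expiry is deterministic
var cache = new TtlSecretCache(fakeFetch, TimeSpan.FromMinutes(5), () => now);

Console.WriteLine(await cache.GetAsync("stripe#api-key")); // first call hits the backend
now += TimeSpan.FromMinutes(4);
Console.WriteLine(await cache.GetAsync("stripe#api-key")); // inside the TTL: cached copy
now += TimeSpan.FromMinutes(2);
Console.WriteLine(await cache.GetAsync("stripe#api-key")); // past the TTL: refetched

// Hypothetical helper for illustration; not a Kanject.Core.Secrets type.
public sealed class TtlSecretCache(
    Func<string, Task<string>> fetch, TimeSpan ttl, Func<DateTimeOffset> clock)
{
    private readonly ConcurrentDictionary<string, (string Value, DateTimeOffset Expires)> _entries = new();

    public async Task<string> GetAsync(string reference)
    {
        // "secret-name#field" -> secret id plus an optional top-level JSON field.
        var parts = reference.Split('#', 2);
        var raw = await GetRawAsync(parts[0]);
        if (parts.Length == 1) return raw;

        using var doc = JsonDocument.Parse(raw);
        if (!doc.RootElement.TryGetProperty(parts[1], out var field))
            // Name the missing field only; never echo the secret body into an error.
            throw new KeyNotFoundException($"Field '{parts[1]}' not found in '{parts[0]}'.");
        return field.ValueKind == JsonValueKind.String ? field.GetString()! : field.GetRawText();
    }

    private async Task<string> GetRawAsync(string name)
    {
        if (_entries.TryGetValue(name, out var hit) && hit.Expires > clock())
            return hit.Value;
        var value = await fetch(name); // one entry per secret, shared by all its fields
        _entries[name] = (value, clock() + ttl);
        return value;
    }
}
```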