Skip to content

Using AWS Parameter Store for ASP.NET Core Data Protection Keys

Sponsor: Do you build complex software systems? See how NServiceBus makes it easier to design, build, and manage software systems that use message queues to achieve loose coupling. Get started for free.

Learn more about Software Architecture & Design.
Join thousands of developers getting weekly updates to increase your understanding of software architecture and design concepts.


Using AWS Parameter Store for ASP.NET Core Data Protection Keys

If you’re using ASP.NET Core in AWS under any type of load balanced scenario, either through Elastic Beanstalk or an ALB with and ECS, etc, you will need to share the data protection keys. This is because each instance of your application needs to be using the exact same keys.

This isn’t an issue if you are using a single instance as the keys will be stored in memory.

If you haven’t yet used the AWS SDK, I highly recommend first checking out my quick start on configuring AWS SDK in ASP.NET Core.

AWS Systems Manager Parameter Store

One option is to use Parameter store to store the data protection keys. Thankfully AWS has released a nice little package to make this really simple.

First, add the Amazon.AspNetCore.DataProtection.SSM package to your csproj.

Now you can use the PersistKeysToAWSSystemsManager method passing the prefix as the parameter.

That’s it! That simple. Now when you run your application, you will see that a new parameter has been created with the prefix you specified followed by key-{GUID}.

ASP.NET Core Data Protection

If you want to persist data protection keys to somewhere like S3, check out this other post.

If you have any questions or comments, please let me know on twitter as I will focus my posts on those questions and comments.

Related Links:

Learn more about Software Architecture & Design.
Join thousands of developers getting weekly updates to increase your understanding of software architecture and design concepts.


Leave a Reply

Your email address will not be published. Required fields are marked *