.NET Core 3.x setting development AWS credentials

Question

I have EC2 instances (via Elastic Beanstalk) running my ASP.Net Core 3.1 web app without a problem. AWS credentials are included in the key pair configured with the instance.

I want to now store my Data Protection keys in a S3 bucket that I created for them, so I can share the keys among all of the EC2 instances. However, when I add this service in my Startup.ConfigureServices, I get a runtime error locally:

services.AddDefaultAWSOptions(Configuration.GetAWSOptions("AWS"));
services.AddAWSService<IAmazonS3>();
services.AddDataProtection()
    .SetApplicationName("Crums")
    .PersistKeysToAWSSystemsManager("/CrumsWeb/DataProtection");

My app runs fine locally if I comment out the .PersistKeysToAWSSystemsManager("/CrumsWeb/DataProtection"); line above. When I uncomment the line, the error occurs. So it has something to do with that, but I can't seem to figure it out.

I was going to use PersistKeysToAwsS3 by hotchkj, but it was deprecated when AWS came out with PersistKeysToAWSSystemsManager.

The runtime error AmazonClientException: No RegionEndpoint or ServiceURL configured happens on CreateHostBuilder in my Program.cs:

I've spent many hours on this trying just to get Visual Studio 2019 to run my app locally, using suggestions from these sites:

https://aws.amazon.com/blogs/developer/configuring-aws-sdk-with-net-core/

https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-netcore.html

ASP NET Core AWS No RegionEndpoint or ServiceURL configured when deployed to Heroku

No RegionEndpoint or ServiceURL configured

https://github.com/secretorange/aws-aspnetcore-environment-startup

https://www.youtube.com/watch?v=C4AyfV3Z3xs&ab_channel=AmazonWebServices

My appsettings.Development.json (and I also tried it in appsettings.json) contains:

"AWS": {
  "Profile": "default",
  "Region": "us-east-1",
  "ProfilesLocation": "C:\\Users\\username\\.aws\\credentials"
}

And the credentials file contains:

[default]
aws_access_key_id = MY_ACCESS_KEY
aws_secret_access_key = MY_SECRET_KEY
region = us-east-1
toolkit_artifact_guid=GUID

Answer 1

I ended up abandoning PersistKeysToAWSSystemsManager for storing my Data Protection keys because I don't want to set up yet another AWS service just to store keys in their Systems Manager. I am already paying for an S3 account, so I chose to use the deprecated NuGet package AspNetCore.DataProtection.Aws.S3.

I use server-side encryption on the bucket I created for the keys. This is the code in Startup.cs:

    services.AddDataProtection()
        .SetApplicationName("AppName")
        .PersistKeysToAwsS3(new AmazonS3Client(RegionEndpoint.USEast1), new S3XmlRepositoryConfig("S3BucketName")
        {
            KeyPrefix = "DataProtectionKeys/",  // Folder in the S3 bucket for keys
        });

Notice the RegionEndpoint parameter in the PersistKeysToAwsS3, which resolved the No RegionEndpoint or ServiceURL Configured error.

I added the AmazonS3FullAccess policy to the IAM role that's running in all my instances. This gives the instance the permissions to access the S3 bucket. My local development computer also seems to be able to access the S3 bucket, although I don't know where it's getting credentials from. I tried several iterations of appsettings.json and credentials file changes to locally set region and credentials, but nothing worked. Maybe it's using credentials I entered when I set up the AWS Toolkit in Visual Studio.