Wire an AWS KMS-backed secret protector and a Secrets Manager store, then envelope-encrypt and store values.
A host that registers ISecretProtector (KMS envelope encryption) and ISecretStore
(AWS Secrets Manager) from SquidStd.Secrets.Aws, then exercises protect/unprotect and
set/get/list.
- .NET 10 SDK
dotnet add package SquidStd.Secrets.Aws- The live calls (steps 2–3) need a KMS + Secrets Manager endpoint. The sample is
compile-and-wire focused: it resolves the services without AWS and only runs the live calls
when
SQUIDSTD_RUN_AWS=1is set with LocalStack (or real AWS) reachable at the configured endpoint.
RegisterKmsSecretProtector and RegisterAwsSecretsManagerStore take the KMS key alias, the
secret name prefix, and the AWS endpoint - pointed here at a LocalStack ServiceUrl.
Protect requests a KMS data key, encrypts the payload with it, and wraps the encrypted data
key alongside the ciphertext; Unprotect reverses it.
ISecretStore reads and writes named secrets through Secrets Manager; ListNamesAsync streams
the names under the configured prefix.
dotnet run --project samples/SquidStd.Samples.Secrets
# with the live calls:
SQUIDSTD_RUN_AWS=1 dotnet run --project samples/SquidStd.Samples.Secrets