Last post Apr 18, 2019 05:44 AM by DanielLidstrom
Apr 17, 2019 02:38 PM|DanielLidstrom|LINK
I'm learning about the new Data Protection API's and the key vaults. I am now trying to understand the limits when using AWS to host an ASP.NET Core application using Data Protection API.
According to the problem statement, the canonical example is an authentication cookie or bearer token. As such it seems to me that I should expect the number of secrets to be proportionate to the number of users (of a web site built with asp.net core, using
the data protection api). I am thinking then that the key vault should be able to hold this many secrets.
Now, when I look at the implementation of AWS SSM ASP.NET Core Data Protection Provider (https://github.com/aws/aws-ssm-data-protection-provider-for-aspnet), it uses the AWS
Systems Manager Parameter Store which has a limit of 10'000 keys per account (https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_ssm).
Will this pose a limit to my application then? I am not sure I totally understand the Data Protection API so I might be wrong.
Can someone please clarify? Thanks!
Apr 17, 2019 08:34 PM|bruce (sqlwork.com)|LINK
there should not be a secret per user. secrets are for server to server authentication. database connection and password, webapi access tokens etc.
generally you'd expect a secret per database, and per web service (internal and external). if you want to hide the url/connect string and the access token, then you might get 2/3 per web service / database.
Apr 18, 2019 05:44 AM|DanielLidstrom|LINK
That makes much more sense. Thank you Bruce!