DEV Community


Delete All AWS Secrets created in Secrets Manager using Python3 + Boto3+Different Approaches

AWS Secrets Manager:
1. AWS Secrets Manager intentionally makes deleting a secret difficult.
2. Instead of removing the secret at once, Secrets Manager immediately makes it inaccessible and schedules it for deletion after a recovery window of at least seven days (the console defaults to 30). Until the recovery window ends, you can restore a secret you previously deleted.
3. There is no charge for secrets that you have marked for deletion.
4. You can't delete a primary secret while it is replicated to other Regions. First remove the replicas, then delete the primary secret.

Permissions:
To delete a secret, you must have secretsmanager:ListSecrets and secretsmanager:DeleteSecret permissions.


Approach1 : Deletion of Secrets from AWS Console

Step 1: Create a secret named test-secret in AWS Secrets Manager.
Step 2: Open the secret in the AWS Console and start the delete action.


Step 3: A dialog asks for the waiting period under "Disable secret and schedule deletion". It defaults to 30 days; any value from 7 to 30 days can be chosen.


Step 4: Change the waiting period to 7 days and click Schedule deletion. The secret is now inaccessible but can still be restored until the window ends.



Approach2 : Deletion of Secrets from AWS CLI

1. Delete a secret with a recovery window (7 to 30 days; 7 is the minimum):
   aws secretsmanager delete-secret --secret-id MyTestSecret --recovery-window-in-days 7
2. Restore a deleted secret (MyTestSecret) that is still inside its recovery window:
   aws secretsmanager restore-secret --secret-id MyTestSecret
3. Delete a secret that is replicated to other Regions: first remove its replicas with remove-regions-from-replication, then call delete-secret:
   aws secretsmanager remove-regions-from-replication --secret-id MyTestSecret --remove-replica-regions eu-west-3
   aws secretsmanager delete-secret --secret-id MyTestSecret --recovery-window-in-days 7
4. Delete a secret immediately, with no recovery window (it cannot be restored afterwards):
   aws secretsmanager delete-secret --secret-id MyTestSecret --force-delete-without-recovery
5. Delete a replica secret by removing its Region from replication:
   aws secretsmanager remove-regions-from-replication --secret-id MyTestSecret --remove-replica-regions eu-west-3

Approach 3: Deletion of All AWS Secrets using AWS Lambda (Python3 +Boto3)

Lambda Permissions:

The Lambda function's execution role must have the secretsmanager:ListSecrets and secretsmanager:DeleteSecret permissions; without ListSecrets the function cannot enumerate the secrets, and without DeleteSecret every deletion call fails with an access-denied error.

```python
import json
import boto3
from botocore.exceptions import ClientError


def lambda_handler(event, context):
    deleted = delete_all_secrets('eu-west-1')
    return {
        'statusCode': 200,
        'body': json.dumps(f'Deleted {deleted} secrets')
    }


def delete_all_secrets(region_name):
    """
    Deletes all secrets from AWS Secrets Manager in the specified region.

    :param region_name: AWS region where the secrets are stored
    :return: number of secrets deleted
    """
    client = boto3.client('secretsmanager', region_name=region_name)
    deleted = 0
    try:
        # List all secrets, following pagination (ListSecrets returns at most 100 per page)
        paginator = client.get_paginator('list_secrets')
        for page in paginator.paginate():
            for secret in page['SecretList']:
                secret_name = secret['Name']
                try:
                    # Delete each secret. ForceDeleteWithoutRecovery skips the
                    # recovery window, so the secret cannot be restored afterwards.
                    # Deleting a primary that still has replicas fails here:
                    # remove the replicas first (see Approach 2).
                    client.delete_secret(
                        SecretId=secret_name,
                        ForceDeleteWithoutRecovery=True
                    )
                    deleted += 1
                    print(f"Secret '{secret_name}' deleted successfully.")
                except ClientError as e:
                    print(f"Error deleting secret '{secret_name}': {e}")
    except ClientError as e:
        print(f"Error listing secrets: {e}")
    return deleted
```
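The Lambda above force-deletes everything it can list and only prints the failures, so a primary secret with replicas is simply reported as an error and left in place. The following is an added example (not the post's code) of a bulk deletion that removes replica Regions before deleting the primary, keeps a recovery window by default, supports a dry run, and returns a summary instead of printing. It assumes any object exposing the boto3 secretsmanager client's methods (get_paginator, describe_secret, remove_regions_from_replication, delete_secret); the FakeSecretsManager, the SAMPLE inventory, the run() helper and the error codes the fake raises are constructed for this example so it runs offline. To run it for real, pass boto3.client('secretsmanager', region_name=...) instead of the fake; the role then also needs secretsmanager:DescribeSecret and secretsmanager:RemoveRegionsFromReplication.

```python
"""Replica-aware, dry-run-capable bulk deletion of Secrets Manager secrets.

Added example, not the post's Lambda code. delete_all_secrets() takes any
object with the boto3 secretsmanager client's methods; FakeSecretsManager is
a constructed stand-in so the logic can be exercised without AWS.
"""
import copy

try:
    from botocore.exceptions import ClientError  # real AWS error type when boto3 is installed
except ImportError:  # offline fallback mirroring botocore's constructor and .response attribute
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(f"{operation_name}: {error_response['Error']['Message']}")
            self.response = error_response


def delete_all_secrets(client, *, recovery_window_days=7, force=False, dry_run=True):
    """Schedule every listed secret for deletion and return a summary dict.

    Replica Regions are removed before the primary is deleted, because the service
    refuses to delete a primary that still has replicas. With dry_run=True nothing
    is changed and "deleted" lists what would be deleted.
    """
    if not force and not 7 <= recovery_window_days <= 30:
        raise ValueError("recovery window must be between 7 and 30 days")
    delete_args = ({"ForceDeleteWithoutRecovery": True} if force
                   else {"RecoveryWindowInDays": recovery_window_days})
    summary = {"dry_run": dry_run, "deleted": [], "replicas_removed": {},
               "skipped": [], "failed": {}}

    for page in client.get_paginator("list_secrets").paginate():
        for entry in page.get("SecretList", []):
            name = entry["Name"]
            if "DeletedDate" in entry:  # already scheduled; restore-secret would undo that
                summary["skipped"].append(name)
                continue
            try:
                status = client.describe_secret(SecretId=name).get("ReplicationStatus", [])
                regions = [r["Region"] for r in status]
                if regions:
                    summary["replicas_removed"][name] = regions
                    if not dry_run:
                        client.remove_regions_from_replication(
                            SecretId=name, RemoveReplicaRegions=regions)
                if not dry_run:
                    client.delete_secret(SecretId=name, **delete_args)
                summary["deleted"].append(name)
            except ClientError as exc:  # e.g. AccessDeniedException: keep going, report at the end
                summary["failed"][name] = exc.response["Error"]["Code"]
    return summary


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client: only what delete_all_secrets touches."""

    def __init__(self, secrets):
        self.secrets = secrets  # name -> {"replicas": [...], "scheduled": bool, "deny": bool}
        self.calls = []         # every mutating call, in order

    def get_paginator(self, operation):
        assert operation == "list_secrets"
        entries = []
        for name, s in self.secrets.items():
            e = {"Name": name, "ARN": f"arn:aws:secretsmanager:eu-west-1:123456789012:secret:{name}"}
            if s.get("scheduled"):  # as ListSecrets reports it with IncludePlannedDeletion=True
                e["DeletedDate"] = "2024-01-01T00:00:00Z"
            entries.append(e)
        mid = (len(entries) + 1) // 2  # two pages so pagination is exercised

        class _Paginator:
            def paginate(self, **_):
                return iter([{"SecretList": entries[:mid]}, {"SecretList": entries[mid:]}])
        return _Paginator()

    def describe_secret(self, SecretId):
        regions = self.secrets[SecretId].get("replicas", [])
        return {"Name": SecretId,
                "ReplicationStatus": [{"Region": r, "Status": "InSync"} for r in regions]}

    def remove_regions_from_replication(self, SecretId, RemoveReplicaRegions):
        self.calls.append(("remove_regions_from_replication", SecretId, tuple(RemoveReplicaRegions)))
        s = self.secrets[SecretId]
        s["replicas"] = [r for r in s.get("replicas", []) if r not in RemoveReplicaRegions]
        return {"ReplicationStatus": []}

    def delete_secret(self, SecretId, **kwargs):
        s = self.secrets[SecretId]
        if s.get("deny"):  # simulates a missing secretsmanager:DeleteSecret on this resource
            raise ClientError({"Error": {"Code": "AccessDeniedException",
                                         "Message": "not authorized"}}, "DeleteSecret")
        if s.get("replicas"):  # the service rejects deleting a primary that still has replicas
            raise ClientError({"Error": {"Code": "InvalidParameterException",
                                         "Message": "remove replicas first"}}, "DeleteSecret")
        self.calls.append(("delete_secret", SecretId, kwargs))
        return {"Name": SecretId}


# Constructed inventory: a replicated primary, a plain secret, one already
# scheduled for deletion, and one the caller is not allowed to delete.
SAMPLE = {
    "db/prod": {"replicas": ["eu-west-3", "us-east-1"]},
    "api/key": {},
    "old/token": {"scheduled": True},
    "locked": {"deny": True},
}


def run(dry_run=True):
    """Run the deletion against a fresh copy of SAMPLE; returns (summary, calls)."""
    client = FakeSecretsManager(copy.deepcopy(SAMPLE))
    return delete_all_secrets(client, recovery_window_days=7, dry_run=dry_run), client.calls


if __name__ == "__main__":
    print(run(dry_run=True)[0])
    print(run(dry_run=False)[0])
```

Run it once with dry_run=True and read the summary before running it for real: the dry run shows which primaries will lose replicas and which secrets are already scheduled, but it cannot reveal permission failures, because delete_secret is never called. The default keeps the 7-day recovery window so that a wrong target can still be restored with restore-secret; pass force=True only when that safety net is genuinely unwanted.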

Pricing :
1. Per secret per month

  • $0.40 per secret per month.
  • A replica secret is considered a distinct secret and is also billed at $0.40 per replica per month.
  • For secrets that are stored for less than a month, the price is prorated (based on the number of hours).

Reference: https://aws.amazon.com/secrets-manager

Conclusion: Secrets can be deleted from AWS Secrets Manager through the console, the AWS CLI, or a Lambda function using Boto3. Whichever approach you use, prefer a recovery window over forced deletion unless you are certain the secret is no longer needed, and remove replicas before deleting a primary.

💬 If you enjoyed reading this blog post and found it informative, please take a moment to share your thoughts by leaving a review and liking it 😀, and follow me on dev.to and LinkedIn.
