AWS Secrets Manager:
1. AWS Secrets Manager intentionally makes deleting a secret difficult.
2. Instead, Secrets Manager immediately makes the secret inaccessible and schedules it for deletion after a recovery window of at least seven days. Until the recovery window ends, you can recover a secret you previously deleted.
3. There is no charge for secrets that you have marked for deletion.
4. You can't delete a primary secret if it is replicated to other Regions. First delete the replicas, then delete the primary secret.
Permissions:
To delete a secret, you must have secretsmanager:ListSecrets and secretsmanager:DeleteSecret permissions.
Approach 1: Deletion of Secrets from the AWS Console
Step 1: Create a secret named test-secret in AWS Secrets Manager.
Step 2: Steps for deleting a secret through the AWS Console.
Step 3: A window prompts you to select the period for "Disable secret and schedule deletion". By default 30 days is pre-populated; you must choose a value between 7 and 30 days.
Step 4: Change it to 7 days and then click Schedule deletion.
Approach 2: Deletion of Secrets from the AWS CLI
SNo | Purpose | Command |
---|---|---|
1 | Delete a secret | aws secretsmanager delete-secret --secret-id MyTestSecret --recovery-window-in-days 7 |
2 | Restore a deleted secret (secret id MyTestSecret) before its recovery window ends | aws secretsmanager restore-secret --secret-id MyTestSecret |
3 | To delete a secret that is replicated to other Regions, first remove its replicas with remove-regions-from-replication, and then call delete-secret | aws secretsmanager remove-regions-from-replication --secret-id MyTestSecret --remove-replica-regions eu-west-3 |
4 | Delete a secret immediately | aws secretsmanager delete-secret --secret-id MyTestSecret --force-delete-without-recovery |
5 | Delete a replica secret | aws secretsmanager remove-regions-from-replication --secret-id MyTestSecret --remove-replica-regions eu-west-3 |
Approach 3: Deletion of All AWS Secrets using AWS Lambda (Python 3 + Boto3)
Lambda Permissions:
To delete a secret, you must have secretsmanager:ListSecrets and secretsmanager:DeleteSecret permissions.
```python
import json
import boto3
from botocore.exceptions import ClientError


def lambda_handler(event, context):
    delete_all_secrets('eu-west-1')
    return {
        'statusCode': 200,
        'body': json.dumps('Hello from Lambda!')
    }


def delete_all_secrets(region_name):
    """
    Deletes all secrets from AWS Secrets Manager in the specified region.
    :param region_name: AWS region where the secrets are stored
    """
    client = boto3.client('secretsmanager', region_name=region_name)
    try:
        # List all secrets, walking every page of the ListSecrets response
        paginator = client.get_paginator('list_secrets')
        for page in paginator.paginate():
            for secret in page['SecretList']:
                secret_name = secret['Name']
                try:
                    # Delete each secret
                    client.delete_secret(
                        SecretId=secret_name,
                        ForceDeleteWithoutRecovery=True  # Set to True to skip recovery window
                    )
                    print(f"Secret '{secret_name}' deleted successfully.")
                except ClientError as e:
                    print(f"Error deleting secret '{secret_name}': {e}")
    except ClientError as e:
        print(f"Error listing secrets: {e}")
```
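The post's Lambda deletes every secret with `ForceDeleteWithoutRecovery=True`, which throws away the recovery window the post describes at the top. The following is an added example (not the post's code) that applies the points from Approach 2 and Approach 3 together: it schedules deletion with a validated 7-30 day recovery window, removes replica Regions first because a replicated primary cannot be deleted, skips secrets already in their recovery window, and supports a dry run. The `FakeSecretsManager` class, `sample_client()` inventory and its secret names are constructed so the module runs offline; in production you would pass `boto3.client('secretsmanager', region_name=...)` instead.

```python
"""Added example: safer bulk deletion for Secrets Manager (offline-runnable)."""

MIN_RECOVERY_DAYS = 7   # smallest recovery window the service accepts
MAX_RECOVERY_DAYS = 30  # largest recovery window the service accepts


def validate_recovery_window(days):
    """Reject windows outside the 7-30 day range."""
    if not isinstance(days, int) or not MIN_RECOVERY_DAYS <= days <= MAX_RECOVERY_DAYS:
        raise ValueError(f"recovery window must be {MIN_RECOVERY_DAYS}-{MAX_RECOVERY_DAYS} days, got {days!r}")
    return days


def list_all_secrets(client):
    """Walk every page of ListSecrets (needs secretsmanager:ListSecrets)."""
    entries = []
    for page in client.get_paginator("list_secrets").paginate():
        entries.extend(page["SecretList"])
    return entries


def replica_regions(client, name):
    """DescribeSecret reports replica Regions under ReplicationStatus."""
    described = client.describe_secret(SecretId=name)
    return [r["Region"] for r in described.get("ReplicationStatus", [])]


def schedule_deletions(client, recovery_days=7, name_prefix="", dry_run=True):
    """Build a plan of (name, action, detail) tuples; apply it unless dry_run."""
    validate_recovery_window(recovery_days)
    plan = []
    for entry in list_all_secrets(client):
        name = entry["Name"]
        if not name.startswith(name_prefix):
            continue
        if entry.get("DeletedDate"):
            # DeleteSecret on a secret already in its recovery window fails, so skip it
            plan.append((name, "skip", "already scheduled for deletion"))
            continue
        regions = replica_regions(client, name)
        if regions:
            plan.append((name, "remove-replicas", regions))
            if not dry_run:
                client.remove_regions_from_replication(SecretId=name, RemoveReplicaRegions=regions)
        plan.append((name, "schedule-delete", recovery_days))
        if not dry_run:
            client.delete_secret(SecretId=name, RecoveryWindowInDays=recovery_days)
    return plan


class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 secretsmanager client."""

    def __init__(self, secrets):
        self.secrets = secrets  # name -> {"replicas": [regions], "deleted": bool}

    def get_paginator(self, operation_name):
        assert operation_name == "list_secrets"
        return self

    def paginate(self):
        entries = []
        for name, state in self.secrets.items():
            entry = {"Name": name}
            if state["deleted"]:
                entry["DeletedDate"] = "2024-01-01T00:00:00Z"  # constructed timestamp
            entries.append(entry)
        yield {"SecretList": entries[:1]}  # two pages so pagination is exercised
        yield {"SecretList": entries[1:]}

    def describe_secret(self, SecretId):
        state = self.secrets[SecretId]
        return {"Name": SecretId,
                "ReplicationStatus": [{"Region": r, "Status": "InSync"} for r in state["replicas"]]}

    def remove_regions_from_replication(self, SecretId, RemoveReplicaRegions):
        state = self.secrets[SecretId]
        state["replicas"] = [r for r in state["replicas"] if r not in RemoveReplicaRegions]

    def delete_secret(self, SecretId, RecoveryWindowInDays=None, ForceDeleteWithoutRecovery=False):
        state = self.secrets[SecretId]
        if state["replicas"]:
            raise RuntimeError(f"{SecretId}: primary still has replicas; remove them first")
        if state["deleted"]:
            raise RuntimeError(f"{SecretId}: already scheduled for deletion")
        state["deleted"] = True
        state["recovery_days"] = RecoveryWindowInDays


def sample_client():
    """Constructed inventory: a plain secret, a replicated one, and one already deleted."""
    return FakeSecretsManager({
        "test-secret": {"replicas": [], "deleted": False},
        "MyTestSecret": {"replicas": ["eu-west-3"], "deleted": False},
        "old-secret": {"replicas": [], "deleted": True},
    })


if __name__ == "__main__":
    client = sample_client()
    for step in schedule_deletions(client, recovery_days=7, dry_run=True):
        print("DRY RUN:", step)
    schedule_deletions(client, recovery_days=7, dry_run=False)
    print(client.secrets)
```

Running the dry run first and reviewing the returned plan is the point: the plan lists the replica removals and scheduled deletions per secret without calling any mutating API, and `name_prefix` keeps a bulk operation scoped to the secrets you actually mean. Anything scheduled this way can still be brought back with `restore-secret` until the window ends.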
Pricing:
1. Per Secret Per Month
- $0.40 per secret per month.
- A replica secret is considered a distinct secret and is also billed at $0.40 per replica per month.
- For secrets that are stored for less than a month, the price is prorated (based on the number of hours).
Reference: https://aws.amazon.com/secrets-manager
Conclusion: This post covered three approaches to deleting secrets from AWS Secrets Manager: the AWS Console, the AWS CLI, and a Lambda function.
💬 If you enjoyed reading this blog post and found it informative, please take a moment to share your thoughts by leaving a review and liking it 😀 and follow me on dev.to and LinkedIn