[ aws . secretsmanager ]

delete-secret

Description

Deletes an entire secret and all of its versions. You can optionally include a recovery window during which you can restore the secret. If you don't specify a recovery window value, the operation defaults to 30 days. Secrets Manager attaches a DeletionDate stamp to the secret that specifies the end of the recovery window. At the end of the recovery window, Secrets Manager deletes the secret permanently.

At any time before the recovery window ends, you can use restore-secret to remove the DeletionDate and cancel the deletion of the secret.

You cannot access the encrypted secret information in any secret that is scheduled for deletion. If you need to access that information, you must cancel the deletion with restore-secret and then retrieve the information.

Note

  • There is no explicit operation to delete a version of a secret. Instead, remove all staging labels from the VersionStage field of a version. That marks the version as deprecated and allows Secrets Manager to delete it as needed. Versions that do not have any staging labels do not show up in list-secret-version-ids unless you specify IncludeDeprecated.
  • The permanent secret deletion at the end of the waiting period is performed as a background task with low priority. There is no guarantee of a specific time after the recovery window for the actual delete operation to occur.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:DeleteSecret

Related operations

  • To create a secret, use create-secret.
  • To cancel deletion of a version of a secret before the recovery window has expired, use restore-secret.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.

Synopsis

  delete-secret
  --secret-id <value>
  [--recovery-window-in-days <value>]
  [--cli-input-json <value>]
  [--generate-cli-skeleton <value>]

Options

--secret-id (string)

Specifies the secret that you want to delete. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

--recovery-window-in-days (long)

(Optional) Specifies the number of days that Secrets Manager waits before it can delete the secret.

This value can range from 7 to 30 days. The default value is 30.

--cli-input-json (string)

Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values.

--generate-cli-skeleton (string)

Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.


Output

ARN -> (string)

The ARN of the secret that is now scheduled for deletion.

Name -> (string)

The friendly name of the secret that is now scheduled for deletion.

DeletionDate -> (timestamp)

The date and time after which this secret can be deleted by Secrets Manager and can no longer be restored. This value is the date and time of the delete request plus the number of days specified in RecoveryWindowInDays.
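
Examples

The following shell functions are an added example, not part of the AWS documentation. They wrap delete-secret so that an out-of-range recovery window is rejected locally before any request is sent, and they pair it with restore-secret for cancelling a pending deletion. The function names are hypothetical; the subcommands, --secret-id, --recovery-window-in-days and the global --query and --output options are the CLI's own.

```shell
# Added example: guarded wrappers around delete-secret and restore-secret.
# Function names are hypothetical; the aws subcommands and options are real.

# Accept only an integer inside the documented range of 7 to 30 days.
valid_recovery_window() {
  case "$1" in
    [0-9]|[0-9][0-9]) ;;   # one or two digits only
    *) return 1 ;;         # empty, negative, non-numeric or too long
  esac
  [ "$1" -ge 7 ] && [ "$1" -le 30 ]
}

# Schedule deletion and print the DeletionDate returned by Secrets Manager.
# Usage: schedule_secret_deletion <secret-id> [recovery-window-in-days]
schedule_secret_deletion() {
  local secret_id="$1"
  local days="${2:-30}"    # 30 is the documented default
  if [ -z "$secret_id" ]; then
    echo "usage: schedule_secret_deletion <secret-id> [days]" >&2
    return 2
  fi
  if ! valid_recovery_window "$days"; then
    echo "recovery window must be an integer from 7 to 30, got '$days'" >&2
    return 2
  fi
  aws secretsmanager delete-secret \
    --secret-id "$secret_id" \
    --recovery-window-in-days "$days" \
    --query DeletionDate --output text
}

# Cancel a pending deletion and print the restored secret's friendly name.
# This only works while the recovery window is still open.
# Usage: cancel_secret_deletion <secret-id>
cancel_secret_deletion() {
  local secret_id="$1"
  if [ -z "$secret_id" ]; then
    echo "usage: cancel_secret_deletion <secret-id>" >&2
    return 2
  fi
  aws secretsmanager restore-secret \
    --secret-id "$secret_id" \
    --query Name --output text
}
```

Record the printed DeletionDate in the change ticket: it is the last moment at which cancel_secret_deletion can still succeed.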