Table Of Contents


User Guide

First time using the AWS CLI? See the User Guide for help getting started.

Note: You are viewing the documentation for an older major version of the AWS CLI (version 1).

AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.

[ aws . secretsmanager ]



Lists all of the versions attached to the specified secret. The output does not include the SecretString or SecretBinary fields. By default, the list includes only versions that have at least one staging label in VersionStage attached.


Always check the NextToken response parameter when calling any of the List* operations. These operations can occasionally return an empty or shorter than expected list of results even when there more results become available. When this happens, the NextToken response parameter contains a value to pass to the next call to the same API to request the next part of the list.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:ListSecretVersionIds
Related operations
  • To list the secrets in an account, use ListSecrets .

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.


--secret-id <value>
[--max-results <value>]
[--next-token <value>]
[--include-deprecated | --no-include-deprecated]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]


--secret-id (string)

The identifier for the secret containing the versions you want to list. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.

--max-results (integer)

(Optional) Limits the number of results you want to include in the response. If you don't include this parameter, it defaults to a value that's specific to the operation. If additional items exist beyond the maximum you specify, the NextToken response element is present and has a value (isn't null). Include that value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that Secrets Manager might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

--next-token (string)

(Optional) Use this parameter in a request if you receive a NextToken response in a previous request indicating there's more output available. In a subsequent call, set it to the value of the previous call NextToken response to indicate where the output should continue from.

--include-deprecated | --no-include-deprecated (boolean)

(Optional) Specifies that you want the results to include versions that do not have any staging labels attached to them. Such versions are considered deprecated and are subject to deletion by Secrets Manager as needed.

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.


To list all of the secret versions associated with a secret

The following example shows how to retrieve a list of all of the versions of a secret, including those without any staging labels.

aws secretsmanager list-secret-version-ids --secret-id MyTestDatabaseSecret \

The output shows the following:

  "Versions": [
      "VersionId": "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE",
      "VersionStages": [
      "CreatedDate": 1523477145.713
      "VersionId": "EXAMPLE2-90ab-cdef-fedc-ba987EXAMPLE",
      "VersionStages": [
     "CreatedDate": 1523486221.391
      "CreatedDate": 1.51197446236E9,
      "VersionId": "EXAMPLE3-90ab-cdef-fedc-ba987EXAMPLE;"
  "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3",
  "Name": "MyTestDatabaseSecret"


Versions -> (list)

The list of the currently available versions of the specified secret.


A structure that contains information about one version of a secret.

VersionId -> (string)

The unique version identifier of this version of the secret.

VersionStages -> (list)

An array of staging labels that are currently associated with this version of the secret.


LastAccessedDate -> (timestamp)

The date that this version of the secret was last accessed. Note that the resolution of this field is at the date level and does not include the time.

CreatedDate -> (timestamp)

The date and time this version of the secret was created.

KmsKeyIds -> (list)

The KMS keys used to encrypt the secret version.


NextToken -> (string)

If present in the response, this value indicates that there's more output available than included in the current response. This can occur even when the response includes no values at all, such as when you ask for a filtered view of a very long list. Use this value in the NextToken request parameter in a subsequent call to the operation to continue processing and get the next part of the output. You should repeat this until the NextToken response element comes back empty (as null ).

ARN -> (string)

The Amazon Resource Name (ARN) for the secret.


Secrets Manager automatically adds several random characters to the name at the end of the ARN when you initially create a secret. This affects only the ARN and not the actual friendly name. This ensures that if you create a new secret with the same name as an old secret that you previously deleted, then users with access to the old secret don't automatically get access to the new secret because the ARNs are different.

Name -> (string)

The friendly name of the secret.