Delete a secret - AWS Secrets Manager

Delete a secret

Because of the critical nature of secrets, AWS Secrets Manager intentionally makes deleting a secret difficult. Secrets Manager does not immediately delete secrets. Instead, Secrets Manager immediately makes the secrets inaccessible and scheduled for deletion after a recovery window of a minimum of seven days. Until the recovery window ends, you can recover a secret you previously deleted. There is no charge for secrets that you have marked for deletion.

You also can't directly delete a version of a secret. Instead, you remove all staging labels from the version using the AWS CLI or AWS SDK. This marks the version as deprecated, and Secrets Manager can then automatically delete the version in the background.

If you don't know whether an application still uses a secret, you can create an Amazon CloudWatch alarm to alert you to any attempts to access a secret during the recovery window. For more information, see Monitor secret versions scheduled for deletion.

To delete a secret, you must have secretsmanager:ListSecrets and secretsmanager:DeleteSecret permissions.

To delete a secret (console)

  1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. In the list of secrets, choose the secret you want to delete.

  3. In the Secret details section, choose Actions, and then choose Delete secret.

  4. In the Disable secret and schedule deletion dialog box, in Waiting period, enter the number of days to wait before the deletion becomes permanent. Secrets Manager attaches a field called DeletionDate and sets the field to the current date and time, plus the number of days specified for the recovery window.

  5. Choose Schedule deletion.

To view deleted secrets

  1. On the Secrets page, choose Preferences.

  2. In the Preferences dialog box, select Show disabled secrets, and then choose Save.

AWS CLI

To delete a secret by using the AWS CLI, use the delete-secret action. To delete a version of a secret, use the update-secret-version-stage action to remove all of the staging labels. Secrets Manager can then delete the version in the background. To find the version ID of the version you want to delete, use the list-secret-version-ids action.

The following example marks for deletion the secret named "MyTestDatabase" and schedules deletion after a recovery window of 14 days. At any time after the date and time specified in the DeletionDate field, Secrets Manager permanently deletes the secret.

$ aws secretsmanager delete-secret --secret-id development/MyTestDatabase --recovery-window-in-days 14

{
    "ARN": "arn:aws:secretsmanager:us-east-2:111122223333:secret:development/MyTestDatabase-AbCdEf",
    "Name": "development/MyTestDatabase",
    "DeletionDate": 1510089380.309
}

The following example immediately deletes the secret without a recovery window. The DeletionDate response field shows the current date and time instead of a future time. This secret cannot be recovered.

$ aws secretsmanager delete-secret --secret-id development/MyTestDatabase --force-delete-without-recovery

{
    "ARN": "arn:aws:secretsmanager:us-east-2:111122223333:secret:development/MyTestDatabase-AbCdEf",
    "Name": "development/MyTestDatabase",
    "DeletionDate": 1508750180.309
}

The following example removes the AWSPREVIOUS staging label from a version of the secret named "MyTestDatabase".

$ aws secretsmanager update-secret-version-stage \
    --secret-id development/MyTestDatabase \
    --remove-from-version-id EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE \
    --version-stage AWSPREVIOUS

{
    "ARN": "arn:aws:secretsmanager:us-east-2:111122223333:secret:development/MyTestDatabase-AbCdEf",
    "Name": "development/MyTestDatabase"
}

AWS SDK

To delete a secret, use the DeleteSecret command. To delete a version of a secret, use the UpdateSecretVersionStage command. For more information, see:
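The CLI and SDK workflow above, driven from the Python SDK (boto3), as an added example that is not part of the AWS documentation. It assumes a Secrets Manager client object is passed in (a real boto3 client, or a fake one in tests); the helper names, the 7-30 day recovery window bounds and the refusal to strip the AWSCURRENT label reflect the DeleteSecret and UpdateSecretVersionStage API behaviour, and the secret name matches the page's example.

```python
from datetime import datetime, timezone

# DeleteSecret accepts a recovery window of 7 to 30 days; it cannot be combined
# with ForceDeleteWithoutRecovery, so the two paths below are kept separate.
MIN_RECOVERY_DAYS, MAX_RECOVERY_DAYS = 7, 30


def deprecate_version(client, secret_id, version_id):
    """Remove every staging label from one version so that Secrets Manager can
    delete it in the background (there is no direct "delete version" call).
    The AWSCURRENT label can only be moved, never plainly removed, so the
    current version is refused. Returns the list of labels removed."""
    versions = client.list_secret_version_ids(SecretId=secret_id)["Versions"]
    target = next((v for v in versions if v["VersionId"] == version_id), None)
    if target is None:
        raise LookupError(f"version {version_id} not found on {secret_id}")
    stages = list(target.get("VersionStages", []))
    if "AWSCURRENT" in stages:
        raise ValueError("refusing to deprecate the AWSCURRENT version")
    for stage in stages:
        client.update_secret_version_stage(
            SecretId=secret_id, VersionStage=stage, RemoveFromVersionId=version_id)
    return stages


def schedule_deletion(client, secret_id, recovery_window_days=30, force=False):
    """Mark a secret for deletion. By default the secret stays recoverable until
    DeletionDate; force=True deletes immediately and cannot be undone.
    Returns (deletion_date, recoverable)."""
    if force:
        resp = client.delete_secret(SecretId=secret_id, ForceDeleteWithoutRecovery=True)
        return resp["DeletionDate"], False
    if not MIN_RECOVERY_DAYS <= recovery_window_days <= MAX_RECOVERY_DAYS:
        raise ValueError(f"recovery window must be {MIN_RECOVERY_DAYS}-{MAX_RECOVERY_DAYS} days")
    resp = client.delete_secret(SecretId=secret_id, RecoveryWindowInDays=recovery_window_days)
    return resp["DeletionDate"], True


def days_until_permanent(deletion_date, now=None):
    """Whole days left in the recovery window (0 once DeletionDate has passed)."""
    now = now or datetime.now(timezone.utc)
    return max(0, (deletion_date - now).days)


if __name__ == "__main__":
    import boto3  # only needed for a live run against a real account
    sm = boto3.client("secretsmanager")
    when, recoverable = schedule_deletion(sm, "development/MyTestDatabase", 14)
    print(when, recoverable, days_until_permanent(when))
```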