Delete a secret - AWS Secrets Manager

Delete a secret

Because of the critical nature of secrets, AWS Secrets Manager intentionally makes deleting a secret difficult. Secrets Manager does not immediately delete secrets. Instead, Secrets Manager immediately makes the secrets inaccessible and scheduled for deletion after a recovery window of a minimum of seven days. Until the recovery window ends, you can recover a secret you previously deleted. There is no charge for secrets that you have marked for deletion.

You can't delete a primary secret if it is replicated to other Regions. First delete the replicas, then delete the primary secret. When you delete a replica, it is deleted immediately.

You can't directly delete a version of a secret. Instead, you remove all staging labels from the version using the AWS CLI or AWS SDK. This marks the version as deprecated, and then Secrets Manager can automatically delete the version in the background.

If you don't know whether an application still uses a secret, you can create an Amazon CloudWatch alarm to alert you to any attempts to access a secret during the recovery window. For more information, see Monitor secrets scheduled for deletion.

To delete a secret, you must have secretsmanager:ListSecrets and secretsmanager:DeleteSecret permissions.

To delete a secret (console)

  1. Open the Secrets Manager console at

  2. In the list of secrets, choose the secret you want to delete.

  3. In the Secret details section, choose Actions, and then choose Delete secret.

  4. In the Disable secret and schedule deletion dialog box, in Waiting period, enter the number of days to wait before the deletion becomes permanent. Secrets Manager attaches a field called DeletionDate and sets the field to the current date and time, plus the number of days specified for the recovery window.

  5. Choose Schedule deletion.

To view deleted secrets

  1. Open the Secrets Manager console at

  2. On the Secrets page, choose Preferences.

  3. In the Preferences dialog box, select Show disabled secrets, and then choose Save.

To delete a replica secret

  1. Open the Secrets Manager console at

  2. Choose the primary secret.

  3. In the Replicate Secret section, choose the replica secret.

  4. From the Actions menu, choose Delete Replica.


To delete a secret, use the delete-secret action. To delete a version of a secret, use the update-secret-version-stage action to remove all of the staging labels. Secrets Manager can then delete the version in the background. To find the version ID of the version you want to delete, use ListSecretVersionIds.

To delete a replica, use the remove-regions-from-replication action.

The following example marks for deletion the secret named "MyTestDatabase" and schedules deletion after a recovery window of 14 days. At any time after the date and time specified in the DeletionDate field, Secrets Manager permanently deletes the secret.

$ aws secretsmanager delete-secret --secret-id development/MyTestDatabase --recovery-window-in-days 14
{
    "ARN": "arn:aws:secretsmanager:us-east-2:111122223333:secret:development/MyTestDatabase-AbCdEf",
    "Name": "development/MyTestDatabase",
    "DeletionDate": 1510089380.309
}

The following example immediately deletes the secret without a recovery window. The DeletionDate response field shows the current date and time instead of a future time. This secret cannot be recovered.

$ aws secretsmanager delete-secret --secret-id development/MyTestDatabase --force-delete-without-recovery
{
    "ARN": "arn:aws:secretsmanager:us-east-2:111122223333:secret:development/MyTestDatabase-AbCdEf",
    "Name": "development/MyTestDatabase",
    "DeletionDate": 1508750180.309
}

The following example deletes a replica secret.

$ aws secretsmanager remove-regions-from-replication --secret-id development/MyTestDatabase --remove-replica-regions us-east-1

The following example removes the AWSPREVIOUS staging label from a version of the secret named "MyTestDatabase".

$ aws secretsmanager update-secret-version-stage \
    --secret-id development/MyTestDatabase \
    --remove-from-version-id EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE \
    --version-stage AWSPREVIOUS
{
    "ARN": "arn:aws:secretsmanager:us-east-2:111122223333:secret:development/MyTestDatabase-AbCdEf",
    "Name": "development/MyTestDatabase"
}


To delete a secret, use the DeleteSecret command. To delete a version of a secret, use the UpdateSecretVersionStage command. To delete a replica, use the StopReplicationToReplica command. For more information, see AWS SDKs.
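As an added example (not code from the AWS documentation), the following Python helper shapes DeleteSecret parameters with guard rails and audits the DeletionDate in the response, so a change review can confirm a deletion was scheduled with a recovery window rather than forced. The sample response is the page's own 14-day CLI output; the 7 to 30 day window range is the limit the DeleteSecret API documents, and the function names are this example's own.

```python
"""Guard rails around DeleteSecret and an audit of its response (added example)."""
from datetime import datetime, timedelta, timezone

MIN_RECOVERY_DAYS, MAX_RECOVERY_DAYS = 7, 30  # range the DeleteSecret API accepts


def build_delete_params(secret_id, recovery_window_days=None, force=False):
    """Return DeleteSecret parameters, refusing unsafe or contradictory combinations."""
    if force and recovery_window_days is not None:
        raise ValueError("use RecoveryWindowInDays or ForceDeleteWithoutRecovery, not both")
    if force:
        # Immediate, unrecoverable deletion: the caller must opt in explicitly.
        return {"SecretId": secret_id, "ForceDeleteWithoutRecovery": True}
    if recovery_window_days is None:
        raise ValueError("state the recovery window explicitly instead of relying on a default")
    if not MIN_RECOVERY_DAYS <= recovery_window_days <= MAX_RECOVERY_DAYS:
        raise ValueError(f"recovery window must be {MIN_RECOVERY_DAYS}-{MAX_RECOVERY_DAYS} days")
    return {"SecretId": secret_id, "RecoveryWindowInDays": recovery_window_days}


def deletion_deadline(response):
    """DeletionDate is epoch seconds; convert it to an aware UTC datetime."""
    return datetime.fromtimestamp(response["DeletionDate"], tz=timezone.utc)


def is_recoverable(response, now):
    """True while the recovery window is still open (the secret can be restored)."""
    return now < deletion_deadline(response)


def was_scheduled_not_forced(response, requested_at, requested_days, tolerance_s=300):
    """Audit check: DeletionDate should sit requested_days after the request time.

    A DeletionDate at roughly the request time means the secret was force-deleted
    with no recovery window, which is the case a reviewer wants to catch.
    """
    expected = requested_at + timedelta(days=requested_days)
    return abs((deletion_deadline(response) - expected).total_seconds()) <= tolerance_s


# Response copied from the page's 14-day example (ARN and name are doc placeholders).
SAMPLE_RESPONSE = {
    "ARN": "arn:aws:secretsmanager:us-east-2:111122223333:secret:development/MyTestDatabase-AbCdEf",
    "Name": "development/MyTestDatabase",
    "DeletionDate": 1510089380.309,
}

if __name__ == "__main__":
    print(build_delete_params("development/MyTestDatabase", 14))
    print("deadline:", deletion_deadline(SAMPLE_RESPONSE).isoformat())
```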