Promote a replica secret to a standalone secret in AWS Secrets Manager
A replica secret is a secret that is replicated from a primary in another AWS Region. It has the same secret value and metadata as the primary, but it can be encrypted with a different KMS key. A replica secret can't be updated independently from its primary secret, except for its encryption key. Promoting a replica secret disconnects the replica secret from the primary secret and makes the replica secret a standalone secret. Changes to the primary secret won't replicate to the standalone secret.
You might want to promote a replica secret to a standalone secret as a disaster recovery solution if the primary secret becomes unavailable. Or you might want to promote a replica to a standalone secret if you want to turn on rotation for the replica.
If you promote a replica, be sure to update the corresponding applications to use the standalone secret.
Secrets Manager generates a CloudTrail log entry when you promote a secret. For more information, see Log AWS Secrets Manager events with AWS CloudTrail.
To promote a replica secret (console)
-
Log in to the Secrets Manager at https://console.aws.amazon.com/secretsmanager/
. -
Navigate to the replica region.
-
On the Secrets page, choose the replica secret.
-
On the replica secret details page, choose Promote to standalone secret.
-
In the Promote replica to standalone secret dialog box, enter the Region and then choose Promote replica.
AWS CLI
Example Promote a replica secret to a primary
The following stop-replication-to-replica example removes the link between a replica secret to the primary. The replica secret is promoted to a primary secret in the replica region. You must call stop-replication-to-replica from within the replica region.
aws secretsmanager stop-replication-to-replica \ --secret-id MyTestSecret
AWS SDK
To promote a replica to a standalone secret, use the StopReplicationToReplica command. You must call this
command from the replica secret Region. For more information, see AWS SDKs.
