This repository has been archived by the owner on Oct 15, 2024. It is now read-only.

Deletion of SecretsManager secret with replica #1127

Closed
npellegrin opened this issue Oct 21, 2023 · 3 comments

Comments

@npellegrin
Contributor

The deletion of a secret stored in AWS SecretsManager fails when replication is enabled.
aws-nuke must delete all the replicas before attempting to delete the secret.

Error in CloudTrail:

You can't delete secret arn:aws:secretsmanager:eu-west-3:000000000000:secret:myvault/mysecret-AbCd that still has replica regions [eu-west-2, eu-south-1, eu-west-1, eu-central-1, us-east-1, us-east-2, us-west-1, us-west-2, eu-north-1].
@imduchy

imduchy commented Jul 23, 2024

Running into exactly same issue

eu-central-1 - SecretsManagerSecret - arn:aws:secretsmanager:eu-central-1:123456789012:secret:my-secret - [] - failed
time="2024-07-19T19:17:47Z" level=error msg="InvalidParameterException: You can't delete secret arn:aws:secretsmanager:eu-central-1:123456789012:secret:my-secret that still has replica regions [eu-north-1]."

...

eu-north-1 - SecretsManagerSecret - arn:aws:secretsmanager:eu-north-1:123456789012:secret:my-secret - [] - failed
time="2024-07-19T19:17:47Z" level=error msg="InvalidParameterException: Operation not permitted on a replica secret. Call must be made in primary secret's region."

@imduchy

imduchy commented Jul 23, 2024

It looks like secrets with replication enabled returned by ListSecrets contain an extra key called PrimaryRegion. The key is only present in secrets with replication enabled.

The remove-regions-from-replication action can be used to remove these replicas before removing the secret itself but regions have to be provided explicitly via --remove-replica-regions. With describe-secret, we can get a list of all regions where the secret is replicated.
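The sequence the comment above describes (DescribeSecret to find the replica regions, RemoveRegionsFromReplication, then DeleteSecret, and skipping the secret entirely when called from a replica region), written out as an added example. This is not aws-nuke's code and not the commenter's; it is Python against the boto3 secretsmanager method names, so a real `boto3.client("secretsmanager", region_name=...)` can be passed in unchanged. To run offline it uses a constructed FakeSecretsManager that reproduces the two InvalidParameterException messages quoted in this thread; the account id and region layout are taken from the log above, and treating a missing PrimaryRegion as "local, not replicated" is an assumption.

```python
"""Delete a replicated Secrets Manager secret: remove replicas first, then delete.

Added example, not aws-nuke's code. Works with any client exposing boto3's
secretsmanager method names; FakeSecretsManager below is a constructed stand-in.
"""
from typing import Any, Dict, List, Optional


class InvalidParameterException(Exception):
    """Stand-in for botocore's SecretsManager InvalidParameterException."""


def replica_regions(describe_resp: Dict[str, Any]) -> List[str]:
    """Regions listed under DescribeSecret's ReplicationStatus (empty if not replicated)."""
    return [entry["Region"] for entry in describe_resp.get("ReplicationStatus", [])]


def delete_secret_with_replicas(client, secret_id: str, region: str) -> Dict[str, Any]:
    """Remove every replica, then delete. ``region`` is the region ``client`` is bound to.

    Both RemoveRegionsFromReplication and DeleteSecret are rejected with
    "Operation not permitted on a replica secret" unless issued from the primary
    region, so when PrimaryRegion differs we skip and leave it to that region's run.
    """
    desc = client.describe_secret(SecretId=secret_id)
    # Assumption: a response without PrimaryRegion is a plain, unreplicated local secret.
    primary = desc.get("PrimaryRegion", region)
    if primary != region:
        return {"action": "skipped", "primary_region": primary, "removed": []}
    regions = replica_regions(desc)
    if regions:
        client.remove_regions_from_replication(SecretId=secret_id, RemoveReplicaRegions=regions)
    client.delete_secret(SecretId=secret_id, ForceDeleteWithoutRecovery=True)
    return {"action": "deleted", "primary_region": primary, "removed": regions}


def try_direct_delete(client, secret_id: str) -> Optional[str]:
    """A bare DeleteSecret, the call that fails in the log above. Returns the error text, or None."""
    try:
        client.delete_secret(SecretId=secret_id, ForceDeleteWithoutRecovery=True)
    except InvalidParameterException as exc:
        return str(exc)
    return None


class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 client, one instance per region."""

    def __init__(self, region: str, secrets: Dict[str, Dict[str, Any]]):
        self.region = region
        self.secrets = secrets  # name -> {"PrimaryRegion": str, "Replicas": set of regions}

    def _arn(self, name: str) -> str:
        return f"arn:aws:secretsmanager:{self.region}:123456789012:secret:{name}"

    def _require_primary(self, name: str) -> Dict[str, Any]:
        s = self.secrets[name]
        if s["PrimaryRegion"] != self.region:
            raise InvalidParameterException(
                "Operation not permitted on a replica secret. Call must be made in primary secret's region.")
        return s

    def describe_secret(self, SecretId: str) -> Dict[str, Any]:
        s = self.secrets[SecretId]
        resp = {"ARN": self._arn(SecretId), "Name": SecretId, "PrimaryRegion": s["PrimaryRegion"]}
        if s["Replicas"] and s["PrimaryRegion"] == self.region:
            resp["ReplicationStatus"] = [{"Region": r, "Status": "InSync"} for r in sorted(s["Replicas"])]
        return resp

    def remove_regions_from_replication(self, SecretId: str, RemoveReplicaRegions: List[str]) -> Dict[str, Any]:
        s = self._require_primary(SecretId)
        s["Replicas"] -= set(RemoveReplicaRegions)
        status = [{"Region": r, "Status": "InSync"} for r in sorted(s["Replicas"])]
        return {"ARN": self._arn(SecretId), "ReplicationStatus": status}

    def delete_secret(self, SecretId: str, ForceDeleteWithoutRecovery: bool = False) -> Dict[str, Any]:
        s = self._require_primary(SecretId)
        if s["Replicas"]:
            raise InvalidParameterException(
                f"You can't delete secret {self._arn(SecretId)} that still has replica regions {sorted(s['Replicas'])}.")
        del self.secrets[SecretId]
        return {"ARN": self._arn(SecretId), "Name": SecretId}


def make_demo_client(region: str) -> FakeSecretsManager:
    """Fresh fake with the layout from the log above: primary in eu-central-1, replica in eu-north-1."""
    return FakeSecretsManager(region, {"my-secret": {"PrimaryRegion": "eu-central-1", "Replicas": {"eu-north-1"}}})


if __name__ == "__main__":
    print("bare delete:", try_direct_delete(make_demo_client("eu-central-1"), "my-secret"))
    print("from primary:", delete_secret_with_replicas(make_demo_client("eu-central-1"), "my-secret", "eu-central-1"))
    print("from replica:", delete_secret_with_replicas(make_demo_client("eu-north-1"), "my-secret", "eu-north-1"))
```

Running the demo shows the bare DeleteSecret failing with the "still has replica regions" message, the primary-region run removing `eu-north-1` and then deleting, and the replica-region run skipping rather than hitting "Operation not permitted on a replica secret". With the real SDK the exception class is `client.exceptions.InvalidParameterException`; the fake one here only exists so the example runs offline.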

@ekristen
Contributor

@npellegrin and @imduchy, this feature has been implemented over on the now active fork via the PR ekristen/aws-nuke#210 and has been in the fork of aws-nuke since version 3.3.1.

--

Please see a copy of the notice from the README about the deprecation of this project. Sven was kind enough to grant me access to help triage and close issues and pull requests that have already been addressed in the actively maintained fork. Some additional information is located in the welcome issue.

Caution

This repository for aws-nuke is no longer being actively maintained. We recommend that users switch to the actively maintained fork of this project at ekristen/aws-nuke.
We appreciate all the support and contributions we've received throughout the life of this project. We believe that the fork will continue to provide the functionality and support that you have come to expect from aws-nuke.
Please note that this deprecation means we will not be addressing issues, accepting pull requests, or making future releases from this repository.
Thank you for your understanding and support.
