How can I immediately delete a Secrets Manager secret so that I can create a new secret with the same name?

3 minute read

I deleted an AWS Secrets Manager secret. Then I tried to recreate the secret using the same name. However, I received an error similar to the following: "You can't create this secret because a secret with this name is already scheduled for deletion"

Short description

When you delete a secret, Secrets Manager doesn't immediately delete the secret. Secrets Manager schedules the secret for deletion after a recovery window of a minimum of seven days. This means that you can't recreate a secret using the same name using the AWS Management Console until the recovery window ends. You can permanently delete a secret without any recovery window using the AWS Command Line Interface (AWS CLI). For more information, see Delete a secret.

Resolution

Run the DeleteSecret API call with the ForceDeleteWithoutRecovery parameter to delete the secret permanently.

Notes:

If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Secrets deleted using the ForceDeleteWithoutRecovery parameter can't be recovered or restored.

Use the AWS Secrets Manager console to get the deleted Secrets Manager secret ID

Note: You can skip this step if you already know the deleted secret's ID.

Open the Secrets Manager console.
In the navigation pane, choose Secrets.
Choose the settings icon, and then in Preferences, select Show secrets scheduled for deletion.
In Visible columns, turn on the Deleted on toggle switch, and then choose Save.
In the Secrets pane, note the Secret name and Deleted on fields to locate the deleted secret ID.
In Secret name, choose your secret.
In Secrets detail, copy the Secret name.

Use the AWS CLI to permanently delete the secret

In this example, replace your-secret-name with your Secrets Manager secret ID or ARN, and your-region with your AWS Region.

aws secretsmanager delete-secret --secret-id your-secret-name --force-delete-without-recovery --region your-region

Run the DescribeSecret API call to verify that the secret is permanently deleted.

Note: The deletion is an asynchronous process. There might be a short delay.

aws secretsmanager describe-secret --secret-id your-secret-name --region your-region

You receive an error similar to the following:

An error occurred (ResourceNotFoundException) when calling the DescribeSecret operation: Secrets Manager can't find the specified secret.

This error means that the secret is successfully deleted.

Related information

delete-secret

Topics

Security, Identity, & Compliance

Relevant content

Unable access a cloud secret using Secrets Manager with Greengrass
Accepted Answer
Christian
asked 9 months ago
How can I build a CloudFormation secret out of another secret?
Accepted Answer
Rob
asked 2 years ago
Secrets Manager and CF- can not create secret because it already exists
Accepted Answer
svshane
asked 5 years ago
How do I retrieve my secrets from secret manager in a pipeline build?
AWS-User-9567271
asked 2 years ago
Error retrieving a secret value from secrets manager
scorpio998
asked 2 years ago
How can I rotate a Secrets Manager secret in a private VPC?
AWS OFFICIALUpdated a year ago
How can I resolve issues accessing an encrypted AWS Secrets Manager secret?
AWS OFFICIALUpdated 2 years ago
How do I apply a resource-based policy on an AWS Secrets Manager secret?
AWS OFFICIALUpdated 5 months ago
How can I rotate an AWS Secrets Manager secret for a DB connection that requires SSL?
AWS OFFICIALUpdated 2 years ago
Manage secrets in CDK via Mozilla SecretOPerationS (SOPS)
EXPERT
Antonio_Lagrotteria
published 7 months ago