Secrets Manager and CF - cannot create secret because it already exists

1

I have a CF template with a simple secret inside, like this:

  Credentials:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: !Sub ${ProjectKey}.${StageName}.${ComponentId}.credentials
      Description: client credentials
      SecretString: !Sub '{"client_id":"${ClientId}","client_secret":"${ClientSecret}"}'

The stack is created successfully and the secret is correctly generated.

However, when I delete the stack and recreate it again I get the following error message:

The operation failed because the secret pk.stage.compid.credentials already exists. (Service: AWSSecretsManager; Status Code: 400; Error Code: ResourceExistsException; Request ID: ###)

I guess this is because the secret is not really deleted but only marked for deletion for x days.

It is possible to delete a secret immediately via CLI, but how can this be done within the CF Template?

I need to delete and recreate the stacks because it is part of a continuous integration/delivery pipeline which is automatically triggered on source code commits.

svshane
asked 5 years ago, 5267 views
3 answers
1
Accepted answer

Hi, thanks for reaching out.

When the CloudFormation stack is deleted, Secrets Manager is called with the force-delete-without-recovery option in order to avoid this scenario. I'm unsure why that did not work in your particular case. If you can private message me more details (i.e. Request ID's) I would be happy to trace this down.

As you mentioned, you can fix this by calling delete-secret from the CLI using the same --force-delete-without-recovery option that is invoked when deleting the stack - https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/delete-secret.html

AWS
answered 5 years ago
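The accepted answer points at the same --force-delete-without-recovery flag that CloudFormation uses on stack deletion. For a CI pipeline that tears down and recreates a stack, the practical question is how to detect the "name already taken, but only scheduled for deletion" state before CREATE_STACK runs, and how to avoid purging a live secret that belongs to someone else. The following pre-flight check is an added example written for this thread, not code from the question, the answer or AWS. It assumes the real client is boto3's `secretsmanager` client (`describe_secret` returns `DeletedDate` while a secret sits in its recovery window, and `delete_secret(ForceDeleteWithoutRecovery=True)` removes it immediately); the `FakeSecretsManager` class is a constructed stand-in so the logic runs offline, and the `expected_stack` guard relies on the `aws:cloudformation:stack-name` tag that CloudFormation applies to the resources it creates.

```python
"""Pre-flight check for pipelines that delete and recreate a CloudFormation stack
owning an AWS::SecretsManager::Secret with a fixed Name.

Added example for the re:Post thread above; not the thread's or AWS's own code.
Real usage: purge_scheduled_secret(boto3.client("secretsmanager"), name, stack).
"""


def purge_scheduled_secret(client, name, expected_stack=None):
    """Decide what to do about a secret *name* before creating the stack.

    Returns one of:
      "absent"  - no secret with that name; stack creation is safe.
      "purged"  - the secret was in its recovery window (DeletedDate set) and was
                  force-deleted so CloudFormation can recreate it under the same Name.
      "active"  - a live secret exists; CREATE would fail with ResourceExistsException,
                  and the secret is left untouched (it may be owned by another stack).
      "foreign" - the secret is tagged as belonging to a different stack; left untouched.
    """
    # boto3 exposes service exceptions on client.exceptions; the fake mirrors that.
    not_found = client.exceptions.ResourceNotFoundException
    try:
        desc = client.describe_secret(SecretId=name)
    except not_found:
        return "absent"

    if expected_stack is not None:
        # Assumption: CloudFormation-created secrets carry the
        # aws:cloudformation:stack-name tag; refuse to touch anyone else's secret.
        tags = {t["Key"]: t["Value"] for t in desc.get("Tags", [])}
        if tags.get("aws:cloudformation:stack-name") != expected_stack:
            return "foreign"

    if desc.get("DeletedDate") is None:
        return "active"

    # Only a secret already scheduled for deletion is purged. Forcing deletion
    # discards the recovery window, so this is meant for ephemeral CI stacks only.
    client.delete_secret(SecretId=name, ForceDeleteWithoutRecovery=True)
    return "purged"


class FakeSecretsManager:
    """Constructed offline stand-in for boto3.client('secretsmanager')."""

    class exceptions:  # mimics boto3's client.exceptions namespace
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self, secrets):
        # name -> metadata dict (may contain "DeletedDate" and "Tags")
        self.secrets = {k: dict(v) for k, v in secrets.items()}
        self.calls = []

    def describe_secret(self, SecretId):
        if SecretId not in self.secrets:
            raise self.exceptions.ResourceNotFoundException(SecretId)
        return {"Name": SecretId, **self.secrets[SecretId]}

    def delete_secret(self, SecretId, ForceDeleteWithoutRecovery=False):
        self.calls.append(("delete_secret", SecretId, ForceDeleteWithoutRecovery))
        if ForceDeleteWithoutRecovery:
            del self.secrets[SecretId]
        else:
            self.secrets[SecretId]["DeletedDate"] = "2021-05-20T07:12:00Z"  # constructed
        return {"Name": SecretId}


def run_demo():
    """Exercise the three states with constructed secrets; returns the outcomes."""
    name = "pk.stage.compid.credentials"  # the name from the question
    stack_tag = [{"Key": "aws:cloudformation:stack-name", "Value": "pk-stage-compid"}]
    client = FakeSecretsManager({
        name: {"DeletedDate": "2021-05-20T07:12:00Z", "Tags": stack_tag},
        "other.team.secret": {"Tags": [{"Key": "aws:cloudformation:stack-name",
                                        "Value": "someone-else"}]},
        "live.untagged.secret": {},
    })
    return {
        "scheduled": purge_scheduled_secret(client, name, "pk-stage-compid"),
        "after_purge": purge_scheduled_secret(client, name, "pk-stage-compid"),
        "foreign": purge_scheduled_secret(client, "other.team.secret", "pk-stage-compid"),
        "live": purge_scheduled_secret(client, "live.untagged.secret"),
        "delete_calls": len(client.calls),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Run the check right before the pipeline's create-stack step and fail the job on "active" or "foreign" rather than forcing deletion: a live secret with the same name usually means the stack was not really torn down, or another stack (or a renamed logical ID in the same template, as the follow-up below describes) still owns it.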
0

I deleted the secret via CLI and --force-delete-without-recovery and ran the pipeline again several times successfully.
Then I checked the last commit which led to the error and recognized that I had also changed the logical ID in the template:

  Credentials: <- THIS
    Type: 'AWS::SecretsManager::Secret'

With the ID change the secret was still there when the stack was created.
I guess this is my fault and the CF template for the secret is working correctly.

Thank you for your support and sorry for the confusion.

svshane
answered 5 years ago
0

Hi svshane,

I went through the discussion but didn't understand how the issue related to "Secret already exists on AWS Secrets Manager" got resolved, as I am facing the same when I try to re-deploy code on the server. Please let us know how you resolved this issue.

Along with this I have one more query: is it required to delete the secrets forcefully via the command line before deploying the code to the server via CloudFormation/Serverless?

Waiting for your valuable response....

Thanks

Edited by: Raman88 on May 20, 2021 7:12 AM

Raman88
answered 3 years ago
