Secrets Manager and CF: cannot create secret because it already exists

1

I have a CF template with a simple secret inside, like this:

Credentials:
  Type: 'AWS::SecretsManager::Secret'
  Properties:
    Name: !Sub ${ProjectKey}.${StageName}.${ComponentId}.credentials
    Description: client credentials
    SecretString: !Sub '{"client_id":"${ClientId}","client_secret":"${ClientSecret}"}'

The stack is created successfully and the secret is correctly generated.

However when I delete the stack and recreate it again I get the following error message:

The operation failed because the secret pk.stage.compid.credentials already exists. (Service: AWSSecretsManager; Status Code: 400; Error Code: ResourceExistsException; Request ID: ###)

I guess this is because the secret is not really deleted but only marked for deletion for x days.

It is possible to delete a secret immediately via CLI, but how can this be done within the CF Template?

I need to delete and recreate the stacks because it is part of a continuous integration/delivery pipeline which is automatically triggered on source code commits.

svshane
asked 5 years ago · 5217 views
3 Answers
1
Accepted Answer

Hi, thanks for reaching out.

When the CloudFormation stack is deleted, Secrets Manager is called with the force-delete-without-recovery option in order to avoid this scenario. I'm unsure why that did not work in your particular case. If you can private message me more details (i.e. Request IDs) I would be happy to trace this down.

As you mentioned, you can fix this by calling delete-secret from the CLI using the same --force-delete-without-recovery option that is invoked when deleting the stack - https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/delete-secret.html

AWS
answered 5 years ago
0

I deleted the secret via CLI and --force-delete-without-recovery and ran the pipeline again several times successfully.
Then checked the last commit which led to the error and recognized that I also changed the logical id in the template:

Credentials:    <- THIS
  Type: 'AWS::SecretsManager::Secret'

With the ID change the secret was still there when the stack was created.
I guess this is my fault and the CF template for the secret is working correctly.

Thank you for your support and sorry for the confusion.

svshane
answered 5 years ago
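A pre-deploy guard for the situation discussed in the accepted answer and the follow-up above, added here as an example (not code from the thread or from AWS): it only purges a secret that is already in the Secrets Manager recovery window (describe-secret reports a DeletedDate) and refuses to touch a live secret with the same name, which is what a renamed logical ID leaves behind. It assumes the AWS CLI is installed and configured; the function and constant names are the example's own.

```python
"""Pre-deploy guard: clear a secret that is only scheduled for deletion so
CloudFormation can recreate it under the same Name without ResourceExistsException."""
import json
import subprocess
import sys

AWS = "aws"  # assumption: AWS CLI on PATH with credentials configured


def classify(describe_response):
    """Classify a parsed describe-secret result (None = secret does not exist).
    Only a secret carrying DeletedDate is in the recovery window and safe to purge."""
    if describe_response is None:
        return "absent"
    if describe_response.get("DeletedDate") is not None:
        return "scheduled_for_deletion"
    return "active"


def describe_secret(name):
    """Return describe-secret output as a dict, or None on ResourceNotFoundException."""
    proc = subprocess.run(
        [AWS, "secretsmanager", "describe-secret", "--secret-id", name],
        capture_output=True, text=True)
    if proc.returncode != 0:
        if "ResourceNotFoundException" in proc.stderr:
            return None
        raise RuntimeError(proc.stderr.strip())
    return json.loads(proc.stdout)


def force_delete(name):
    """Skip the recovery window, as CloudFormation itself does on stack deletion."""
    subprocess.run([AWS, "secretsmanager", "delete-secret", "--secret-id", name,
                    "--force-delete-without-recovery"], check=True)


def prepare(name, describe=describe_secret, delete=force_delete):
    """Purge only a secret that is pending deletion; return the state for logging.
    An "active" result means a live secret holds the name (for example one left
    behind by a logical ID rename), so the pipeline should stop rather than delete it."""
    state = classify(describe(name))
    if state == "scheduled_for_deletion":
        delete(name)
    return state


if __name__ == "__main__":
    result = prepare(sys.argv[1])
    print(result)
    sys.exit(1 if result == "active" else 0)
```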
0

Hi svshane,

I went through the discussion but didn't understand how the issue "Secret already exists on AWS Secrets Manager" got resolved, as I am facing the same when I try to re-deploy code on the server. Please let us know how you resolved this issue.

Along with this I have one more query: is it required to delete the secrets forcefully via the command line before deploying the code to the server via CloudFormation/Serverless?

Waiting for your valuable response....

Thanks

Edited by: Raman88 on May 20, 2021 7:12 AM

Raman88
answered 3 years ago
