AWS Secrets Manager - replication lag


I'm looking at this page Replicate AWS Secrets Manager secrets across Regions, below paragraph in particular:

If you turn on rotation for your primary secret, Secrets Manager rotates the secret in the primary Region, and the new secret value propagates to all of the associated replica secrets. You don't have to manage rotation individually for all of the replica secrets.

This looks cool, but does it have latency SLA? I assume it's done in seconds or so but wanted to confirm.

Or rather, when rotating a Lambda function, is there a way to test and ensure that the new secret becomes AWSCURRENT only after it has propagated to all other regions?

asked 4 days ago
1 Answer

While AWS Secrets Manager does offer cross-region replication for secrets, there isn't a specific latency SLA provided for the propagation of rotated secrets to replica regions. The replication process in Secrets Manager uses a distributed computing model called eventual consistency, which means that changes take some time to become visible across all endpoints.

Typically, the propagation of changes, including rotated secrets, happens relatively quickly - often within seconds or minutes. However, the exact time can vary due to factors such as network conditions, distance between regions, and system load.

When rotating a secret that is replicated across regions, there isn't a built-in mechanism to ensure that the new secret becomes AWSCURRENT only after it has propagated to all other regions. The rotation process updates the primary secret first, and then the changes are propagated to the replicas.

To ensure consistency across regions when using rotated secrets in Lambda functions, you could implement a custom solution:

  1. After initiating rotation, implement a delay or polling mechanism in your Lambda function to allow time for replication.

  2. Use the GetSecretValue API in each region to verify that the new secret version is available before considering the rotation complete.

  3. Implement error handling in your Lambda function to gracefully handle potential inconsistencies during the replication period.

It's important to design your applications to account for potential delays in consistency across regions. This might involve implementing retry logic or fallback mechanisms to handle temporary inconsistencies in secret values across regions.

Remember that during the rotation process, new connections retrieving the secret may briefly get the previous version of the credentials. This is typically a short window, usually less than a minute for managed rotations, but it's an important consideration for your application design.
Sources
Troubleshooting AWS Secrets Manager - AWS Secrets Manager
Replicate AWS Secrets Manager secrets across Regions - AWS Secrets Manager
Managed rotation for AWS Secrets Manager secrets - AWS Secrets Manager

answered 4 days ago
EXPERT reviewed 4 days ago
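The polling check the answer sketches in steps 1 to 3 (read the secret in every region, wait until the new version shows up everywhere, and handle the window in which a replica still serves the previous version), written out as an added example. This is not code from the question, the answer or AWS; it assumes a hypothetical `client_for_region` factory that hands back a boto3-style Secrets Manager client per region (boto3 itself is not imported, so the block runs offline), and the `FakeSecretsClient`, region names, version ids and secret strings are constructed stand-ins that simulate replication lag.

```python
import hashlib
import time
from typing import Callable, Dict, Iterable, List

# Hypothetical client factory: maps a region name to an object exposing a
# boto3-style get_secret_value(SecretId=..., VersionStage=...).  In a real
# rotation Lambda: lambda region: boto3.client("secretsmanager", region_name=region)


def current_version(client, secret_id: str, stage: str = "AWSCURRENT") -> Dict[str, str]:
    """One region's view of the secret under a staging label: version id plus a
    digest of the value, so regions can be compared without keeping plaintext."""
    resp = client.get_secret_value(SecretId=secret_id, VersionStage=stage)
    digest = hashlib.sha256(resp["SecretString"].encode("utf-8")).hexdigest()
    return {"version_id": resp["VersionId"], "digest": digest}


def wait_for_replicas(client_for_region: Callable[[str], object], secret_id: str,
                      primary_region: str, replica_regions: Iterable[str],
                      timeout_s: int = 120, interval_s: int = 5,
                      stage: str = "AWSCURRENT",
                      sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll each replica until its `stage` version matches the primary's.

    Returns the converged version id or raises TimeoutError naming the regions
    that still lag.  `sleep` is injectable so the loop can run without delays.
    """
    expected = current_version(client_for_region(primary_region), secret_id, stage)
    pending = set(replica_regions)
    attempts = max(1, timeout_s // interval_s)
    for attempt in range(attempts):
        for region in sorted(pending):
            try:
                seen = current_version(client_for_region(region), secret_id, stage)
            except Exception:  # e.g. ResourceNotFoundException while the replica syncs
                continue
            if seen == expected:
                pending.discard(region)
        if not pending:
            return expected["version_id"]
        if attempt < attempts - 1:
            sleep(interval_s)
    raise TimeoutError(f"{secret_id}: version {expected['version_id']} not visible in "
                       f"{sorted(pending)} after {attempts * interval_s}s")


class FakeSecretsClient:
    """Constructed stand-in for a boto3 Secrets Manager client: serves the old
    version for the first `lag_calls` reads, then the new one (replication lag)."""

    def __init__(self, old, new, lag_calls: int = 0):
        self._old, self._new = old, new  # each is (version_id, secret_string)
        self._lag, self.calls = lag_calls, 0

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT"):
        self.calls += 1
        version_id, value = self._new if self.calls > self._lag else self._old
        return {"Name": SecretId, "VersionId": version_id,
                "SecretString": value, "VersionStages": [VersionStage]}


# Constructed sample versions (no real credentials).
OLD = ("a1b2c3d4-0000-0000-0000-000000000001", '{"username":"app","password":"old-pw"}')
NEW = ("a1b2c3d4-0000-0000-0000-000000000002", '{"username":"app","password":"new-pw"}')


def demo():
    """Primary already rotated; eu-west-1 lags by two reads.  Returns
    (converged version id, reads made against eu-west-1, sleeps taken)."""
    clients = {
        "us-east-1": FakeSecretsClient(OLD, NEW),               # primary, rotation done
        "eu-west-1": FakeSecretsClient(OLD, NEW, lag_calls=2),  # still replicating
        "ap-southeast-2": FakeSecretsClient(OLD, NEW),
    }
    slept: List[float] = []
    version_id = wait_for_replicas(clients.__getitem__, "prod/db", "us-east-1",
                                   ["eu-west-1", "ap-southeast-2"],
                                   timeout_s=30, interval_s=5, sleep=slept.append)
    return version_id, clients["eu-west-1"].calls, len(slept)


def demo_timeout() -> bool:
    """A replica that never catches up within the budget raises TimeoutError."""
    clients = {"us-east-1": FakeSecretsClient(OLD, NEW),
               "eu-west-1": FakeSecretsClient(OLD, NEW, lag_calls=10)}
    try:
        wait_for_replicas(clients.__getitem__, "prod/db", "us-east-1", ["eu-west-1"],
                          timeout_s=10, interval_s=5, sleep=lambda _s: None)
    except TimeoutError:
        return True
    return False
```

The comparison is on `VersionId` plus a digest of the value rather than on the plaintext alone, so a rotation that happens to reuse an identical value is not mistaken for convergence, and the plaintext is not held longer than the read. Because the answer notes there is no built-in way to gate the AWSCURRENT move on replication, this runs after the primary has finished rotating and confirms convergence (or fails loudly with the lagging regions) rather than preventing the cutover; a replica that still returns the previous version is exactly the window the answer describes, and the poller simply retries it. The default stage is AWSCURRENT; pass a different `stage` only if you have confirmed that label is present on your replica secrets, which the page does not state.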
