While AWS Secrets Manager does offer cross-region replication for secrets, there isn't a specific latency SLA provided for the propagation of rotated secrets to replica regions. The replication process in Secrets Manager uses a distributed computing model called eventual consistency, which means that changes take some time to become visible across all endpoints.
Typically, the propagation of changes, including rotated secrets, happens relatively quickly - often within seconds or minutes. However, the exact time can vary due to factors such as network conditions, distance between regions, and system load.
When rotating a secret that is replicated across regions, there isn't a built-in mechanism to ensure that the new secret becomes AWSCURRENT only after it has propagated to all other regions. The rotation process updates the primary secret first, and then the changes are propagated to the replicas.
To ensure consistency across regions when using rotated secrets in Lambda functions, you could implement a custom solution:
- After initiating rotation, implement a delay or polling mechanism in your Lambda function to allow time for replication.
- Use the GetSecretValue API in each region to verify that the new secret version is available before considering the rotation complete.
- Implement error handling in your Lambda function to gracefully handle potential inconsistencies during the replication period.
It's important to design your applications to account for potential delays in consistency across regions. This might involve implementing retry logic or fallback mechanisms to handle temporary inconsistencies in secret values across regions.
Remember that during the rotation process, new connections retrieving the secret may briefly get the previous version of the credentials. This is typically a short window, usually less than a minute for managed rotations, but it's an important consideration for your application design.
Sources
- Troubleshooting AWS Secrets Manager - AWS Secrets Manager
- Replicate AWS Secrets Manager secrets across Regions - AWS Secrets Manager
- Managed rotation for AWS Secrets Manager secrets - AWS Secrets Manager
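As an added example (not code from the answer above), here is a polling routine for the verify-in-each-region and error-handling steps: it compares the VersionId each Region serves under AWSCURRENT against the new version's id (as returned by the rotation), and treats a failed call during replication as "not visible yet". It assumes the `clients` entries behave like boto3 Secrets Manager clients (e.g. `{r: boto3.client("secretsmanager", region_name=r) for r in regions}`); the `FakeReplica` class, the secret name and the version ids are constructed stand-ins so the example runs offline.

```python
import time
from typing import Dict, List, Optional

AWSCURRENT = "AWSCURRENT"


def current_version_id(client, secret_id: str) -> Optional[str]:
    """VersionId labelled AWSCURRENT in one Region, or None if the call failed.
    A replica that has not caught up still serves the *previous* version under
    AWSCURRENT, so callers must compare VersionIds, not just check the label."""
    try:
        return client.get_secret_value(SecretId=secret_id, VersionStage=AWSCURRENT)["VersionId"]
    except Exception:  # throttled, denied or not yet visible: count as "not replicated yet"
        return None


def wait_for_replication(secret_id: str, expected_version_id: str, clients: Dict[str, object],
                         attempts: int = 10, delay: float = 3.0, sleep=time.sleep) -> List[str]:
    """Poll each Region until it serves expected_version_id as AWSCURRENT.
    Returns the Regions that did NOT converge within the polling budget; an
    empty list means the rotation can safely be treated as complete."""
    pending = set(clients)
    for attempt in range(attempts):
        for region in sorted(pending):
            if current_version_id(clients[region], secret_id) == expected_version_id:
                pending.discard(region)
        if not pending or attempt == attempts - 1:
            break
        sleep(delay)
    return sorted(pending)


class FakeReplica:
    """Constructed stand-in for a boto3 client: serves the old version for `lag`
    calls (raising on the first call if fail_first), then the new version."""
    def __init__(self, old: str, new: str, lag: int, fail_first: bool = False):
        self.old, self.new, self.lag, self.fail_first, self.calls = old, new, lag, fail_first, 0

    def get_secret_value(self, SecretId: str, VersionStage: str) -> dict:
        self.calls += 1
        if self.fail_first and self.calls == 1:
            raise RuntimeError("InternalServiceError (constructed)")
        return {"VersionId": self.new if self.calls > self.lag else self.old, "SecretString": "..."}


def demo() -> List[str]:
    """Constructed scenario: two replicas converge within 4 polls, one never does."""
    clients = {"us-west-2": FakeReplica("v1", "v2", lag=1),
               "eu-west-1": FakeReplica("v1", "v2", lag=2, fail_first=True),
               "ap-southeast-1": FakeReplica("v1", "v2", lag=99)}
    return wait_for_replication("prod/db", "v2", clients, attempts=4, delay=0, sleep=lambda s: None)
```

In a real rotation Lambda the `expected_version_id` is the ClientRequestToken/VersionId of the version you just moved to AWSCURRENT, and a non-empty result should make the function retry or alert rather than report success.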