
How do I immediately delete a Secrets Manager secret so that I can create a new secret with the same name?


I deleted an AWS Secrets Manager secret. When I try to create a new secret with the same name, I get the following error: "You can't create this secret because a secret with this name is already scheduled for deletion."

Short description

When you delete a secret, Secrets Manager schedules the secret for deletion after a recovery window with a minimum of seven days. You can't create a secret with the previously used name on the Secrets Manager console until the recovery window ends. To immediately delete a secret without the recovery window, use the AWS Command Line Interface (AWS CLI). For more information, see Delete an AWS Secrets Manager secret.

Resolution

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To delete the secret permanently without any recovery window, run the DeleteSecret API call with the ForceDeleteWithoutRecovery parameter.

Important: When you use the ForceDeleteWithoutRecovery parameter, the secret can't be recovered or restored.

To get the deleted Secrets Manager secret ID, use the AWS Secrets Manager console

Note: If you know the deleted secret's ID, then skip this step.

  1. Open the Secrets Manager console.
  2. In the navigation pane, choose Secrets.
  3. Choose the Settings icon. Then, in Preferences, select Show secrets scheduled for deletion.
  4. In Visible columns, turn on the Deleted on toggle switch. Then, choose Save.
  5. In the Secrets pane, note the Secret name and Deleted on fields to locate the deleted secret ID.
  6. In Secret name, choose your secret.
  7. In Secrets detail, copy the Secret name.

Use the AWS CLI to permanently delete the secret

Replace your-secret-name with your Secrets Manager secret ID and your-region with your AWS Region:

aws secretsmanager delete-secret --secret-id your-secret-name --force-delete-without-recovery --region your-region

To verify that you permanently deleted the secret, run the DescribeSecret API call:

aws secretsmanager describe-secret --secret-id your-secret-name --region your-region

Note: The deletion has a short time delay.

After the secret is permanently deleted, the DescribeSecret call returns the following error:

An error occurred (ResourceNotFoundException) when calling the DescribeSecret operation: Secrets Manager can't find the specified secret.
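The following script is an added example and is not part of the AWS article. It wraps the two CLI calls above: it first checks with describe-secret that the secret is already scheduled for deletion (so an active secret is never force-deleted by mistake), then runs delete-secret with --force-delete-without-recovery and polls describe-secret until the ResourceNotFoundException appears, allowing for the short delay the article mentions. The function names and the SECRET_ID / AWS_REGION environment variables are my own choices, and it assumes the AWS CLI is installed with credentials configured.

```shell
#!/bin/sh
# Added example, not from the article: force-delete a Secrets Manager secret
# already in its recovery window, then confirm it is gone. Assumes the AWS CLI.
set -eu

# Exit status: 0 = scheduled for deletion (has a DeletedDate), 1 = active
# secret, 2 = secret does not exist, 3 = some other describe-secret failure.
secret_deletion_state() {
  secret_id="$1"; region="$2"
  if ! out=$(aws secretsmanager describe-secret --secret-id "$secret_id" \
              --region "$region" --output text --query DeletedDate 2>&1); then
    case "$out" in
      *ResourceNotFoundException*) return 2 ;;
      *) printf 'describe-secret failed: %s\n' "$out" >&2; return 3 ;;
    esac
  fi
  # With --output text, a missing attribute is printed as "None".
  [ "$out" != "None" ]
}

# Purge only a secret that is already scheduled for deletion, so an active
# secret is never destroyed by mistake, then poll describe-secret until it
# returns ResourceNotFoundException (deletion has a short delay).
purge_scheduled_secret() {
  secret_id="$1"; region="$2"; attempts="${3:-10}"
  state=0; secret_deletion_state "$secret_id" "$region" || state=$?
  case "$state" in
    0) ;;  # in the recovery window: safe to purge
    1) echo "refusing: $secret_id is an active secret" >&2; return 1 ;;
    2) echo "$secret_id does not exist; nothing to do"; return 0 ;;
    *) return 1 ;;
  esac
  # Fails with InvalidRequestException for secrets owned by another AWS service.
  if ! aws secretsmanager delete-secret --secret-id "$secret_id" \
        --force-delete-without-recovery --region "$region" >/dev/null; then
    echo "delete-secret failed for $secret_id" >&2; return 1
  fi
  i=0
  while [ "$i" -lt "$attempts" ]; do
    state=0; secret_deletion_state "$secret_id" "$region" || state=$?
    if [ "$state" -eq 2 ]; then echo "$secret_id permanently deleted"; return 0; fi
    i=$((i + 1)); sleep 1
  done
  echo "$secret_id still visible after $attempts checks" >&2; return 1
}

# Usage: SECRET_ID=your-secret-name AWS_REGION=your-region sh purge-secret.sh
if [ -n "${SECRET_ID:-}" ]; then
  purge_scheduled_secret "$SECRET_ID" "${AWS_REGION:?set AWS_REGION}"
fi
```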

Related information

delete-secret

AWS Secrets Manager secrets managed by other AWS services

3 Comments

We have a new redshift serverless cluster that created secrets for its admin account. We deleted the cluster and it's supposed to take its secrets with it but it did not.

When I try to delete the secret with this CLI command I get this error:

❯ aws secretsmanager delete-secret --secret-id 'arn:aws:secretsmanager:us-west-1:111111111111:secret:redshift!test-admin-sdxvUc' --force-delete-without-recovery --region us-west-1

An error occurred (InvalidRequestException) when calling the DeleteSecret operation: Operation is not allowed on secret owned by redshift
replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

Be careful to supply the secret name for the value of the --secret-id option and NOT the secret ID when attempting to delete.

If you have secret replication enabled and you supply the secret name, it will warn you that you can't delete while it still has replicas.

If you have secret replication enabled and you supply the secret ID, it will appear as though the delete succeeded but it really didn't.

If you don't have secret replication enabled and the secret is already scheduled for deletion and then you supply the secret ID in a delete-secret --force-delete-without-recovery command, it will appear as though the immediate delete succeeded but it really didn't.

When you try to view the status of a secret scheduled for deletion, the web console will show a Deleted on date and the CLI will show a DeletedDate or DeletionDate. The date it shows is not the date that secret was actually deleted. The date it shows is the date that the schedule operation occurred. I have not found any way to determine the date that the secret is scheduled to be deleted on.

Once while trying to set the recovery window days to 30 on a secret that already had a DeletedDate value, the response showed a DeletionDate of the previous day. So, somehow, a secret that I just created minutes earlier was supposedly deleted one day before it was created. ¯\_(ツ)_/¯

replied 6 months ago