Why does the responseElements in some CloudTrail events for Secrets Manager contain "aRN" instead of "arn"?

I want to know why the responseElements in some AWS CloudTrail events for AWS Secrets Manager contain "aRN" instead of "arn".

Short description

This is a known issue for the following Secrets Manager APIs:

  • CancelRotateSecret
  • DeleteResourcePolicy
  • DeleteSecret
  • PutResourcePolicy
  • RemoveRegionsFromReplication
  • ReplicateSecretToRegions
  • RestoreSecret
  • RotateSecret
  • StopReplicationToReplica
  • UpdateSecretVersionStage

In January 2024, Secrets Manager will standardize the response element for secret ARN to "arn" in CloudTrail events for all Secrets Manager APIs.

Resolution

When using CloudTrail events for Secrets Manager, include both "arn" and "aRN" in your logic. For an example, see Match AWS Secrets Manager events with Amazon EventBridge.

The following JSON shows an example of the CloudTrail event for DeleteSecret before January 2024:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "",
        "arn": "",
        "accountId": "",
        "accessKeyId": "",
        "sessionContext": {
            "sessionIssuer": {
                "type": "",
                "principalId": "",
                "arn": "",
                "accountId": "",
                "userName": ""
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "",
                "mfaAuthenticated": ""
            }
        }
    },
    "eventTime": "",
    "eventSource": "secretsmanager.amazonaws.com",
    "eventName": "DeleteSecret",
    "awsRegion": "",
    "sourceIPAddress": "",
    "userAgent": "",
    "requestParameters": {
        "secretId": "",
        "recoveryWindowInDays": 
    },
    "responseElements": {
        "aRN": "",
        "name": "",
        "deletionDate": ""
    },
    "requestID": "",
    "eventID": "",
    "readOnly": ,
    "eventType": "",
    "managementEvent": ,
    "recipientAccountId": "",
    "eventCategory": "",
    "tlsDetails": {
        "tlsVersion": "",
        "cipherSuite": "",
        "clientProvidedHostHeader": ""
    },
    "sessionCredentialFromConsole": ""
}

The following JSON shows an example of the CloudTrail event for DeleteSecret after January 2024:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "",
        "arn": "",
        "accountId": "",
        "accessKeyId": "",
        "sessionContext": {
            "sessionIssuer": {
                "type": "",
                "principalId": "",
                "arn": "",
                "accountId": "",
                "userName": ""
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "",
                "mfaAuthenticated": ""
            }
        }
    },
    "eventTime": "",
    "eventSource": "secretsmanager.amazonaws.com",
    "eventName": "DeleteSecret",
    "awsRegion": "",
    "sourceIPAddress": "",
    "userAgent": "",
    "requestParameters": {
        "secretId": "",
        "recoveryWindowInDays": 
    },
    "responseElements": {
        "arn": "",
        "name": "",
        "deletionDate": ""
    },
    "requestID": "",
    "eventID": "",
    "readOnly": ,
    "eventType": "",
    "managementEvent": ,
    "recipientAccountId": "",
    "eventCategory": "",
    "tlsDetails": {
        "tlsVersion": "",
        "cipherSuite": "",
        "clientProvidedHostHeader": ""
    },
    "sessionCredentialFromConsole": ""
}
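
One way to apply the resolution above when processing CloudTrail records in Python. This is an added example, not AWS code; the sample events, ARNs, and function names are constructed for illustration.

```python
import json

# Constructed sample records, not real CloudTrail output. ARNs are placeholders.
SAMPLE_EVENTS = json.loads("""
[
 {"eventSource": "secretsmanager.amazonaws.com", "eventName": "DeleteSecret",
  "responseElements": {"aRN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-a"}},
 {"eventSource": "secretsmanager.amazonaws.com", "eventName": "DeleteSecret",
  "responseElements": {"arn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-b"}},
 {"eventSource": "secretsmanager.amazonaws.com", "eventName": "DeleteSecret",
  "errorCode": "AccessDenied", "responseElements": null}
]
""")

ARN_KEYS = ("arn", "aRN")  # both spellings named in the article


def secret_arn(event, keys=ARN_KEYS):
    """Return the secret ARN from responseElements, or None if it is absent."""
    if event.get("eventSource") != "secretsmanager.amazonaws.com":
        return None
    # responseElements is null when the call failed, so default to an empty dict.
    response = event.get("responseElements") or {}
    for key in keys:
        if response.get(key):
            return response[key]
    return None


def deleted_secret_arns(events, keys=ARN_KEYS):
    """Collect ARNs from DeleteSecret events that returned one."""
    found = []
    for event in events:
        if event.get("eventName") != "DeleteSecret":
            continue
        arn = secret_arn(event, keys)
        if arn is not None:
            found.append(arn)
    return found


if __name__ == "__main__":
    # Matching on "arn" alone misses the event logged with "aRN".
    print("arn only:   ", deleted_secret_arns(SAMPLE_EVENTS, keys=("arn",)))
    print("both keys:  ", deleted_secret_arns(SAMPLE_EVENTS))
```

A lookup that checks only "arn" returns one of the two successful deletions in the sample, which is the gap a detection or audit rule would have across the change.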

Related information

AWS CloudTrail entries for Secrets Manager

AWS OFFICIAL
Updated 9 months ago
4 Comments

When in January 2024 will this change take effect? Jan 1st, Jan 31st, or in the middle?

replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 4 months ago

Thank you, team. As far as I have noticed, I rely on Secrets Manager via the CodeBuild service. What changes should I make?

replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 3 months ago