2 Answers
0
When you mention cache any secret, does it include ListSecretVersionIds cache?
answered 4 months ago
0
If you want to cache in Lambda, you should use this layer, which doesn't require/use the SDK. It should cache any secret or SSM parameter it retrieves.
https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html
There are only 3 version stages per secret and you can pull each one of them using this method. Secrets Manager doesn't store a linear history of secrets with versions. Instead, it keeps track of three specific versions by labelling them:
- The current version - AWSCURRENT
- The previous version - AWSPREVIOUS
- The pending version (during rotation) - AWSPENDING
Just call whichever version you require, such as GET: /secretsmanager/get?secretId=secretId&versionStage=AWSCURRENT
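An added example (not part of the answer above, and not AWS's code) of calling the extension's local endpoint for more than one staging label from Python. It assumes the extension's default port 2773 and its `X-Aws-Parameters-Secrets-Token` header; `build_request`, `candidate_secrets`, and the `opener` parameter are hypothetical names introduced here.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Extension's local port; 2773 is its documented default.
PORT = os.environ.get("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", "2773")


def build_request(secret_id, version_stage):
    """Build the GET request for the extension's local cache endpoint."""
    # URL-encode: secret names and ARNs may contain '/' and ':'.
    query = urllib.parse.urlencode(
        {"secretId": secret_id, "versionStage": version_stage})
    url = f"http://localhost:{PORT}/secretsmanager/get?{query}"
    # The extension expects the function's session token in this header.
    token = os.environ.get("AWS_SESSION_TOKEN", "")
    return urllib.request.Request(
        url, headers={"X-Aws-Parameters-Secrets-Token": token})


def candidate_secrets(secret_id, stages=("AWSCURRENT", "AWSPREVIOUS"),
                      opener=urllib.request.urlopen):
    """Fetch each staging label; return ({stage: secret}, {stage: status})."""
    values, failed = {}, {}
    for stage in stages:
        try:
            with opener(build_request(secret_id, stage)) as resp:
                body = json.loads(resp.read())
        except urllib.error.HTTPError as exc:
            # Keep the status so a missing label is not mistaken for success;
            # never log the secret value itself.
            failed[stage] = exc.code
            continue
        values[stage] = body.get("SecretString")
    return values, failed
```

The `opener` argument exists only so the function can be exercised without a running extension; inside Lambda the default `urllib.request.urlopen` is used.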
Curious, why would you need a list of secret version IDs? There are only 3 version stages per secret and you can pull each one of them using this method. Secrets Manager doesn't store a linear history of secrets with versions. Instead, it keeps track of three specific versions by labelling them:
Just call GET: /secretsmanager/get?secretId=secretId&versionStage=AWSCURRENT
Our client keeps the value for up to some time, and the key rotations on the server are set every few months. We want to cover the possibility of forcing key rotations that might be sooner than the client update on the secret value, so we at least need to support up to 3 versions. AWSCURRENT and AWSPREVIOUS are just not enough, and AWSPENDING is out of the question since we do not use the AWS key rotation feature and instead implement our own key rotation on schedule.
You can get any version stage you wish and cache it. That was just an example.