Aditya Nair

Reputation: 572

AWS Secret Manager Update

Is there any possible method by which I can update key/values in AWS Secrets Manager without having to retrieve the current values and then updating them?

The current solutions I have found first retrieve the value from Secrets Manager:

import json
import boto3
client = boto3.client("secretsmanager")
original_secret = json.loads(client.get_secret_value(SecretId="my_first_secret")["SecretString"])

Then do an update on them and run the update-secret command:

original_secret.update({"UPDATE_KEY": "update_value"})  # update() mutates in place and returns None
client.update_secret(SecretId="my_first_secret", SecretString=json.dumps(original_secret))

But I don't want to retrieve the secret values. Preferred language is Python.

Upvotes: 5

Views: 7221

Answers (2)

Marcin

Reputation: 238877

Sadly you can't do this, as secret values are de facto immutable. Instead, what you call an "update" is just a process of creating a new version of the secret:

When you update the encrypted secret value in a secret, you create a new version of the secret. The new version automatically receives the staging label AWSCURRENT.

The AWS console dumbs down this process, as it makes it appear that you can "update" a secret's value in-place. Instead it just copies the current version, updates its value, and creates a new version of the secret's value. All this is done in the backend, so you don't see this.

But using AWS CLI, you can list the secret value versions with list-secret-version-ids. If you do this, you will see that you never update any secret values directly, you just keep creating new versions of it with a past value still present (only one past value is kept). You can always retrieve the old version using --version-id in get-secret-value.

So you have to do the same with Python. Get the current version of the secret's value, update it locally, and make a new version of the value.

Upvotes: 8

John Rotenstein

Reputation: 270184

You can use put_secret_value():

import boto3
client = boto3.client('secretsmanager')

# Create secret
client.create_secret(
    Name='foo',
    SecretString='bar'
)

# Update secret
client.put_secret_value(
    SecretId='foo',
    SecretString='bar2'
)

Upvotes: 1
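Putting the two answers together, as an added example that is not part of either answer: `put_secret_value()` replaces the whole `SecretString`, so changing one key of a JSON secret still means read, merge, write, and each write becomes a new version. `FakeSecretsManager`, `merge_secret_keys` and the sample keys are constructed for illustration; the stub only imitates the response fields used here so the block runs without AWS access.

```python
import json
import uuid


class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3.client('secretsmanager').
    Holds a single secret, so SecretId is accepted but not used for lookup."""

    def __init__(self, secret_string):
        self.versions = {}  # VersionId -> SecretString
        self.stages = {}    # staging label -> VersionId
        self.put_secret_value(SecretId="init", SecretString=secret_string)

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        version_id = self.stages[VersionStage]
        return {"Name": SecretId, "VersionId": version_id,
                "SecretString": self.versions[version_id]}

    def put_secret_value(self, SecretId, SecretString):
        version_id = str(uuid.uuid4())
        self.versions[version_id] = SecretString
        if "AWSCURRENT" in self.stages:
            # The old current version keeps its value and becomes AWSPREVIOUS.
            self.stages["AWSPREVIOUS"] = self.stages["AWSCURRENT"]
        self.stages["AWSCURRENT"] = version_id
        return {"Name": SecretId, "VersionId": version_id}


def merge_secret_keys(client, secret_id, changes):
    """Read-modify-write of a JSON secret.

    Returns only the new VersionId; the secret values are never returned
    or placed in an error message, so they stay out of logs.
    """
    current = client.get_secret_value(SecretId=secret_id)["SecretString"]
    try:
        data = json.loads(current)
    except json.JSONDecodeError:
        data = None
    if not isinstance(data, dict):
        # e.g. a plain-string secret such as 'bar': there are no keys to merge
        raise ValueError("secret is not a JSON object; cannot merge keys")
    data.update(changes)  # mutates in place and returns None
    response = client.put_secret_value(
        SecretId=secret_id, SecretString=json.dumps(data))
    return response["VersionId"]
```

With a real client, pass `boto3.client('secretsmanager')` instead of the stub; the caller then needs both `secretsmanager:GetSecretValue` and `secretsmanager:PutSecretValue`. The read and the write are separate calls, so two writers running this at the same time can overwrite each other's change.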
