Reputation: 959
Looking at the man page for list-secrets, there are no special options to show deleted or not. It does not list deleted secrets. However, the output definition includes a "DeletedDate" timestamp.
The ListSecrets API does not show any option for deleted secrets. But again the response includes a DeletedDate.
The boto3 docs for list_secrets() are the same.
However, in the AWS console I can see deleted secrets. A quick look at the dev tools and I can see my request payload to the Secrets Manager endpoint looks like:
    {
        "method": "POST",
        "path": "/",
        "headers": {
            "Content-Type": "application/x-amz-json-1.1",
            "X-Amz-Target": "secretsmanager.ListSecrets",
            "X-Amz-Date": "Fri, 27 Nov 2020 13:19:06 GMT"
        },
        "operation": "ListSecrets",
        "content": {
            "MaxResults": 100,
            "IncludeDeleted": true,
            "SortOrder": "asc"
        },
        "region": "eu-west-2"
    }
Is there any way to pass "IncludeDeleted": true to the CLI?
Is this a bug? Where do I report it? (I know there is a CloudFormation bug tracker on GitHub, I assume secretsmanager would have something similar somewhere..?)
Upvotes: 5
Views: 4486
Reputation: 21
Needs: AWS CLI and jq
    aws secretsmanager list-secrets --include-planned-deletion --profile YOUR_PROFILE --output json | jq -r '.SecretList[] | select(.DeletedDate!=null) | .Name'
Upvotes: 2
Reputation: 6098
Save the following file to ~/.aws/models/secretsmanager/2017-10-17/service-2.sdk-extras.json:
    {
        "version": 1.0,
        "merge": {
            "shapes": {
                "ListSecretsRequest": {
                    "members": {
                        "IncludeDeleted": {
                            "shape": "BooleanType",
                            "documentation": "<p>If set, includes secrets that are disabled.</p>"
                        }
                    }
                }
            }
        }
    }
Then you can list secrets with the CLI as follows:
    aws secretsmanager list-secrets --include-deleted
or with boto3:
    import boto3


    def list_secrets(session, **kwargs):
        # Page through ListSecrets; extra kwargs (e.g. IncludeDeleted) go to the API call
        client = session.client("secretsmanager")
        for page in client.get_paginator("list_secrets").paginate(**kwargs):
            yield from page["SecretList"]


    if __name__ == "__main__":
        session = boto3.Session()
        # Print only the secrets that carry a DeletedDate
        for secret in list_secrets(session, IncludeDeleted=True):
            if "DeletedDate" in secret:
                print(secret)
This is using the botocore loader mechanism to augment the service model for Secrets Manager, and tell boto3 that "IncludeDeleted" is a parameter for the ListSecrets API.
If you want more detail, I've just posted a blog post explaining what else I tried and how I got to this solution – and thanks to OP, whose dev tool experiments were a useful clue.
Upvotes: 8
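What the "merge" section of that sdk-extras file does to the service model, as an added example that is not part of the original answer and is not botocore's own code: a simplified deep merge applied to a constructed excerpt of the Secrets Manager model, with a check of whether ListSecretsRequest accepts IncludeDeleted before and after. The names BASE_MODEL, EXTRAS, deep_merge, apply_extras and param_type, and the model excerpt itself, are assumptions made for illustration.

```python
import copy

# Constructed excerpt of a Secrets Manager service model (illustration only).
BASE_MODEL = {
    "shapes": {
        "BooleanType": {"type": "boolean"},
        "ListSecretsRequest": {
            "type": "structure",
            "members": {
                "MaxResults": {"shape": "MaxResultsType"},
                "SortOrder": {"shape": "SortOrderType"},
            },
        },
    }
}

# The "merge" section of the sdk-extras file above (documentation string omitted).
EXTRAS = {
    "version": 1.0,
    "merge": {"shapes": {"ListSecretsRequest": {"members": {
        "IncludeDeleted": {"shape": "BooleanType"},
    }}}},
}


def deep_merge(base, extra):
    """Merge `extra` into `base` in place: nested dicts are merged key by
    key, any other value from `extra` replaces the value in `base`."""
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            deep_merge(base[key], value)
        else:
            base[key] = value
    return base


def apply_extras(model, extras):
    """Return a copy of `model` with the extras' "merge" section applied."""
    return deep_merge(copy.deepcopy(model), extras.get("merge", {}))


def param_type(model, request_shape, param):
    """Type of a request parameter, or None if the model does not accept it."""
    member = model["shapes"][request_shape]["members"].get(param)
    return model["shapes"][member["shape"]]["type"] if member else None
```

In this sketch param_type raises KeyError when the extras reference a shape the model excerpt does not define, which is why the member added above points at the existing BooleanType shape.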