The secret manager is sooo good at hiding things that the API or AWS CLI does not show you secrets scheduled for deletion... But you can cheat your way around this. The GOpher can discover the secret...
Update March 2023:
AWS Secrets Manager now supports listing secrets scheduled for deletion with a new request parameter, IncludePlannedDeletion.
Thanks to Simon Marty for pointing it out and updating my code!
When you delete a secret from AWS Secrets Manager, the standard `aws secretsmanager list-secrets` does not show these secrets. There is also no documented parameter to show deleted or scheduled-for-deletion secrets.
In the AWS console, you have the option to show these secrets also:
Debugging the AWS console, you see that the console is cheating and using a parameter that is not defined in the API definition (see the API doc).
So you have to change the content of the request to:
```json
{
  "MaxResults": 100,
  "IncludeDeleted": true,
  "SortOrder": "desc",
  "Filters": []
}
```
## Implement with Go SDK V2
In Go, the input parameters for `secretsmanager.ListSecrets` are well-defined, so any attempt to add a field will fail.
But thanks to the Go SDK's middleware stack, you can manipulate requests at every stage. See the AWS Go SDK V2 middleware documentation.
The middleware has several steps:

| Stack Step | Description |
|---|---|
| Initialize | Prepares the input and sets any default parameters as needed. |
| Serialize | Serializes the input to a protocol format suitable for the target transport layer. |
| Build | Attaches additional metadata to the serialized input, such as HTTP Content-Length. |
| Finalize | Final message preparation, including retries and authentication (SigV4 signing). |
| Deserialize | Deserializes responses from the protocol format into a structured type or error. |
The Build step seems fine for this.
So we append a function to the config's `APIOptions` that adds our middleware to the Build step:
```go
import (
	"context"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
	"github.com/aws/smithy-go/middleware"
)
cfg, err := config.LoadDefaultConfig(context.TODO())
if err != nil {
	panic("configuration error, " + err.Error())
}
cfg.APIOptions = append(cfg.APIOptions, func(stack *middleware.Stack) error {
	// Attach the custom middleware to the beginning of the Build step.
	// includeDeletedMiddleware (name chosen here) is a middleware.BuildMiddleware
	// that rewrites the serialized JSON body to add "IncludeDeleted": true.
	return stack.Build.Add(includeDeletedMiddleware, middleware.Before)
})
client := secretsmanager.NewFromConfig(cfg)
```
This Build middleware replaces the JSON body of the request to the API with the JSON the console sends, before the request is signed in the Finalize step.
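The post leaves out the body of the middleware itself. As an added example (not the post's or the repository's code), this stand-alone Go program shows the rewrite that middleware has to perform, written against the standard library's `*http.Request` (which smithy-go's transport request embeds) so it runs offline; the endpoint URL, the `X-Amz-Target` header value and the function names are my assumptions about what the Serialize step emits, not taken from the page.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// injectIncludeDeleted rewrites a serialized ListSecrets body so it carries the console's
// undocumented "IncludeDeleted": true flag and leaves every other field untouched. It is
// the work the post's Build middleware does; smithy-go's request embeds an *http.Request.
func injectIncludeDeleted(req *http.Request) error {
	raw, err := io.ReadAll(req.Body)
	if err != nil {
		return fmt.Errorf("read body: %w", err)
	}
	_ = req.Body.Close()
	body := map[string]any{} // an empty body (no parameters) still has to become an object
	if len(bytes.TrimSpace(raw)) > 0 {
		if err := json.Unmarshal(raw, &body); err != nil {
			return fmt.Errorf("unmarshal body: %w", err) // never forward a body we cannot parse
		}
	}
	body["IncludeDeleted"] = true
	out, err := json.Marshal(body)
	if err != nil {
		return err
	}
	req.Body = io.NopCloser(bytes.NewReader(out))
	req.ContentLength = int64(len(out)) // must match the body that SigV4 signs in Finalize
	return nil
}

// rewrittenBody wraps a constructed stand-in for the SDK's serialized ListSecrets request
// (endpoint and header are assumed), applies the rewrite and returns the new JSON body.
func rewrittenBody(body string) (string, error) {
	req := httptest.NewRequest(http.MethodPost, "https://secretsmanager.eu-central-1.amazonaws.com/", strings.NewReader(body))
	req.Header.Set("X-Amz-Target", "secretsmanager.ListSecrets")
	if err := injectIncludeDeleted(req); err != nil {
		return "", err
	}
	out, err := io.ReadAll(req.Body)
	return string(out), err
}
func main() {
	fmt.Println(rewrittenBody(`{"MaxResults":100,"SortOrder":"desc","Filters":[]}`))
}
```

Since March 2023 the same listing is available without this rewrite through the documented `IncludePlannedDeletion` parameter mentioned in the update at the top.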
## Run
Create a secret "deleteme" in the AWS console and delete it again. The AWS CLI will show you an empty list:
```bash
aws secretsmanager list-secrets
{
"SecretList": []
}
```
With [this](https://github.com/megaproaktiv/listdeletedsecrets) program:
```bash
go run main.go
```
You get the output:
```bash
Results
=======
Secret: deleteme / deleted on 2022-11-23 12:23:58.374 +0000 UTC
```
## Show details
Now you may describe the secret:
```bash
aws secretsmanager describe-secret --secret-id deleteme
```
## Really delete
And you can delete it for good - use at your own risk!
```bash
aws secretsmanager delete-secret --secret-id deleteme --force-delete-without-recovery
```
## Source
See [github](https://github.com/megaproaktiv/listdeletedsecrets) for the source code and the releases to download an executable: [Release](https://github.com/megaproaktiv/listdeletedsecrets/releases/tag/v0.1.1)