Gernot Glawe for AWS Community Builders

Posted on • Originally published at tecracer.com

List deleted secrets from AWS Secrets Manager

The secret manager is sooo good at hiding things that the API or AWS CLI does not show you secrets scheduled for deletion... But you can cheat your way around this. The GOpher can discover the secret...

When you delete a secret from AWS Secrets Manager, the standard

aws secretsmanager list-secrets

does not show these secrets.

Also, there is no parameter to show the deleted (or scheduled-for-deletion) secrets.

In the AWS console, however, there is a preference to show these secrets as well:

Preferences

Debugging the AWS console, you see that the console is cheating: it uses a parameter that is not defined in the API definition (see the API doc).

Debug the console

So you have to change the request body to:

{
  "MaxResults": 100,
  "IncludeDeleted": true,
  "SortOrder": "desc",
  "Filters": []
}

Implement with Go SDK V2

In Go, the input parameters for secretsmanager.ListSecrets are well-defined types, so any attempt to add an unknown field will fail at compile time.

But because of the Go SDK middleware, you can manipulate the request at every stage of its lifecycle.

See AWS Go SDK V2 Middleware for the documentation.

The middleware has several steps:

Stack Step    Description
Initialize    Prepares the input and sets any default parameters as needed.
Serialize     Serializes the input to a protocol format suitable for the target transport layer.
Build         Attaches additional metadata to the serialized input, such as HTTP Content-Length.
Finalize      Final message preparation, including retries and authentication (SigV4 signing).
Deserialize   Deserializes responses from the protocol format into a structured type or error.

The Build step is the right place for this: after Serialize the JSON body already exists, and the request is not signed until Finalize, so the body we swap in is the one that gets measured and signed.

So we append a function to cfg.APIOptions:

cfg, err := config.LoadDefaultConfig(context.TODO())
if err != nil {
    panic("configuration error, " + err.Error())
}

// secretParameter is the custom Build-step middleware (a middleware.BuildMiddleware)
// that swaps the serialized request body for the JSON the console sends.
cfg.APIOptions = append(cfg.APIOptions, func(stack *middleware.Stack) error {
    // Attach the custom middleware to the beginning of the Build step
    return stack.Build.Add(secretParameter, middleware.Before)
})
client = secretsmanager.NewFromConfig(cfg)

The middleware function now replaces the JSON body of the ListSecrets request with the JSON data the console uses.
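As an added example (not code from the post or from the linked project), here is the body rewrite the middleware performs, applied to a plain net/http request using only the Go standard library so it runs without the SDK. The X-Amz-Target header value and the sample request body are constructed assumptions; in the real program the same steps run inside a Build-step middleware on the SDK's request object.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// injectIncludeDeleted takes the serialized ListSecrets request body (a JSON
// object) and returns it with "IncludeDeleted": true added, the undocumented
// field the AWS console sends. Fields the SDK already serialized (MaxResults,
// Filters, SortOrder, ...) are kept untouched.
func injectIncludeDeleted(body []byte) ([]byte, error) {
	params := map[string]json.RawMessage{}
	if len(bytes.TrimSpace(body)) > 0 {
		if err := json.Unmarshal(body, &params); err != nil {
			return nil, fmt.Errorf("request body is not a JSON object: %w", err)
		}
	}
	params["IncludeDeleted"] = json.RawMessage("true")
	return json.Marshal(params)
}

// isListSecrets restricts the rewrite to the ListSecrets action, so other
// Secrets Manager calls made through the same client are left alone.
// (Header value assumed: the awsjson target for this operation.)
func isListSecrets(req *http.Request) bool {
	return req.Header.Get("X-Amz-Target") == "secretsmanager.ListSecrets"
}

// rewriteRequestBody replaces req.Body with the patched JSON and recomputes
// Content-Length, so the transport and the SigV4 signer see one consistent
// message. Leaving the old length in place would produce a truncated or
// rejected request.
func rewriteRequestBody(req *http.Request) error {
	var original []byte
	if req.Body != nil {
		b, err := io.ReadAll(req.Body)
		if err != nil {
			return err
		}
		req.Body.Close()
		original = b
	}
	patched, err := injectIncludeDeleted(original)
	if err != nil {
		return err
	}
	req.Body = io.NopCloser(bytes.NewReader(patched))
	req.ContentLength = int64(len(patched))
	// GetBody lets net/http replay the body on retries/redirects.
	req.GetBody = func() (io.ReadCloser, error) {
		return io.NopCloser(bytes.NewReader(patched)), nil
	}
	return nil
}

func main() {
	// Constructed sample: what the SDK serializes for ListSecrets with MaxResults=100.
	req, err := http.NewRequest(http.MethodPost,
		"https://secretsmanager.eu-central-1.amazonaws.com/",
		strings.NewReader(`{"MaxResults":100}`))
	if err != nil {
		panic(err)
	}
	req.Header.Set("X-Amz-Target", "secretsmanager.ListSecrets")
	req.Header.Set("Content-Type", "application/x-amz-json-1.1")

	if isListSecrets(req) {
		if err := rewriteRequestBody(req); err != nil {
			panic(err)
		}
	}
	body, _ := io.ReadAll(req.Body)
	fmt.Printf("Content-Length: %d\nBody: %s\n", req.ContentLength, body)
}
```

Inside the SDK, a `middleware.BuildMiddlewareFunc` receives the request as `in.Request`, which for HTTP transports is a smithy-go `*smithyhttp.Request` embedding `*http.Request`; its `SetStream` method is the SDK's way of replacing the body. Because the middleware is added with `middleware.Before` in the Build step, it runs ahead of the SDK's own Content-Length handling and well before signing in Finalize.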

Run

Create a secret "deleteme" in the AWS console and delete it again. The AWS CLI will show you an empty list:

aws secretsmanager list-secrets
{
    "SecretList": []
}

With this program:

go run main.go

you get the output:

Results
=======
Secret: deleteme / deleted on 2022-11-23 12:23:58.374 +0000 UTC

Show details

Now you may describe the secret:

aws secretsmanager describe-secret --secret-id deleteme

Really delete

And you can delete it for good (use it at your own risk!):

aws secretsmanager delete-secret --secret-id deleteme --force-delete-without-recovery

Source

See GitHub for the source code, and the releases to download an executable: Release
