AWS secrets manager, 'A previous rotation isn’t complete' when rotating secrets


I've created a secret and updated it to have a lambda rotation function

My secret looks like

aws secretsmanager list-secret-version-ids --secret-id envir/username
{
    "Versions": [
        {
            "VersionId": "90179cd3-daa1-48e4-9fe5-dde0a4cf22e4",
            "VersionStages": [
                "AWSPREVIOUS"
            ],
            "LastAccessedDate": 1524528000.0,
            "CreatedDate": 1524568488.358
        },
        {
            "VersionId": "60576823-5d98-4360-af53-7e1f909b88d0",
            "VersionStages": [
                "AWSCURRENT"
            ],
            "LastAccessedDate": 1524528000.0,
            "CreatedDate": 1524568827.466
        }
    ],
    "ARN": "arn:aws:secretsmanager:eu-west-1:8282828282828:secret:username-YdgbPA",
    "Name": "envir/username"
}

and when I try to rotate it, I get this error:

An error occurred (InvalidRequestException) when calling the RotateSecret operation: A previous rotation isn’t complete. That rotation will be reattempted.

I can rotate the secret without issues if I trigger the Lambda function.

Does anyone have any ideas?


For anyone still having this issue, what you can try is clearing the pending version and reattempting the rotation.

For example, with a secret whose secret id is thefrog, call

aws secretsmanager get-secret-value \
    --secret-id thefrog \
    --version-stage AWSPENDING

to get the version id of the version with the pending label. The result would look like this:

{
    "CreatedDate": 1541540242.561,
    "Name": "thefrog",
    "VersionStages": [
        "AWSPENDING"
    ],
    "SecretString": "TOP-SECRET",
    "ARN": "arn:aws:secretsmanager:xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "VersionId": "2a27cecb-23c7-4320-b168-78661c24612f"
}

Then call

aws secretsmanager update-secret-version-stage \
    --secret-id thefrog \
    --version-stage AWSPENDING \
    --remove-from-version-id 2a27cecb-23c7-4320-b168-78661c24612f

to remove the version of the secret that has the pending label.

From here you can retry the rotation.


For anyone who thinks that the link at https://forums.aws.amazon.com/thread.jspa?threadID=280093&tstart=0 doesn't apply, make sure to check the output of both aws secretsmanager list-secret-version-ids and aws secretsmanager list-secrets to make sure they are in sync with each other. I just had one secret I could not rotate, kept getting the "A previous rotation isn’t complete. That rotation will be reattempted" error message. I had a support case with AWS open on it, and while I was waiting on hold to speak to a support rep, I decided to check the output of list-secrets, and lo and behold I found an AWSPENDING label on the secret I could not rotate (that label did NOT show up on the output of list-secret-version-ids for that secret). Once I cleared that label, I could then successfully rotate the secret I was having problems with.
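As an added example (not code from the original answers), the Python below does with boto3 what the two answers above do from the CLI: it cross-checks both list-secret-version-ids and list-secrets for an AWSPENDING label, as the second answer recommends, then removes the label with update-secret-version-stage and calls rotate-secret again, as the first answer describes. The boto3 operation names and response fields (Versions, VersionStages, SecretList, SecretVersionsToStages, NextToken) are the real ones; the secret name, ARN and version ids are constructed placeholders, and FakeSecretsManager is a constructed stand-in for a boto3 client so the logic can be exercised offline.

```python
"""Added example, not code from the original thread: find a stuck AWSPENDING
label, clear it, and retry rotation, using the same API calls the answers
above make from the CLI. The client is injected so the logic runs offline
against the constructed FakeSecretsManager below."""
from typing import Dict, List

AWSPENDING = "AWSPENDING"
Stages = Dict[str, List[str]]  # VersionId -> staging labels


def stages_from_version_ids(response: dict) -> Stages:
    """Labels per version from a list_secret_version_ids response."""
    return {v["VersionId"]: list(v.get("VersionStages", []))
            for v in response.get("Versions", [])}


def stages_from_list_secrets(response: dict, secret_id: str) -> Stages:
    """Labels per version for one secret (matched by Name or ARN) from a
    list_secrets response, read from its SecretVersionsToStages field."""
    for entry in response.get("SecretList", []):
        if secret_id in (entry.get("Name"), entry.get("ARN")):
            return {vid: list(labels) for vid, labels
                    in entry.get("SecretVersionsToStages", {}).items()}
    return {}


def pending_version_ids(stages: Stages) -> List[str]:
    """Every version id that carries the AWSPENDING label."""
    return sorted(vid for vid, labels in stages.items() if AWSPENDING in labels)


def find_stuck_pending(client, secret_id: str) -> List[str]:
    """Union of AWSPENDING version ids seen by list_secret_version_ids and by
    list_secrets; as the second answer observed, the two listings can differ."""
    by_version = stages_from_version_ids(
        client.list_secret_version_ids(SecretId=secret_id, IncludeDeprecated=True))
    kwargs: dict = {}
    while True:  # list_secrets is paginated via NextToken
        page = client.list_secrets(**kwargs)
        by_secret = stages_from_list_secrets(page, secret_id)
        if by_secret or "NextToken" not in page:
            break
        kwargs = {"NextToken": page["NextToken"]}
    return sorted(set(pending_version_ids(by_version))
                  | set(pending_version_ids(by_secret)))


def clear_stuck_rotation(client, secret_id: str, retry: bool = True) -> List[str]:
    """Remove AWSPENDING from each stuck version, then optionally call
    rotate_secret again. Returns the version ids that were cleared."""
    stuck = find_stuck_pending(client, secret_id)
    for vid in stuck:
        client.update_secret_version_stage(
            SecretId=secret_id, VersionStage=AWSPENDING, RemoveFromVersionId=vid)
    if retry:
        client.rotate_secret(SecretId=secret_id)
    return stuck


class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3.client("secretsmanager").
    hidden_pending models the second answer's case: a version that shows
    AWSPENDING in list_secrets but is absent from list_secret_version_ids."""
    def __init__(self, name: str, arn: str, versions: Stages, hidden_pending: str = ""):
        self.name, self.arn, self.hidden = name, arn, hidden_pending
        self.versions = {vid: list(labels) for vid, labels in versions.items()}
        self.calls: List[tuple] = []

    def list_secret_version_ids(self, SecretId, IncludeDeprecated=False):
        self.calls.append(("list_secret_version_ids", SecretId))
        return {"Name": self.name, "ARN": self.arn, "Versions": [
            {"VersionId": vid, "VersionStages": list(labels)}
            for vid, labels in self.versions.items()]}

    def list_secrets(self, **_kwargs):
        self.calls.append(("list_secrets",))
        stages = {vid: list(labels) for vid, labels in self.versions.items()}
        if self.hidden:
            stages[self.hidden] = [AWSPENDING]
        return {"SecretList": [{"Name": self.name, "ARN": self.arn,
                                "SecretVersionsToStages": stages}]}

    def update_secret_version_stage(self, SecretId, VersionStage,
                                    RemoveFromVersionId=None, MoveToVersionId=None):
        self.calls.append(("update_secret_version_stage", VersionStage, RemoveFromVersionId))
        if RemoveFromVersionId in self.versions:
            self.versions[RemoveFromVersionId].remove(VersionStage)
        elif RemoveFromVersionId == self.hidden:
            self.hidden = ""

    def rotate_secret(self, SecretId):
        self.calls.append(("rotate_secret", SecretId))
        return {"Name": self.name, "ARN": self.arn, "VersionId": "new-version-id"}


def demo() -> List[str]:
    """The thread's scenario with constructed version ids: one AWSPENDING
    version visible to both APIs and one visible only to list_secrets."""
    client = FakeSecretsManager(
        name="thefrog", arn="arn:aws:secretsmanager:REGION:ACCOUNT:secret:thefrog-EXAMPLE",
        versions={"cur-1111": ["AWSCURRENT"], "prev-2222": ["AWSPREVIOUS"],
                  "pend-3333": ["AWSPENDING"]},
        hidden_pending="ghost-4444")
    return clear_stuck_rotation(client, "thefrog")
```

Against a real account, pass `boto3.client("secretsmanager")` in place of the fake. Check the rotation Lambda's CloudWatch logs first to confirm no rotation attempt is still in flight, since the Lambda locates the version it is working on through the AWSPENDING label, and fix whatever made the Lambda fail (the point made in the later answer about uncontrolled retries), otherwise the retry will just recreate the stuck state.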


The problem was that the Lambda function was failing and the retry was happening without my control (there is currently no way to limit the retries on a Lambda function).


Comments
  • I wonder why they keep the AWSPENDING label on a secret where rotation failed
  • Doesn't the retry only happen if you're reattempting the rotation?