Open pearj opened 2 months ago
When I was using Azure as the backend, I submitted a change (#221) to make it so that a disabled secret version would cause `secret-agent` to think the secret was missing and create it again. I want the same capability for AWS, and I can't figure out if it's already supported or not.

Looking through the AWS EnsureSecret function, it doesn't appear that this is supported: https://github.com/ForgeRock/secret-agent/blob/master/pkg/secretsmanager/secretsmanager.go#L424-L469

At the moment I think the only way to regenerate a secret is to delete it and wait for the 7 day minimum waiting period, so that the secret can be properly deleted.

I was thinking that perhaps if the secret version that has the `AWSCURRENT` tag also has a tag of `SACREGENERATE`, then it will treat the secret as missing and then regenerate the secret.

@lee-baines thoughts?

Hi @pearj. I'm not entirely sure about this. I've taken a look at the code too and can't say for sure how this works. I can't prioritise this at the moment as we're not actively developing the `secret-agent` and have a lot of big changes coming up.
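As an added example (not code from secret-agent or its authors), here is how the check pearj proposes in the issue body could look in Go, modelled on the shape of a Secrets Manager DescribeSecret response: the per-version staging labels under VersionIdsToStages, the DeletedDate that marks a pending deletion, and a ResourceNotFoundException for a missing secret. The SACREGENERATE label, the Action names, the SecretMetadata stand-in type and the in-memory client are assumptions for illustration. It treats SACREGENERATE as a staging label on the version that carries AWSCURRENT, since staging labels, not resource tags, are what Secrets Manager attaches per version; a flagged live version is mapped to the same outcome as a missing secret, and a secret that is still inside its deletion waiting period is reported separately, because that is the state the 7 day wait in the issue refers to.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AWSCURRENT is the real Secrets Manager staging label for the live version.
// SACREGENERATE is the label proposed in the issue; its name and the idea of
// attaching it to the AWSCURRENT version are assumptions taken from that proposal.
const (
	LabelCurrent    = "AWSCURRENT"
	LabelRegenerate = "SACREGENERATE"
)

// SecretMetadata holds just the DescribeSecret fields the decision needs.
// It is a constructed stand-in, not the AWS SDK type.
type SecretMetadata struct {
	Name               string
	DeletedDate        *time.Time          // non-nil once DeleteSecret has scheduled deletion
	VersionIdsToStages map[string][]string // version id -> staging labels on that version
}

// ErrNotFound stands in for the API's ResourceNotFoundException.
var ErrNotFound = errors.New("ResourceNotFoundException")

// Describer is the slice of the Secrets Manager API this logic depends on,
// so the same decision code can run against the in-memory fake below.
type Describer interface {
	DescribeSecret(name string) (*SecretMetadata, error)
}

// Action is what an EnsureSecret-style reconciler would do next.
type Action string

const (
	ActionCreate     Action = "create"     // no secret with that name
	ActionRegenerate Action = "regenerate" // live version flagged for regeneration
	ActionKeep       Action = "keep"       // secret exists and is not flagged
	ActionBlocked    Action = "blocked"    // scheduled for deletion; the name is still taken
)

func hasLabel(labels []string, want string) bool {
	for _, l := range labels {
		if l == want {
			return true
		}
	}
	return false
}

// currentVersionFlagged reports whether the version carrying AWSCURRENT also
// carries SACREGENERATE. Secrets Manager allows at most one AWSCURRENT version,
// so the first match is the only one that matters.
func currentVersionFlagged(m *SecretMetadata) bool {
	for _, labels := range m.VersionIdsToStages {
		if hasLabel(labels, LabelCurrent) {
			return hasLabel(labels, LabelRegenerate)
		}
	}
	return false
}

// DecideEnsureSecret maps the secret's state to an action. A flagged live
// version is handled like a missing secret, which is the proposal in the issue.
func DecideEnsureSecret(c Describer, name string) (Action, error) {
	m, err := c.DescribeSecret(name)
	if errors.Is(err, ErrNotFound) {
		return ActionCreate, nil
	}
	if err != nil {
		return "", err
	}
	if m.DeletedDate != nil {
		// Deletion is pending for the recovery window; a fresh secret of the
		// same name cannot be created until that window has elapsed.
		return ActionBlocked, nil
	}
	if currentVersionFlagged(m) {
		return ActionRegenerate, nil
	}
	return ActionKeep, nil
}

// fakeClient is an in-memory Describer keyed by secret name.
type fakeClient map[string]*SecretMetadata

func (f fakeClient) DescribeSecret(name string) (*SecretMetadata, error) {
	m, ok := f[name]
	if !ok {
		return nil, ErrNotFound
	}
	return m, nil
}

// SampleClient returns constructed secrets covering each state the decision handles.
func SampleClient() fakeClient {
	deleted := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	return fakeClient{
		"healthy":  {Name: "healthy", VersionIdsToStages: map[string][]string{"v1": {LabelCurrent}, "v0": {"AWSPREVIOUS"}}},
		"flagged":  {Name: "flagged", VersionIdsToStages: map[string][]string{"v1": {LabelCurrent, LabelRegenerate}}},
		"deleting": {Name: "deleting", DeletedDate: &deleted, VersionIdsToStages: map[string][]string{"v1": {LabelCurrent}}},
	}
}

func main() {
	c := SampleClient()
	for _, name := range []string{"missing", "healthy", "flagged", "deleting"} {
		a, err := DecideEnsureSecret(c, name)
		fmt.Printf("%-8s -> %s (err=%v)\n", name, a, err)
	}
}
```

The decision is kept separate from the API client so it can be exercised against the fake above; wiring it to the real SDK means implementing Describer over the SDK's DescribeSecret call and copying DeletedDate and VersionIdsToStages into SecretMetadata. Whatever regenerates the secret should also remove SACREGENERATE from the new AWSCURRENT version, otherwise the next reconcile would regenerate it again.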