Home Whiteboard Practice Code Graphing Calculator Online Compilers Articles Tools
Tutorials Courses Jobs

How to use Boto3 to delete all secret keys from a specific location in AWS Secret Manager

AWS Boto3 Python Server Side Programming Programming

AWS Secrets Manager is a service that helps you protect secrets needed to access your applications and services. Using boto3, you can programmatically delete secrets from specific locations in AWS Secrets Manager.

Prerequisites

Before running this code, ensure you have ?

  • AWS credentials configured (via AWS CLI, IAM roles, or environment variables)

  • boto3 library installed: pip install boto3

  • Appropriate IAM permissions for secretsmanager:DeleteSecret

Algorithm Steps

  • Step 1: Import boto3 and botocore exceptions to handle exceptions.

  • Step 2: Define the secret_stored_location parameter (Secret ARN or name).

  • Step 3: Create an AWS session using boto3. Ensure region_name is configured.

  • Step 4: Create an AWS client for secretsmanager.

  • Step 5: Call delete_secret method with the SecretId parameter.

  • Step 6: Handle exceptions if deletion fails.

Example: Deleting a Single Secret

Here's how to delete a specific secret from AWS Secrets Manager ?

import boto3
from botocore.exceptions import ClientError

def delete_secret_details(secret_stored_location):
    """
    Delete a secret from AWS Secrets Manager
    
    Args:
        secret_stored_location (str): Secret name or ARN
    
    Returns:
        dict: Response metadata from AWS
    """
    session = boto3.session.Session()
    secretsmanager_client = session.client('secretsmanager')
    
    try:
        response = secretsmanager_client.delete_secret(
            SecretId=secret_stored_location,
            ForceDeleteWithoutRecovery=True  # Immediate deletion
        )
        return response
    except ClientError as e:
        raise Exception(f"boto3 client error in delete_secret_details: {str(e)}")
    except Exception as e:
        raise Exception(f"Unexpected error in delete_secret_details: {str(e)}")

# Example usage
try:
    result = delete_secret_details('/secrets/aws/database-password')
    print("Secret deleted successfully:")
    print(f"ARN: {result['ARN']}")
    print(f"Deletion Date: {result['DeletionDate']}")
except Exception as e:
    print(f"Error: {e}")

Example: Deleting Multiple Secrets by Location Pattern

To delete all secrets from a specific location (e.g., all secrets starting with "/secrets/production/"), you need to list and then delete them ?

import boto3
from botocore.exceptions import ClientError

def delete_secrets_by_location_pattern(location_pattern):
    """
    Delete all secrets matching a location pattern
    
    Args:
        location_pattern (str): Pattern to match secret names
    
    Returns:
        list: List of deleted secret responses
    """
    session = boto3.session.Session()
    secretsmanager_client = session.client('secretsmanager')
    
    deleted_secrets = []
    
    try:
        # List all secrets
        paginator = secretsmanager_client.get_paginator('list_secrets')
        page_iterator = paginator.paginate()
        
        for page in page_iterator:
            for secret in page['SecretList']:
                secret_name = secret['Name']
                
                # Check if secret name matches the pattern
                if secret_name.startswith(location_pattern):
                    try:
                        response = secretsmanager_client.delete_secret(
                            SecretId=secret_name,
                            ForceDeleteWithoutRecovery=True
                        )
                        deleted_secrets.append({
                            'Name': secret_name,
                            'ARN': response['ARN'],
                            'DeletionDate': response['DeletionDate']
                        })
                        print(f"Deleted: {secret_name}")
                    except ClientError as e:
                        print(f"Failed to delete {secret_name}: {e}")
                        
    except ClientError as e:
        raise Exception(f"Error listing secrets: {str(e)}")
    
    return deleted_secrets

# Example usage
location_pattern = "/secrets/production/"
try:
    deleted = delete_secrets_by_location_pattern(location_pattern)
    print(f"\nDeleted {len(deleted)} secrets matching pattern: {location_pattern}")
    for secret in deleted:
        print(f"  - {secret['Name']}")
except Exception as e:
    print(f"Error: {e}")

Key Parameters

Parameter Description Required
SecretId Secret name or ARN Yes
ForceDeleteWithoutRecovery Skip 30-day recovery window No
RecoveryWindowInDays Days before permanent deletion (7-30) No

Error Handling

Common errors you might encounter ?

  • ResourceNotFoundException: Secret doesn't exist

  • InvalidParameterException: Invalid secret name or parameters

  • AccessDeniedException: Insufficient IAM permissions

Conclusion

Use delete_secret() to remove individual secrets from AWS Secrets Manager. For bulk deletion, combine list_secrets() with pattern matching to delete multiple secrets from specific locations. Always handle exceptions properly and consider the recovery window for production environments.

---
Updated on: 2026-03-25T19:01:38+05:30

484 Views

Kickstart Your Career

Get certified by completing the course

Get Started
Advertisements