Moto Secrets Manager rotation deviates from the real Secrets Manager #8403

Open
pergardebrink opened this issue Dec 15, 2024 · 0 comments
pergardebrink commented Dec 15, 2024

Issue:
When the rotation is initiated by moto, the version with stage AWSPENDING does not behave exactly the same as the real Secrets Manager secret.

I noticed that when the real Secrets Manager is called with rotate_secret, it will create a new version with stage AWSPENDING just like moto before it invokes the lambda for the createSecret step. However, this version does not have a secret value attached to it in the real Secrets Manager.

If you call moto with get_secret_value(VersionId=<the new versionid>, VersionStage="AWSPENDING") moto will return a value (copied from AWSCURRENT).

The real Secrets Manager will fail with ResourceNotFoundException regardless of whether you request either VersionId or VersionStage, or both. It seems like the version does not have a secret value attached to it at all.

Steps to reproduce:

Expected result:
You should not see "createSecret: Successfully retrieved secret for...", as this message indicates that the get_secret_value call succeeded on the first step, which is not how Secrets Manager behaves.

Actual result:
You see the message (the version/stage AWSPENDING has a secret_value)
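Why the difference matters for anyone testing a rotation function, as an added example that is not code from the issue or from moto: it assumes a createSecret step that only generates a value when the AWSPENDING lookup fails (a structure inferred from the "Successfully retrieved secret" message quoted above). `StubSecretsManager`, `create_secret`, `rotation_produced_new_value`, `run` and all sample values are hypothetical, constructed stand-ins, so the block runs without boto3 or moto.

```python
import secrets

class ResourceNotFoundException(Exception):
    """Stand-in for the Secrets Manager error of the same name."""

class StubSecretsManager:
    """Constructed in-memory stand-in; not boto3 and not moto."""
    def __init__(self, current_value, pending_has_value):
        # pending_has_value=False: AWSPENDING has no value (real service, per the issue)
        # pending_has_value=True: AWSPENDING is a copy of AWSCURRENT (moto, per the issue)
        self.stages = {"AWSCURRENT": current_value}
        if pending_has_value:
            self.stages["AWSPENDING"] = current_value

    def get_secret_value(self, SecretId, VersionStage, VersionId=None):
        if VersionStage not in self.stages:
            raise ResourceNotFoundException(VersionStage)
        return {"SecretString": self.stages[VersionStage]}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        for stage in VersionStages:
            self.stages[stage] = SecretString

def create_secret(client, arn, token):
    """createSecret step: generate a value only if AWSPENDING has none yet."""
    try:
        client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
        return "retrieved"  # nothing new is generated on this path
    except ResourceNotFoundException:
        client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=secrets.token_urlsafe(32),
                                VersionStages=["AWSPENDING"])
        return "generated"

def rotation_produced_new_value(client, arn):
    """Test-side check: after createSecret, AWSPENDING must differ from AWSCURRENT."""
    current = client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"]
    pending = client.get_secret_value(SecretId=arn, VersionStage="AWSPENDING")["SecretString"]
    return pending != current

def run(pending_has_value):
    """Run createSecret against one of the two behaviours and report the outcome."""
    client = StubSecretsManager("old-value-constructed", pending_has_value)
    arn, token = "arn:placeholder:secret", "token-placeholder"  # constructed placeholders
    outcome = create_secret(client, arn, token)
    return outcome, rotation_produced_new_value(client, arn)
```

With the pre-populated AWSPENDING the step takes the "retrieved" path and the pending value stays equal to the current one, so a test that only checks that rotation completed would pass without the secret ever changing; asserting that the two stages differ catches this.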
