Modify an Amazon Secrets Manager secret

You can modify the metadata of a secret after it is created, depending on who created the secret. For secrets created by other services, you might need to use the other service to update or rotate it.

To determine who manages a secret, you can review the secret name. Secrets managed by other services are prefixed with the ID of that service. Or, in the Amazon CLI, call describe-secret, and then review the field OwningService. For more information, see Amazon Secrets Manager secrets managed by other Amazon services.

For secrets you manage, you can modify the description, resource-based policy, the encryption key, and tags. You can also change the encrypted secret value; however, we recommend you use rotation to update secret values that contain credentials. Rotation updates both the secret in Secrets Manager and the credentials on the database or service. This keeps the secret automatically synchronized so when clients request a secret value, they always get a working set of credentials. For more information, see Rotate Amazon Secrets Manager secrets.

Secrets Manager generates a CloudTrail log entry when you modify a secret. For more information, see Log Amazon Secrets Manager events with Amazon CloudTrail.

To update a secret you manage (console)

Open the Secrets Manager console at https://console.amazonaws.cn/secretsmanager/.
From the list of secrets, choose your secret.
On the secret details page, do any of the following:

Note that you can't change the name or ARN of a secret.
- To update the description, in the Secrets details section, choose Actions, and then choose Edit description.
- To update the encryption key, see Change the encryption key for an Amazon Secrets Manager secret.
- To update tags, on the Tags tab, choose Edit tags. See Tag Amazon Secrets Manager secrets.
- To update the secret value, see Update the value for an Amazon Secrets Manager secret.
- To update permissions for your secret, on the Overview tab, choose Edit permissions. See Attach a permissions policy to an Amazon Secrets Manager secret.
- To update rotation for your secret, on the Rotation tab, choose Edit rotation. See Rotate Amazon Secrets Manager secrets.
- To replicate your secret to other Regions, see Replicate secrets across Regions.
- If your secret has replicas, you can change the encryption key for a replica. On the Replication tab, select the radio button for the replica, and then on the Actions menu, choose Edit encryption key. See Secret encryption and decryption in Amazon Secrets Manager.
- To change a secret so that it is managed by another service, you need to recreate the secret in that service. See Managed secrets.

Amazon CLI

Example Update secret description

The following update-secret example updates the description of a secret.


aws secretsmanager update-secret \
    --secret-id MyTestSecret \
    --description "This is a new description for the secret."

Amazon SDK

We recommend you avoid calling PutSecretValue or UpdateSecret at a sustained rate of more than once every 10 minutes. When you call PutSecretValue or UpdateSecret to update the secret value, Secrets Manager creates a new version of the secret. Secrets Manager removes unlabeled versions when there are more than 100, but it does not remove versions created less than 24 hours ago. If you update the secret value more than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach the quota for secret versions.

To update a secret, use the following actions: UpdateSecret or ReplicateSecretToRegions. For more information, see Amazon SDKs.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Change the encryption key for a secret

Find secrets