A secret with the same name exists in the selected Region No permissions available on the KMS key to complete the replication The KMS key is disabled or not found You have not enabled the Region where the replication occurs

Troubleshoot Amazon Secrets Manager replication

Amazon Secrets Manager replication might fail for various reasons. To check why a secret failed to replicate, you can do one of the following:

Call the DescribeSecret API operation
Review Amazon CloudTrail events

When replication fails:

If there are no usable secret versions, Secrets Manager removes the secret from the replica Region.
If there are successfully replicated secret versions, they remain in the replica Region until you explicitly remove them using the RemoveRegionsFromReplication API operation.

The following sections describe some common reasons for replication failures.

A secret with the same name exists in the selected Region

To resolve this issue, you can overwrite the duplicate name secret in the replica Region. Retry replication, and then in the Retry replication dialog box, choose Overwrite.

No permissions available on the KMS key to complete the replication

Secrets Manager first decrypts the secret before re-encrypting with the new KMS key in the replica Region. If you don't have kms:Decrypt permission to the encryption key in the primary Region, you will encounter this error. To encrypt the replicated secret with a KMS key other than aws/secretsmanager, you need kms:GenerateDataKey and kms:Encrypt to the key. See Permissions for the KMS key.

The KMS key is disabled or not found

If the encryption key in the primary Region is disabled or deleted, Secrets Manager can't replicate the secret. This error can occur even if you have changed the encryption key, if the secret has custom labelled versions that were encrypted with the disabled or deleted encryption key. For information about how Secrets Manager does encryption, see Secret encryption and decryption in Amazon Secrets Manager. To work around this issue, you can recreate the secret versions so that Secrets Manager encrypts them with the current encryption key. For more information, see Change the encryption key for a secret. Then retry replication.


aws secretsmanager put-secret-value \
  --secret-id testDescriptionUpdate \
  --secret-string "SecretValue" \
  --version-stages "MyCustomLabel"

You have not enabled the Region where the replication occurs

For information about how to enable a Region, see Managing Amazon Regions. in the Amazon Account Management Reference Guide.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Prevent replication

Get secrets