
Promote a replica secret to a standalone secret in Amazon Secrets Manager

A replica secret is a secret that is replicated from a primary in another Amazon Web Services Region. It has the same secret value and metadata as the primary, but it can be encrypted with a different KMS key. A replica secret can't be updated independently from its primary secret, except for its encryption key. Promoting a replica secret disconnects the replica secret from the primary secret and makes the replica secret a standalone secret. Changes to the primary secret won't replicate to the standalone secret.

You might want to promote a replica secret to a standalone secret as a disaster recovery solution if the primary secret becomes unavailable. Or you might want to promote a replica to a standalone secret if you want to turn on rotation for the replica.

If you promote a replica, be sure to update the corresponding applications to use the standalone secret.

Secrets Manager generates a CloudTrail log entry when you promote a secret. For more information, see Log Amazon Secrets Manager events with Amazon CloudTrail.

To promote a replica secret (console)
  1. Log in to the Secrets Manager at

  2. Navigate to the replica region.

  3. On the Secrets page, choose the replica secret.

  4. On the replica secret details page, choose Promote to standalone secret.

  5. In the Promote replica to standalone secret dialog box, enter the Region and then choose Promote replica.

Amazon CLI

Example: Promote a replica secret to a primary

The following stop-replication-to-replica example removes the link between a replica secret and its primary. The replica secret is promoted to a primary secret in the replica Region. You must call stop-replication-to-replica from within the replica Region.

aws secretsmanager stop-replication-to-replica \
    --secret-id MyTestSecret

Amazon SDK

To promote a replica to a standalone secret, use the StopReplicationToReplica command. You must call this command from the replica secret Region. For more information, see Amazon SDKs.
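The following Python (boto3) sketch is an added example, not code from the Amazon documentation. It wraps StopReplicationToReplica in a pre-check so the call runs only against a secret that is a replica in the client's Region. The names promote_replica and NotAReplicaError are hypothetical, and the check assumes that DescribeSecret returns the primary's Region in PrimaryRegion when called on a replica.

```python
"""Guarded promotion of a replica secret (added example, hypothetical helper names)."""


class NotAReplicaError(Exception):
    """The secret in this Region is not a replica, so there is nothing to promote."""


def promote_replica(client, secret_id):
    """Promote the replica `secret_id` in the client's Region to a standalone secret.

    `client` must be a Secrets Manager client created for the replica Region,
    because StopReplicationToReplica has to be called from that Region.
    Returns the details an operator needs to repoint applications afterwards.
    """
    region = client.meta.region_name
    desc = client.describe_secret(SecretId=secret_id)

    # Assumption: on a replica, PrimaryRegion names the primary's Region, so a
    # missing value or a value equal to our own Region means this is not a replica.
    primary_region = desc.get("PrimaryRegion")
    if not primary_region or primary_region == region:
        raise NotAReplicaError(
            f"{secret_id!r} in {region} is not a replica; refusing to call "
            "StopReplicationToReplica"
        )

    # Disconnects the replica from its primary. From here on, changes to the
    # primary no longer reach this secret, and the call is recorded in CloudTrail.
    resp = client.stop_replication_to_replica(SecretId=secret_id)
    return {
        "arn": resp["ARN"],
        "region": region,
        "former_primary_region": primary_region,
    }


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 3:
        sys.exit("usage: promote_replica.py <replica-region> <secret-id>")

    import boto3  # imported here so the helper above has no hard dependency

    sm = boto3.client("secretsmanager", region_name=sys.argv[1])
    result = promote_replica(sm, sys.argv[2])
    print("Promoted {arn} in {region} (was replicated from {former_primary_region}); "
          "update applications to use this standalone secret.".format(**result))
```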