How to delete lots of AWS secrets in one go

This is a NodeJS script that will delete AWS secrets from secrets manager in your account.

Buzz Team


If you maintain an application that stores secure keys in AWS Secrets Manager, and that application stores secrets for many users, you may one day need to delete them in one go.

You might be motivated to do that because each secret costs a fraction of a dollar, and having hundreds of secrets in your account can add several tens or hundreds of dollars to your AWS bill each month. So if you have unused secrets created by test applications, you will want to delete them in one go.

The problem is that there is no single AWS command for this, and, like most AWS list operations, listing secrets is paginated with a token.

So you have to repeatedly call the AWS API, retrieve a page of the secret list, and delete the secrets on it. You need a script and a few minutes to write it. Long story short, the script below polls the AWS API and does this for you. Warning: it deletes ALL the secrets in an account (scheduled with the 7-day recovery window set in the script, so a mistake can still be recovered within that window), so be careful to pick the right account:

/*
 * Note this is a command line script invoked by npm run
 * (see the "delete:awssecrets" entry in package.json).
 */
require('dotenv').config();
const AWS = require('aws-sdk');
// Secrets are named with a database-generated UUID; the ARN is never persisted, so it is
// discovered through listSecrets at run time rather than read from the database.
// Credentials come from the .env file loaded above; the region is fixed to us-west-1.
const {
	aws_secretsManager_accessKey: accessKeyId,
	aws_secretsManager_secret: secretAccessKey,
} = process.env;
const secretsManager = new AWS.SecretsManager({ accessKeyId, secretAccessKey, region: 'us-west-1' });
// Promise adapter for the callback-style SDK v2 deleteSecret call.
// Resolves with the SDK response data, rejects with the SDK error object.
const smgr_deleteSecret = (params) =>
	new Promise((resolve, reject) => {
		secretsManager.deleteSecret(params, (err, data) => (err ? reject(err) : resolve(data)));
	});
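/**
 * Schedule a secret for deletion.
 *
 * Secrets Manager does not delete immediately: the secret is marked for deletion and is
 * only purged after the recovery window, during which it can be restored. Keeping a
 * recovery window is what makes a bulk run like this script recoverable.
 *
 * @param {string} arn - ARN (or friendly name) of the secret; passed through as SecretId.
 * @param {number} [recoveryWindowInDays=7] - days before the secret is permanently removed
 *   (the service accepts 7 to 30).
 * @returns {Promise<object>} the SDK response data.
 */
const deleteSecret = async function(arn, recoveryWindowInDays = 7) {
	const params = {
		RecoveryWindowInDays: recoveryWindowInDays,
		SecretId: arn,
	};
	return smgr_deleteSecret(params);
}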
// Promise adapter for the callback-style SDK v2 listSecrets call.
// Resolves with the SDK response data (one page), rejects with the SDK error object.
const smgr_listSecrets = (params) =>
	new Promise((resolve, reject) => {
		secretsManager.listSecrets(params, (err, data) => (err ? reject(err) : resolve(data)));
	});
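/**
 * Collect the ARNs of every secret in the account by walking the paginated
 * listSecrets API until no NextToken is returned.
 *
 * A failed page is logged and then rethrown. The previous version logged and kept
 * looping: a failure on the first page dereferenced a null response, and a failure on a
 * later page retried the same token forever. For a script whose next step is deletion,
 * stopping on an incomplete enumeration is the safer behaviour.
 *
 * @returns {Promise<string[]>} ARNs in the order the service returned them.
 * @throws the SDK error from the first page that could not be fetched.
 */
const listSecrets = async function() {
	const arns = [];
	let nextToken;
	do {
		// Only send NextToken when continuing a listing; an undefined token is rejected by the SDK.
		const params = nextToken ? { NextToken: nextToken } : {};
		let data;
		try {
			data = await smgr_listSecrets(params);
		} catch (e) {
			console.log("Error fetching secret list.", e);
			throw e;
		}
		for (const secret of data.SecretList || []) {
			arns.push(secret.ARN);
		}
		nextToken = data.NextToken;
	} while (nextToken);
	return arns;
}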
// Expose the paginated listing so it can be required from other modules without the delete step.
module.exports.listSecrets = listSecrets;
/**
 * Enumerate every secret in the account and schedule each one for deletion.
 * A failure on an individual secret is logged and skipped so that one bad ARN
 * does not stop the rest of the run.
 *
 * @returns {Promise<void>}
 */
const listDeleteSecrets = async function() {
	const arns = await listSecrets();
	for (const arn of arns) {
		console.log("Deleting: ", arn);
		try {
			await deleteSecret(arn);
			console.log("Done.\n");
		} catch (e) {
			console.log("Error deleting secret. Error:", e);
		}
	}
}
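// Entry point. The promise was previously left floating, so a rejection (for example the
// listing failing) only surfaced as an unhandled-rejection warning while `npm run` could
// still report success. Report it and set a non-zero exit status instead.
listDeleteSecrets().catch((e) => {
	console.error("Fatal: could not delete secrets.", e);
	process.exitCode = 1;
});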

You can add this script to your package.json file as follows:

"delete:awssecrets": "node ./helpers/delete-aws-secrets",

and call it as follows:

$ npm run delete:awssecrets
> myapp@0.0.0 delete:awssecrets /Users/bahadir/express/sbox
> node ./helpers/delete-aws-secrets
Deleting: arn:aws:secretsmanager:us-west-1:8908909890:secret:a0d12324-d429-43e0-be28-b0fdc8e26c29-TmszDE
Done.
Deleting: arn:aws:secretsmanager:us-west-1:8908909890:secret:a9127fb7-8195-4ad6-b5fa-7e2957b270ee-CcgaBA
Done.
[Many more lines ...]

I hope you enjoy it and that it saves you some dollars on your AWS bill!



