Unexpected Behavior from AWS CLI SecretsManager --force-delete-without-recovery

I'm trying to delete a secret in AWS Secrets Manager. I can use --secret-id or the ARN, but either way the secret still exists in the console and in later CLI calls with --force-delete. The ARN and DeletionDates change, and in the console it shows a "Deleted" date, but the option to cancel the deletion is still there. What's going on?

>>> aws secretsmanager delete-secret --secret-id 202112030312-dev-rds-pw --force-delete-without-recovery --region us-west-2 --profile=development
{
    "ARN": "arn:aws:secretsmanager:us-west-2:99999999999:secret:202112030312-dev-rds-pw-Cf10KE",
    "Name": "202112030312-dev-rds-pw",
    "DeletionDate": "2021-12-02T20:15:28.129000-07:00"
}

>>> aws secretsmanager delete-secret --secret-id 202112030312-dev-rds-pw --force-delete-without-recovery --region us-west-2 --profile=development
{
    "ARN": "arn:aws:secretsmanager:us-west-2:99999999999:secret:202112030312-dev-rds-pw-srMuPx",
    "Name": "202112030312-dev-rds-pw",
    "DeletionDate": "2021-12-02T20:15:40.226000-07:00"
}

>>> # NOTE THE SUFFIX ON THE ARN...
>>> aws secretsmanager delete-secret --secret-id arn:aws:secretsmanager:us-west-2:99999999999:secret:202112030312-dev-rds-pw-srMuPx --force-delete-without-recovery --region us-west-2 --profile=development
{
    "ARN": "arn:aws:secretsmanager:us-west-2:99999999999:secret:202112030312-dev-rds-pw-oz8kB2",
    "Name": "202112030312-dev-rds-pw",
    "DeletionDate": "2021-12-02T20:17:36.631000-07:00"
}

If you include --force-delete-without-recovery, delete-secret does not check whether the secret exists. It will still "work" as if the secret existed. From the docs:

If you use this parameter and include a previously deleted or nonexistent secret, the operation does not return the error ResourceNotFoundException in order to correctly handle retries.
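One defensive way to handle this, as an added example that is not from the original question or answer: confirm the secret exists with describe-secret before deleting, pin its exact ARN, and re-check afterwards instead of trusting the forced delete's success output. It assumes the AWS CLI is on PATH with region and credentials in the environment, and uses a hypothetical AWS_CMD hook so the functions can be pointed at a stub.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. Before deleting,
# confirm the secret exists via describe-secret (which, unlike a forced
# delete-secret, does report ResourceNotFoundException), pin its exact ARN so the
# random suffix cannot change underneath you, then re-check after the delete.
# Assumptions: the AWS CLI is on PATH with region/credentials in the environment.
# AWS_CMD is a hypothetical hook so the functions can be pointed at a stub.
set -u
AWS_CMD="${AWS_CMD:-aws}"

# Print the ARN of a secret that exists and is not already scheduled for deletion.
# Returns 1 for a missing secret or one that carries a DeletedDate.
live_secret_arn() {
  secret_id="$1"
  out="$($AWS_CMD secretsmanager describe-secret --secret-id "$secret_id" \
          --query '[ARN,DeletedDate]' --output text 2>/dev/null)" || return 1
  [ -n "$out" ] || return 1
  set -- $out                             # text output is "ARN<TAB>DeletedDate"
  [ "${2:-None}" = "None" ] || return 1   # a null field prints as None in text output
  printf '%s\n' "$1"
}

# Delete by exact ARN with no recovery window, then verify the secret is gone
# instead of trusting delete-secret's success response.
# Return codes: 0 deleted and verified, 1 delete call failed,
# 2 nothing live to delete (delete-secret is not called at all),
# 3 delete "succeeded" but the secret is still visible (propagation may take a
# moment; re-check before concluding the secret survived).
delete_secret_verified() {
  secret_id="$1"
  arn="$(live_secret_arn "$secret_id")" \
    || { echo "no live secret named $secret_id; not calling delete-secret" >&2; return 2; }
  $AWS_CMD secretsmanager delete-secret --secret-id "$arn" \
    --force-delete-without-recovery >/dev/null || return 1
  if $AWS_CMD secretsmanager describe-secret --secret-id "$arn" >/dev/null 2>&1; then
    echo "delete-secret returned success but $arn is still visible" >&2
    return 3
  fi
  echo "deleted and verified: $arn"
}
```

Run it as `delete_secret_verified 202112030312-dev-rds-pw` and check the return code; a second run reports exit code 2 rather than "deleting" a name that no longer maps to anything.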