[ aws . secretsmanager ]



Turns off automatic rotation, and if a rotation is currently in progress, cancels the rotation.

To turn on automatic rotation again, call RotateSecret .


If you cancel a rotation in progress, it can leave the VersionStage labels in an unexpected state. Depending on the step of the rotation in progress, you might need to remove the staging label AWSPENDING from the partially created version, specified by the VersionId response value. We recommend you also evaluate the partially rotated new version to see if it should be deleted. You can delete a version by removing all staging labels from it.

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.


--secret-id <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]


--secret-id (string)

The ARN or name of the secret.

For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.


To turn off automatic rotation for a secret

The following cancel-rotate-secret example turns off automatic rotation for a secret. To resume rotation, call rotate-secret.

aws secretsmanager cancel-rotate-secret \
    --secret-id MyTestSecret


  "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
  "Name": "MyTestSecret"

For more information, see Rotate a secret in the Secrets Manager User Guide.


ARN -> (string)

The ARN of the secret.

Name -> (string)

The name of the secret.

VersionId -> (string)

The unique identifier of the version of the secret created during the rotation. This version might not be complete, and should be evaluated for possible deletion. We recommend that you remove the VersionStage value AWSPENDING from this version so that Secrets Manager can delete it. Failing to clean up a cancelled rotation can block you from starting future rotations.