@aws-sdk/client-secrets-manager - AWSCURRENT & AWSPREVIOUS incorrect

[aguilita1]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

AWS Secret Manager uses older versions of AWS Secrets, instead of the AWSCURRENT and AWSPREVIOUS. Older version of secrets are still displayed in output of DescribeSecretCommand and GetSecretValueCommand even though AWS Secrets Manager clearly has a different current version of secrets.

Impacted Versions (at least)

"@aws-sdk/client-secrets-manager": "^3.0.0",
"@aws-sdk/client-secrets-manager": "^3.606.0"
"@aws-sdk/client-secrets-manager": "^3.911.0",

Regression Issue

• Select this option if this issue appears to be a regression.

SDK version number

"@aws-sdk/client-secrets-manager": "^3.0.0","@aws-sdk/client-secrets-manager": "^3.606.0", "@aws-sdk/client-secrets-manager": "^3.911.0",

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v24.10.0

Reproduction Steps

Steps to Reproduce

• Create secrets in AWS Secret Manager
• Update secrets in AWS Secret Manager so there are two distinct versions.
  • first version has secrets
    • TEST__SECRET_1=1
    • TEST__SECRET_2=2
    • TEST__SECRET_3=3
  • 2nd version has secrets
    • TEST__SECRET_4=4
    • TEST__SECRET_5=5
  • 3rd version has secrets
    • TEST__SECRET_6=6
• Verify there are distinct versions of secrets and secrets are values expected
  aws secretsmanager describe-secret --secret-id my/test/env --region us-east-1
aws secretsmanager get-secret-value --secret-id my/test/env --version-id ENTER_CURRENT_VERSION_ID --region us-east-1
• Run test code to DescribeSecretCommand and GetSecretValueCommand
• Notice TEST__SECRET_1, TEST__SECRET_2, TEST__SECRET_3 are still displayed in environment, even though these are not the current version. Note @aws-sdk/client-secrets-manager is not pulling the current version or previous version of secret properly. If you compare results for DescribeSecretCommand to AWS CLI aws secretsmanager describe-secret --secret-id my/test/env --region us-east-1 then you will quickly notice error.

Test code

/**
 * Retrieves a secret from Secrets Manager
 *
 * @param secretId: The name or full ARN of a secret
 * @returns Promise<SecretValueResponse>
 */
async function getSecretValue(secretId)  {
  let secretValue = '';

  // Step 1: Describe the secret to get version metadata
  const describeResult = await secretMgr.send(new DescribeSecretCommand({
    SecretId: secretId
  }));
  console.log("JSON Describe Secret: ", describeResult);

  // Step 2: Find the version ID associated with AWSCURRENT
  const versionId = Object.entries(describeResult.VersionIdsToStages || {})
    .find(([_, stages]) => stages.includes('AWSCURRENT'))?.[0];
  console.log("Secret versionId: ", versionId);
  
  if (!versionId) {
    throw new Error(`No version marked as AWSCURRENT for secret: ${secretId}`);
  }
  
  const data = await secretMgr.send(new GetSecretValueCommand({SecretId: secretId, VersionId: versionId}));

  if (data.SecretString) {
      secretValue = data.SecretString;
      console.log("JSON Secret: ", secretValue);
  } else if (data.SecretBinary) {
      // Only string and JSON string values are supported in Github env
      secretValue = Buffer.from(data.SecretBinary).toString('ascii');
  }

  if (!(data.Name)){
      throw new Error('Invalid name for secret');
  }

  return {
      name: data.Name,
      secretValue
  };
}

Observed Behavior

Below snip-it of output from DescribeSecretCommand show version-ids for very old AWSCURRENT and AWSPREVIOUS.

  VersionIdsToStages: {
    '5d370cde-6d81-47fe-9bc3-fdb5f09ced77': [ 'AWSPREVIOUS' ],
    'f6598456-3fd9-4b04-982c-16fcadb10075': [ 'AWSCURRENT' ]
  }

Expected Behavior

Below snip-it of output from AWS CLI aws secretsmanager describe-secret --secret-id my/test/env --region us-east-1 shows correct version-ids for AWSCURRENT and AWSPREVIOUS.

    "VersionIdsToStages": {
        "40b02ab8-28ab-4407-84e8-ab5273ada46d": [
            "AWSPREVIOUS"
        ],
        "466d52bf-4873-44ce-ae3f-9d536238a826": [
            "AWSCURRENT"
        ]

Possible Solution

Correct version-ids returned @aws-sdk/client-secrets-manager so AWSCURRENT and AWSPREVIOUS match AWS CLI and AWS Console version-id

Additional Information/Context

No response

[aguilita1]

This seems likely to be AWS server side and not @aws-sdk/client-secrets-manager given the incorrect behavior can be observed in all 3.x versions.

[simonmarty]

Update secrets in AWS Secret Manager so there are two distinct versions.
first version has secrets
TEST__SECRET_1=1
TEST__SECRET_2=2
TEST__SECRET_3=3
2nd version has secrets
TEST__SECRET_4=4
TEST__SECRET_5=5
3rd version has secrets
TEST__SECRET_6=6

Where does this third version come from? Could you give AWS SDK or CLI commands to reproduce the setup?

[aguilita1]

Nevermind. I found I have a different AWS account configured on command line hence the different results in AWS CLI

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.