While implementing a Lambda function to support auto-rotation for AWS secrets, I noticed a strange behaviour. Whenever Secrets Manager triggers the rotation, it creates a new version AWSPENDING and calls the Lambda function with this.
My Lambda function receives something like this - {"Step": "create_secret", "ClientRequestToken": "token_for_AWSPENDING" }
But when I run a getSecretValue based on this clientRequestToken, I get a ResourceNotFoundException. I catch this exception and write follow-up steps, but why does a token (version ID for AWSPENDING) that Secrets Manager provided not exist, OR why is it not returned?
Most of the scripts I found online seem to be catching this exception and adding a new secret version (via putSecretValue). I am trying to understand the AWS Secrets Manager side of implementation. Thank you in advance.
If I understand your question correctly, when you get the secret you need to specify the label of the version you want (AWSPENDING, AWSCURRENT, etc.). This assumes your new secret version was created successfully.
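Added example, not code from the question or the answer above: the create-secret step of a rotation Lambda written against the boto3 calls `get_secret_value` and `put_secret_value`. The ClientRequestToken in the rotation event is the version ID that Secrets Manager has reserved for the new version, but nothing is stored under it until the Lambda itself calls `put_secret_value`, which is why the first `get_secret_value` with that token raises ResourceNotFoundException. The `FakeSecretsManager` class, the secret ARN and the token value are constructed so the flow runs offline; a real `boto3.client("secretsmanager")` exposes the same methods and the same `client.exceptions.ResourceNotFoundException` attribute.

```python
import json
import secrets
import types


class FakeSecretsManager:
    """Constructed stand-in for the boto3 Secrets Manager client (not AWS code).

    It models only what the create step needs: a version store keyed by
    version ID, get_secret_value by staging label or version ID, and
    put_secret_value.
    """

    class ResourceNotFoundException(Exception):
        pass

    def __init__(self, current_secret_string):
        # version_id -> (secret string, staging labels)
        self.versions = {"version-0": (current_secret_string, ["AWSCURRENT"])}
        # boto3 exposes service errors as client.exceptions.<Name>; mirror that.
        self.exceptions = types.SimpleNamespace(
            ResourceNotFoundException=self.ResourceNotFoundException)

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        if VersionId is None and VersionStage is None:
            VersionStage = "AWSCURRENT"  # the service's default when nothing is specified
        for version_id, (value, stages) in self.versions.items():
            if VersionId is not None and version_id != VersionId:
                continue
            if VersionStage is not None and VersionStage not in stages:
                continue
            return {"VersionId": version_id, "SecretString": value, "VersionStages": stages}
        # Nothing stored under that version ID / label: same error the real service raises.
        raise self.ResourceNotFoundException("Secrets Manager can't find the specified secret value")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = (SecretString, list(VersionStages))
        return {"VersionId": ClientRequestToken, "VersionStages": list(VersionStages)}


def create_secret(client, secret_id, token):
    """Rotation step 1: ensure an AWSPENDING version stored under `token` exists.

    Secrets Manager only reserves `token` as the version ID for the new
    version; the Lambda must write the value. Looking it up first makes the
    step idempotent when the rotation is retried after a partial failure.
    """
    # AWSCURRENT serves as the template for the new secret's structure.
    current = json.loads(
        client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"])
    try:
        pending = client.get_secret_value(
            SecretId=secret_id, VersionId=token, VersionStage="AWSPENDING")
        return {"created": False, "version_id": pending["VersionId"]}
    except client.exceptions.ResourceNotFoundException:
        # Expected on the first call: nothing has been written under the token yet.
        new_secret = dict(current, password=secrets.token_urlsafe(32))
        response = client.put_secret_value(
            SecretId=secret_id,
            ClientRequestToken=token,
            SecretString=json.dumps(new_secret),
            VersionStages=["AWSPENDING"],
        )
        return {"created": True, "version_id": response["VersionId"]}


def lambda_handler(event, context, client=None):
    """Entry point shape of a rotation Lambda; only the create step is implemented here."""
    if client is None:
        import boto3  # only needed when running inside a real Lambda
        client = boto3.client("secretsmanager")
    step = event["Step"]
    if step in ("createSecret", "create_secret"):  # AWS sends "createSecret"
        return create_secret(client, event["SecretId"], event["ClientRequestToken"])
    raise ValueError("step not implemented in this example: %s" % step)


def run_demo():
    """Drive the create step twice against the fake client and return what happened."""
    client = FakeSecretsManager(json.dumps({"username": "app", "password": "old-pw"}))
    secret_id = "arn:aws:secretsmanager:REGION:ACCOUNT:secret:EXAMPLE"  # placeholder ARN
    token = "11111111-2222-3333-4444-555555555555"  # constructed ClientRequestToken
    first = create_secret(client, secret_id, token)   # creates the AWSPENDING version
    second = create_secret(client, secret_id, token)  # retry: finds it, writes nothing
    pending = json.loads(
        client.get_secret_value(SecretId=secret_id, VersionStage="AWSPENDING")["SecretString"])
    return first, second, pending


if __name__ == "__main__":
    print(run_demo())
```

The retry in `run_demo` is the point of the lookup-before-write pattern: if the Lambda is invoked again for the same token, the pending version is returned rather than overwritten with a second random password.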