How to update an expired GitHub PAT

[zackproser]

A customer asked:

I'm trying to update an expired GitHub PAT, but apparently during a deployment I used a nonstandard name, so I recreated it. Following the instructions from the gruntwork-cli tool, I used gruntwork secrets create and got an ARN. However, after updating the arn in the shared-secret-resource-policies in the shared account, and then eg updating the arn in the _envcommon/mgmt/ecs-deploy-runner.hcl I can't seem to get the pipeline permissions right. The CI/CD pipeline won't run. It fails with the error

[infrastructure-deployer] ERRO[2022-01-05T03:42:17Z] ECS Task failed to start. Reason: Fetching secret data from
 AWS Secrets Manager in region us-west-2: secret arn:aws:secretsmanager:us-west-2:-:secret:MachineUserGitHubPAT-aoEEZk: InvalidRequestException:
 You can't access a secret from a different AWS account if you encrypt the secret with the default KMS service key.

[zackproser]

You can update the github PAT if you use the gruntwork secrets update command, which will update the secret in place.

However, if you need to rename the secret and recreate it, there is an extra step after the secrets create command. You need to update the secrets manager secret to be encrypted with the shared KMS key instead of the default. The gruntwork CLI in create mode doesn’t automatically use the right KMS key because it is unfortunately designed for pre deployment and isn’t optimized for post deployment secrets rotation.

So we recommend doing this via the AWS web console. When you open the page for the secrets manager entry, you should see a drop down with the KMS key used for encryption, and you want to update it to use the key called shared-secrets.

[zackproser]

credit for this solution goes to @yorinasub17