aws-sdk-secretsmanager 1.37.1 → 1.42.0

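--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: f3b9e8d73deccb863f9fc745030a70cdbc9883cfb3dde4234ca47bb403f638fe
- data.tar.gz: c7294e681c03f5789f17ccc244605ca38b0f4cd42ce1e067064a553571f2a4ae
+ metadata.gz: 27bde9c73e8932de364c630b52db249ab97730193b05cfcd77d0f48ba4dff85c
+ data.tar.gz: 383c505042824f7adb3b462e03d7be719ff4e18b6da6232cdfb4a4d3ddd8f304
  SHA512:
- metadata.gz: eafd26ca3305e62797f4dec4d16442067d5442915eb7a58019f4435ed49351a08c74444fa516161e12ad6580d8101f11ad7983c2042c716689970760988149a2
- data.tar.gz: b8bf16570345efdd54dfab11544b8a3b1d5a7a4956c1b644f277e2be38bef847fde1fbaf32c7c36aee5d6b3d1a116bf0b802802267b77301ab22acdc13be3e0a
+ metadata.gz: 64cbcc749e96e300c06d603ebb77a9441d6f1bd3643ea4b6cafc73da0f9d053bbe5b719e49aaca878186fad94c42bf493dbe67d42cdfa369757e7d5dd1b6facd
+ data.tar.gz: 7b6979622238a0b9ab172539c82f36626c3bdc6622b70f91ae3e121008e4938b5e917495499b0ac82b2e50965538606d41664889d853804cdbf710c22b2cfe31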
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  # WARNING ABOUT GENERATED CODE
2
4
  #
3
5
  # This file is generated. See the contributing guide for more information:
@@ -5,6 +7,7 @@
5
7
  #
6
8
  # WARNING ABOUT GENERATED CODE
7
9
 
10
+
8
11
  require 'aws-sdk-core'
9
12
  require 'aws-sigv4'
10
13
 
@@ -42,9 +45,9 @@ require_relative 'aws-sdk-secretsmanager/customizations'
42
45
  #
43
46
  # See {Errors} for more information.
44
47
  #
45
- # @service
48
+ # @!group service
46
49
  module Aws::SecretsManager
47
50
 
48
- GEM_VERSION = '1.37.1'
51
+ GEM_VERSION = '1.42.0'
49
52
 
50
53
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  # WARNING ABOUT GENERATED CODE
2
4
  #
3
5
  # This file is generated. See the contributing guide for more information:
@@ -83,13 +85,28 @@ module Aws::SecretsManager
83
85
  # * `Aws::Credentials` - Used for configuring static, non-refreshing
84
86
  # credentials.
85
87
  #
88
+ # * `Aws::SharedCredentials` - Used for loading static credentials from a
89
+ # shared file, such as `~/.aws/config`.
90
+ #
91
+ # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
92
+ #
93
+ # * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
94
+ # assume a role after providing credentials via the web.
95
+ #
96
+ # * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
97
+ # access token generated from `aws login`.
98
+ #
99
+ # * `Aws::ProcessCredentials` - Used for loading credentials from a
100
+ # process that outputs to stdout.
101
+ #
86
102
  # * `Aws::InstanceProfileCredentials` - Used for loading credentials
87
103
  # from an EC2 IMDS on an EC2 instance.
88
104
  #
89
- # * `Aws::SharedCredentials` - Used for loading credentials from a
90
- # shared file, such as `~/.aws/config`.
105
+ # * `Aws::ECSCredentials` - Used for loading credentials from
106
+ # instances running in ECS.
91
107
  #
92
- # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
108
+ # * `Aws::CognitoIdentityCredentials` - Used for loading credentials
109
+ # from the Cognito Identity service.
93
110
  #
94
111
  # When `:credentials` are not configured directly, the following
95
112
  # locations will be searched for credentials:
@@ -99,10 +116,10 @@ module Aws::SecretsManager
99
116
  # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
100
117
  # * `~/.aws/credentials`
101
118
  # * `~/.aws/config`
102
- # * EC2 IMDS instance profile - When used by default, the timeouts are
103
- # very aggressive. Construct and pass an instance of
104
- # `Aws::InstanceProfileCredentails` to enable retries and extended
105
- # timeouts.
119
+ # * EC2/ECS IMDS instance profile - When used by default, the timeouts
120
+ # are very aggressive. Construct and pass an instance of
121
+ # `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
122
+ # enable retries and extended timeouts.
106
123
  #
107
124
  # @option options [required, String] :region
108
125
  # The AWS region to connect to. The configured `:region` is
@@ -321,20 +338,20 @@ module Aws::SecretsManager
321
338
  # @!group API Operations
322
339
 
323
340
  # Disables automatic scheduled rotation and cancels the rotation of a
324
- # secret if one is currently in progress.
341
+ # secret if currently in progress.
325
342
  #
326
343
  # To re-enable scheduled rotation, call RotateSecret with
327
344
  # `AutomaticallyRotateAfterDays` set to a value greater than 0. This
328
- # will immediately rotate your secret and then enable the automatic
345
+ # immediately rotates your secret and then enables the automatic
329
346
  # schedule.
330
347
  #
331
- # <note markdown="1"> If you cancel a rotation that is in progress, it can leave the
332
- # `VersionStage` labels in an unexpected state. Depending on what step
333
- # of the rotation was in progress, you might need to remove the staging
334
- # label `AWSPENDING` from the partially created version, specified by
335
- # the `VersionId` response value. You should also evaluate the partially
348
+ # <note markdown="1"> If you cancel a rotation while in progress, it can leave the
349
+ # `VersionStage` labels in an unexpected state. Depending on the step of
350
+ # the rotation in progress, you might need to remove the staging label
351
+ # `AWSPENDING` from the partially created version, specified by the
352
+ # `VersionId` response value. You should also evaluate the partially
336
353
  # rotated new version to see if it should be deleted, which you can do
337
- # by removing all staging labels from the new version's `VersionStage`
354
+ # by removing all staging labels from the new version `VersionStage`
338
355
  # field.
339
356
  #
340
357
  # </note>
@@ -342,12 +359,12 @@ module Aws::SecretsManager
342
359
  # To successfully start a rotation, the staging label `AWSPENDING` must
343
360
  # be in one of the following states:
344
361
  #
345
- # * Not be attached to any version at all
362
+ # * Not attached to any version at all
346
363
  #
347
364
  # * Attached to the same version as the staging label `AWSCURRENT`
348
365
  #
349
- # If the staging label `AWSPENDING` is attached to a different version
350
- # than the version with `AWSCURRENT` then the attempt to rotate fails.
366
+ # If the staging label `AWSPENDING` attached to a different version than
367
+ # the version with `AWSCURRENT` then the attempt to rotate fails.
351
368
  #
352
369
  # **Minimum permissions**
353
370
  #
@@ -371,9 +388,9 @@ module Aws::SecretsManager
371
388
  # ListSecretVersionIds.
372
389
  #
373
390
  # @option params [required, String] :secret_id
374
- # Specifies the secret for which you want to cancel a rotation request.
375
- # You can specify either the Amazon Resource Name (ARN) or the friendly
376
- # name of the secret.
391
+ # Specifies the secret to cancel a rotation request. You can specify
392
+ # either the Amazon Resource Name (ARN) or the friendly name of the
393
+ # secret.
377
394
  #
378
395
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
379
396
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -386,7 +403,13 @@ module Aws::SecretsManager
386
403
  # then those characters cause Secrets Manager to assume that you’re
387
404
  # specifying a complete ARN. This confusion can cause unexpected
388
405
  # results. To avoid this situation, we recommend that you don’t create
389
- # secret names that end with a hyphen followed by six characters.
406
+ # secret names ending with a hyphen followed by six characters.
407
+ #
408
+ # If you specify an incomplete ARN without the random suffix, and
409
+ # instead provide the 'friendly name', you *must* not include the
410
+ # random suffix. If you do include the random suffix added by Secrets
411
+ # Manager, you receive either a *ResourceNotFoundException* or an
412
+ # *AccessDeniedException* error, depending on your permissions.
390
413
  #
391
414
  # </note>
392
415
  #
@@ -445,7 +468,7 @@ module Aws::SecretsManager
445
468
  # version is in the rotation cycle. The `SecretVersionsToStages` field
446
469
  # of the secret contains the mapping of staging labels to the active
447
470
  # versions of the secret. Versions without a staging label are
448
- # considered deprecated and are not included in the list.
471
+ # considered deprecated and not included in the list.
449
472
  #
450
473
  # You provide the secret data to be encrypted by putting text in either
451
474
  # the `SecretString` parameter or binary data in the `SecretBinary`
@@ -454,29 +477,29 @@ module Aws::SecretsManager
454
477
  # version and automatically attaches the staging label `AWSCURRENT` to
455
478
  # the new version.
456
479
  #
457
- # <note markdown="1"> * If you call an operation that needs to encrypt or decrypt the
458
- # `SecretString` or `SecretBinary` for a secret in the same account as
459
- # the calling user and that secret doesn't specify a AWS KMS
460
- # encryption key, Secrets Manager uses the account's default AWS
461
- # managed customer master key (CMK) with the alias
462
- # `aws/secretsmanager`. If this key doesn't already exist in your
463
- # account then Secrets Manager creates it for you automatically. All
464
- # users and roles in the same AWS account automatically have access to
465
- # use the default CMK. Note that if an Secrets Manager API call
466
- # results in AWS having to create the account's AWS-managed CMK, it
467
- # can result in a one-time significant delay in returning the result.
468
- #
469
- # * If the secret is in a different AWS account from the credentials
470
- # calling an API that requires encryption or decryption of the secret
471
- # value then you must create and use a custom AWS KMS CMK because you
472
- # can't access the default CMK for the account using credentials from
473
- # a different AWS account. Store the ARN of the CMK in the secret when
474
- # you create the secret or when you update it by including it in the
475
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
476
- # `SecretString` or `SecretBinary` using credentials from a different
477
- # account then the AWS KMS key policy must grant cross-account access
478
- # to that other account's user or role for both the
479
- # kms:GenerateDataKey and kms:Decrypt operations.
480
+ # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
481
+ # `SecretBinary` for a secret in the same account as the calling user
482
+ # and that secret doesn't specify a AWS KMS encryption key, Secrets
483
+ # Manager uses the account's default AWS managed customer master key
484
+ # (CMK) with the alias `aws/secretsmanager`. If this key doesn't
485
+ # already exist in your account then Secrets Manager creates it for
486
+ # you automatically. All users and roles in the same AWS account
487
+ # automatically have access to use the default CMK. Note that if an
488
+ # Secrets Manager API call results in AWS creating the account's
489
+ # AWS-managed CMK, it can result in a one-time significant delay in
490
+ # returning the result.
491
+ #
492
+ # * If the secret resides in a different AWS account from the
493
+ # credentials calling an API that requires encryption or decryption of
494
+ # the secret value then you must create and use a custom AWS KMS CMK
495
+ # because you can't access the default CMK for the account using
496
+ # credentials from a different AWS account. Store the ARN of the CMK
497
+ # in the secret when you create the secret or when you update it by
498
+ # including it in the `KMSKeyId`. If you call an API that must encrypt
499
+ # or decrypt `SecretString` or `SecretBinary` using credentials from a
500
+ # different account then the AWS KMS key policy must grant
501
+ # cross-account access to that other account's user or role for both
502
+ # the kms:GenerateDataKey and kms:Decrypt operations.
480
503
  #
481
504
  # </note>
482
505
  #
@@ -490,11 +513,11 @@ module Aws::SecretsManager
490
513
  #
491
514
  # * kms:GenerateDataKey - needed only if you use a customer-managed AWS
492
515
  # KMS key to encrypt the secret. You do not need this permission to
493
- # use the account's default AWS managed CMK for Secrets Manager.
516
+ # use the account default AWS managed CMK for Secrets Manager.
494
517
  #
495
518
  # * kms:Decrypt - needed only if you use a customer-managed AWS KMS key
496
519
  # to encrypt the secret. You do not need this permission to use the
497
- # account's default AWS managed CMK for Secrets Manager.
520
+ # account default AWS managed CMK for Secrets Manager.
498
521
  #
499
522
  # * secretsmanager:TagResource - needed only if you include the `Tags`
500
523
  # parameter.
@@ -524,11 +547,10 @@ module Aws::SecretsManager
524
547
  # The secret name must be ASCII letters, digits, or the following
525
548
  # characters : /\_+=.@-
526
549
  #
527
- # <note markdown="1"> Don't end your secret name with a hyphen followed by six characters.
550
+ # <note markdown="1"> Do not end your secret name with a hyphen followed by six characters.
528
551
  # If you do so, you risk confusion and unexpected results when searching
529
- # for a secret by partial ARN. This is because Secrets Manager
530
- # automatically adds a hyphen and six random characters at the end of
531
- # the ARN.
552
+ # for a secret by partial ARN. Secrets Manager automatically adds a
553
+ # hyphen and six random characters at the end of the ARN.
532
554
  #
533
555
  # </note>
534
556
  #
@@ -543,7 +565,7 @@ module Aws::SecretsManager
543
565
  # the request. If you don't use the SDK and instead generate a raw HTTP
544
566
  # request to the Secrets Manager service endpoint, then you must
545
567
  # generate a `ClientRequestToken` yourself for the new version and
546
- # include that value in the request.
568
+ # include the value in the request.
547
569
  #
548
570
  # </note>
549
571
  #
@@ -556,10 +578,9 @@ module Aws::SecretsManager
556
578
  # * If the `ClientRequestToken` value isn't already associated with a
557
579
  # version of the secret then a new version of the secret is created.
558
580
  #
559
- # * If a version with this value already exists and that version's
581
+ # * If a version with this value already exists and the version
560
582
  # `SecretString` and `SecretBinary` values are the same as those in
561
- # the request, then the request is ignored (the operation is
562
- # idempotent).
583
+ # the request, then the request is ignored.
563
584
  #
564
585
  # * If a version with this value already exists and that version's
565
586
  # `SecretString` and `SecretBinary` values are different from those in
@@ -595,12 +616,12 @@ module Aws::SecretsManager
595
616
  # time it needs to encrypt a version's `SecretString` or `SecretBinary`
596
617
  # fields.
597
618
  #
598
- # You can use the account's default CMK to encrypt and decrypt only if
599
- # you call this operation using credentials from the same account that
600
- # owns the secret. If the secret is in a different account, then you
619
+ # You can use the account default CMK to encrypt and decrypt only if you
620
+ # call this operation using credentials from the same account that owns
621
+ # the secret. If the secret resides in a different account, then you
601
622
  # must create a custom CMK and specify the ARN in this field.
602
623
  #
603
- # @option params [String, IO] :secret_binary
624
+ # @option params [String, StringIO, File] :secret_binary
604
625
  # (Optional) Specifies binary data that you want to encrypt and store in
605
626
  # the new version of the secret. To use this parameter in the
606
627
  # command-line tools, we recommend that you store your binary data in a
@@ -632,7 +653,7 @@ module Aws::SecretsManager
632
653
  # environments, see [Using JSON for Parameters][1] in the *AWS CLI User
633
654
  # Guide*. For example:
634
655
  #
635
- # `[\{"username":"bob"\},\{"password":"abc123xyz456"\}]`
656
+ # `\{"username":"bob","password":"abc123xyz456"\}`
636
657
  #
637
658
  # If your command-line tool or SDK requires quotation marks around the
638
659
  # parameter, you should use single quotes to avoid confusion with the
@@ -678,16 +699,16 @@ module Aws::SecretsManager
678
699
  #
679
700
  # * Tag keys and values are case sensitive.
680
701
  #
681
- # * Do not use the `aws:` prefix in your tag names or values because it
682
- # is reserved for AWS use. You can't edit or delete tag names or
702
+ # * Do not use the `aws:` prefix in your tag names or values because AWS
703
+ # reserves it for AWS use. You can't edit or delete tag names or
683
704
  # values with this prefix. Tags with this prefix do not count against
684
705
  # your tags per secret limit.
685
706
  #
686
- # * If your tagging schema will be used across multiple services and
687
- # resources, remember that other services might have restrictions on
688
- # allowed characters. Generally allowed characters are: letters,
689
- # spaces, and numbers representable in UTF-8, plus the following
690
- # special characters: + - = . \_ : / @.
707
+ # * If you use your tagging schema across multiple services and
708
+ # resources, remember other services might have restrictions on
709
+ # allowed characters. Generally allowed characters: letters, spaces,
710
+ # and numbers representable in UTF-8, plus the following special
711
+ # characters: + - = . \_ : / @.
691
712
  #
692
713
  #
693
714
  #
@@ -751,8 +772,7 @@ module Aws::SecretsManager
751
772
  req.send_request(options)
752
773
  end
753
774
 
754
- # Deletes the resource-based permission policy that's attached to the
755
- # secret.
775
+ # Deletes the resource-based permission policy attached to the secret.
756
776
  #
757
777
  # **Minimum permissions**
758
778
  #
@@ -787,7 +807,13 @@ module Aws::SecretsManager
787
807
  # then those characters cause Secrets Manager to assume that you’re
788
808
  # specifying a complete ARN. This confusion can cause unexpected
789
809
  # results. To avoid this situation, we recommend that you don’t create
790
- # secret names that end with a hyphen followed by six characters.
810
+ # secret names ending with a hyphen followed by six characters.
811
+ #
812
+ # If you specify an incomplete ARN without the random suffix, and
813
+ # instead provide the 'friendly name', you *must* not include the
814
+ # random suffix. If you do include the random suffix added by Secrets
815
+ # Manager, you receive either a *ResourceNotFoundException* or an
816
+ # *AccessDeniedException* error, depending on your permissions.
791
817
  #
792
818
  # </note>
793
819
  #
@@ -890,7 +916,13 @@ module Aws::SecretsManager
890
916
  # then those characters cause Secrets Manager to assume that you’re
891
917
  # specifying a complete ARN. This confusion can cause unexpected
892
918
  # results. To avoid this situation, we recommend that you don’t create
893
- # secret names that end with a hyphen followed by six characters.
919
+ # secret names ending with a hyphen followed by six characters.
920
+ #
921
+ # If you specify an incomplete ARN without the random suffix, and
922
+ # instead provide the 'friendly name', you *must* not include the
923
+ # random suffix. If you do include the random suffix added by Secrets
924
+ # Manager, you receive either a *ResourceNotFoundException* or an
925
+ # *AccessDeniedException* error, depending on your permissions.
894
926
  #
895
927
  # </note>
896
928
  #
@@ -968,8 +1000,8 @@ module Aws::SecretsManager
968
1000
  end
969
1001
 
970
1002
  # Retrieves the details of a secret. It does not include the encrypted
971
- # fields. Only those fields that are populated with a value are returned
972
- # in the response.
1003
+ # fields. Secrets Manager only returns fields populated with a value in
1004
+ # the response.
973
1005
  #
974
1006
  # **Minimum permissions**
975
1007
  #
@@ -1006,7 +1038,13 @@ module Aws::SecretsManager
1006
1038
  # then those characters cause Secrets Manager to assume that you’re
1007
1039
  # specifying a complete ARN. This confusion can cause unexpected
1008
1040
  # results. To avoid this situation, we recommend that you don’t create
1009
- # secret names that end with a hyphen followed by six characters.
1041
+ # secret names ending with a hyphen followed by six characters.
1042
+ #
1043
+ # If you specify an incomplete ARN without the random suffix, and
1044
+ # instead provide the 'friendly name', you *must* not include the
1045
+ # random suffix. If you do include the random suffix added by Secrets
1046
+ # Manager, you receive either a *ResourceNotFoundException* or an
1047
+ # *AccessDeniedException* error, depending on your permissions.
1010
1048
  #
1011
1049
  # </note>
1012
1050
  #
@@ -1026,6 +1064,7 @@ module Aws::SecretsManager
1026
1064
  # * {Types::DescribeSecretResponse#tags #tags} => Array&lt;Types::Tag&gt;
1027
1065
  # * {Types::DescribeSecretResponse#version_ids_to_stages #version_ids_to_stages} => Hash&lt;String,Array&lt;String&gt;&gt;
1028
1066
  # * {Types::DescribeSecretResponse#owning_service #owning_service} => String
1067
+ # * {Types::DescribeSecretResponse#created_date #created_date} => Time
1029
1068
  #
1030
1069
  #
1031
1070
  # @example Example: To retrieve the details of a secret
@@ -1096,6 +1135,7 @@ module Aws::SecretsManager
1096
1135
  # resp.version_ids_to_stages["SecretVersionIdType"] #=> Array
1097
1136
  # resp.version_ids_to_stages["SecretVersionIdType"][0] #=> String
1098
1137
  # resp.owning_service #=> String
1138
+ # resp.created_date #=> Time
1099
1139
  #
1100
1140
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DescribeSecret AWS API Documentation
1101
1141
  #
@@ -1214,11 +1254,10 @@ module Aws::SecretsManager
1214
1254
  req.send_request(options)
1215
1255
  end
1216
1256
 
1217
- # Retrieves the JSON text of the resource-based policy document that's
1218
- # attached to the specified secret. The JSON request string input and
1219
- # response output are shown formatted with white space and line breaks
1220
- # for better readability. Submit your input as a single line JSON
1221
- # string.
1257
+ # Retrieves the JSON text of the resource-based policy document attached
1258
+ # to the specified secret. The JSON request string input and response
1259
+ # output displays formatted code with white space and line breaks for
1260
+ # better readability. Submit your input as a single line JSON string.
1222
1261
  #
1223
1262
  # **Minimum permissions**
1224
1263
  #
@@ -1232,8 +1271,8 @@ module Aws::SecretsManager
1232
1271
  #
1233
1272
  # * To attach a resource policy to a secret, use PutResourcePolicy.
1234
1273
  #
1235
- # * To delete the resource-based policy that's attached to a secret,
1236
- # use DeleteResourcePolicy.
1274
+ # * To delete the resource-based policy attached to a secret, use
1275
+ # DeleteResourcePolicy.
1237
1276
  #
1238
1277
  # * To list all of the currently available secrets, use ListSecrets.
1239
1278
  #
@@ -1253,7 +1292,13 @@ module Aws::SecretsManager
1253
1292
  # then those characters cause Secrets Manager to assume that you’re
1254
1293
  # specifying a complete ARN. This confusion can cause unexpected
1255
1294
  # results. To avoid this situation, we recommend that you don’t create
1256
- # secret names that end with a hyphen followed by six characters.
1295
+ # secret names ending with a hyphen followed by six characters.
1296
+ #
1297
+ # If you specify an incomplete ARN without the random suffix, and
1298
+ # instead provide the 'friendly name', you *must* not include the
1299
+ # random suffix. If you do include the random suffix added by Secrets
1300
+ # Manager, you receive either a *ResourceNotFoundException* or an
1301
+ # *AccessDeniedException* error, depending on your permissions.
1257
1302
  #
1258
1303
  # </note>
1259
1304
  #
@@ -1338,7 +1383,13 @@ module Aws::SecretsManager
1338
1383
  # then those characters cause Secrets Manager to assume that you’re
1339
1384
  # specifying a complete ARN. This confusion can cause unexpected
1340
1385
  # results. To avoid this situation, we recommend that you don’t create
1341
- # secret names that end with a hyphen followed by six characters.
1386
+ # secret names ending with a hyphen followed by six characters.
1387
+ #
1388
+ # If you specify an incomplete ARN without the random suffix, and
1389
+ # instead provide the 'friendly name', you *must* not include the
1390
+ # random suffix. If you do include the random suffix added by Secrets
1391
+ # Manager, you receive either a *ResourceNotFoundException* or an
1392
+ # *AccessDeniedException* error, depending on your permissions.
1342
1393
  #
1343
1394
  # </note>
1344
1395
  #
@@ -1435,8 +1486,8 @@ module Aws::SecretsManager
1435
1486
  #
1436
1487
  # <note markdown="1"> Always check the `NextToken` response parameter when calling any of
1437
1488
  # the `List*` operations. These operations can occasionally return an
1438
- # empty or shorter than expected list of results even when there are
1439
- # more results available. When this happens, the `NextToken` response
1489
+ # empty or shorter than expected list of results even when there more
1490
+ # results become available. When this happens, the `NextToken` response
1440
1491
  # parameter contains a value to pass to the next call to the same API to
1441
1492
  # request the next part of the list.
1442
1493
  #
@@ -1472,28 +1523,34 @@ module Aws::SecretsManager
1472
1523
  # then those characters cause Secrets Manager to assume that you’re
1473
1524
  # specifying a complete ARN. This confusion can cause unexpected
1474
1525
  # results. To avoid this situation, we recommend that you don’t create
1475
- # secret names that end with a hyphen followed by six characters.
1526
+ # secret names ending with a hyphen followed by six characters.
1527
+ #
1528
+ # If you specify an incomplete ARN without the random suffix, and
1529
+ # instead provide the 'friendly name', you *must* not include the
1530
+ # random suffix. If you do include the random suffix added by Secrets
1531
+ # Manager, you receive either a *ResourceNotFoundException* or an
1532
+ # *AccessDeniedException* error, depending on your permissions.
1476
1533
  #
1477
1534
  # </note>
1478
1535
  #
1479
1536
  # @option params [Integer] :max_results
1480
- # (Optional) Limits the number of results that you want to include in
1481
- # the response. If you don't include this parameter, it defaults to a
1482
- # value that's specific to the operation. If additional items exist
1483
- # beyond the maximum you specify, the `NextToken` response element is
1484
- # present and has a value (isn't null). Include that value as the
1485
- # `NextToken` request parameter in the next call to the operation to get
1486
- # the next part of the results. Note that Secrets Manager might return
1487
- # fewer results than the maximum even when there are more results
1488
- # available. You should check `NextToken` after every operation to
1489
- # ensure that you receive all of the results.
1537
+ # (Optional) Limits the number of results you want to include in the
1538
+ # response. If you don't include this parameter, it defaults to a value
1539
+ # that's specific to the operation. If additional items exist beyond
1540
+ # the maximum you specify, the `NextToken` response element is present
1541
+ # and has a value (isn't null). Include that value as the `NextToken`
1542
+ # request parameter in the next call to the operation to get the next
1543
+ # part of the results. Note that Secrets Manager might return fewer
1544
+ # results than the maximum even when there are more results available.
1545
+ # You should check `NextToken` after every operation to ensure that you
1546
+ # receive all of the results.
1490
1547
  #
1491
1548
  # @option params [String] :next_token
1492
1549
  # (Optional) Use this parameter in a request if you receive a
1493
- # `NextToken` response in a previous request that indicates that
1494
- # there's more output available. In a subsequent call, set it to the
1495
- # value of the previous call's `NextToken` response to indicate where
1496
- # the output should continue from.
1550
+ # `NextToken` response in a previous request indicating there's more
1551
+ # output available. In a subsequent call, set it to the value of the
1552
+ # previous call `NextToken` response to indicate where the output should
1553
+ # continue from.
1497
1554
  #
1498
1555
  # @option params [Boolean] :include_deprecated
1499
1556
  # (Optional) Specifies that you want the results to include versions
@@ -1585,8 +1642,8 @@ module Aws::SecretsManager
1585
1642
  #
1586
1643
  # <note markdown="1"> Always check the `NextToken` response parameter when calling any of
1587
1644
  # the `List*` operations. These operations can occasionally return an
1588
- # empty or shorter than expected list of results even when there are
1589
- # more results available. When this happens, the `NextToken` response
1645
+ # empty or shorter than expected list of results even when there more
1646
+ # results become available. When this happens, the `NextToken` response
1590
1647
  # parameter contains a value to pass to the next call to the same API to
1591
1648
  # request the next part of the list.
1592
1649
  #
@@ -1607,23 +1664,29 @@ module Aws::SecretsManager
1607
1664
  # ^
1608
1665
  #
1609
1666
  # @option params [Integer] :max_results
1610
- # (Optional) Limits the number of results that you want to include in
1611
- # the response. If you don't include this parameter, it defaults to a
1612
- # value that's specific to the operation. If additional items exist
1613
- # beyond the maximum you specify, the `NextToken` response element is
1614
- # present and has a value (isn't null). Include that value as the
1615
- # `NextToken` request parameter in the next call to the operation to get
1616
- # the next part of the results. Note that Secrets Manager might return
1617
- # fewer results than the maximum even when there are more results
1618
- # available. You should check `NextToken` after every operation to
1619
- # ensure that you receive all of the results.
1667
+ # (Optional) Limits the number of results you want to include in the
1668
+ # response. If you don't include this parameter, it defaults to a value
1669
+ # that's specific to the operation. If additional items exist beyond
1670
+ # the maximum you specify, the `NextToken` response element is present
1671
+ # and has a value (isn't null). Include that value as the `NextToken`
1672
+ # request parameter in the next call to the operation to get the next
1673
+ # part of the results. Note that Secrets Manager might return fewer
1674
+ # results than the maximum even when there are more results available.
1675
+ # You should check `NextToken` after every operation to ensure that you
1676
+ # receive all of the results.
1620
1677
  #
1621
1678
  # @option params [String] :next_token
1622
1679
  # (Optional) Use this parameter in a request if you receive a
1623
- # `NextToken` response in a previous request that indicates that
1624
- # there's more output available. In a subsequent call, set it to the
1625
- # value of the previous call's `NextToken` response to indicate where
1626
- # the output should continue from.
1680
+ # `NextToken` response in a previous request indicating there's more
1681
+ # output available. In a subsequent call, set it to the value of the
1682
+ # previous call `NextToken` response to indicate where the output should
1683
+ # continue from.
1684
+ #
1685
+ # @option params [Array<Types::Filter>] :filters
1686
+ # Lists the secret request filters.
1687
+ #
1688
+ # @option params [String] :sort_order
1689
+ # Lists secrets in the requested order.
1627
1690
  #
1628
1691
  # @return [Types::ListSecretsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1629
1692
  #
@@ -1673,6 +1736,13 @@ module Aws::SecretsManager
1673
1736
  # resp = client.list_secrets({
1674
1737
  # max_results: 1,
1675
1738
  # next_token: "NextTokenType",
1739
+ # filters: [
1740
+ # {
1741
+ # key: "description", # accepts description, name, tag-key, tag-value, all
1742
+ # values: ["FilterValueStringType"],
1743
+ # },
1744
+ # ],
1745
+ # sort_order: "asc", # accepts asc, desc
1676
1746
  # })
1677
1747
  #
1678
1748
  # @example Response structure
@@ -1696,6 +1766,7 @@ module Aws::SecretsManager
1696
1766
  # resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"] #=> Array
1697
1767
  # resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"][0] #=> String
1698
1768
  # resp.secret_list[0].owning_service #=> String
1769
+ # resp.secret_list[0].created_date #=> Time
1699
1770
  # resp.next_token #=> String
1700
1771
  #
1701
1772
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecrets AWS API Documentation
@@ -1729,7 +1800,7 @@ module Aws::SecretsManager
1729
1800
  #
1730
1801
  # **Related operations**
1731
1802
  #
1732
- # * To retrieve the resource policy that's attached to a secret, use
1803
+ # * To retrieve the resource policy attached to a secret, use
1733
1804
  # GetResourcePolicy.
1734
1805
  #
1735
1806
  # * To delete the resource-based policy that's attached to a secret,
@@ -1757,7 +1828,13 @@ module Aws::SecretsManager
1757
1828
  # then those characters cause Secrets Manager to assume that you’re
1758
1829
  # specifying a complete ARN. This confusion can cause unexpected
1759
1830
  # results. To avoid this situation, we recommend that you don’t create
1760
- # secret names that end with a hyphen followed by six characters.
1831
+ # secret names ending with a hyphen followed by six characters.
1832
+ #
1833
+ # If you specify an incomplete ARN without the random suffix, and
1834
+ # instead provide the 'friendly name', you *must* not include the
1835
+ # random suffix. If you do include the random suffix added by Secrets
1836
+ # Manager, you receive either a *ResourceNotFoundException* or an
1837
+ # *AccessDeniedException* error, depending on your permissions.
1761
1838
  #
1762
1839
  # </note>
1763
1840
  #
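Review bot: The paragraph added inside the `<note>` (new lines 1833–1837) contradicts itself: it starts from "an incomplete ARN without the random suffix" and then tells the reader not to include that suffix, so it is unclear whether it is about partial ARNs or friendly names. Judging by its last sentence it is about friendly names, and I would reword the first sentence to `# If you pass the friendly name instead of an ARN, do not append the random suffix that Secrets Manager adds to the ARN.`, keeping the sentence about *ResourceNotFoundException* and *AccessDeniedException* unchanged. The same paragraph is added in the hunks at new lines 1998, 2197, 2327, 2468, 2576, 2721, 2979 and 3115. The doc comment it belongs to starts outside the hunk, and since the file is marked as generated, the wording would have to change in the upstream API model.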
@@ -1773,6 +1850,10 @@ module Aws::SecretsManager
1773
1850
  #
1774
1851
  # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
1775
1852
  #
1853
+ # @option params [Boolean] :block_public_policy
1854
+ # Makes an optional API call to Zelkova to validate the Resource Policy
1855
+ # to prevent broad access to your secret.
1856
+ #
1776
1857
  # @return [Types::PutResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1777
1858
  #
1778
1859
  # * {Types::PutResourcePolicyResponse#arn #arn} => String
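Review bot: The new `:block_public_policy` description (new lines 1853–1855) states neither the default when the option is omitted nor what the caller receives when the check finds a policy that grants broad access. Both matter to anyone relying on this option as a guardrail for a secret's resource policy. "Zelkova" is also named without explanation. I would extend the comment along the lines of `# When true, the policy is checked for broad access before it is attached; <default and failure behaviour, to be confirmed against the service model>.` The request-syntax example in the next hunk shows `block_public_policy: false`, which a copied snippet would carry over and presumably skip the check, so a trailing `# set to true to have the policy checked for broad access` would help there.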
@@ -1799,6 +1880,7 @@ module Aws::SecretsManager
1799
1880
  # resp = client.put_resource_policy({
1800
1881
  # secret_id: "SecretIdType", # required
1801
1882
  # resource_policy: "NonEmptyResourcePolicyType", # required
1883
+ # block_public_policy: false,
1802
1884
  # })
1803
1885
  #
1804
1886
  # @example Response structure
@@ -1848,29 +1930,29 @@ module Aws::SecretsManager
1848
1930
  # operation fails because you cannot modify an existing version; you
1849
1931
  # can only create new ones.
1850
1932
  #
1851
- # <note markdown="1"> * If you call an operation that needs to encrypt or decrypt the
1852
- # `SecretString` or `SecretBinary` for a secret in the same account as
1853
- # the calling user and that secret doesn't specify a AWS KMS
1854
- # encryption key, Secrets Manager uses the account's default AWS
1855
- # managed customer master key (CMK) with the alias
1856
- # `aws/secretsmanager`. If this key doesn't already exist in your
1857
- # account then Secrets Manager creates it for you automatically. All
1858
- # users and roles in the same AWS account automatically have access to
1859
- # use the default CMK. Note that if an Secrets Manager API call
1860
- # results in AWS having to create the account's AWS-managed CMK, it
1861
- # can result in a one-time significant delay in returning the result.
1862
- #
1863
- # * If the secret is in a different AWS account from the credentials
1864
- # calling an API that requires encryption or decryption of the secret
1865
- # value then you must create and use a custom AWS KMS CMK because you
1866
- # can't access the default CMK for the account using credentials from
1867
- # a different AWS account. Store the ARN of the CMK in the secret when
1868
- # you create the secret or when you update it by including it in the
1869
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
1870
- # `SecretString` or `SecretBinary` using credentials from a different
1871
- # account then the AWS KMS key policy must grant cross-account access
1872
- # to that other account's user or role for both the
1873
- # kms:GenerateDataKey and kms:Decrypt operations.
1933
+ # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
1934
+ # `SecretBinary` for a secret in the same account as the calling user
1935
+ # and that secret doesn't specify a AWS KMS encryption key, Secrets
1936
+ # Manager uses the account's default AWS managed customer master key
1937
+ # (CMK) with the alias `aws/secretsmanager`. If this key doesn't
1938
+ # already exist in your account then Secrets Manager creates it for
1939
+ # you automatically. All users and roles in the same AWS account
1940
+ # automatically have access to use the default CMK. Note that if an
1941
+ # Secrets Manager API call results in AWS creating the account's
1942
+ # AWS-managed CMK, it can result in a one-time significant delay in
1943
+ # returning the result.
1944
+ #
1945
+ # * If the secret resides in a different AWS account from the
1946
+ # credentials calling an API that requires encryption or decryption of
1947
+ # the secret value then you must create and use a custom AWS KMS CMK
1948
+ # because you can't access the default CMK for the account using
1949
+ # credentials from a different AWS account. Store the ARN of the CMK
1950
+ # in the secret when you create the secret or when you update it by
1951
+ # including it in the `KMSKeyId`. If you call an API that must encrypt
1952
+ # or decrypt `SecretString` or `SecretBinary` using credentials from a
1953
+ # different account then the AWS KMS key policy must grant
1954
+ # cross-account access to that other account's user or role for both
1955
+ # the kms:GenerateDataKey and kms:Decrypt operations.
1874
1956
  #
1875
1957
  # </note>
1876
1958
  #
@@ -1911,7 +1993,13 @@ module Aws::SecretsManager
1911
1993
  # then those characters cause Secrets Manager to assume that you’re
1912
1994
  # specifying a complete ARN. This confusion can cause unexpected
1913
1995
  # results. To avoid this situation, we recommend that you don’t create
1914
- # secret names that end with a hyphen followed by six characters.
1996
+ # secret names ending with a hyphen followed by six characters.
1997
+ #
1998
+ # If you specify an incomplete ARN without the random suffix, and
1999
+ # instead provide the 'friendly name', you *must* not include the
2000
+ # random suffix. If you do include the random suffix added by Secrets
2001
+ # Manager, you receive either a *ResourceNotFoundException* or an
2002
+ # *AccessDeniedException* error, depending on your permissions.
1915
2003
  #
1916
2004
  # </note>
1917
2005
  #
@@ -1942,7 +2030,7 @@ module Aws::SecretsManager
1942
2030
  # `SecretString` or `SecretBinary` values are the same as those in the
1943
2031
  # request then the request is ignored (the operation is idempotent).
1944
2032
  #
1945
- # * If a version with this value already exists and that version's
2033
+ # * If a version with this value already exists and the version of the
1946
2034
  # `SecretString` and `SecretBinary` values are different from those in
1947
2035
  # the request then the request fails because you cannot modify an
1948
2036
  # existing secret version. You can only create new versions to store
@@ -1957,7 +2045,7 @@ module Aws::SecretsManager
1957
2045
  #
1958
2046
  # [1]: https://wikipedia.org/wiki/Universally_unique_identifier
1959
2047
  #
1960
- # @option params [String, IO] :secret_binary
2048
+ # @option params [String, StringIO, File] :secret_binary
1961
2049
  # (Optional) Specifies binary data that you want to encrypt and store in
1962
2050
  # the new version of the secret. To use this parameter in the
1963
2051
  # command-line tools, we recommend that you store your binary data in a
@@ -2104,7 +2192,13 @@ module Aws::SecretsManager
2104
2192
  # then those characters cause Secrets Manager to assume that you’re
2105
2193
  # specifying a complete ARN. This confusion can cause unexpected
2106
2194
  # results. To avoid this situation, we recommend that you don’t create
2107
- # secret names that end with a hyphen followed by six characters.
2195
+ # secret names ending with a hyphen followed by six characters.
2196
+ #
2197
+ # If you specify an incomplete ARN without the random suffix, and
2198
+ # instead provide the 'friendly name', you *must* not include the
2199
+ # random suffix. If you do include the random suffix added by Secrets
2200
+ # Manager, you receive either a *ResourceNotFoundException* or an
2201
+ # *AccessDeniedException* error, depending on your permissions.
2108
2202
  #
2109
2203
  # </note>
2110
2204
  #
@@ -2167,8 +2261,8 @@ module Aws::SecretsManager
2167
2261
  # for your protected service, see [Rotating Secrets in AWS Secrets
2168
2262
  # Manager][1] in the *AWS Secrets Manager User Guide*.
2169
2263
  #
2170
- # Secrets Manager schedules the next rotation when the previous one is
2171
- # complete. Secrets Manager schedules the date by adding the rotation
2264
+ # Secrets Manager schedules the next rotation when the previous one
2265
+ # completes. Secrets Manager schedules the date by adding the rotation
2172
2266
  # interval (number of days) to the actual date of the last rotation. The
2173
2267
  # service chooses the hour within that 24-hour date window randomly. The
2174
2268
  # minute is also chosen somewhat randomly, but weighted towards the top
@@ -2184,9 +2278,9 @@ module Aws::SecretsManager
2184
2278
  # * The `AWSPENDING` staging label is not attached to any version of the
2185
2279
  # secret.
2186
2280
  #
2187
- # If instead the `AWSPENDING` staging label is present but is not
2188
- # attached to the same version as `AWSCURRENT` then any later invocation
2189
- # of `RotateSecret` assumes that a previous rotation request is still in
2281
+ # If the `AWSPENDING` staging label is present but not attached to the
2282
+ # same version as `AWSCURRENT` then any later invocation of
2283
+ # `RotateSecret` assumes that a previous rotation request is still in
2190
2284
  # progress and returns an error.
2191
2285
  #
2192
2286
  # **Minimum permissions**
@@ -2228,7 +2322,13 @@ module Aws::SecretsManager
2228
2322
  # then those characters cause Secrets Manager to assume that you’re
2229
2323
  # specifying a complete ARN. This confusion can cause unexpected
2230
2324
  # results. To avoid this situation, we recommend that you don’t create
2231
- # secret names that end with a hyphen followed by six characters.
2325
+ # secret names ending with a hyphen followed by six characters.
2326
+ #
2327
+ # If you specify an incomplete ARN without the random suffix, and
2328
+ # instead provide the 'friendly name', you *must* not include the
2329
+ # random suffix. If you do include the random suffix added by Secrets
2330
+ # Manager, you receive either a *ResourceNotFoundException* or an
2331
+ # *AccessDeniedException* error, depending on your permissions.
2232
2332
  #
2233
2333
  # </note>
2234
2334
  #
@@ -2244,8 +2344,8 @@ module Aws::SecretsManager
2244
2344
  # generate a `ClientRequestToken` yourself for new versions and include
2245
2345
  # that value in the request.
2246
2346
  #
2247
- # You only need to specify your own value if you are implementing your
2248
- # own retry logic and want to ensure that a given secret is not created
2347
+ # You only need to specify your own value if you implement your own
2348
+ # retry logic and want to ensure that a given secret is not created
2249
2349
  # twice. We recommend that you generate a [UUID-type][1] value to ensure
2250
2350
  # uniqueness within the specified secret.
2251
2351
  #
@@ -2316,16 +2416,16 @@ module Aws::SecretsManager
2316
2416
  #
2317
2417
  # * Tag keys and values are case sensitive.
2318
2418
  #
2319
- # * Do not use the `aws:` prefix in your tag names or values because it
2320
- # is reserved for AWS use. You can't edit or delete tag names or
2419
+ # * Do not use the `aws:` prefix in your tag names or values because AWS
2420
+ # reserves it for AWS use. You can't edit or delete tag names or
2321
2421
  # values with this prefix. Tags with this prefix do not count against
2322
2422
  # your tags per secret limit.
2323
2423
  #
2324
- # * If your tagging schema will be used across multiple services and
2325
- # resources, remember that other services might have restrictions on
2326
- # allowed characters. Generally allowed characters are: letters,
2327
- # spaces, and numbers representable in UTF-8, plus the following
2328
- # special characters: + - = . \_ : / @.
2424
+ # * If you use your tagging schema across multiple services and
2425
+ # resources, remember other services might have restrictions on
2426
+ # allowed characters. Generally allowed characters: letters, spaces,
2427
+ # and numbers representable in UTF-8, plus the following special
2428
+ # characters: + - = . \_ : / @.
2329
2429
  #
2330
2430
  # If you use tags as part of your security strategy, then adding or
2331
2431
  # removing a tag can change permissions. If successfully completing this
@@ -2363,7 +2463,13 @@ module Aws::SecretsManager
2363
2463
  # then those characters cause Secrets Manager to assume that you’re
2364
2464
  # specifying a complete ARN. This confusion can cause unexpected
2365
2465
  # results. To avoid this situation, we recommend that you don’t create
2366
- # secret names that end with a hyphen followed by six characters.
2466
+ # secret names ending with a hyphen followed by six characters.
2467
+ #
2468
+ # If you specify an incomplete ARN without the random suffix, and
2469
+ # instead provide the 'friendly name', you *must* not include the
2470
+ # random suffix. If you do include the random suffix added by Secrets
2471
+ # Manager, you receive either a *ResourceNotFoundException* or an
2472
+ # *AccessDeniedException* error, depending on your permissions.
2367
2473
  #
2368
2474
  # </note>
2369
2475
  #
@@ -2465,7 +2571,13 @@ module Aws::SecretsManager
2465
2571
  # then those characters cause Secrets Manager to assume that you’re
2466
2572
  # specifying a complete ARN. This confusion can cause unexpected
2467
2573
  # results. To avoid this situation, we recommend that you don’t create
2468
- # secret names that end with a hyphen followed by six characters.
2574
+ # secret names ending with a hyphen followed by six characters.
2575
+ #
2576
+ # If you specify an incomplete ARN without the random suffix, and
2577
+ # instead provide the 'friendly name', you *must* not include the
2578
+ # random suffix. If you do include the random suffix added by Secrets
2579
+ # Manager, you receive either a *ResourceNotFoundException* or an
2580
+ # *AccessDeniedException* error, depending on your permissions.
2469
2581
  #
2470
2582
  # </note>
2471
2583
  #
@@ -2537,29 +2649,29 @@ module Aws::SecretsManager
2537
2649
  # secret version, Secrets Manager automatically attaches the staging
2538
2650
  # label `AWSCURRENT` to the new version.
2539
2651
  #
2540
- # <note markdown="1"> * If you call an operation that needs to encrypt or decrypt the
2541
- # `SecretString` or `SecretBinary` for a secret in the same account as
2542
- # the calling user and that secret doesn't specify a AWS KMS
2543
- # encryption key, Secrets Manager uses the account's default AWS
2544
- # managed customer master key (CMK) with the alias
2545
- # `aws/secretsmanager`. If this key doesn't already exist in your
2546
- # account then Secrets Manager creates it for you automatically. All
2547
- # users and roles in the same AWS account automatically have access to
2548
- # use the default CMK. Note that if an Secrets Manager API call
2549
- # results in AWS having to create the account's AWS-managed CMK, it
2550
- # can result in a one-time significant delay in returning the result.
2551
- #
2552
- # * If the secret is in a different AWS account from the credentials
2553
- # calling an API that requires encryption or decryption of the secret
2554
- # value then you must create and use a custom AWS KMS CMK because you
2555
- # can't access the default CMK for the account using credentials from
2556
- # a different AWS account. Store the ARN of the CMK in the secret when
2557
- # you create the secret or when you update it by including it in the
2558
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
2559
- # `SecretString` or `SecretBinary` using credentials from a different
2560
- # account then the AWS KMS key policy must grant cross-account access
2561
- # to that other account's user or role for both the
2562
- # kms:GenerateDataKey and kms:Decrypt operations.
2652
+ # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
2653
+ # `SecretBinary` for a secret in the same account as the calling user
2654
+ # and that secret doesn't specify a AWS KMS encryption key, Secrets
2655
+ # Manager uses the account's default AWS managed customer master key
2656
+ # (CMK) with the alias `aws/secretsmanager`. If this key doesn't
2657
+ # already exist in your account then Secrets Manager creates it for
2658
+ # you automatically. All users and roles in the same AWS account
2659
+ # automatically have access to use the default CMK. Note that if an
2660
+ # Secrets Manager API call results in AWS creating the account's
2661
+ # AWS-managed CMK, it can result in a one-time significant delay in
2662
+ # returning the result.
2663
+ #
2664
+ # * If the secret resides in a different AWS account from the
2665
+ # credentials calling an API that requires encryption or decryption of
2666
+ # the secret value then you must create and use a custom AWS KMS CMK
2667
+ # because you can't access the default CMK for the account using
2668
+ # credentials from a different AWS account. Store the ARN of the CMK
2669
+ # in the secret when you create the secret or when you update it by
2670
+ # including it in the `KMSKeyId`. If you call an API that must encrypt
2671
+ # or decrypt `SecretString` or `SecretBinary` using credentials from a
2672
+ # different account then the AWS KMS key policy must grant
2673
+ # cross-account access to that other account's user or role for both
2674
+ # the kms:GenerateDataKey and kms:Decrypt operations.
2563
2675
  #
2564
2676
  # </note>
2565
2677
  #
@@ -2604,7 +2716,13 @@ module Aws::SecretsManager
2604
2716
  # then those characters cause Secrets Manager to assume that you’re
2605
2717
  # specifying a complete ARN. This confusion can cause unexpected
2606
2718
  # results. To avoid this situation, we recommend that you don’t create
2607
- # secret names that end with a hyphen followed by six characters.
2719
+ # secret names ending with a hyphen followed by six characters.
2720
+ #
2721
+ # If you specify an incomplete ARN without the random suffix, and
2722
+ # instead provide the 'friendly name', you *must* not include the
2723
+ # random suffix. If you do include the random suffix added by Secrets
2724
+ # Manager, you receive either a *ResourceNotFoundException* or an
2725
+ # *AccessDeniedException* error, depending on your permissions.
2608
2726
  #
2609
2727
  # </note>
2610
2728
  #
@@ -2668,7 +2786,7 @@ module Aws::SecretsManager
2668
2786
  # field. The user making the call must have permissions to both the
2669
2787
  # secret and the CMK in their respective accounts.
2670
2788
  #
2671
- # @option params [String, IO] :secret_binary
2789
+ # @option params [String, StringIO, File] :secret_binary
2672
2790
  # (Optional) Specifies updated binary data that you want to encrypt and
2673
2791
  # store in the new version of the secret. To use this parameter in the
2674
2792
  # command-line tools, we recommend that you store your binary data in a
@@ -2841,9 +2959,9 @@ module Aws::SecretsManager
2841
2959
  # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/terms-concepts.html#term_staging-label
2842
2960
  #
2843
2961
  # @option params [required, String] :secret_id
2844
- # Specifies the secret with the version whose list of staging labels you
2845
- # want to modify. You can specify either the Amazon Resource Name (ARN)
2846
- # or the friendly name of the secret.
2962
+ # Specifies the secret with the version with the list of staging labels
2963
+ # you want to modify. You can specify either the Amazon Resource Name
2964
+ # (ARN) or the friendly name of the secret.
2847
2965
  #
2848
2966
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
2849
2967
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -2856,7 +2974,13 @@ module Aws::SecretsManager
2856
2974
  # then those characters cause Secrets Manager to assume that you’re
2857
2975
  # specifying a complete ARN. This confusion can cause unexpected
2858
2976
  # results. To avoid this situation, we recommend that you don’t create
2859
- # secret names that end with a hyphen followed by six characters.
2977
+ # secret names ending with a hyphen followed by six characters.
2978
+ #
2979
+ # If you specify an incomplete ARN without the random suffix, and
2980
+ # instead provide the 'friendly name', you *must* not include the
2981
+ # random suffix. If you do include the random suffix added by Secrets
2982
+ # Manager, you receive either a *ResourceNotFoundException* or an
2983
+ # *AccessDeniedException* error, depending on your permissions.
2860
2984
  #
2861
2985
  # </note>
2862
2986
  #
@@ -2874,7 +2998,7 @@ module Aws::SecretsManager
2874
2998
  #
2875
2999
  # @option params [String] :move_to_version_id
2876
3000
  # (Optional) The secret version ID that you want to add the staging
2877
- # label to. If you want to remove a label from a version, then do not
3001
+ # label. If you want to remove a label from a version, then do not
2878
3002
  # specify this parameter.
2879
3003
  #
2880
3004
  # If the staging label is already attached to a different version of the
@@ -2964,6 +3088,86 @@ module Aws::SecretsManager
2964
3088
  req.send_request(options)
2965
3089
  end
2966
3090
 
3091
+ # Validates the JSON text of the resource-based policy document attached
3092
+ # to the specified secret. The JSON request string input and response
3093
+ # output displays formatted code with white space and line breaks for
3094
+ # better readability. Submit your input as a single line JSON string. A
3095
+ # resource-based policy is optional.
3096
+ #
3097
+ # @option params [String] :secret_id
3098
+ # The identifier for the secret that you want to validate a resource
3099
+ # policy. You can specify either the Amazon Resource Name (ARN) or the
3100
+ # friendly name of the secret.
3101
+ #
3102
+ # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
3103
+ # complete ARN. You can specify a partial ARN too—for example, if you
3104
+ # don’t include the final hyphen and six random characters that Secrets
3105
+ # Manager adds at the end of the ARN when you created the secret. A
3106
+ # partial ARN match can work as long as it uniquely matches only one
3107
+ # secret. However, if your secret has a name that ends in a hyphen
3108
+ # followed by six characters (before Secrets Manager adds the hyphen and
3109
+ # six characters to the ARN) and you try to use that as a partial ARN,
3110
+ # then those characters cause Secrets Manager to assume that you’re
3111
+ # specifying a complete ARN. This confusion can cause unexpected
3112
+ # results. To avoid this situation, we recommend that you don’t create
3113
+ # secret names ending with a hyphen followed by six characters.
3114
+ #
3115
+ # If you specify an incomplete ARN without the random suffix, and
3116
+ # instead provide the 'friendly name', you *must* not include the
3117
+ # random suffix. If you do include the random suffix added by Secrets
3118
+ # Manager, you receive either a *ResourceNotFoundException* or an
3119
+ # *AccessDeniedException* error, depending on your permissions.
3120
+ #
3121
+ # </note>
3122
+ #
3123
+ # @option params [required, String] :resource_policy
3124
+ # Identifies the Resource Policy attached to the secret.
3125
+ #
3126
+ # @return [Types::ValidateResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3127
+ #
3128
+ # * {Types::ValidateResourcePolicyResponse#policy_validation_passed #policy_validation_passed} => Boolean
3129
+ # * {Types::ValidateResourcePolicyResponse#validation_errors #validation_errors} => Array&lt;Types::ValidationErrorsEntry&gt;
3130
+ #
3131
+ #
3132
+ # @example Example: To validate a resource-based policy to a secret
3133
+ #
3134
+ # # The following example shows how to validate a resource-based policy to a secret.
3135
+ #
3136
+ # resp = client.validate_resource_policy({
3137
+ # resource_policy: "{\n\"Version\":\"2012-10-17\",\n\"Statement\":[{\n\"Effect\":\"Allow\",\n\"Principal\":{\n\"AWS\":\"arn:aws:iam::123456789012:root\"\n},\n\"Action\":\"secretsmanager:GetSecretValue\",\n\"Resource\":\"*\"\n}]\n}",
3138
+ # secret_id: "MyTestDatabaseSecret",
3139
+ # })
3140
+ #
3141
+ # resp.to_h outputs the following:
3142
+ # {
3143
+ # policy_validation_passed: true,
3144
+ # validation_errors: [
3145
+ # ],
3146
+ # }
3147
+ #
3148
+ # @example Request syntax with placeholder values
3149
+ #
3150
+ # resp = client.validate_resource_policy({
3151
+ # secret_id: "SecretIdType",
3152
+ # resource_policy: "NonEmptyResourcePolicyType", # required
3153
+ # })
3154
+ #
3155
+ # @example Response structure
3156
+ #
3157
+ # resp.policy_validation_passed #=> Boolean
3158
+ # resp.validation_errors #=> Array
3159
+ # resp.validation_errors[0].check_name #=> String
3160
+ # resp.validation_errors[0].error_message #=> String
3161
+ #
3162
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ValidateResourcePolicy AWS API Documentation
3163
+ #
3164
+ # @overload validate_resource_policy(params = {})
3165
+ # @param [Hash] params ({})
3166
+ def validate_resource_policy(params = {}, options = {})
3167
+ req = build_request(:validate_resource_policy, params)
3168
+ req.send_request(options)
3169
+ end
3170
+
2967
3171
  # @!endgroup
2968
3172
 
2969
3173
  # @param params ({})
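Review bot: The documentation for the new `validate_resource_policy` describes the policy as already "attached to the specified secret", but `:resource_policy` is the required input and `:secret_id` is optional, so the call appears to validate the policy text supplied in the request. I would change `# Identifies the Resource Policy attached to the secret.` to `# The JSON text of the resource-based policy to validate.` and repair the `:secret_id` sentence, which is missing words ("the secret that you want to validate a resource policy"). The worked example reports `policy_validation_passed: true` for a policy that allows `secretsmanager:GetSecretValue` on `Resource: "*"` to an account root principal, and the comment never says which checks are run. A line such as `# A passing result covers only the checks performed by the service; review the principals and resources in the policy separately.` would keep readers from treating it as a least-privilege review. The method and its doc comment are complete within this hunk.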
@@ -2977,7 +3181,7 @@ module Aws::SecretsManager
2977
3181
  params: params,
2978
3182
  config: config)
2979
3183
  context[:gem_name] = 'aws-sdk-secretsmanager'
2980
- context[:gem_version] = '1.37.1'
3184
+ context[:gem_version] = '1.42.0'
2981
3185
  Seahorse::Client::Request.new(handlers, context)
2982
3186
  end
2983
3187