aws-sdk-secretsmanager 1.38.0 → 1.43.0
- checksums.yaml +4 -4
- data/lib/aws-sdk-secretsmanager.rb +3 -2
- data/lib/aws-sdk-secretsmanager/client.rb +396 -194
- data/lib/aws-sdk-secretsmanager/client_api.rb +56 -0
- data/lib/aws-sdk-secretsmanager/errors.rb +16 -0
- data/lib/aws-sdk-secretsmanager/types.rb +346 -97
- metadata +4 -4
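--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d781f22f508df67554732195c3fb241e0e7824078dc95b69bf469f696740734b
+data.tar.gz: 79677d273f59f8531842336ca9e023a3554cdce174ba33c1dce7b779ac3389c7
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6b357169563766e5c776e7bc4e15a59775e60dc9cb1f93366db99fce597cab99645badfcda762639cafed4c9b49f41a538c0c3fcd4e5861aec936ed52f72cd68
+data.tar.gz: 37db784995c61c8576f7cd5ceb6f87a9acdcbc31dc0b15fcd9870588aec2b7cc1b7b7d700e75a39c4ca64d0bcf2915e59018fd81e098143cddf65546333a280b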
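--- a/data/lib/aws-sdk-secretsmanager.rb
+++ b/data/lib/aws-sdk-secretsmanager.rb
@@ -7,6 +7,7 @@
 #
 # WARNING ABOUT GENERATED CODE
 
+
 require 'aws-sdk-core'
 require 'aws-sigv4'
 
@@ -44,9 +45,9 @@ require_relative 'aws-sdk-secretsmanager/customizations'
 #
 # See {Errors} for more information.
 #
-#
+# @!group service
 module Aws::SecretsManager
 
-GEM_VERSION = '1.
+GEM_VERSION = '1.43.0'
 
 end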
@@ -85,13 +85,28 @@ module Aws::SecretsManager
|
|
85
85
|
# * `Aws::Credentials` - Used for configuring static, non-refreshing
|
86
86
|
# credentials.
|
87
87
|
#
|
88
|
+
# * `Aws::SharedCredentials` - Used for loading static credentials from a
|
89
|
+
# shared file, such as `~/.aws/config`.
|
90
|
+
#
|
91
|
+
# * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
|
92
|
+
#
|
93
|
+
# * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
|
94
|
+
# assume a role after providing credentials via the web.
|
95
|
+
#
|
96
|
+
# * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
|
97
|
+
# access token generated from `aws login`.
|
98
|
+
#
|
99
|
+
# * `Aws::ProcessCredentials` - Used for loading credentials from a
|
100
|
+
# process that outputs to stdout.
|
101
|
+
#
|
88
102
|
# * `Aws::InstanceProfileCredentials` - Used for loading credentials
|
89
103
|
# from an EC2 IMDS on an EC2 instance.
|
90
104
|
#
|
91
|
-
# * `Aws::
|
92
|
-
#
|
105
|
+
# * `Aws::ECSCredentials` - Used for loading credentials from
|
106
|
+
# instances running in ECS.
|
93
107
|
#
|
94
|
-
# * `Aws::
|
108
|
+
# * `Aws::CognitoIdentityCredentials` - Used for loading credentials
|
109
|
+
# from the Cognito Identity service.
|
95
110
|
#
|
96
111
|
# When `:credentials` are not configured directly, the following
|
97
112
|
# locations will be searched for credentials:
|
@@ -101,10 +116,10 @@ module Aws::SecretsManager
|
|
101
116
|
# * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
|
102
117
|
# * `~/.aws/credentials`
|
103
118
|
# * `~/.aws/config`
|
104
|
-
# * EC2 IMDS instance profile - When used by default, the timeouts
|
105
|
-
# very aggressive. Construct and pass an instance of
|
106
|
-
# `Aws::InstanceProfileCredentails`
|
107
|
-
# timeouts.
|
119
|
+
# * EC2/ECS IMDS instance profile - When used by default, the timeouts
|
120
|
+
# are very aggressive. Construct and pass an instance of
|
121
|
+
# `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
|
122
|
+
# enable retries and extended timeouts.
|
108
123
|
#
|
109
124
|
# @option options [required, String] :region
|
110
125
|
# The AWS region to connect to. The configured `:region` is
|
@@ -323,20 +338,20 @@ module Aws::SecretsManager
|
|
323
338
|
# @!group API Operations
|
324
339
|
|
325
340
|
# Disables automatic scheduled rotation and cancels the rotation of a
|
326
|
-
# secret if
|
341
|
+
# secret if currently in progress.
|
327
342
|
#
|
328
343
|
# To re-enable scheduled rotation, call RotateSecret with
|
329
344
|
# `AutomaticallyRotateAfterDays` set to a value greater than 0. This
|
330
|
-
#
|
345
|
+
# immediately rotates your secret and then enables the automatic
|
331
346
|
# schedule.
|
332
347
|
#
|
333
|
-
# <note markdown="1"> If you cancel a rotation
|
334
|
-
# `VersionStage` labels in an unexpected state. Depending on
|
335
|
-
#
|
336
|
-
#
|
337
|
-
#
|
348
|
+
# <note markdown="1"> If you cancel a rotation while in progress, it can leave the
|
349
|
+
# `VersionStage` labels in an unexpected state. Depending on the step of
|
350
|
+
# the rotation in progress, you might need to remove the staging label
|
351
|
+
# `AWSPENDING` from the partially created version, specified by the
|
352
|
+
# `VersionId` response value. You should also evaluate the partially
|
338
353
|
# rotated new version to see if it should be deleted, which you can do
|
339
|
-
# by removing all staging labels from the new version
|
354
|
+
# by removing all staging labels from the new version `VersionStage`
|
340
355
|
# field.
|
341
356
|
#
|
342
357
|
# </note>
|
@@ -344,12 +359,12 @@ module Aws::SecretsManager
|
|
344
359
|
# To successfully start a rotation, the staging label `AWSPENDING` must
|
345
360
|
# be in one of the following states:
|
346
361
|
#
|
347
|
-
# * Not
|
362
|
+
# * Not attached to any version at all
|
348
363
|
#
|
349
364
|
# * Attached to the same version as the staging label `AWSCURRENT`
|
350
365
|
#
|
351
|
-
# If the staging label `AWSPENDING`
|
352
|
-
#
|
366
|
+
# If the staging label `AWSPENDING` attached to a different version than
|
367
|
+
# the version with `AWSCURRENT` then the attempt to rotate fails.
|
353
368
|
#
|
354
369
|
# **Minimum permissions**
|
355
370
|
#
|
@@ -373,9 +388,9 @@ module Aws::SecretsManager
|
|
373
388
|
# ListSecretVersionIds.
|
374
389
|
#
|
375
390
|
# @option params [required, String] :secret_id
|
376
|
-
# Specifies the secret
|
377
|
-
#
|
378
|
-
#
|
391
|
+
# Specifies the secret to cancel a rotation request. You can specify
|
392
|
+
# either the Amazon Resource Name (ARN) or the friendly name of the
|
393
|
+
# secret.
|
379
394
|
#
|
380
395
|
# <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
|
381
396
|
# complete ARN. You can specify a partial ARN too—for example, if you
|
@@ -388,7 +403,13 @@ module Aws::SecretsManager
|
|
388
403
|
# then those characters cause Secrets Manager to assume that you’re
|
389
404
|
# specifying a complete ARN. This confusion can cause unexpected
|
390
405
|
# results. To avoid this situation, we recommend that you don’t create
|
391
|
-
# secret names
|
406
|
+
# secret names ending with a hyphen followed by six characters.
|
407
|
+
#
|
408
|
+
# If you specify an incomplete ARN without the random suffix, and
|
409
|
+
# instead provide the 'friendly name', you *must* not include the
|
410
|
+
# random suffix. If you do include the random suffix added by Secrets
|
411
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
412
|
+
# *AccessDeniedException* error, depending on your permissions.
|
392
413
|
#
|
393
414
|
# </note>
|
394
415
|
#
|
@@ -447,7 +468,7 @@ module Aws::SecretsManager
|
|
447
468
|
# version is in the rotation cycle. The `SecretVersionsToStages` field
|
448
469
|
# of the secret contains the mapping of staging labels to the active
|
449
470
|
# versions of the secret. Versions without a staging label are
|
450
|
-
# considered deprecated and
|
471
|
+
# considered deprecated and not included in the list.
|
451
472
|
#
|
452
473
|
# You provide the secret data to be encrypted by putting text in either
|
453
474
|
# the `SecretString` parameter or binary data in the `SecretBinary`
|
@@ -456,29 +477,29 @@ module Aws::SecretsManager
|
|
456
477
|
# version and automatically attaches the staging label `AWSCURRENT` to
|
457
478
|
# the new version.
|
458
479
|
#
|
459
|
-
# <note markdown="1"> * If you call an operation
|
460
|
-
# `
|
461
|
-
#
|
462
|
-
#
|
463
|
-
#
|
464
|
-
#
|
465
|
-
#
|
466
|
-
#
|
467
|
-
#
|
468
|
-
#
|
469
|
-
#
|
470
|
-
#
|
471
|
-
# * If the secret
|
472
|
-
# calling an API that requires encryption or decryption of
|
473
|
-
# value then you must create and use a custom AWS KMS CMK
|
474
|
-
# can't access the default CMK for the account using
|
475
|
-
# a different AWS account. Store the ARN of the CMK
|
476
|
-
# you create the secret or when you update it by
|
477
|
-
# `KMSKeyId`. If you call an API that must encrypt
|
478
|
-
# `SecretString` or `SecretBinary` using credentials from a
|
479
|
-
# account then the AWS KMS key policy must grant
|
480
|
-
# to that other account's user or role for both
|
481
|
-
# kms:GenerateDataKey and kms:Decrypt operations.
|
480
|
+
# <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
|
481
|
+
# `SecretBinary` for a secret in the same account as the calling user
|
482
|
+
# and that secret doesn't specify a AWS KMS encryption key, Secrets
|
483
|
+
# Manager uses the account's default AWS managed customer master key
|
484
|
+
# (CMK) with the alias `aws/secretsmanager`. If this key doesn't
|
485
|
+
# already exist in your account then Secrets Manager creates it for
|
486
|
+
# you automatically. All users and roles in the same AWS account
|
487
|
+
# automatically have access to use the default CMK. Note that if an
|
488
|
+
# Secrets Manager API call results in AWS creating the account's
|
489
|
+
# AWS-managed CMK, it can result in a one-time significant delay in
|
490
|
+
# returning the result.
|
491
|
+
#
|
492
|
+
# * If the secret resides in a different AWS account from the
|
493
|
+
# credentials calling an API that requires encryption or decryption of
|
494
|
+
# the secret value then you must create and use a custom AWS KMS CMK
|
495
|
+
# because you can't access the default CMK for the account using
|
496
|
+
# credentials from a different AWS account. Store the ARN of the CMK
|
497
|
+
# in the secret when you create the secret or when you update it by
|
498
|
+
# including it in the `KMSKeyId`. If you call an API that must encrypt
|
499
|
+
# or decrypt `SecretString` or `SecretBinary` using credentials from a
|
500
|
+
# different account then the AWS KMS key policy must grant
|
501
|
+
# cross-account access to that other account's user or role for both
|
502
|
+
# the kms:GenerateDataKey and kms:Decrypt operations.
|
482
503
|
#
|
483
504
|
# </note>
|
484
505
|
#
|
@@ -492,11 +513,11 @@ module Aws::SecretsManager
|
|
492
513
|
#
|
493
514
|
# * kms:GenerateDataKey - needed only if you use a customer-managed AWS
|
494
515
|
# KMS key to encrypt the secret. You do not need this permission to
|
495
|
-
# use the account
|
516
|
+
# use the account default AWS managed CMK for Secrets Manager.
|
496
517
|
#
|
497
518
|
# * kms:Decrypt - needed only if you use a customer-managed AWS KMS key
|
498
519
|
# to encrypt the secret. You do not need this permission to use the
|
499
|
-
# account
|
520
|
+
# account default AWS managed CMK for Secrets Manager.
|
500
521
|
#
|
501
522
|
# * secretsmanager:TagResource - needed only if you include the `Tags`
|
502
523
|
# parameter.
|
@@ -526,11 +547,10 @@ module Aws::SecretsManager
|
|
526
547
|
# The secret name must be ASCII letters, digits, or the following
|
527
548
|
# characters : /\_+=.@-
|
528
549
|
#
|
529
|
-
# <note markdown="1">
|
550
|
+
# <note markdown="1"> Do not end your secret name with a hyphen followed by six characters.
|
530
551
|
# If you do so, you risk confusion and unexpected results when searching
|
531
|
-
# for a secret by partial ARN.
|
532
|
-
#
|
533
|
-
# the ARN.
|
552
|
+
# for a secret by partial ARN. Secrets Manager automatically adds a
|
553
|
+
# hyphen and six random characters at the end of the ARN.
|
534
554
|
#
|
535
555
|
# </note>
|
536
556
|
#
|
@@ -545,7 +565,7 @@ module Aws::SecretsManager
|
|
545
565
|
# the request. If you don't use the SDK and instead generate a raw HTTP
|
546
566
|
# request to the Secrets Manager service endpoint, then you must
|
547
567
|
# generate a `ClientRequestToken` yourself for the new version and
|
548
|
-
# include
|
568
|
+
# include the value in the request.
|
549
569
|
#
|
550
570
|
# </note>
|
551
571
|
#
|
@@ -558,10 +578,9 @@ module Aws::SecretsManager
|
|
558
578
|
# * If the `ClientRequestToken` value isn't already associated with a
|
559
579
|
# version of the secret then a new version of the secret is created.
|
560
580
|
#
|
561
|
-
# * If a version with this value already exists and
|
581
|
+
# * If a version with this value already exists and the version
|
562
582
|
# `SecretString` and `SecretBinary` values are the same as those in
|
563
|
-
# the request, then the request is ignored
|
564
|
-
# idempotent).
|
583
|
+
# the request, then the request is ignored.
|
565
584
|
#
|
566
585
|
# * If a version with this value already exists and that version's
|
567
586
|
# `SecretString` and `SecretBinary` values are different from those in
|
@@ -597,12 +616,12 @@ module Aws::SecretsManager
|
|
597
616
|
# time it needs to encrypt a version's `SecretString` or `SecretBinary`
|
598
617
|
# fields.
|
599
618
|
#
|
600
|
-
# You can use the account
|
601
|
-
#
|
602
|
-
#
|
619
|
+
# You can use the account default CMK to encrypt and decrypt only if you
|
620
|
+
# call this operation using credentials from the same account that owns
|
621
|
+
# the secret. If the secret resides in a different account, then you
|
603
622
|
# must create a custom CMK and specify the ARN in this field.
|
604
623
|
#
|
605
|
-
# @option params [String,
|
624
|
+
# @option params [String, StringIO, File] :secret_binary
|
606
625
|
# (Optional) Specifies binary data that you want to encrypt and store in
|
607
626
|
# the new version of the secret. To use this parameter in the
|
608
627
|
# command-line tools, we recommend that you store your binary data in a
|
@@ -634,7 +653,7 @@ module Aws::SecretsManager
|
|
634
653
|
# environments, see [Using JSON for Parameters][1] in the *AWS CLI User
|
635
654
|
# Guide*. For example:
|
636
655
|
#
|
637
|
-
#
|
656
|
+
# `\{"username":"bob","password":"abc123xyz456"\}`
|
638
657
|
#
|
639
658
|
# If your command-line tool or SDK requires quotation marks around the
|
640
659
|
# parameter, you should use single quotes to avoid confusion with the
|
@@ -680,16 +699,16 @@ module Aws::SecretsManager
|
|
680
699
|
#
|
681
700
|
# * Tag keys and values are case sensitive.
|
682
701
|
#
|
683
|
-
# * Do not use the `aws:` prefix in your tag names or values because
|
684
|
-
#
|
702
|
+
# * Do not use the `aws:` prefix in your tag names or values because AWS
|
703
|
+
# reserves it for AWS use. You can't edit or delete tag names or
|
685
704
|
# values with this prefix. Tags with this prefix do not count against
|
686
705
|
# your tags per secret limit.
|
687
706
|
#
|
688
|
-
# * If your tagging schema
|
689
|
-
# resources, remember
|
690
|
-
# allowed characters. Generally allowed characters
|
691
|
-
#
|
692
|
-
#
|
707
|
+
# * If you use your tagging schema across multiple services and
|
708
|
+
# resources, remember other services might have restrictions on
|
709
|
+
# allowed characters. Generally allowed characters: letters, spaces,
|
710
|
+
# and numbers representable in UTF-8, plus the following special
|
711
|
+
# characters: + - = . \_ : / @.
|
693
712
|
#
|
694
713
|
#
|
695
714
|
#
|
@@ -753,8 +772,7 @@ module Aws::SecretsManager
|
|
753
772
|
req.send_request(options)
|
754
773
|
end
|
755
774
|
|
756
|
-
# Deletes the resource-based permission policy
|
757
|
-
# secret.
|
775
|
+
# Deletes the resource-based permission policy attached to the secret.
|
758
776
|
#
|
759
777
|
# **Minimum permissions**
|
760
778
|
#
|
@@ -789,7 +807,13 @@ module Aws::SecretsManager
|
|
789
807
|
# then those characters cause Secrets Manager to assume that you’re
|
790
808
|
# specifying a complete ARN. This confusion can cause unexpected
|
791
809
|
# results. To avoid this situation, we recommend that you don’t create
|
792
|
-
# secret names
|
810
|
+
# secret names ending with a hyphen followed by six characters.
|
811
|
+
#
|
812
|
+
# If you specify an incomplete ARN without the random suffix, and
|
813
|
+
# instead provide the 'friendly name', you *must* not include the
|
814
|
+
# random suffix. If you do include the random suffix added by Secrets
|
815
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
816
|
+
# *AccessDeniedException* error, depending on your permissions.
|
793
817
|
#
|
794
818
|
# </note>
|
795
819
|
#
|
@@ -892,7 +916,13 @@ module Aws::SecretsManager
|
|
892
916
|
# then those characters cause Secrets Manager to assume that you’re
|
893
917
|
# specifying a complete ARN. This confusion can cause unexpected
|
894
918
|
# results. To avoid this situation, we recommend that you don’t create
|
895
|
-
# secret names
|
919
|
+
# secret names ending with a hyphen followed by six characters.
|
920
|
+
#
|
921
|
+
# If you specify an incomplete ARN without the random suffix, and
|
922
|
+
# instead provide the 'friendly name', you *must* not include the
|
923
|
+
# random suffix. If you do include the random suffix added by Secrets
|
924
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
925
|
+
# *AccessDeniedException* error, depending on your permissions.
|
896
926
|
#
|
897
927
|
# </note>
|
898
928
|
#
|
@@ -970,8 +1000,8 @@ module Aws::SecretsManager
|
|
970
1000
|
end
|
971
1001
|
|
972
1002
|
# Retrieves the details of a secret. It does not include the encrypted
|
973
|
-
# fields.
|
974
|
-
#
|
1003
|
+
# fields. Secrets Manager only returns fields populated with a value in
|
1004
|
+
# the response.
|
975
1005
|
#
|
976
1006
|
# **Minimum permissions**
|
977
1007
|
#
|
@@ -1008,7 +1038,13 @@ module Aws::SecretsManager
|
|
1008
1038
|
# then those characters cause Secrets Manager to assume that you’re
|
1009
1039
|
# specifying a complete ARN. This confusion can cause unexpected
|
1010
1040
|
# results. To avoid this situation, we recommend that you don’t create
|
1011
|
-
# secret names
|
1041
|
+
# secret names ending with a hyphen followed by six characters.
|
1042
|
+
#
|
1043
|
+
# If you specify an incomplete ARN without the random suffix, and
|
1044
|
+
# instead provide the 'friendly name', you *must* not include the
|
1045
|
+
# random suffix. If you do include the random suffix added by Secrets
|
1046
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
1047
|
+
# *AccessDeniedException* error, depending on your permissions.
|
1012
1048
|
#
|
1013
1049
|
# </note>
|
1014
1050
|
#
|
@@ -1028,6 +1064,7 @@ module Aws::SecretsManager
|
|
1028
1064
|
# * {Types::DescribeSecretResponse#tags #tags} => Array<Types::Tag>
|
1029
1065
|
# * {Types::DescribeSecretResponse#version_ids_to_stages #version_ids_to_stages} => Hash<String,Array<String>>
|
1030
1066
|
# * {Types::DescribeSecretResponse#owning_service #owning_service} => String
|
1067
|
+
# * {Types::DescribeSecretResponse#created_date #created_date} => Time
|
1031
1068
|
#
|
1032
1069
|
#
|
1033
1070
|
# @example Example: To retrieve the details of a secret
|
@@ -1098,6 +1135,7 @@ module Aws::SecretsManager
|
|
1098
1135
|
# resp.version_ids_to_stages["SecretVersionIdType"] #=> Array
|
1099
1136
|
# resp.version_ids_to_stages["SecretVersionIdType"][0] #=> String
|
1100
1137
|
# resp.owning_service #=> String
|
1138
|
+
# resp.created_date #=> Time
|
1101
1139
|
#
|
1102
1140
|
# @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DescribeSecret AWS API Documentation
|
1103
1141
|
#
|
@@ -1216,11 +1254,10 @@ module Aws::SecretsManager
|
|
1216
1254
|
req.send_request(options)
|
1217
1255
|
end
|
1218
1256
|
|
1219
|
-
# Retrieves the JSON text of the resource-based policy document
|
1220
|
-
#
|
1221
|
-
#
|
1222
|
-
#
|
1223
|
-
# string.
|
1257
|
+
# Retrieves the JSON text of the resource-based policy document attached
|
1258
|
+
# to the specified secret. The JSON request string input and response
|
1259
|
+
# output displays formatted code with white space and line breaks for
|
1260
|
+
# better readability. Submit your input as a single line JSON string.
|
1224
1261
|
#
|
1225
1262
|
# **Minimum permissions**
|
1226
1263
|
#
|
@@ -1234,8 +1271,8 @@ module Aws::SecretsManager
|
|
1234
1271
|
#
|
1235
1272
|
# * To attach a resource policy to a secret, use PutResourcePolicy.
|
1236
1273
|
#
|
1237
|
-
# * To delete the resource-based policy
|
1238
|
-
#
|
1274
|
+
# * To delete the resource-based policy attached to a secret, use
|
1275
|
+
# DeleteResourcePolicy.
|
1239
1276
|
#
|
1240
1277
|
# * To list all of the currently available secrets, use ListSecrets.
|
1241
1278
|
#
|
@@ -1255,7 +1292,13 @@ module Aws::SecretsManager
|
|
1255
1292
|
# then those characters cause Secrets Manager to assume that you’re
|
1256
1293
|
# specifying a complete ARN. This confusion can cause unexpected
|
1257
1294
|
# results. To avoid this situation, we recommend that you don’t create
|
1258
|
-
# secret names
|
1295
|
+
# secret names ending with a hyphen followed by six characters.
|
1296
|
+
#
|
1297
|
+
# If you specify an incomplete ARN without the random suffix, and
|
1298
|
+
# instead provide the 'friendly name', you *must* not include the
|
1299
|
+
# random suffix. If you do include the random suffix added by Secrets
|
1300
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
1301
|
+
# *AccessDeniedException* error, depending on your permissions.
|
1259
1302
|
#
|
1260
1303
|
# </note>
|
1261
1304
|
#
|
@@ -1340,7 +1383,13 @@ module Aws::SecretsManager
|
|
1340
1383
|
# then those characters cause Secrets Manager to assume that you’re
|
1341
1384
|
# specifying a complete ARN. This confusion can cause unexpected
|
1342
1385
|
# results. To avoid this situation, we recommend that you don’t create
|
1343
|
-
# secret names
|
1386
|
+
# secret names ending with a hyphen followed by six characters.
|
1387
|
+
#
|
1388
|
+
# If you specify an incomplete ARN without the random suffix, and
|
1389
|
+
# instead provide the 'friendly name', you *must* not include the
|
1390
|
+
# random suffix. If you do include the random suffix added by Secrets
|
1391
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
1392
|
+
# *AccessDeniedException* error, depending on your permissions.
|
1344
1393
|
#
|
1345
1394
|
# </note>
|
1346
1395
|
#
|
@@ -1437,8 +1486,8 @@ module Aws::SecretsManager
|
|
1437
1486
|
#
|
1438
1487
|
# <note markdown="1"> Always check the `NextToken` response parameter when calling any of
|
1439
1488
|
# the `List*` operations. These operations can occasionally return an
|
1440
|
-
# empty or shorter than expected list of results even when there
|
1441
|
-
#
|
1489
|
+
# empty or shorter than expected list of results even when there more
|
1490
|
+
# results become available. When this happens, the `NextToken` response
|
1442
1491
|
# parameter contains a value to pass to the next call to the same API to
|
1443
1492
|
# request the next part of the list.
|
1444
1493
|
#
|
@@ -1474,28 +1523,34 @@ module Aws::SecretsManager
|
|
1474
1523
|
# then those characters cause Secrets Manager to assume that you’re
|
1475
1524
|
# specifying a complete ARN. This confusion can cause unexpected
|
1476
1525
|
# results. To avoid this situation, we recommend that you don’t create
|
1477
|
-
# secret names
|
1526
|
+
# secret names ending with a hyphen followed by six characters.
|
1527
|
+
#
|
1528
|
+
# If you specify an incomplete ARN without the random suffix, and
|
1529
|
+
# instead provide the 'friendly name', you *must* not include the
|
1530
|
+
# random suffix. If you do include the random suffix added by Secrets
|
1531
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
1532
|
+
# *AccessDeniedException* error, depending on your permissions.
|
1478
1533
|
#
|
1479
1534
|
# </note>
|
1480
1535
|
#
|
1481
1536
|
# @option params [Integer] :max_results
|
1482
|
-
# (Optional) Limits the number of results
|
1483
|
-
#
|
1484
|
-
#
|
1485
|
-
#
|
1486
|
-
#
|
1487
|
-
#
|
1488
|
-
#
|
1489
|
-
#
|
1490
|
-
#
|
1491
|
-
#
|
1537
|
+
# (Optional) Limits the number of results you want to include in the
|
1538
|
+
# response. If you don't include this parameter, it defaults to a value
|
1539
|
+
# that's specific to the operation. If additional items exist beyond
|
1540
|
+
# the maximum you specify, the `NextToken` response element is present
|
1541
|
+
# and has a value (isn't null). Include that value as the `NextToken`
|
1542
|
+
# request parameter in the next call to the operation to get the next
|
1543
|
+
# part of the results. Note that Secrets Manager might return fewer
|
1544
|
+
# results than the maximum even when there are more results available.
|
1545
|
+
# You should check `NextToken` after every operation to ensure that you
|
1546
|
+
# receive all of the results.
|
1492
1547
|
#
|
1493
1548
|
# @option params [String] :next_token
|
1494
1549
|
# (Optional) Use this parameter in a request if you receive a
|
1495
|
-
# `NextToken` response in a previous request
|
1496
|
-
#
|
1497
|
-
#
|
1498
|
-
#
|
1550
|
+
# `NextToken` response in a previous request indicating there's more
|
1551
|
+
# output available. In a subsequent call, set it to the value of the
|
1552
|
+
# previous call `NextToken` response to indicate where the output should
|
1553
|
+
# continue from.
|
1499
1554
|
#
|
1500
1555
|
# @option params [Boolean] :include_deprecated
|
1501
1556
|
# (Optional) Specifies that you want the results to include versions
|
@@ -1587,8 +1642,8 @@ module Aws::SecretsManager
|
|
1587
1642
|
#
|
1588
1643
|
# <note markdown="1"> Always check the `NextToken` response parameter when calling any of
|
1589
1644
|
# the `List*` operations. These operations can occasionally return an
|
1590
|
-
# empty or shorter than expected list of results even when there
|
1591
|
-
#
|
1645
|
+
# empty or shorter than expected list of results even when there more
|
1646
|
+
# results become available. When this happens, the `NextToken` response
|
1592
1647
|
# parameter contains a value to pass to the next call to the same API to
|
1593
1648
|
# request the next part of the list.
|
1594
1649
|
#
|
@@ -1609,23 +1664,29 @@ module Aws::SecretsManager
|
|
1609
1664
|
# ^
|
1610
1665
|
#
|
1611
1666
|
# @option params [Integer] :max_results
|
1612
|
-
# (Optional) Limits the number of results
|
1613
|
-
#
|
1614
|
-
#
|
1615
|
-
#
|
1616
|
-
#
|
1617
|
-
#
|
1618
|
-
#
|
1619
|
-
#
|
1620
|
-
#
|
1621
|
-
#
|
1667
|
+
# (Optional) Limits the number of results you want to include in the
|
1668
|
+
# response. If you don't include this parameter, it defaults to a value
|
1669
|
+
# that's specific to the operation. If additional items exist beyond
|
1670
|
+
# the maximum you specify, the `NextToken` response element is present
|
1671
|
+
# and has a value (isn't null). Include that value as the `NextToken`
|
1672
|
+
# request parameter in the next call to the operation to get the next
|
1673
|
+
# part of the results. Note that Secrets Manager might return fewer
|
1674
|
+
# results than the maximum even when there are more results available.
|
1675
|
+
# You should check `NextToken` after every operation to ensure that you
|
1676
|
+
# receive all of the results.
|
1622
1677
|
#
|
1623
1678
|
# @option params [String] :next_token
|
1624
1679
|
# (Optional) Use this parameter in a request if you receive a
|
1625
|
-
# `NextToken` response in a previous request
|
1626
|
-
#
|
1627
|
-
#
|
1628
|
-
#
|
1680
|
+
# `NextToken` response in a previous request indicating there's more
|
1681
|
+
# output available. In a subsequent call, set it to the value of the
|
1682
|
+
# previous call `NextToken` response to indicate where the output should
|
1683
|
+
# continue from.
|
1684
|
+
#
|
1685
|
+
# @option params [Array<Types::Filter>] :filters
|
1686
|
+
# Lists the secret request filters.
|
1687
|
+
#
|
1688
|
+
# @option params [String] :sort_order
|
1689
|
+
# Lists secrets in the requested order.
|
1629
1690
|
#
|
1630
1691
|
# @return [Types::ListSecretsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1631
1692
|
#
|
@@ -1675,6 +1736,13 @@ module Aws::SecretsManager
|
|
1675
1736
|
# resp = client.list_secrets({
|
1676
1737
|
# max_results: 1,
|
1677
1738
|
# next_token: "NextTokenType",
|
1739
|
+
# filters: [
|
1740
|
+
# {
|
1741
|
+
# key: "description", # accepts description, name, tag-key, tag-value, all
|
1742
|
+
# values: ["FilterValueStringType"],
|
1743
|
+
# },
|
1744
|
+
# ],
|
1745
|
+
# sort_order: "asc", # accepts asc, desc
|
1678
1746
|
# })
|
1679
1747
|
#
|
1680
1748
|
# @example Response structure
|
@@ -1698,6 +1766,7 @@ module Aws::SecretsManager
|
|
1698
1766
|
# resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"] #=> Array
|
1699
1767
|
# resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"][0] #=> String
|
1700
1768
|
# resp.secret_list[0].owning_service #=> String
|
1769
|
+
# resp.secret_list[0].created_date #=> Time
|
1701
1770
|
# resp.next_token #=> String
|
1702
1771
|
#
|
1703
1772
|
# @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecrets AWS API Documentation
|
@@ -1731,7 +1800,7 @@ module Aws::SecretsManager
|
|
1731
1800
|
#
|
1732
1801
|
# **Related operations**
|
1733
1802
|
#
|
1734
|
-
# * To retrieve the resource policy
|
1803
|
+
# * To retrieve the resource policy attached to a secret, use
|
1735
1804
|
# GetResourcePolicy.
|
1736
1805
|
#
|
1737
1806
|
# * To delete the resource-based policy that's attached to a secret,
|
@@ -1759,7 +1828,13 @@ module Aws::SecretsManager
|
|
1759
1828
|
# then those characters cause Secrets Manager to assume that you’re
|
1760
1829
|
# specifying a complete ARN. This confusion can cause unexpected
|
1761
1830
|
# results. To avoid this situation, we recommend that you don’t create
|
1762
|
-
# secret names
|
1831
|
+
# secret names ending with a hyphen followed by six characters.
|
1832
|
+
#
|
1833
|
+
# If you specify an incomplete ARN without the random suffix, and
|
1834
|
+
# instead provide the 'friendly name', you *must* not include the
|
1835
|
+
# random suffix. If you do include the random suffix added by Secrets
|
1836
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
1837
|
+
# *AccessDeniedException* error, depending on your permissions.
|
1763
1838
|
#
|
1764
1839
|
# </note>
|
1765
1840
|
#
|
@@ -1775,6 +1850,10 @@ module Aws::SecretsManager
|
|
1775
1850
|
#
|
1776
1851
|
# [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
|
1777
1852
|
#
|
1853
|
+
# @option params [Boolean] :block_public_policy
|
1854
|
+
# Makes an optional API call to Zelkova to validate the Resource Policy
|
1855
|
+
# to prevent broad access to your secret.
|
1856
|
+
#
|
1778
1857
|
# @return [Types::PutResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1779
1858
|
#
|
1780
1859
|
# * {Types::PutResourcePolicyResponse#arn #arn} => String
|
@@ -1801,6 +1880,7 @@ module Aws::SecretsManager
|
|
1801
1880
|
# resp = client.put_resource_policy({
|
1802
1881
|
# secret_id: "SecretIdType", # required
|
1803
1882
|
# resource_policy: "NonEmptyResourcePolicyType", # required
|
1883
|
+
# block_public_policy: false,
|
1804
1884
|
# })
|
1805
1885
|
#
|
1806
1886
|
# @example Response structure
|
@@ -1850,29 +1930,29 @@ module Aws::SecretsManager
|
|
1850
1930
|
# operation fails because you cannot modify an existing version; you
|
1851
1931
|
# can only create new ones.
|
1852
1932
|
#
|
1853
|
-
# <note markdown="1"> * If you call an operation
|
1854
|
-
# `
|
1855
|
-
#
|
1856
|
-
#
|
1857
|
-
#
|
1858
|
-
#
|
1859
|
-
#
|
1860
|
-
#
|
1861
|
-
#
|
1862
|
-
#
|
1863
|
-
#
|
1864
|
-
#
|
1865
|
-
# * If the secret
|
1866
|
-
# calling an API that requires encryption or decryption of
|
1867
|
-
# value then you must create and use a custom AWS KMS CMK
|
1868
|
-
# can't access the default CMK for the account using
|
1869
|
-
# a different AWS account. Store the ARN of the CMK
|
1870
|
-
# you create the secret or when you update it by
|
1871
|
-
# `KMSKeyId`. If you call an API that must encrypt
|
1872
|
-
# `SecretString` or `SecretBinary` using credentials from a
|
1873
|
-
# account then the AWS KMS key policy must grant
|
1874
|
-
# to that other account's user or role for both
|
1875
|
-
# kms:GenerateDataKey and kms:Decrypt operations.
|
1933
|
+
# <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
|
1934
|
+
# `SecretBinary` for a secret in the same account as the calling user
|
1935
|
+
# and that secret doesn't specify a AWS KMS encryption key, Secrets
|
1936
|
+
# Manager uses the account's default AWS managed customer master key
|
1937
|
+
# (CMK) with the alias `aws/secretsmanager`. If this key doesn't
|
1938
|
+
# already exist in your account then Secrets Manager creates it for
|
1939
|
+
# you automatically. All users and roles in the same AWS account
|
1940
|
+
# automatically have access to use the default CMK. Note that if an
|
1941
|
+
# Secrets Manager API call results in AWS creating the account's
|
1942
|
+
# AWS-managed CMK, it can result in a one-time significant delay in
|
1943
|
+
# returning the result.
|
1944
|
+
#
|
1945
|
+
# * If the secret resides in a different AWS account from the
|
1946
|
+
# credentials calling an API that requires encryption or decryption of
|
1947
|
+
# the secret value then you must create and use a custom AWS KMS CMK
|
1948
|
+
# because you can't access the default CMK for the account using
|
1949
|
+
# credentials from a different AWS account. Store the ARN of the CMK
|
1950
|
+
# in the secret when you create the secret or when you update it by
|
1951
|
+
# including it in the `KMSKeyId`. If you call an API that must encrypt
|
1952
|
+
# or decrypt `SecretString` or `SecretBinary` using credentials from a
|
1953
|
+
# different account then the AWS KMS key policy must grant
|
1954
|
+
# cross-account access to that other account's user or role for both
|
1955
|
+
# the kms:GenerateDataKey and kms:Decrypt operations.
|
1876
1956
|
#
|
1877
1957
|
# </note>
|
1878
1958
|
#
|
@@ -1913,7 +1993,13 @@ module Aws::SecretsManager
|
|
1913
1993
|
# then those characters cause Secrets Manager to assume that you’re
|
1914
1994
|
# specifying a complete ARN. This confusion can cause unexpected
|
1915
1995
|
# results. To avoid this situation, we recommend that you don’t create
|
1916
|
-
# secret names
|
1996
|
+
# secret names ending with a hyphen followed by six characters.
|
1997
|
+
#
|
1998
|
+
# If you specify an incomplete ARN without the random suffix, and
|
1999
|
+
# instead provide the 'friendly name', you *must* not include the
|
2000
|
+
# random suffix. If you do include the random suffix added by Secrets
|
2001
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
2002
|
+
# *AccessDeniedException* error, depending on your permissions.
|
1917
2003
|
#
|
1918
2004
|
# </note>
|
1919
2005
|
#
|
@@ -1944,7 +2030,7 @@ module Aws::SecretsManager
|
|
1944
2030
|
# `SecretString` or `SecretBinary` values are the same as those in the
|
1945
2031
|
# request then the request is ignored (the operation is idempotent).
|
1946
2032
|
#
|
1947
|
-
# * If a version with this value already exists and
|
2033
|
+
# * If a version with this value already exists and the version of the
|
1948
2034
|
# `SecretString` and `SecretBinary` values are different from those in
|
1949
2035
|
# the request then the request fails because you cannot modify an
|
1950
2036
|
# existing secret version. You can only create new versions to store
|
@@ -1959,7 +2045,7 @@ module Aws::SecretsManager
|
|
1959
2045
|
#
|
1960
2046
|
# [1]: https://wikipedia.org/wiki/Universally_unique_identifier
|
1961
2047
|
#
|
1962
|
-
# @option params [String,
|
2048
|
+
# @option params [String, StringIO, File] :secret_binary
|
1963
2049
|
# (Optional) Specifies binary data that you want to encrypt and store in
|
1964
2050
|
# the new version of the secret. To use this parameter in the
|
1965
2051
|
# command-line tools, we recommend that you store your binary data in a
|
@@ -2106,7 +2192,13 @@ module Aws::SecretsManager
|
|
2106
2192
|
# then those characters cause Secrets Manager to assume that you’re
|
2107
2193
|
# specifying a complete ARN. This confusion can cause unexpected
|
2108
2194
|
# results. To avoid this situation, we recommend that you don’t create
|
2109
|
-
# secret names
|
2195
|
+
# secret names ending with a hyphen followed by six characters.
|
2196
|
+
#
|
2197
|
+
# If you specify an incomplete ARN without the random suffix, and
|
2198
|
+
# instead provide the 'friendly name', you *must* not include the
|
2199
|
+
# random suffix. If you do include the random suffix added by Secrets
|
2200
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
2201
|
+
# *AccessDeniedException* error, depending on your permissions.
|
2110
2202
|
#
|
2111
2203
|
# </note>
|
2112
2204
|
#
|
@@ -2169,8 +2261,8 @@ module Aws::SecretsManager
|
|
2169
2261
|
# for your protected service, see [Rotating Secrets in AWS Secrets
|
2170
2262
|
# Manager][1] in the *AWS Secrets Manager User Guide*.
|
2171
2263
|
#
|
2172
|
-
# Secrets Manager schedules the next rotation when the previous one
|
2173
|
-
#
|
2264
|
+
# Secrets Manager schedules the next rotation when the previous one
|
2265
|
+
# completes. Secrets Manager schedules the date by adding the rotation
|
2174
2266
|
# interval (number of days) to the actual date of the last rotation. The
|
2175
2267
|
# service chooses the hour within that 24-hour date window randomly. The
|
2176
2268
|
# minute is also chosen somewhat randomly, but weighted towards the top
|
@@ -2186,9 +2278,9 @@ module Aws::SecretsManager
|
|
2186
2278
|
# * The `AWSPENDING` staging label is not attached to any version of the
|
2187
2279
|
# secret.
|
2188
2280
|
#
|
2189
|
-
# If
|
2190
|
-
#
|
2191
|
-
#
|
2281
|
+
# If the `AWSPENDING` staging label is present but not attached to the
|
2282
|
+
# same version as `AWSCURRENT` then any later invocation of
|
2283
|
+
# `RotateSecret` assumes that a previous rotation request is still in
|
2192
2284
|
# progress and returns an error.
|
2193
2285
|
#
|
2194
2286
|
# **Minimum permissions**
|
@@ -2230,7 +2322,13 @@ module Aws::SecretsManager
|
|
2230
2322
|
# then those characters cause Secrets Manager to assume that you’re
|
2231
2323
|
# specifying a complete ARN. This confusion can cause unexpected
|
2232
2324
|
# results. To avoid this situation, we recommend that you don’t create
|
2233
|
-
# secret names
|
2325
|
+
# secret names ending with a hyphen followed by six characters.
|
2326
|
+
#
|
2327
|
+
# If you specify an incomplete ARN without the random suffix, and
|
2328
|
+
# instead provide the 'friendly name', you *must* not include the
|
2329
|
+
# random suffix. If you do include the random suffix added by Secrets
|
2330
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
2331
|
+
# *AccessDeniedException* error, depending on your permissions.
|
2234
2332
|
#
|
2235
2333
|
# </note>
|
2236
2334
|
#
|
@@ -2246,8 +2344,8 @@ module Aws::SecretsManager
|
|
2246
2344
|
# generate a `ClientRequestToken` yourself for new versions and include
|
2247
2345
|
# that value in the request.
|
2248
2346
|
#
|
2249
|
-
# You only need to specify your own value if you
|
2250
|
-
#
|
2347
|
+
# You only need to specify your own value if you implement your own
|
2348
|
+
# retry logic and want to ensure that a given secret is not created
|
2251
2349
|
# twice. We recommend that you generate a [UUID-type][1] value to ensure
|
2252
2350
|
# uniqueness within the specified secret.
|
2253
2351
|
#
|
@@ -2318,16 +2416,16 @@ module Aws::SecretsManager
|
|
2318
2416
|
#
|
2319
2417
|
# * Tag keys and values are case sensitive.
|
2320
2418
|
#
|
2321
|
-
# * Do not use the `aws:` prefix in your tag names or values because
|
2322
|
-
#
|
2419
|
+
# * Do not use the `aws:` prefix in your tag names or values because AWS
|
2420
|
+
# reserves it for AWS use. You can't edit or delete tag names or
|
2323
2421
|
# values with this prefix. Tags with this prefix do not count against
|
2324
2422
|
# your tags per secret limit.
|
2325
2423
|
#
|
2326
|
-
# * If your tagging schema
|
2327
|
-
# resources, remember
|
2328
|
-
# allowed characters. Generally allowed characters
|
2329
|
-
#
|
2330
|
-
#
|
2424
|
+
# * If you use your tagging schema across multiple services and
|
2425
|
+
# resources, remember other services might have restrictions on
|
2426
|
+
# allowed characters. Generally allowed characters: letters, spaces,
|
2427
|
+
# and numbers representable in UTF-8, plus the following special
|
2428
|
+
# characters: + - = . \_ : / @.
|
2331
2429
|
#
|
2332
2430
|
# If you use tags as part of your security strategy, then adding or
|
2333
2431
|
# removing a tag can change permissions. If successfully completing this
|
@@ -2365,7 +2463,13 @@ module Aws::SecretsManager
|
|
2365
2463
|
# then those characters cause Secrets Manager to assume that you’re
|
2366
2464
|
# specifying a complete ARN. This confusion can cause unexpected
|
2367
2465
|
# results. To avoid this situation, we recommend that you don’t create
|
2368
|
-
# secret names
|
2466
|
+
# secret names ending with a hyphen followed by six characters.
|
2467
|
+
#
|
2468
|
+
# If you specify an incomplete ARN without the random suffix, and
|
2469
|
+
# instead provide the 'friendly name', you *must* not include the
|
2470
|
+
# random suffix. If you do include the random suffix added by Secrets
|
2471
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
2472
|
+
# *AccessDeniedException* error, depending on your permissions.
|
2369
2473
|
#
|
2370
2474
|
# </note>
|
2371
2475
|
#
|
@@ -2467,7 +2571,13 @@ module Aws::SecretsManager
|
|
2467
2571
|
# then those characters cause Secrets Manager to assume that you’re
|
2468
2572
|
# specifying a complete ARN. This confusion can cause unexpected
|
2469
2573
|
# results. To avoid this situation, we recommend that you don’t create
|
2470
|
-
# secret names
|
2574
|
+
# secret names ending with a hyphen followed by six characters.
|
2575
|
+
#
|
2576
|
+
# If you specify an incomplete ARN without the random suffix, and
|
2577
|
+
# instead provide the 'friendly name', you *must* not include the
|
2578
|
+
# random suffix. If you do include the random suffix added by Secrets
|
2579
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
2580
|
+
# *AccessDeniedException* error, depending on your permissions.
|
2471
2581
|
#
|
2472
2582
|
# </note>
|
2473
2583
|
#
|
@@ -2539,29 +2649,29 @@ module Aws::SecretsManager
|
|
2539
2649
|
# secret version, Secrets Manager automatically attaches the staging
|
2540
2650
|
# label `AWSCURRENT` to the new version.
|
2541
2651
|
#
|
2542
|
-
# <note markdown="1"> * If you call an operation
|
2543
|
-
# `
|
2544
|
-
#
|
2545
|
-
#
|
2546
|
-
#
|
2547
|
-
#
|
2548
|
-
#
|
2549
|
-
#
|
2550
|
-
#
|
2551
|
-
#
|
2552
|
-
#
|
2553
|
-
#
|
2554
|
-
# * If the secret
|
2555
|
-
# calling an API that requires encryption or decryption of
|
2556
|
-
# value then you must create and use a custom AWS KMS CMK
|
2557
|
-
# can't access the default CMK for the account using
|
2558
|
-
# a different AWS account. Store the ARN of the CMK
|
2559
|
-
# you create the secret or when you update it by
|
2560
|
-
# `KMSKeyId`. If you call an API that must encrypt
|
2561
|
-
# `SecretString` or `SecretBinary` using credentials from a
|
2562
|
-
# account then the AWS KMS key policy must grant
|
2563
|
-
# to that other account's user or role for both
|
2564
|
-
# kms:GenerateDataKey and kms:Decrypt operations.
|
2652
|
+
# <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
|
2653
|
+
# `SecretBinary` for a secret in the same account as the calling user
|
2654
|
+
# and that secret doesn't specify a AWS KMS encryption key, Secrets
|
2655
|
+
# Manager uses the account's default AWS managed customer master key
|
2656
|
+
# (CMK) with the alias `aws/secretsmanager`. If this key doesn't
|
2657
|
+
# already exist in your account then Secrets Manager creates it for
|
2658
|
+
# you automatically. All users and roles in the same AWS account
|
2659
|
+
# automatically have access to use the default CMK. Note that if an
|
2660
|
+
# Secrets Manager API call results in AWS creating the account's
|
2661
|
+
# AWS-managed CMK, it can result in a one-time significant delay in
|
2662
|
+
# returning the result.
|
2663
|
+
#
|
2664
|
+
# * If the secret resides in a different AWS account from the
|
2665
|
+
# credentials calling an API that requires encryption or decryption of
|
2666
|
+
# the secret value then you must create and use a custom AWS KMS CMK
|
2667
|
+
# because you can't access the default CMK for the account using
|
2668
|
+
# credentials from a different AWS account. Store the ARN of the CMK
|
2669
|
+
# in the secret when you create the secret or when you update it by
|
2670
|
+
# including it in the `KMSKeyId`. If you call an API that must encrypt
|
2671
|
+
# or decrypt `SecretString` or `SecretBinary` using credentials from a
|
2672
|
+
# different account then the AWS KMS key policy must grant
|
2673
|
+
# cross-account access to that other account's user or role for both
|
2674
|
+
# the kms:GenerateDataKey and kms:Decrypt operations.
|
2565
2675
|
#
|
2566
2676
|
# </note>
|
2567
2677
|
#
|
@@ -2606,7 +2716,13 @@ module Aws::SecretsManager
|
|
2606
2716
|
# then those characters cause Secrets Manager to assume that you’re
|
2607
2717
|
# specifying a complete ARN. This confusion can cause unexpected
|
2608
2718
|
# results. To avoid this situation, we recommend that you don’t create
|
2609
|
-
# secret names
|
2719
|
+
# secret names ending with a hyphen followed by six characters.
|
2720
|
+
#
|
2721
|
+
# If you specify an incomplete ARN without the random suffix, and
|
2722
|
+
# instead provide the 'friendly name', you *must* not include the
|
2723
|
+
# random suffix. If you do include the random suffix added by Secrets
|
2724
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
2725
|
+
# *AccessDeniedException* error, depending on your permissions.
|
2610
2726
|
#
|
2611
2727
|
# </note>
|
2612
2728
|
#
|
@@ -2670,7 +2786,7 @@ module Aws::SecretsManager
|
|
2670
2786
|
# field. The user making the call must have permissions to both the
|
2671
2787
|
# secret and the CMK in their respective accounts.
|
2672
2788
|
#
|
2673
|
-
# @option params [String,
|
2789
|
+
# @option params [String, StringIO, File] :secret_binary
|
2674
2790
|
# (Optional) Specifies updated binary data that you want to encrypt and
|
2675
2791
|
# store in the new version of the secret. To use this parameter in the
|
2676
2792
|
# command-line tools, we recommend that you store your binary data in a
|
@@ -2843,9 +2959,9 @@ module Aws::SecretsManager
|
|
2843
2959
|
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/terms-concepts.html#term_staging-label
|
2844
2960
|
#
|
2845
2961
|
# @option params [required, String] :secret_id
|
2846
|
-
# Specifies the secret with the version
|
2847
|
-
# want to modify. You can specify either the Amazon Resource Name
|
2848
|
-
# or the friendly name of the secret.
|
2962
|
+
# Specifies the secret with the version with the list of staging labels
|
2963
|
+
# you want to modify. You can specify either the Amazon Resource Name
|
2964
|
+
# (ARN) or the friendly name of the secret.
|
2849
2965
|
#
|
2850
2966
|
# <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
|
2851
2967
|
# complete ARN. You can specify a partial ARN too—for example, if you
|
@@ -2858,7 +2974,13 @@ module Aws::SecretsManager
|
|
2858
2974
|
# then those characters cause Secrets Manager to assume that you’re
|
2859
2975
|
# specifying a complete ARN. This confusion can cause unexpected
|
2860
2976
|
# results. To avoid this situation, we recommend that you don’t create
|
2861
|
-
# secret names
|
2977
|
+
# secret names ending with a hyphen followed by six characters.
|
2978
|
+
#
|
2979
|
+
# If you specify an incomplete ARN without the random suffix, and
|
2980
|
+
# instead provide the 'friendly name', you *must* not include the
|
2981
|
+
# random suffix. If you do include the random suffix added by Secrets
|
2982
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
2983
|
+
# *AccessDeniedException* error, depending on your permissions.
|
2862
2984
|
#
|
2863
2985
|
# </note>
|
2864
2986
|
#
|
@@ -2876,7 +2998,7 @@ module Aws::SecretsManager
|
|
2876
2998
|
#
|
2877
2999
|
# @option params [String] :move_to_version_id
|
2878
3000
|
# (Optional) The secret version ID that you want to add the staging
|
2879
|
-
# label
|
3001
|
+
# label. If you want to remove a label from a version, then do not
|
2880
3002
|
# specify this parameter.
|
2881
3003
|
#
|
2882
3004
|
# If the staging label is already attached to a different version of the
|
@@ -2966,6 +3088,86 @@ module Aws::SecretsManager
|
|
2966
3088
|
req.send_request(options)
|
2967
3089
|
end
|
2968
3090
|
|
3091
|
+
# Validates the JSON text of the resource-based policy document attached
|
3092
|
+
# to the specified secret. The JSON request string input and response
|
3093
|
+
# output displays formatted code with white space and line breaks for
|
3094
|
+
# better readability. Submit your input as a single line JSON string. A
|
3095
|
+
# resource-based policy is optional.
|
3096
|
+
#
|
3097
|
+
# @option params [String] :secret_id
|
3098
|
+
# The identifier for the secret that you want to validate a resource
|
3099
|
+
# policy. You can specify either the Amazon Resource Name (ARN) or the
|
3100
|
+
# friendly name of the secret.
|
3101
|
+
#
|
3102
|
+
# <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
|
3103
|
+
# complete ARN. You can specify a partial ARN too—for example, if you
|
3104
|
+
# don’t include the final hyphen and six random characters that Secrets
|
3105
|
+
# Manager adds at the end of the ARN when you created the secret. A
|
3106
|
+
# partial ARN match can work as long as it uniquely matches only one
|
3107
|
+
# secret. However, if your secret has a name that ends in a hyphen
|
3108
|
+
# followed by six characters (before Secrets Manager adds the hyphen and
|
3109
|
+
# six characters to the ARN) and you try to use that as a partial ARN,
|
3110
|
+
# then those characters cause Secrets Manager to assume that you’re
|
3111
|
+
# specifying a complete ARN. This confusion can cause unexpected
|
3112
|
+
# results. To avoid this situation, we recommend that you don’t create
|
3113
|
+
# secret names ending with a hyphen followed by six characters.
|
3114
|
+
#
|
3115
|
+
# If you specify an incomplete ARN without the random suffix, and
|
3116
|
+
# instead provide the 'friendly name', you *must* not include the
|
3117
|
+
# random suffix. If you do include the random suffix added by Secrets
|
3118
|
+
# Manager, you receive either a *ResourceNotFoundException* or an
|
3119
|
+
# *AccessDeniedException* error, depending on your permissions.
|
3120
|
+
#
|
3121
|
+
# </note>
|
3122
|
+
#
|
3123
|
+
# @option params [required, String] :resource_policy
|
3124
|
+
# Identifies the Resource Policy attached to the secret.
|
3125
|
+
#
|
3126
|
+
# @return [Types::ValidateResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
3127
|
+
#
|
3128
|
+
# * {Types::ValidateResourcePolicyResponse#policy_validation_passed #policy_validation_passed} => Boolean
|
3129
|
+
# * {Types::ValidateResourcePolicyResponse#validation_errors #validation_errors} => Array<Types::ValidationErrorsEntry>
|
3130
|
+
#
|
3131
|
+
#
|
3132
|
+
# @example Example: To validate a resource-based policy to a secret
|
3133
|
+
#
|
3134
|
+
# # The following example shows how to validate a resource-based policy to a secret.
|
3135
|
+
#
|
3136
|
+
# resp = client.validate_resource_policy({
|
3137
|
+
# resource_policy: "{\n\"Version\":\"2012-10-17\",\n\"Statement\":[{\n\"Effect\":\"Allow\",\n\"Principal\":{\n\"AWS\":\"arn:aws:iam::123456789012:root\"\n},\n\"Action\":\"secretsmanager:GetSecretValue\",\n\"Resource\":\"*\"\n}]\n}",
|
3138
|
+
# secret_id: "MyTestDatabaseSecret",
|
3139
|
+
# })
|
3140
|
+
#
|
3141
|
+
# resp.to_h outputs the following:
|
3142
|
+
# {
|
3143
|
+
# policy_validation_passed: true,
|
3144
|
+
# validation_errors: [
|
3145
|
+
# ],
|
3146
|
+
# }
|
3147
|
+
#
|
3148
|
+
# @example Request syntax with placeholder values
|
3149
|
+
#
|
3150
|
+
# resp = client.validate_resource_policy({
|
3151
|
+
# secret_id: "SecretIdType",
|
3152
|
+
# resource_policy: "NonEmptyResourcePolicyType", # required
|
3153
|
+
# })
|
3154
|
+
#
|
3155
|
+
# @example Response structure
|
3156
|
+
#
|
3157
|
+
# resp.policy_validation_passed #=> Boolean
|
3158
|
+
# resp.validation_errors #=> Array
|
3159
|
+
# resp.validation_errors[0].check_name #=> String
|
3160
|
+
# resp.validation_errors[0].error_message #=> String
|
3161
|
+
#
|
3162
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ValidateResourcePolicy AWS API Documentation
|
3163
|
+
#
|
3164
|
+
# @overload validate_resource_policy(params = {})
|
3165
|
+
# @param [Hash] params ({})
|
3166
|
+
def validate_resource_policy(params = {}, options = {})
|
3167
|
+
req = build_request(:validate_resource_policy, params)
|
3168
|
+
req.send_request(options)
|
3169
|
+
end
|
3170
|
+
|
2969
3171
|
# @!endgroup
|
2970
3172
|
|
2971
3173
|
# @param params ({})
|
@@ -2979,7 +3181,7 @@ module Aws::SecretsManager
|
|
2979
3181
|
params: params,
|
2980
3182
|
config: config)
|
2981
3183
|
context[:gem_name] = 'aws-sdk-secretsmanager'
|
2982
|
-
context[:gem_version] = '1.
|
3184
|
+
context[:gem_version] = '1.43.0'
|
2983
3185
|
Seahorse::Client::Request.new(handlers, context)
|
2984
3186
|
end
|
2985
3187
|
|