aws-sdk-secretsmanager 1.39.0 → 1.44.0

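--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 44bb4b64972ae334b89344496c8cc19f8461f48430c247c81e58ee5284cd893e
- data.tar.gz: 370c660e0f424b226387f19977cb059f69cf7d0ae30e61ab68fa04f869a44970
+ metadata.gz: f6c6bad2a4b036843ccfb62a2cea8ff975b750c8cd56766f0d65725a94b46973
+ data.tar.gz: c02d2eec7eae4d148ad53d3ac38d9a1b0ad3838750970ab6e550ad7283fdd1e5
  SHA512:
- metadata.gz: 4cfb45a25f1344a5574fdbc56f9c3c2755911b5a46cd8971272b2f81949c9a62cef807bb3ee14b3cffdb4ee4a05199fc791f992ca63664f7e7cf658edfe1efab
- data.tar.gz: 6fb8eced24d860e5f2e38ab2101d10652d825cb8d97e2f511184fe507ce464065b37af8a787787cf8c5b3d153871520b4106b513c053415341763b2c40147efc
+ metadata.gz: 473a87bcc8e159d67c76f2a52ac189490c145e5397d6f7c6ea434dd43373364bd71c5f03b36bf78a15ddccd2090533b96f935fbd6eccaf480ad891b623367bb3
+ data.tar.gz: 2589fc010c099183aacc676f7844b3bdcd412769f614b1ab3eb5359368585c6c877efb8640798335ff5a9ad0d9fa08739c8a50e8e8ee037678d20af22e7947d5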
@@ -7,6 +7,7 @@
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
10
+
10
11
  require 'aws-sdk-core'
11
12
  require 'aws-sigv4'
12
13
 
@@ -44,9 +45,9 @@ require_relative 'aws-sdk-secretsmanager/customizations'
44
45
  #
45
46
  # See {Errors} for more information.
46
47
  #
47
- # @service
48
+ # @!group service
48
49
  module Aws::SecretsManager
49
50
 
50
- GEM_VERSION = '1.39.0'
51
+ GEM_VERSION = '1.44.0'
51
52
 
52
53
  end
@@ -85,13 +85,28 @@ module Aws::SecretsManager
85
85
  # * `Aws::Credentials` - Used for configuring static, non-refreshing
86
86
  # credentials.
87
87
  #
88
+ # * `Aws::SharedCredentials` - Used for loading static credentials from a
89
+ # shared file, such as `~/.aws/config`.
90
+ #
91
+ # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
92
+ #
93
+ # * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
94
+ # assume a role after providing credentials via the web.
95
+ #
96
+ # * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
97
+ # access token generated from `aws login`.
98
+ #
99
+ # * `Aws::ProcessCredentials` - Used for loading credentials from a
100
+ # process that outputs to stdout.
101
+ #
88
102
  # * `Aws::InstanceProfileCredentials` - Used for loading credentials
89
103
  # from an EC2 IMDS on an EC2 instance.
90
104
  #
91
- # * `Aws::SharedCredentials` - Used for loading credentials from a
92
- # shared file, such as `~/.aws/config`.
105
+ # * `Aws::ECSCredentials` - Used for loading credentials from
106
+ # instances running in ECS.
93
107
  #
94
- # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
108
+ # * `Aws::CognitoIdentityCredentials` - Used for loading credentials
109
+ # from the Cognito Identity service.
95
110
  #
96
111
  # When `:credentials` are not configured directly, the following
97
112
  # locations will be searched for credentials:
@@ -101,10 +116,10 @@ module Aws::SecretsManager
101
116
  # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
102
117
  # * `~/.aws/credentials`
103
118
  # * `~/.aws/config`
104
- # * EC2 IMDS instance profile - When used by default, the timeouts are
105
- # very aggressive. Construct and pass an instance of
106
- # `Aws::InstanceProfileCredentails` to enable retries and extended
107
- # timeouts.
119
+ # * EC2/ECS IMDS instance profile - When used by default, the timeouts
120
+ # are very aggressive. Construct and pass an instance of
121
+ # `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
122
+ # enable retries and extended timeouts.
108
123
  #
109
124
  # @option options [required, String] :region
110
125
  # The AWS region to connect to. The configured `:region` is
@@ -323,20 +338,20 @@ module Aws::SecretsManager
323
338
  # @!group API Operations
324
339
 
325
340
  # Disables automatic scheduled rotation and cancels the rotation of a
326
- # secret if one is currently in progress.
341
+ # secret if currently in progress.
327
342
  #
328
343
  # To re-enable scheduled rotation, call RotateSecret with
329
344
  # `AutomaticallyRotateAfterDays` set to a value greater than 0. This
330
- # will immediately rotate your secret and then enable the automatic
345
+ # immediately rotates your secret and then enables the automatic
331
346
  # schedule.
332
347
  #
333
- # <note markdown="1"> If you cancel a rotation that is in progress, it can leave the
334
- # `VersionStage` labels in an unexpected state. Depending on what step
335
- # of the rotation was in progress, you might need to remove the staging
336
- # label `AWSPENDING` from the partially created version, specified by
337
- # the `VersionId` response value. You should also evaluate the partially
348
+ # <note markdown="1"> If you cancel a rotation while in progress, it can leave the
349
+ # `VersionStage` labels in an unexpected state. Depending on the step of
350
+ # the rotation in progress, you might need to remove the staging label
351
+ # `AWSPENDING` from the partially created version, specified by the
352
+ # `VersionId` response value. You should also evaluate the partially
338
353
  # rotated new version to see if it should be deleted, which you can do
339
- # by removing all staging labels from the new version's `VersionStage`
354
+ # by removing all staging labels from the new version `VersionStage`
340
355
  # field.
341
356
  #
342
357
  # </note>
@@ -344,12 +359,12 @@ module Aws::SecretsManager
344
359
  # To successfully start a rotation, the staging label `AWSPENDING` must
345
360
  # be in one of the following states:
346
361
  #
347
- # * Not be attached to any version at all
362
+ # * Not attached to any version at all
348
363
  #
349
364
  # * Attached to the same version as the staging label `AWSCURRENT`
350
365
  #
351
- # If the staging label `AWSPENDING` is attached to a different version
352
- # than the version with `AWSCURRENT` then the attempt to rotate fails.
366
+ # If the staging label `AWSPENDING` attached to a different version than
367
+ # the version with `AWSCURRENT` then the attempt to rotate fails.
353
368
  #
354
369
  # **Minimum permissions**
355
370
  #
@@ -373,9 +388,9 @@ module Aws::SecretsManager
373
388
  # ListSecretVersionIds.
374
389
  #
375
390
  # @option params [required, String] :secret_id
376
- # Specifies the secret for which you want to cancel a rotation request.
377
- # You can specify either the Amazon Resource Name (ARN) or the friendly
378
- # name of the secret.
391
+ # Specifies the secret to cancel a rotation request. You can specify
392
+ # either the Amazon Resource Name (ARN) or the friendly name of the
393
+ # secret.
379
394
  #
380
395
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
381
396
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -388,7 +403,13 @@ module Aws::SecretsManager
388
403
  # then those characters cause Secrets Manager to assume that you’re
389
404
  # specifying a complete ARN. This confusion can cause unexpected
390
405
  # results. To avoid this situation, we recommend that you don’t create
391
- # secret names that end with a hyphen followed by six characters.
406
+ # secret names ending with a hyphen followed by six characters.
407
+ #
408
+ # If you specify an incomplete ARN without the random suffix, and
409
+ # instead provide the 'friendly name', you *must* not include the
410
+ # random suffix. If you do include the random suffix added by Secrets
411
+ # Manager, you receive either a *ResourceNotFoundException* or an
412
+ # *AccessDeniedException* error, depending on your permissions.
392
413
  #
393
414
  # </note>
394
415
  #
@@ -447,7 +468,7 @@ module Aws::SecretsManager
447
468
  # version is in the rotation cycle. The `SecretVersionsToStages` field
448
469
  # of the secret contains the mapping of staging labels to the active
449
470
  # versions of the secret. Versions without a staging label are
450
- # considered deprecated and are not included in the list.
471
+ # considered deprecated and not included in the list.
451
472
  #
452
473
  # You provide the secret data to be encrypted by putting text in either
453
474
  # the `SecretString` parameter or binary data in the `SecretBinary`
@@ -456,29 +477,29 @@ module Aws::SecretsManager
456
477
  # version and automatically attaches the staging label `AWSCURRENT` to
457
478
  # the new version.
458
479
  #
459
- # <note markdown="1"> * If you call an operation that needs to encrypt or decrypt the
460
- # `SecretString` or `SecretBinary` for a secret in the same account as
461
- # the calling user and that secret doesn't specify a AWS KMS
462
- # encryption key, Secrets Manager uses the account's default AWS
463
- # managed customer master key (CMK) with the alias
464
- # `aws/secretsmanager`. If this key doesn't already exist in your
465
- # account then Secrets Manager creates it for you automatically. All
466
- # users and roles in the same AWS account automatically have access to
467
- # use the default CMK. Note that if an Secrets Manager API call
468
- # results in AWS having to create the account's AWS-managed CMK, it
469
- # can result in a one-time significant delay in returning the result.
470
- #
471
- # * If the secret is in a different AWS account from the credentials
472
- # calling an API that requires encryption or decryption of the secret
473
- # value then you must create and use a custom AWS KMS CMK because you
474
- # can't access the default CMK for the account using credentials from
475
- # a different AWS account. Store the ARN of the CMK in the secret when
476
- # you create the secret or when you update it by including it in the
477
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
478
- # `SecretString` or `SecretBinary` using credentials from a different
479
- # account then the AWS KMS key policy must grant cross-account access
480
- # to that other account's user or role for both the
481
- # kms:GenerateDataKey and kms:Decrypt operations.
480
+ # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
481
+ # `SecretBinary` for a secret in the same account as the calling user
482
+ # and that secret doesn't specify a AWS KMS encryption key, Secrets
483
+ # Manager uses the account's default AWS managed customer master key
484
+ # (CMK) with the alias `aws/secretsmanager`. If this key doesn't
485
+ # already exist in your account then Secrets Manager creates it for
486
+ # you automatically. All users and roles in the same AWS account
487
+ # automatically have access to use the default CMK. Note that if an
488
+ # Secrets Manager API call results in AWS creating the account's
489
+ # AWS-managed CMK, it can result in a one-time significant delay in
490
+ # returning the result.
491
+ #
492
+ # * If the secret resides in a different AWS account from the
493
+ # credentials calling an API that requires encryption or decryption of
494
+ # the secret value then you must create and use a custom AWS KMS CMK
495
+ # because you can't access the default CMK for the account using
496
+ # credentials from a different AWS account. Store the ARN of the CMK
497
+ # in the secret when you create the secret or when you update it by
498
+ # including it in the `KMSKeyId`. If you call an API that must encrypt
499
+ # or decrypt `SecretString` or `SecretBinary` using credentials from a
500
+ # different account then the AWS KMS key policy must grant
501
+ # cross-account access to that other account's user or role for both
502
+ # the kms:GenerateDataKey and kms:Decrypt operations.
482
503
  #
483
504
  # </note>
484
505
  #
@@ -492,11 +513,11 @@ module Aws::SecretsManager
492
513
  #
493
514
  # * kms:GenerateDataKey - needed only if you use a customer-managed AWS
494
515
  # KMS key to encrypt the secret. You do not need this permission to
495
- # use the account's default AWS managed CMK for Secrets Manager.
516
+ # use the account default AWS managed CMK for Secrets Manager.
496
517
  #
497
518
  # * kms:Decrypt - needed only if you use a customer-managed AWS KMS key
498
519
  # to encrypt the secret. You do not need this permission to use the
499
- # account's default AWS managed CMK for Secrets Manager.
520
+ # account default AWS managed CMK for Secrets Manager.
500
521
  #
501
522
  # * secretsmanager:TagResource - needed only if you include the `Tags`
502
523
  # parameter.
@@ -526,11 +547,10 @@ module Aws::SecretsManager
526
547
  # The secret name must be ASCII letters, digits, or the following
527
548
  # characters : /\_+=.@-
528
549
  #
529
- # <note markdown="1"> Don't end your secret name with a hyphen followed by six characters.
550
+ # <note markdown="1"> Do not end your secret name with a hyphen followed by six characters.
530
551
  # If you do so, you risk confusion and unexpected results when searching
531
- # for a secret by partial ARN. This is because Secrets Manager
532
- # automatically adds a hyphen and six random characters at the end of
533
- # the ARN.
552
+ # for a secret by partial ARN. Secrets Manager automatically adds a
553
+ # hyphen and six random characters at the end of the ARN.
534
554
  #
535
555
  # </note>
536
556
  #
@@ -545,7 +565,7 @@ module Aws::SecretsManager
545
565
  # the request. If you don't use the SDK and instead generate a raw HTTP
546
566
  # request to the Secrets Manager service endpoint, then you must
547
567
  # generate a `ClientRequestToken` yourself for the new version and
548
- # include that value in the request.
568
+ # include the value in the request.
549
569
  #
550
570
  # </note>
551
571
  #
@@ -558,10 +578,9 @@ module Aws::SecretsManager
558
578
  # * If the `ClientRequestToken` value isn't already associated with a
559
579
  # version of the secret then a new version of the secret is created.
560
580
  #
561
- # * If a version with this value already exists and that version's
581
+ # * If a version with this value already exists and the version
562
582
  # `SecretString` and `SecretBinary` values are the same as those in
563
- # the request, then the request is ignored (the operation is
564
- # idempotent).
583
+ # the request, then the request is ignored.
565
584
  #
566
585
  # * If a version with this value already exists and that version's
567
586
  # `SecretString` and `SecretBinary` values are different from those in
@@ -597,12 +616,12 @@ module Aws::SecretsManager
597
616
  # time it needs to encrypt a version's `SecretString` or `SecretBinary`
598
617
  # fields.
599
618
  #
600
- # You can use the account's default CMK to encrypt and decrypt only if
601
- # you call this operation using credentials from the same account that
602
- # owns the secret. If the secret is in a different account, then you
619
+ # You can use the account default CMK to encrypt and decrypt only if you
620
+ # call this operation using credentials from the same account that owns
621
+ # the secret. If the secret resides in a different account, then you
603
622
  # must create a custom CMK and specify the ARN in this field.
604
623
  #
605
- # @option params [String, IO] :secret_binary
624
+ # @option params [String, StringIO, File] :secret_binary
606
625
  # (Optional) Specifies binary data that you want to encrypt and store in
607
626
  # the new version of the secret. To use this parameter in the
608
627
  # command-line tools, we recommend that you store your binary data in a
@@ -634,7 +653,7 @@ module Aws::SecretsManager
634
653
  # environments, see [Using JSON for Parameters][1] in the *AWS CLI User
635
654
  # Guide*. For example:
636
655
  #
637
- # `[\{"username":"bob"\},\{"password":"abc123xyz456"\}]`
656
+ # `\{"username":"bob","password":"abc123xyz456"\}`
638
657
  #
639
658
  # If your command-line tool or SDK requires quotation marks around the
640
659
  # parameter, you should use single quotes to avoid confusion with the
@@ -680,16 +699,16 @@ module Aws::SecretsManager
680
699
  #
681
700
  # * Tag keys and values are case sensitive.
682
701
  #
683
- # * Do not use the `aws:` prefix in your tag names or values because it
684
- # is reserved for AWS use. You can't edit or delete tag names or
702
+ # * Do not use the `aws:` prefix in your tag names or values because AWS
703
+ # reserves it for AWS use. You can't edit or delete tag names or
685
704
  # values with this prefix. Tags with this prefix do not count against
686
705
  # your tags per secret limit.
687
706
  #
688
- # * If your tagging schema will be used across multiple services and
689
- # resources, remember that other services might have restrictions on
690
- # allowed characters. Generally allowed characters are: letters,
691
- # spaces, and numbers representable in UTF-8, plus the following
692
- # special characters: + - = . \_ : / @.
707
+ # * If you use your tagging schema across multiple services and
708
+ # resources, remember other services might have restrictions on
709
+ # allowed characters. Generally allowed characters: letters, spaces,
710
+ # and numbers representable in UTF-8, plus the following special
711
+ # characters: + - = . \_ : / @.
693
712
  #
694
713
  #
695
714
  #
@@ -753,8 +772,7 @@ module Aws::SecretsManager
753
772
  req.send_request(options)
754
773
  end
755
774
 
756
- # Deletes the resource-based permission policy that's attached to the
757
- # secret.
775
+ # Deletes the resource-based permission policy attached to the secret.
758
776
  #
759
777
  # **Minimum permissions**
760
778
  #
@@ -789,7 +807,13 @@ module Aws::SecretsManager
789
807
  # then those characters cause Secrets Manager to assume that you’re
790
808
  # specifying a complete ARN. This confusion can cause unexpected
791
809
  # results. To avoid this situation, we recommend that you don’t create
792
- # secret names that end with a hyphen followed by six characters.
810
+ # secret names ending with a hyphen followed by six characters.
811
+ #
812
+ # If you specify an incomplete ARN without the random suffix, and
813
+ # instead provide the 'friendly name', you *must* not include the
814
+ # random suffix. If you do include the random suffix added by Secrets
815
+ # Manager, you receive either a *ResourceNotFoundException* or an
816
+ # *AccessDeniedException* error, depending on your permissions.
793
817
  #
794
818
  # </note>
795
819
  #
@@ -892,7 +916,13 @@ module Aws::SecretsManager
892
916
  # then those characters cause Secrets Manager to assume that you’re
893
917
  # specifying a complete ARN. This confusion can cause unexpected
894
918
  # results. To avoid this situation, we recommend that you don’t create
895
- # secret names that end with a hyphen followed by six characters.
919
+ # secret names ending with a hyphen followed by six characters.
920
+ #
921
+ # If you specify an incomplete ARN without the random suffix, and
922
+ # instead provide the 'friendly name', you *must* not include the
923
+ # random suffix. If you do include the random suffix added by Secrets
924
+ # Manager, you receive either a *ResourceNotFoundException* or an
925
+ # *AccessDeniedException* error, depending on your permissions.
896
926
  #
897
927
  # </note>
898
928
  #
@@ -970,8 +1000,8 @@ module Aws::SecretsManager
970
1000
  end
971
1001
 
972
1002
  # Retrieves the details of a secret. It does not include the encrypted
973
- # fields. Only those fields that are populated with a value are returned
974
- # in the response.
1003
+ # fields. Secrets Manager only returns fields populated with a value in
1004
+ # the response.
975
1005
  #
976
1006
  # **Minimum permissions**
977
1007
  #
@@ -1008,7 +1038,13 @@ module Aws::SecretsManager
1008
1038
  # then those characters cause Secrets Manager to assume that you’re
1009
1039
  # specifying a complete ARN. This confusion can cause unexpected
1010
1040
  # results. To avoid this situation, we recommend that you don’t create
1011
- # secret names that end with a hyphen followed by six characters.
1041
+ # secret names ending with a hyphen followed by six characters.
1042
+ #
1043
+ # If you specify an incomplete ARN without the random suffix, and
1044
+ # instead provide the 'friendly name', you *must* not include the
1045
+ # random suffix. If you do include the random suffix added by Secrets
1046
+ # Manager, you receive either a *ResourceNotFoundException* or an
1047
+ # *AccessDeniedException* error, depending on your permissions.
1012
1048
  #
1013
1049
  # </note>
1014
1050
  #
@@ -1028,6 +1064,7 @@ module Aws::SecretsManager
1028
1064
  # * {Types::DescribeSecretResponse#tags #tags} => Array&lt;Types::Tag&gt;
1029
1065
  # * {Types::DescribeSecretResponse#version_ids_to_stages #version_ids_to_stages} => Hash&lt;String,Array&lt;String&gt;&gt;
1030
1066
  # * {Types::DescribeSecretResponse#owning_service #owning_service} => String
1067
+ # * {Types::DescribeSecretResponse#created_date #created_date} => Time
1031
1068
  #
1032
1069
  #
1033
1070
  # @example Example: To retrieve the details of a secret
@@ -1098,6 +1135,7 @@ module Aws::SecretsManager
1098
1135
  # resp.version_ids_to_stages["SecretVersionIdType"] #=> Array
1099
1136
  # resp.version_ids_to_stages["SecretVersionIdType"][0] #=> String
1100
1137
  # resp.owning_service #=> String
1138
+ # resp.created_date #=> Time
1101
1139
  #
1102
1140
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DescribeSecret AWS API Documentation
1103
1141
  #
@@ -1216,11 +1254,10 @@ module Aws::SecretsManager
1216
1254
  req.send_request(options)
1217
1255
  end
1218
1256
 
1219
- # Retrieves the JSON text of the resource-based policy document that's
1220
- # attached to the specified secret. The JSON request string input and
1221
- # response output are shown formatted with white space and line breaks
1222
- # for better readability. Submit your input as a single line JSON
1223
- # string.
1257
+ # Retrieves the JSON text of the resource-based policy document attached
1258
+ # to the specified secret. The JSON request string input and response
1259
+ # output displays formatted code with white space and line breaks for
1260
+ # better readability. Submit your input as a single line JSON string.
1224
1261
  #
1225
1262
  # **Minimum permissions**
1226
1263
  #
@@ -1234,8 +1271,8 @@ module Aws::SecretsManager
1234
1271
  #
1235
1272
  # * To attach a resource policy to a secret, use PutResourcePolicy.
1236
1273
  #
1237
- # * To delete the resource-based policy that's attached to a secret,
1238
- # use DeleteResourcePolicy.
1274
+ # * To delete the resource-based policy attached to a secret, use
1275
+ # DeleteResourcePolicy.
1239
1276
  #
1240
1277
  # * To list all of the currently available secrets, use ListSecrets.
1241
1278
  #
@@ -1255,7 +1292,13 @@ module Aws::SecretsManager
1255
1292
  # then those characters cause Secrets Manager to assume that you’re
1256
1293
  # specifying a complete ARN. This confusion can cause unexpected
1257
1294
  # results. To avoid this situation, we recommend that you don’t create
1258
- # secret names that end with a hyphen followed by six characters.
1295
+ # secret names ending with a hyphen followed by six characters.
1296
+ #
1297
+ # If you specify an incomplete ARN without the random suffix, and
1298
+ # instead provide the 'friendly name', you *must* not include the
1299
+ # random suffix. If you do include the random suffix added by Secrets
1300
+ # Manager, you receive either a *ResourceNotFoundException* or an
1301
+ # *AccessDeniedException* error, depending on your permissions.
1259
1302
  #
1260
1303
  # </note>
1261
1304
  #
@@ -1340,7 +1383,13 @@ module Aws::SecretsManager
1340
1383
  # then those characters cause Secrets Manager to assume that you’re
1341
1384
  # specifying a complete ARN. This confusion can cause unexpected
1342
1385
  # results. To avoid this situation, we recommend that you don’t create
1343
- # secret names that end with a hyphen followed by six characters.
1386
+ # secret names ending with a hyphen followed by six characters.
1387
+ #
1388
+ # If you specify an incomplete ARN without the random suffix, and
1389
+ # instead provide the 'friendly name', you *must* not include the
1390
+ # random suffix. If you do include the random suffix added by Secrets
1391
+ # Manager, you receive either a *ResourceNotFoundException* or an
1392
+ # *AccessDeniedException* error, depending on your permissions.
1344
1393
  #
1345
1394
  # </note>
1346
1395
  #
@@ -1437,8 +1486,8 @@ module Aws::SecretsManager
1437
1486
  #
1438
1487
  # <note markdown="1"> Always check the `NextToken` response parameter when calling any of
1439
1488
  # the `List*` operations. These operations can occasionally return an
1440
- # empty or shorter than expected list of results even when there are
1441
- # more results available. When this happens, the `NextToken` response
1489
+ # empty or shorter than expected list of results even when there more
1490
+ # results become available. When this happens, the `NextToken` response
1442
1491
  # parameter contains a value to pass to the next call to the same API to
1443
1492
  # request the next part of the list.
1444
1493
  #
@@ -1474,28 +1523,34 @@ module Aws::SecretsManager
1474
1523
  # then those characters cause Secrets Manager to assume that you’re
1475
1524
  # specifying a complete ARN. This confusion can cause unexpected
1476
1525
  # results. To avoid this situation, we recommend that you don’t create
1477
- # secret names that end with a hyphen followed by six characters.
1526
+ # secret names ending with a hyphen followed by six characters.
1527
+ #
1528
+ # If you specify an incomplete ARN without the random suffix, and
1529
+ # instead provide the 'friendly name', you *must* not include the
1530
+ # random suffix. If you do include the random suffix added by Secrets
1531
+ # Manager, you receive either a *ResourceNotFoundException* or an
1532
+ # *AccessDeniedException* error, depending on your permissions.
1478
1533
  #
1479
1534
  # </note>
1480
1535
  #
1481
1536
  # @option params [Integer] :max_results
1482
- # (Optional) Limits the number of results that you want to include in
1483
- # the response. If you don't include this parameter, it defaults to a
1484
- # value that's specific to the operation. If additional items exist
1485
- # beyond the maximum you specify, the `NextToken` response element is
1486
- # present and has a value (isn't null). Include that value as the
1487
- # `NextToken` request parameter in the next call to the operation to get
1488
- # the next part of the results. Note that Secrets Manager might return
1489
- # fewer results than the maximum even when there are more results
1490
- # available. You should check `NextToken` after every operation to
1491
- # ensure that you receive all of the results.
1537
+ # (Optional) Limits the number of results you want to include in the
1538
+ # response. If you don't include this parameter, it defaults to a value
1539
+ # that's specific to the operation. If additional items exist beyond
1540
+ # the maximum you specify, the `NextToken` response element is present
1541
+ # and has a value (isn't null). Include that value as the `NextToken`
1542
+ # request parameter in the next call to the operation to get the next
1543
+ # part of the results. Note that Secrets Manager might return fewer
1544
+ # results than the maximum even when there are more results available.
1545
+ # You should check `NextToken` after every operation to ensure that you
1546
+ # receive all of the results.
1492
1547
  #
1493
1548
  # @option params [String] :next_token
1494
1549
  # (Optional) Use this parameter in a request if you receive a
1495
- # `NextToken` response in a previous request that indicates that
1496
- # there's more output available. In a subsequent call, set it to the
1497
- # value of the previous call's `NextToken` response to indicate where
1498
- # the output should continue from.
1550
+ # `NextToken` response in a previous request indicating there's more
1551
+ # output available. In a subsequent call, set it to the value of the
1552
+ # previous call `NextToken` response to indicate where the output should
1553
+ # continue from.
1499
1554
  #
1500
1555
  # @option params [Boolean] :include_deprecated
1501
1556
  # (Optional) Specifies that you want the results to include versions
@@ -1587,8 +1642,8 @@ module Aws::SecretsManager
1587
1642
  #
1588
1643
  # <note markdown="1"> Always check the `NextToken` response parameter when calling any of
1589
1644
  # the `List*` operations. These operations can occasionally return an
1590
- # empty or shorter than expected list of results even when there are
1591
- # more results available. When this happens, the `NextToken` response
1645
+ # empty or shorter than expected list of results even when there more
1646
+ # results become available. When this happens, the `NextToken` response
1592
1647
  # parameter contains a value to pass to the next call to the same API to
1593
1648
  # request the next part of the list.
1594
1649
  #
@@ -1609,23 +1664,29 @@ module Aws::SecretsManager
1609
1664
  # ^
1610
1665
  #
1611
1666
  # @option params [Integer] :max_results
1612
- # (Optional) Limits the number of results that you want to include in
1613
- # the response. If you don't include this parameter, it defaults to a
1614
- # value that's specific to the operation. If additional items exist
1615
- # beyond the maximum you specify, the `NextToken` response element is
1616
- # present and has a value (isn't null). Include that value as the
1617
- # `NextToken` request parameter in the next call to the operation to get
1618
- # the next part of the results. Note that Secrets Manager might return
1619
- # fewer results than the maximum even when there are more results
1620
- # available. You should check `NextToken` after every operation to
1621
- # ensure that you receive all of the results.
1667
+ # (Optional) Limits the number of results you want to include in the
1668
+ # response. If you don't include this parameter, it defaults to a value
1669
+ # that's specific to the operation. If additional items exist beyond
1670
+ # the maximum you specify, the `NextToken` response element is present
1671
+ # and has a value (isn't null). Include that value as the `NextToken`
1672
+ # request parameter in the next call to the operation to get the next
1673
+ # part of the results. Note that Secrets Manager might return fewer
1674
+ # results than the maximum even when there are more results available.
1675
+ # You should check `NextToken` after every operation to ensure that you
1676
+ # receive all of the results.
1622
1677
  #
1623
1678
  # @option params [String] :next_token
1624
1679
  # (Optional) Use this parameter in a request if you receive a
1625
- # `NextToken` response in a previous request that indicates that
1626
- # there's more output available. In a subsequent call, set it to the
1627
- # value of the previous call's `NextToken` response to indicate where
1628
- # the output should continue from.
1680
+ # `NextToken` response in a previous request indicating there's more
1681
+ # output available. In a subsequent call, set it to the value of the
1682
+ # previous call `NextToken` response to indicate where the output should
1683
+ # continue from.
1684
+ #
1685
+ # @option params [Array<Types::Filter>] :filters
1686
+ # Lists the secret request filters.
1687
+ #
1688
+ # @option params [String] :sort_order
1689
+ # Lists secrets in the requested order.
1629
1690
  #
1630
1691
  # @return [Types::ListSecretsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1631
1692
  #
@@ -1675,6 +1736,13 @@ module Aws::SecretsManager
1675
1736
  # resp = client.list_secrets({
1676
1737
  # max_results: 1,
1677
1738
  # next_token: "NextTokenType",
1739
+ # filters: [
1740
+ # {
1741
+ # key: "description", # accepts description, name, tag-key, tag-value, all
1742
+ # values: ["FilterValueStringType"],
1743
+ # },
1744
+ # ],
1745
+ # sort_order: "asc", # accepts asc, desc
1678
1746
  # })
1679
1747
  #
1680
1748
  # @example Response structure
@@ -1698,6 +1766,7 @@ module Aws::SecretsManager
1698
1766
  # resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"] #=> Array
1699
1767
  # resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"][0] #=> String
1700
1768
  # resp.secret_list[0].owning_service #=> String
1769
+ # resp.secret_list[0].created_date #=> Time
1701
1770
  # resp.next_token #=> String
1702
1771
  #
1703
1772
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecrets AWS API Documentation
@@ -1731,7 +1800,7 @@ module Aws::SecretsManager
1731
1800
  #
1732
1801
  # **Related operations**
1733
1802
  #
1734
- # * To retrieve the resource policy that's attached to a secret, use
1803
+ # * To retrieve the resource policy attached to a secret, use
1735
1804
  # GetResourcePolicy.
1736
1805
  #
1737
1806
  # * To delete the resource-based policy that's attached to a secret,
@@ -1759,7 +1828,13 @@ module Aws::SecretsManager
1759
1828
  # then those characters cause Secrets Manager to assume that you’re
1760
1829
  # specifying a complete ARN. This confusion can cause unexpected
1761
1830
  # results. To avoid this situation, we recommend that you don’t create
1762
- # secret names that end with a hyphen followed by six characters.
1831
+ # secret names ending with a hyphen followed by six characters.
1832
+ #
1833
+ # If you specify an incomplete ARN without the random suffix, and
1834
+ # instead provide the 'friendly name', you *must* not include the
1835
+ # random suffix. If you do include the random suffix added by Secrets
1836
+ # Manager, you receive either a *ResourceNotFoundException* or an
1837
+ # *AccessDeniedException* error, depending on your permissions.
1763
1838
  #
1764
1839
  # </note>
1765
1840
  #
@@ -1775,6 +1850,10 @@ module Aws::SecretsManager
1775
1850
  #
1776
1851
  # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
1777
1852
  #
1853
+ # @option params [Boolean] :block_public_policy
1854
+ # Makes an optional API call to Zelkova to validate the Resource Policy
1855
+ # to prevent broad access to your secret.
1856
+ #
1778
1857
  # @return [Types::PutResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1779
1858
  #
1780
1859
  # * {Types::PutResourcePolicyResponse#arn #arn} => String
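Review bot: The added `:block_public_policy` description (new lines 1853–1855) names the checker, Zelkova, but never states the effect for the caller: what happens to the request when the policy is judged too broad, and what applies when the option is omitted. I would describe it by outcome, for example `# When true, the request is rejected if the policy would allow broad (public) access to the secret.`, and state the default explicitly after confirming it against the service model. The request-syntax example in the following hunk shows `block_public_policy: false`, a value readers tend to copy, so the text should say that this presumably leaves the check off. The documentation block for `put_resource_policy` starts and ends outside this hunk.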
@@ -1801,6 +1880,7 @@ module Aws::SecretsManager
1801
1880
  # resp = client.put_resource_policy({
1802
1881
  # secret_id: "SecretIdType", # required
1803
1882
  # resource_policy: "NonEmptyResourcePolicyType", # required
1883
+ # block_public_policy: false,
1804
1884
  # })
1805
1885
  #
1806
1886
  # @example Response structure
@@ -1850,29 +1930,29 @@ module Aws::SecretsManager
1850
1930
  # operation fails because you cannot modify an existing version; you
1851
1931
  # can only create new ones.
1852
1932
  #
1853
- # <note markdown="1"> * If you call an operation that needs to encrypt or decrypt the
1854
- # `SecretString` or `SecretBinary` for a secret in the same account as
1855
- # the calling user and that secret doesn't specify a AWS KMS
1856
- # encryption key, Secrets Manager uses the account's default AWS
1857
- # managed customer master key (CMK) with the alias
1858
- # `aws/secretsmanager`. If this key doesn't already exist in your
1859
- # account then Secrets Manager creates it for you automatically. All
1860
- # users and roles in the same AWS account automatically have access to
1861
- # use the default CMK. Note that if an Secrets Manager API call
1862
- # results in AWS having to create the account's AWS-managed CMK, it
1863
- # can result in a one-time significant delay in returning the result.
1864
- #
1865
- # * If the secret is in a different AWS account from the credentials
1866
- # calling an API that requires encryption or decryption of the secret
1867
- # value then you must create and use a custom AWS KMS CMK because you
1868
- # can't access the default CMK for the account using credentials from
1869
- # a different AWS account. Store the ARN of the CMK in the secret when
1870
- # you create the secret or when you update it by including it in the
1871
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
1872
- # `SecretString` or `SecretBinary` using credentials from a different
1873
- # account then the AWS KMS key policy must grant cross-account access
1874
- # to that other account's user or role for both the
1875
- # kms:GenerateDataKey and kms:Decrypt operations.
1933
+ # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
1934
+ # `SecretBinary` for a secret in the same account as the calling user
1935
+ # and that secret doesn't specify a AWS KMS encryption key, Secrets
1936
+ # Manager uses the account's default AWS managed customer master key
1937
+ # (CMK) with the alias `aws/secretsmanager`. If this key doesn't
1938
+ # already exist in your account then Secrets Manager creates it for
1939
+ # you automatically. All users and roles in the same AWS account
1940
+ # automatically have access to use the default CMK. Note that if an
1941
+ # Secrets Manager API call results in AWS creating the account's
1942
+ # AWS-managed CMK, it can result in a one-time significant delay in
1943
+ # returning the result.
1944
+ #
1945
+ # * If the secret resides in a different AWS account from the
1946
+ # credentials calling an API that requires encryption or decryption of
1947
+ # the secret value then you must create and use a custom AWS KMS CMK
1948
+ # because you can't access the default CMK for the account using
1949
+ # credentials from a different AWS account. Store the ARN of the CMK
1950
+ # in the secret when you create the secret or when you update it by
1951
+ # including it in the `KMSKeyId`. If you call an API that must encrypt
1952
+ # or decrypt `SecretString` or `SecretBinary` using credentials from a
1953
+ # different account then the AWS KMS key policy must grant
1954
+ # cross-account access to that other account's user or role for both
1955
+ # the kms:GenerateDataKey and kms:Decrypt operations.
1876
1956
  #
1877
1957
  # </note>
1878
1958
  #
@@ -1913,7 +1993,13 @@ module Aws::SecretsManager
1913
1993
  # then those characters cause Secrets Manager to assume that you’re
1914
1994
  # specifying a complete ARN. This confusion can cause unexpected
1915
1995
  # results. To avoid this situation, we recommend that you don’t create
1916
- # secret names that end with a hyphen followed by six characters.
1996
+ # secret names ending with a hyphen followed by six characters.
1997
+ #
1998
+ # If you specify an incomplete ARN without the random suffix, and
1999
+ # instead provide the 'friendly name', you *must* not include the
2000
+ # random suffix. If you do include the random suffix added by Secrets
2001
+ # Manager, you receive either a *ResourceNotFoundException* or an
2002
+ # *AccessDeniedException* error, depending on your permissions.
1917
2003
  #
1918
2004
  # </note>
1919
2005
  #
@@ -1944,7 +2030,7 @@ module Aws::SecretsManager
1944
2030
  # `SecretString` or `SecretBinary` values are the same as those in the
1945
2031
  # request then the request is ignored (the operation is idempotent).
1946
2032
  #
1947
- # * If a version with this value already exists and that version's
2033
+ # * If a version with this value already exists and the version of the
1948
2034
  # `SecretString` and `SecretBinary` values are different from those in
1949
2035
  # the request then the request fails because you cannot modify an
1950
2036
  # existing secret version. You can only create new versions to store
@@ -1959,7 +2045,7 @@ module Aws::SecretsManager
1959
2045
  #
1960
2046
  # [1]: https://wikipedia.org/wiki/Universally_unique_identifier
1961
2047
  #
1962
- # @option params [String, IO] :secret_binary
2048
+ # @option params [String, StringIO, File] :secret_binary
1963
2049
  # (Optional) Specifies binary data that you want to encrypt and store in
1964
2050
  # the new version of the secret. To use this parameter in the
1965
2051
  # command-line tools, we recommend that you store your binary data in a
@@ -2106,7 +2192,13 @@ module Aws::SecretsManager
2106
2192
  # then those characters cause Secrets Manager to assume that you’re
2107
2193
  # specifying a complete ARN. This confusion can cause unexpected
2108
2194
  # results. To avoid this situation, we recommend that you don’t create
2109
- # secret names that end with a hyphen followed by six characters.
2195
+ # secret names ending with a hyphen followed by six characters.
2196
+ #
2197
+ # If you specify an incomplete ARN without the random suffix, and
2198
+ # instead provide the 'friendly name', you *must* not include the
2199
+ # random suffix. If you do include the random suffix added by Secrets
2200
+ # Manager, you receive either a *ResourceNotFoundException* or an
2201
+ # *AccessDeniedException* error, depending on your permissions.
2110
2202
  #
2111
2203
  # </note>
2112
2204
  #
@@ -2169,8 +2261,8 @@ module Aws::SecretsManager
2169
2261
  # for your protected service, see [Rotating Secrets in AWS Secrets
2170
2262
  # Manager][1] in the *AWS Secrets Manager User Guide*.
2171
2263
  #
2172
- # Secrets Manager schedules the next rotation when the previous one is
2173
- # complete. Secrets Manager schedules the date by adding the rotation
2264
+ # Secrets Manager schedules the next rotation when the previous one
2265
+ # completes. Secrets Manager schedules the date by adding the rotation
2174
2266
  # interval (number of days) to the actual date of the last rotation. The
2175
2267
  # service chooses the hour within that 24-hour date window randomly. The
2176
2268
  # minute is also chosen somewhat randomly, but weighted towards the top
@@ -2186,9 +2278,9 @@ module Aws::SecretsManager
2186
2278
  # * The `AWSPENDING` staging label is not attached to any version of the
2187
2279
  # secret.
2188
2280
  #
2189
- # If instead the `AWSPENDING` staging label is present but is not
2190
- # attached to the same version as `AWSCURRENT` then any later invocation
2191
- # of `RotateSecret` assumes that a previous rotation request is still in
2281
+ # If the `AWSPENDING` staging label is present but not attached to the
2282
+ # same version as `AWSCURRENT` then any later invocation of
2283
+ # `RotateSecret` assumes that a previous rotation request is still in
2192
2284
  # progress and returns an error.
2193
2285
  #
2194
2286
  # **Minimum permissions**
@@ -2230,7 +2322,13 @@ module Aws::SecretsManager
2230
2322
  # then those characters cause Secrets Manager to assume that you’re
2231
2323
  # specifying a complete ARN. This confusion can cause unexpected
2232
2324
  # results. To avoid this situation, we recommend that you don’t create
2233
- # secret names that end with a hyphen followed by six characters.
2325
+ # secret names ending with a hyphen followed by six characters.
2326
+ #
2327
+ # If you specify an incomplete ARN without the random suffix, and
2328
+ # instead provide the 'friendly name', you *must* not include the
2329
+ # random suffix. If you do include the random suffix added by Secrets
2330
+ # Manager, you receive either a *ResourceNotFoundException* or an
2331
+ # *AccessDeniedException* error, depending on your permissions.
2234
2332
  #
2235
2333
  # </note>
2236
2334
  #
@@ -2246,8 +2344,8 @@ module Aws::SecretsManager
2246
2344
  # generate a `ClientRequestToken` yourself for new versions and include
2247
2345
  # that value in the request.
2248
2346
  #
2249
- # You only need to specify your own value if you are implementing your
2250
- # own retry logic and want to ensure that a given secret is not created
2347
+ # You only need to specify your own value if you implement your own
2348
+ # retry logic and want to ensure that a given secret is not created
2251
2349
  # twice. We recommend that you generate a [UUID-type][1] value to ensure
2252
2350
  # uniqueness within the specified secret.
2253
2351
  #
@@ -2318,16 +2416,16 @@ module Aws::SecretsManager
2318
2416
  #
2319
2417
  # * Tag keys and values are case sensitive.
2320
2418
  #
2321
- # * Do not use the `aws:` prefix in your tag names or values because it
2322
- # is reserved for AWS use. You can't edit or delete tag names or
2419
+ # * Do not use the `aws:` prefix in your tag names or values because AWS
2420
+ # reserves it for AWS use. You can't edit or delete tag names or
2323
2421
  # values with this prefix. Tags with this prefix do not count against
2324
2422
  # your tags per secret limit.
2325
2423
  #
2326
- # * If your tagging schema will be used across multiple services and
2327
- # resources, remember that other services might have restrictions on
2328
- # allowed characters. Generally allowed characters are: letters,
2329
- # spaces, and numbers representable in UTF-8, plus the following
2330
- # special characters: + - = . \_ : / @.
2424
+ # * If you use your tagging schema across multiple services and
2425
+ # resources, remember other services might have restrictions on
2426
+ # allowed characters. Generally allowed characters: letters, spaces,
2427
+ # and numbers representable in UTF-8, plus the following special
2428
+ # characters: + - = . \_ : / @.
2331
2429
  #
2332
2430
  # If you use tags as part of your security strategy, then adding or
2333
2431
  # removing a tag can change permissions. If successfully completing this
@@ -2365,7 +2463,13 @@ module Aws::SecretsManager
2365
2463
  # then those characters cause Secrets Manager to assume that you’re
2366
2464
  # specifying a complete ARN. This confusion can cause unexpected
2367
2465
  # results. To avoid this situation, we recommend that you don’t create
2368
- # secret names that end with a hyphen followed by six characters.
2466
+ # secret names ending with a hyphen followed by six characters.
2467
+ #
2468
+ # If you specify an incomplete ARN without the random suffix, and
2469
+ # instead provide the 'friendly name', you *must* not include the
2470
+ # random suffix. If you do include the random suffix added by Secrets
2471
+ # Manager, you receive either a *ResourceNotFoundException* or an
2472
+ # *AccessDeniedException* error, depending on your permissions.
2369
2473
  #
2370
2474
  # </note>
2371
2475
  #
@@ -2467,7 +2571,13 @@ module Aws::SecretsManager
2467
2571
  # then those characters cause Secrets Manager to assume that you’re
2468
2572
  # specifying a complete ARN. This confusion can cause unexpected
2469
2573
  # results. To avoid this situation, we recommend that you don’t create
2470
- # secret names that end with a hyphen followed by six characters.
2574
+ # secret names ending with a hyphen followed by six characters.
2575
+ #
2576
+ # If you specify an incomplete ARN without the random suffix, and
2577
+ # instead provide the 'friendly name', you *must* not include the
2578
+ # random suffix. If you do include the random suffix added by Secrets
2579
+ # Manager, you receive either a *ResourceNotFoundException* or an
2580
+ # *AccessDeniedException* error, depending on your permissions.
2471
2581
  #
2472
2582
  # </note>
2473
2583
  #
@@ -2539,29 +2649,29 @@ module Aws::SecretsManager
2539
2649
  # secret version, Secrets Manager automatically attaches the staging
2540
2650
  # label `AWSCURRENT` to the new version.
2541
2651
  #
2542
- # <note markdown="1"> * If you call an operation that needs to encrypt or decrypt the
2543
- # `SecretString` or `SecretBinary` for a secret in the same account as
2544
- # the calling user and that secret doesn't specify a AWS KMS
2545
- # encryption key, Secrets Manager uses the account's default AWS
2546
- # managed customer master key (CMK) with the alias
2547
- # `aws/secretsmanager`. If this key doesn't already exist in your
2548
- # account then Secrets Manager creates it for you automatically. All
2549
- # users and roles in the same AWS account automatically have access to
2550
- # use the default CMK. Note that if an Secrets Manager API call
2551
- # results in AWS having to create the account's AWS-managed CMK, it
2552
- # can result in a one-time significant delay in returning the result.
2553
- #
2554
- # * If the secret is in a different AWS account from the credentials
2555
- # calling an API that requires encryption or decryption of the secret
2556
- # value then you must create and use a custom AWS KMS CMK because you
2557
- # can't access the default CMK for the account using credentials from
2558
- # a different AWS account. Store the ARN of the CMK in the secret when
2559
- # you create the secret or when you update it by including it in the
2560
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
2561
- # `SecretString` or `SecretBinary` using credentials from a different
2562
- # account then the AWS KMS key policy must grant cross-account access
2563
- # to that other account's user or role for both the
2564
- # kms:GenerateDataKey and kms:Decrypt operations.
2652
+ # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
2653
+ # `SecretBinary` for a secret in the same account as the calling user
2654
+ # and that secret doesn't specify a AWS KMS encryption key, Secrets
2655
+ # Manager uses the account's default AWS managed customer master key
2656
+ # (CMK) with the alias `aws/secretsmanager`. If this key doesn't
2657
+ # already exist in your account then Secrets Manager creates it for
2658
+ # you automatically. All users and roles in the same AWS account
2659
+ # automatically have access to use the default CMK. Note that if an
2660
+ # Secrets Manager API call results in AWS creating the account's
2661
+ # AWS-managed CMK, it can result in a one-time significant delay in
2662
+ # returning the result.
2663
+ #
2664
+ # * If the secret resides in a different AWS account from the
2665
+ # credentials calling an API that requires encryption or decryption of
2666
+ # the secret value then you must create and use a custom AWS KMS CMK
2667
+ # because you can't access the default CMK for the account using
2668
+ # credentials from a different AWS account. Store the ARN of the CMK
2669
+ # in the secret when you create the secret or when you update it by
2670
+ # including it in the `KMSKeyId`. If you call an API that must encrypt
2671
+ # or decrypt `SecretString` or `SecretBinary` using credentials from a
2672
+ # different account then the AWS KMS key policy must grant
2673
+ # cross-account access to that other account's user or role for both
2674
+ # the kms:GenerateDataKey and kms:Decrypt operations.
2565
2675
  #
2566
2676
  # </note>
2567
2677
  #
@@ -2606,7 +2716,13 @@ module Aws::SecretsManager
2606
2716
  # then those characters cause Secrets Manager to assume that you’re
2607
2717
  # specifying a complete ARN. This confusion can cause unexpected
2608
2718
  # results. To avoid this situation, we recommend that you don’t create
2609
- # secret names that end with a hyphen followed by six characters.
2719
+ # secret names ending with a hyphen followed by six characters.
2720
+ #
2721
+ # If you specify an incomplete ARN without the random suffix, and
2722
+ # instead provide the 'friendly name', you *must* not include the
2723
+ # random suffix. If you do include the random suffix added by Secrets
2724
+ # Manager, you receive either a *ResourceNotFoundException* or an
2725
+ # *AccessDeniedException* error, depending on your permissions.
2610
2726
  #
2611
2727
  # </note>
2612
2728
  #
@@ -2670,7 +2786,7 @@ module Aws::SecretsManager
2670
2786
  # field. The user making the call must have permissions to both the
2671
2787
  # secret and the CMK in their respective accounts.
2672
2788
  #
2673
- # @option params [String, IO] :secret_binary
2789
+ # @option params [String, StringIO, File] :secret_binary
2674
2790
  # (Optional) Specifies updated binary data that you want to encrypt and
2675
2791
  # store in the new version of the secret. To use this parameter in the
2676
2792
  # command-line tools, we recommend that you store your binary data in a
@@ -2843,9 +2959,9 @@ module Aws::SecretsManager
2843
2959
  # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/terms-concepts.html#term_staging-label
2844
2960
  #
2845
2961
  # @option params [required, String] :secret_id
2846
- # Specifies the secret with the version whose list of staging labels you
2847
- # want to modify. You can specify either the Amazon Resource Name (ARN)
2848
- # or the friendly name of the secret.
2962
+ # Specifies the secret with the version with the list of staging labels
2963
+ # you want to modify. You can specify either the Amazon Resource Name
2964
+ # (ARN) or the friendly name of the secret.
2849
2965
  #
2850
2966
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
2851
2967
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -2858,7 +2974,13 @@ module Aws::SecretsManager
2858
2974
  # then those characters cause Secrets Manager to assume that you’re
2859
2975
  # specifying a complete ARN. This confusion can cause unexpected
2860
2976
  # results. To avoid this situation, we recommend that you don’t create
2861
- # secret names that end with a hyphen followed by six characters.
2977
+ # secret names ending with a hyphen followed by six characters.
2978
+ #
2979
+ # If you specify an incomplete ARN without the random suffix, and
2980
+ # instead provide the 'friendly name', you *must* not include the
2981
+ # random suffix. If you do include the random suffix added by Secrets
2982
+ # Manager, you receive either a *ResourceNotFoundException* or an
2983
+ # *AccessDeniedException* error, depending on your permissions.
2862
2984
  #
2863
2985
  # </note>
2864
2986
  #
@@ -2876,7 +2998,7 @@ module Aws::SecretsManager
2876
2998
  #
2877
2999
  # @option params [String] :move_to_version_id
2878
3000
  # (Optional) The secret version ID that you want to add the staging
2879
- # label to. If you want to remove a label from a version, then do not
3001
+ # label. If you want to remove a label from a version, then do not
2880
3002
  # specify this parameter.
2881
3003
  #
2882
3004
  # If the staging label is already attached to a different version of the
@@ -2966,6 +3088,86 @@ module Aws::SecretsManager
2966
3088
  req.send_request(options)
2967
3089
  end
2968
3090
 
3091
+ # Validates the JSON text of the resource-based policy document attached
3092
+ # to the specified secret. The JSON request string input and response
3093
+ # output displays formatted code with white space and line breaks for
3094
+ # better readability. Submit your input as a single line JSON string. A
3095
+ # resource-based policy is optional.
3096
+ #
3097
+ # @option params [String] :secret_id
3098
+ # The identifier for the secret that you want to validate a resource
3099
+ # policy. You can specify either the Amazon Resource Name (ARN) or the
3100
+ # friendly name of the secret.
3101
+ #
3102
+ # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
3103
+ # complete ARN. You can specify a partial ARN too—for example, if you
3104
+ # don’t include the final hyphen and six random characters that Secrets
3105
+ # Manager adds at the end of the ARN when you created the secret. A
3106
+ # partial ARN match can work as long as it uniquely matches only one
3107
+ # secret. However, if your secret has a name that ends in a hyphen
3108
+ # followed by six characters (before Secrets Manager adds the hyphen and
3109
+ # six characters to the ARN) and you try to use that as a partial ARN,
3110
+ # then those characters cause Secrets Manager to assume that you’re
3111
+ # specifying a complete ARN. This confusion can cause unexpected
3112
+ # results. To avoid this situation, we recommend that you don’t create
3113
+ # secret names ending with a hyphen followed by six characters.
3114
+ #
3115
+ # If you specify an incomplete ARN without the random suffix, and
3116
+ # instead provide the 'friendly name', you *must* not include the
3117
+ # random suffix. If you do include the random suffix added by Secrets
3118
+ # Manager, you receive either a *ResourceNotFoundException* or an
3119
+ # *AccessDeniedException* error, depending on your permissions.
3120
+ #
3121
+ # </note>
3122
+ #
3123
+ # @option params [required, String] :resource_policy
3124
+ # Identifies the Resource Policy attached to the secret.
3125
+ #
3126
+ # @return [Types::ValidateResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3127
+ #
3128
+ # * {Types::ValidateResourcePolicyResponse#policy_validation_passed #policy_validation_passed} => Boolean
3129
+ # * {Types::ValidateResourcePolicyResponse#validation_errors #validation_errors} => Array&lt;Types::ValidationErrorsEntry&gt;
3130
+ #
3131
+ #
3132
+ # @example Example: To validate a resource-based policy to a secret
3133
+ #
3134
+ # # The following example shows how to validate a resource-based policy to a secret.
3135
+ #
3136
+ # resp = client.validate_resource_policy({
3137
+ # resource_policy: "{\n\"Version\":\"2012-10-17\",\n\"Statement\":[{\n\"Effect\":\"Allow\",\n\"Principal\":{\n\"AWS\":\"arn:aws:iam::123456789012:root\"\n},\n\"Action\":\"secretsmanager:GetSecretValue\",\n\"Resource\":\"*\"\n}]\n}",
3138
+ # secret_id: "MyTestDatabaseSecret",
3139
+ # })
3140
+ #
3141
+ # resp.to_h outputs the following:
3142
+ # {
3143
+ # policy_validation_passed: true,
3144
+ # validation_errors: [
3145
+ # ],
3146
+ # }
3147
+ #
3148
+ # @example Request syntax with placeholder values
3149
+ #
3150
+ # resp = client.validate_resource_policy({
3151
+ # secret_id: "SecretIdType",
3152
+ # resource_policy: "NonEmptyResourcePolicyType", # required
3153
+ # })
3154
+ #
3155
+ # @example Response structure
3156
+ #
3157
+ # resp.policy_validation_passed #=> Boolean
3158
+ # resp.validation_errors #=> Array
3159
+ # resp.validation_errors[0].check_name #=> String
3160
+ # resp.validation_errors[0].error_message #=> String
3161
+ #
3162
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ValidateResourcePolicy AWS API Documentation
3163
+ #
3164
+ # @overload validate_resource_policy(params = {})
3165
+ # @param [Hash] params ({})
3166
+ def validate_resource_policy(params = {}, options = {})
3167
+ req = build_request(:validate_resource_policy, params)
3168
+ req.send_request(options)
3169
+ end
3170
+
2969
3171
  # @!endgroup
2970
3172
 
2971
3173
  # @param params ({})
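Review bot: The summary for `validate_resource_policy` (new lines 3091–3095) says it validates the policy "attached to the specified secret", yet `:resource_policy` is the required argument and `:secret_id` is optional, so the document being checked appears to be the one the caller supplies rather than the stored one. I would open with `# Validates a candidate resource-based policy document for a secret before you attach it.` The comment also does not tell callers that the verdict is carried in the response rather than raised as an error; a line under `@return` such as `# Check policy_validation_passed; when it is false, validation_errors lists the failed checks.` would make it harder to pass an unvalidated document on to `put_resource_policy`. The `:secret_id` text "the secret that you want to validate a resource policy" is missing "for".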
@@ -2979,7 +3181,7 @@ module Aws::SecretsManager
2979
3181
  params: params,
2980
3182
  config: config)
2981
3183
  context[:gem_name] = 'aws-sdk-secretsmanager'
2982
- context[:gem_version] = '1.39.0'
3184
+ context[:gem_version] = '1.44.0'
2983
3185
  Seahorse::Client::Request.new(handlers, context)
2984
3186
  end
2985
3187