aws-sdk-secretsmanager 1.44.0 → 1.45.0

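--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: f6c6bad2a4b036843ccfb62a2cea8ff975b750c8cd56766f0d65725a94b46973
- data.tar.gz: c02d2eec7eae4d148ad53d3ac38d9a1b0ad3838750970ab6e550ad7283fdd1e5
+ metadata.gz: d846c13bffe56b68cf541256000b48cc80ae134843af7263c7742e7bdfbaf2b7
+ data.tar.gz: 3d8dfc8bfb52906c7af56b69e3f6f71908db55658b68c01c17ce3a0c08744f2b
  SHA512:
- metadata.gz: 473a87bcc8e159d67c76f2a52ac189490c145e5397d6f7c6ea434dd43373364bd71c5f03b36bf78a15ddccd2090533b96f935fbd6eccaf480ad891b623367bb3
- data.tar.gz: 2589fc010c099183aacc676f7844b3bdcd412769f614b1ab3eb5359368585c6c877efb8640798335ff5a9ad0d9fa08739c8a50e8e8ee037678d20af22e7947d5
+ metadata.gz: fc9fb09b8111bab8e4a69f57dd24213feadee71f931ce288ccfae967383125995ef3977855603e659238d671d9b3cc7407ae47fe3547369afbba5bef511aa63f
+ data.tar.gz: c2abdb72a7948aa4fee2f32821c1da57debe4e824cf6e613ec786da6aff60500c650fa8a5e4081cefc637a7d7d1de213a3b65a15bce7e82b99c4a78962b4d9bc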
@@ -48,6 +48,6 @@ require_relative 'aws-sdk-secretsmanager/customizations'
48
48
  # @!group service
49
49
  module Aws::SecretsManager
50
50
 
51
- GEM_VERSION = '1.44.0'
51
+ GEM_VERSION = '1.45.0'
52
52
 
53
53
  end
@@ -584,7 +584,7 @@ module Aws::SecretsManager
584
584
  #
585
585
  # * If a version with this value already exists and that version's
586
586
  # `SecretString` and `SecretBinary` values are different from those in
587
- # the request then the request fails because you cannot modify an
587
+ # the request, then the request fails because you cannot modify an
588
588
  # existing version. Instead, use PutSecretValue to create a new
589
589
  # version.
590
590
  #
@@ -714,11 +714,21 @@ module Aws::SecretsManager
714
714
  #
715
715
  # [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
716
716
  #
717
+ # @option params [Array<Types::ReplicaRegionType>] :add_replica_regions
718
+ # (Optional) Add a list of regions to replicate secrets. Secrets Manager
719
+ # replicates the KMSKeyID objects to the list of regions specified in
720
+ # the parameter.
721
+ #
722
+ # @option params [Boolean] :force_overwrite_replica_secret
723
+ # (Optional) If set, the replication overwrites a secret with the same
724
+ # name in the destination region.
725
+ #
717
726
  # @return [Types::CreateSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
718
727
  #
719
728
  # * {Types::CreateSecretResponse#arn #arn} => String
720
729
  # * {Types::CreateSecretResponse#name #name} => String
721
730
  # * {Types::CreateSecretResponse#version_id #version_id} => String
731
+ # * {Types::CreateSecretResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt;
722
732
  #
723
733
  #
724
734
  # @example Example: To create a basic secret
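Review bot: The added `:force_overwrite_replica_secret` description (new lines 722–724) says the flag overwrites a same-named secret in the destination Region, but it does not say what happens when the flag is left unset and carries no caution that the existing secret's content is replaced. The same wording is added for `replicate_secret_to_regions` at new lines 2250–2252. I would spell both out, e.g. `# (Optional) If true, replication replaces any secret with the same name in the destination Region. Confirm the name is not already in use there before setting it.`, and state the unset behaviour once it is confirmed against the service documentation. Separately, the `:add_replica_regions` text "replicates the KMSKeyID objects" reads as if keys are copied; judging by the request example (`region` plus `kms_key_id` per entry) it presumably means the key used to encrypt each replica, which is worth saying plainly. The method these comments document lies outside the hunk.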
@@ -755,6 +765,13 @@ module Aws::SecretsManager
755
765
  # value: "TagValueType",
756
766
  # },
757
767
  # ],
768
+ # add_replica_regions: [
769
+ # {
770
+ # region: "RegionType",
771
+ # kms_key_id: "KmsKeyIdType",
772
+ # },
773
+ # ],
774
+ # force_overwrite_replica_secret: false,
758
775
  # })
759
776
  #
760
777
  # @example Response structure
@@ -762,6 +779,12 @@ module Aws::SecretsManager
762
779
  # resp.arn #=> String
763
780
  # resp.name #=> String
764
781
  # resp.version_id #=> String
782
+ # resp.replication_status #=> Array
783
+ # resp.replication_status[0].region #=> String
784
+ # resp.replication_status[0].kms_key_id #=> String
785
+ # resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress"
786
+ # resp.replication_status[0].status_message #=> String
787
+ # resp.replication_status[0].last_accessed_date #=> Time
765
788
  #
766
789
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/CreateSecret AWS API Documentation
767
790
  #
@@ -786,8 +809,8 @@ module Aws::SecretsManager
786
809
  #
787
810
  # * To attach a resource policy to a secret, use PutResourcePolicy.
788
811
  #
789
- # * To retrieve the current resource-based policy that's attached to a
790
- # secret, use GetResourcePolicy.
812
+ # * To retrieve the current resource-based policy attached to a secret,
813
+ # use GetResourcePolicy.
791
814
  #
792
815
  # * To list all of the currently available secrets, use ListSecrets.
793
816
  #
@@ -857,7 +880,7 @@ module Aws::SecretsManager
857
880
  req.send_request(options)
858
881
  end
859
882
 
860
- # Deletes an entire secret and all of its versions. You can optionally
883
+ # Deletes an entire secret and all of the versions. You can optionally
861
884
  # include a recovery window during which you can restore the secret. If
862
885
  # you don't specify a recovery window value, the operation defaults to
863
886
  # 30 days. Secrets Manager attaches a `DeletionDate` stamp to the secret
@@ -867,17 +890,17 @@ module Aws::SecretsManager
867
890
  # At any time before recovery window ends, you can use RestoreSecret to
868
891
  # remove the `DeletionDate` and cancel the deletion of the secret.
869
892
  #
870
- # You cannot access the encrypted secret information in any secret that
871
- # is scheduled for deletion. If you need to access that information, you
893
+ # You cannot access the encrypted secret information in any secret
894
+ # scheduled for deletion. If you need to access that information, you
872
895
  # must cancel the deletion with RestoreSecret and then retrieve the
873
896
  # information.
874
897
  #
875
898
  # <note markdown="1"> * There is no explicit operation to delete a version of a secret.
876
899
  # Instead, remove all staging labels from the `VersionStage` field of
877
900
  # a version. That marks the version as deprecated and allows Secrets
878
- # Manager to delete it as needed. Versions that do not have any
879
- # staging labels do not show up in ListSecretVersionIds unless you
880
- # specify `IncludeDeprecated`.
901
+ # Manager to delete it as needed. Versions without any staging labels
902
+ # do not show up in ListSecretVersionIds unless you specify
903
+ # `IncludeDeprecated`.
881
904
  #
882
905
  # * The permanent secret deletion at the end of the waiting period is
883
906
  # performed as a background task with low priority. There is no
@@ -902,8 +925,8 @@ module Aws::SecretsManager
902
925
  # window has expired, use RestoreSecret.
903
926
  #
904
927
  # @option params [required, String] :secret_id
905
- # Specifies the secret that you want to delete. You can specify either
906
- # the Amazon Resource Name (ARN) or the friendly name of the secret.
928
+ # Specifies the secret to delete. You can specify either the Amazon
929
+ # Resource Name (ARN) or the friendly name of the secret.
907
930
  #
908
931
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
909
932
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -928,10 +951,11 @@ module Aws::SecretsManager
928
951
  #
929
952
  # @option params [Integer] :recovery_window_in_days
930
953
  # (Optional) Specifies the number of days that Secrets Manager waits
931
- # before it can delete the secret. You can't use both this parameter
932
- # and the `ForceDeleteWithoutRecovery` parameter in the same API call.
954
+ # before Secrets Manager can delete the secret. You can't use both this
955
+ # parameter and the `ForceDeleteWithoutRecovery` parameter in the same
956
+ # API call.
933
957
  #
934
- # This value can range from 7 to 30 days. The default value is 30.
958
+ # This value can range from 7 to 30 days with a default value of 30.
935
959
  #
936
960
  # @option params [Boolean] :force_delete_without_recovery
937
961
  # (Optional) Specifies that the secret is to be deleted without any
@@ -948,8 +972,12 @@ module Aws::SecretsManager
948
972
  # to skip the normal waiting period before the permanent deletion that
949
973
  # AWS would normally impose with the `RecoveryWindowInDays` parameter.
950
974
  # If you delete a secret with the `ForceDeleteWithouRecovery` parameter,
951
- # then you have no opportunity to recover the secret. It is permanently
952
- # lost.
975
+ # then you have no opportunity to recover the secret. You lose the
976
+ # secret permanently.
977
+ #
978
+ # If you use this parameter and include a previously deleted or
979
+ # nonexistent secret, the operation does not return the error
980
+ # `ResourceNotFoundException` in order to correctly handle retries.
953
981
  #
954
982
  # @return [Types::DeleteSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
955
983
  #
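Review bot: The paragraph added at new lines 978–980 says a force delete of a previously deleted or nonexistent secret does not return `ResourceNotFoundException`, but it does not say what the caller receives instead. That matters for cleanup automation: a mistyped `secret_id` would presumably no longer surface as an error, so a job could record a secret as destroyed when nothing was deleted. I would add a sentence such as `# Do not treat a successful response as proof that the secret existed; verify with DescribeSecret or ListSecrets when that matters.` The context line just above also spells the parameter `ForceDeleteWithouRecovery`, which is outside this change but worth fixing in the same pass.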
@@ -1065,6 +1093,8 @@ module Aws::SecretsManager
1065
1093
  # * {Types::DescribeSecretResponse#version_ids_to_stages #version_ids_to_stages} => Hash&lt;String,Array&lt;String&gt;&gt;
1066
1094
  # * {Types::DescribeSecretResponse#owning_service #owning_service} => String
1067
1095
  # * {Types::DescribeSecretResponse#created_date #created_date} => Time
1096
+ # * {Types::DescribeSecretResponse#primary_region #primary_region} => String
1097
+ # * {Types::DescribeSecretResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt;
1068
1098
  #
1069
1099
  #
1070
1100
  # @example Example: To retrieve the details of a secret
@@ -1136,6 +1166,13 @@ module Aws::SecretsManager
1136
1166
  # resp.version_ids_to_stages["SecretVersionIdType"][0] #=> String
1137
1167
  # resp.owning_service #=> String
1138
1168
  # resp.created_date #=> Time
1169
+ # resp.primary_region #=> String
1170
+ # resp.replication_status #=> Array
1171
+ # resp.replication_status[0].region #=> String
1172
+ # resp.replication_status[0].kms_key_id #=> String
1173
+ # resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress"
1174
+ # resp.replication_status[0].status_message #=> String
1175
+ # resp.replication_status[0].last_accessed_date #=> Time
1139
1176
  #
1140
1177
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DescribeSecret AWS API Documentation
1141
1178
  #
@@ -1395,10 +1432,11 @@ module Aws::SecretsManager
1395
1432
  #
1396
1433
  # @option params [String] :version_id
1397
1434
  # Specifies the unique identifier of the version of the secret that you
1398
- # want to retrieve. If you specify this parameter then don't specify
1399
- # `VersionStage`. If you don't specify either a `VersionStage` or
1400
- # `VersionId` then the default is to perform the operation on the
1401
- # version with the `VersionStage` value of `AWSCURRENT`.
1435
+ # want to retrieve. If you specify both this parameter and
1436
+ # `VersionStage`, the two parameters must refer to the same secret
1437
+ # version. If you don't specify either a `VersionStage` or `VersionId`
1438
+ # then the default is to perform the operation on the version with the
1439
+ # `VersionStage` value of `AWSCURRENT`.
1402
1440
  #
1403
1441
  # This value is typically a [UUID-type][1] value with 32 hexadecimal
1404
1442
  # digits.
@@ -1412,10 +1450,11 @@ module Aws::SecretsManager
1412
1450
  # label attached to the version.
1413
1451
  #
1414
1452
  # Staging labels are used to keep track of different versions during the
1415
- # rotation process. If you use this parameter then don't specify
1416
- # `VersionId`. If you don't specify either a `VersionStage` or
1417
- # `VersionId`, then the default is to perform the operation on the
1418
- # version with the `VersionStage` value of `AWSCURRENT`.
1453
+ # rotation process. If you specify both this parameter and `VersionId`,
1454
+ # the two parameters must refer to the same secret version . If you
1455
+ # don't specify either a `VersionStage` or `VersionId`, then the
1456
+ # default is to perform the operation on the version with the
1457
+ # `VersionStage` value of `AWSCURRENT`.
1419
1458
  #
1420
1459
  # @return [Types::GetSecretValueResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1421
1460
  #
@@ -1738,7 +1777,7 @@ module Aws::SecretsManager
1738
1777
  # next_token: "NextTokenType",
1739
1778
  # filters: [
1740
1779
  # {
1741
- # key: "description", # accepts description, name, tag-key, tag-value, all
1780
+ # key: "description", # accepts description, name, tag-key, tag-value, primary-region, all
1742
1781
  # values: ["FilterValueStringType"],
1743
1782
  # },
1744
1783
  # ],
@@ -1767,6 +1806,7 @@ module Aws::SecretsManager
1767
1806
  # resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"][0] #=> String
1768
1807
  # resp.secret_list[0].owning_service #=> String
1769
1808
  # resp.secret_list[0].created_date #=> Time
1809
+ # resp.secret_list[0].primary_region #=> String
1770
1810
  # resp.next_token #=> String
1771
1811
  #
1772
1812
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecrets AWS API Documentation
@@ -1803,8 +1843,8 @@ module Aws::SecretsManager
1803
1843
  # * To retrieve the resource policy attached to a secret, use
1804
1844
  # GetResourcePolicy.
1805
1845
  #
1806
- # * To delete the resource-based policy that's attached to a secret,
1807
- # use DeleteResourcePolicy.
1846
+ # * To delete the resource-based policy attached to a secret, use
1847
+ # DeleteResourcePolicy.
1808
1848
  #
1809
1849
  # * To list all of the currently available secrets, use ListSecrets.
1810
1850
  #
@@ -1814,8 +1854,9 @@ module Aws::SecretsManager
1814
1854
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
1815
1855
  #
1816
1856
  # @option params [required, String] :secret_id
1817
- # Specifies the secret that you want to attach the resource-based policy
1818
- # to. You can specify either the ARN or the friendly name of the secret.
1857
+ # Specifies the secret that you want to attach the resource-based
1858
+ # policy. You can specify either the ARN or the friendly name of the
1859
+ # secret.
1819
1860
  #
1820
1861
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
1821
1862
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -1839,8 +1880,8 @@ module Aws::SecretsManager
1839
1880
  # </note>
1840
1881
  #
1841
1882
  # @option params [required, String] :resource_policy
1842
- # A JSON-formatted string that's constructed according to the grammar
1843
- # and syntax for an AWS resource-based policy. The policy in the string
1883
+ # A JSON-formatted string constructed according to the grammar and
1884
+ # syntax for an AWS resource-based policy. The policy in the string
1844
1885
  # identifies who can access or manage this secret and its versions. For
1845
1886
  # information on how to format a JSON parameter for the various command
1846
1887
  # line tool environments, see [Using JSON for Parameters][1] in the *AWS
@@ -1851,8 +1892,9 @@ module Aws::SecretsManager
1851
1892
  # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
1852
1893
  #
1853
1894
  # @option params [Boolean] :block_public_policy
1854
- # Makes an optional API call to Zelkova to validate the Resource Policy
1855
- # to prevent broad access to your secret.
1895
+ # (Optional) If you set the parameter, `BlockPublicPolicy` to true, then
1896
+ # you block resource-based policies that allow broad access to the
1897
+ # secret.
1856
1898
  #
1857
1899
  # @return [Types::PutResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1858
1900
  #
@@ -1913,13 +1955,12 @@ module Aws::SecretsManager
1913
1955
  # Secrets Manager automatically attaches the staging label
1914
1956
  # `AWSCURRENT` to the new version.
1915
1957
  #
1916
- # * If another version of this secret already exists, then this
1917
- # operation does not automatically move any staging labels other than
1918
- # those that you explicitly specify in the `VersionStages` parameter.
1958
+ # * If you do not specify a value for VersionStages then Secrets Manager
1959
+ # automatically moves the staging label `AWSCURRENT` to this new
1960
+ # version.
1919
1961
  #
1920
1962
  # * If this operation moves the staging label `AWSCURRENT` from another
1921
- # version to this version (because you included it in the
1922
- # `StagingLabels` parameter) then Secrets Manager also automatically
1963
+ # version to this version, then Secrets Manager also automatically
1923
1964
  # moves the staging label `AWSPREVIOUS` to the version that
1924
1965
  # `AWSCURRENT` was removed from.
1925
1966
  #
@@ -2158,6 +2199,95 @@ module Aws::SecretsManager
2158
2199
  req.send_request(options)
2159
2200
  end
2160
2201
 
2202
+ # Remove regions from replication.
2203
+ #
2204
+ # @option params [required, String] :secret_id
2205
+ # Remove a secret by `SecretId` from replica Regions.
2206
+ #
2207
+ # @option params [required, Array<String>] :remove_replica_regions
2208
+ # Remove replication from specific Regions.
2209
+ #
2210
+ # @return [Types::RemoveRegionsFromReplicationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2211
+ #
2212
+ # * {Types::RemoveRegionsFromReplicationResponse#arn #arn} => String
2213
+ # * {Types::RemoveRegionsFromReplicationResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt;
2214
+ #
2215
+ # @example Request syntax with placeholder values
2216
+ #
2217
+ # resp = client.remove_regions_from_replication({
2218
+ # secret_id: "SecretIdType", # required
2219
+ # remove_replica_regions: ["RegionType"], # required
2220
+ # })
2221
+ #
2222
+ # @example Response structure
2223
+ #
2224
+ # resp.arn #=> String
2225
+ # resp.replication_status #=> Array
2226
+ # resp.replication_status[0].region #=> String
2227
+ # resp.replication_status[0].kms_key_id #=> String
2228
+ # resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress"
2229
+ # resp.replication_status[0].status_message #=> String
2230
+ # resp.replication_status[0].last_accessed_date #=> Time
2231
+ #
2232
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RemoveRegionsFromReplication AWS API Documentation
2233
+ #
2234
+ # @overload remove_regions_from_replication(params = {})
2235
+ # @param [Hash] params ({})
2236
+ def remove_regions_from_replication(params = {}, options = {})
2237
+ req = build_request(:remove_regions_from_replication, params)
2238
+ req.send_request(options)
2239
+ end
2240
+
2241
+ # Converts an existing secret to a multi-Region secret and begins
2242
+ # replication the secret to a list of new regions.
2243
+ #
2244
+ # @option params [required, String] :secret_id
2245
+ # Use the `Secret Id` to replicate a secret to regions.
2246
+ #
2247
+ # @option params [required, Array<Types::ReplicaRegionType>] :add_replica_regions
2248
+ # Add Regions to replicate the secret.
2249
+ #
2250
+ # @option params [Boolean] :force_overwrite_replica_secret
2251
+ # (Optional) If set, Secrets Manager replication overwrites a secret
2252
+ # with the same name in the destination region.
2253
+ #
2254
+ # @return [Types::ReplicateSecretToRegionsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2255
+ #
2256
+ # * {Types::ReplicateSecretToRegionsResponse#arn #arn} => String
2257
+ # * {Types::ReplicateSecretToRegionsResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt;
2258
+ #
2259
+ # @example Request syntax with placeholder values
2260
+ #
2261
+ # resp = client.replicate_secret_to_regions({
2262
+ # secret_id: "SecretIdType", # required
2263
+ # add_replica_regions: [ # required
2264
+ # {
2265
+ # region: "RegionType",
2266
+ # kms_key_id: "KmsKeyIdType",
2267
+ # },
2268
+ # ],
2269
+ # force_overwrite_replica_secret: false,
2270
+ # })
2271
+ #
2272
+ # @example Response structure
2273
+ #
2274
+ # resp.arn #=> String
2275
+ # resp.replication_status #=> Array
2276
+ # resp.replication_status[0].region #=> String
2277
+ # resp.replication_status[0].kms_key_id #=> String
2278
+ # resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress"
2279
+ # resp.replication_status[0].status_message #=> String
2280
+ # resp.replication_status[0].last_accessed_date #=> Time
2281
+ #
2282
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ReplicateSecretToRegions AWS API Documentation
2283
+ #
2284
+ # @overload replicate_secret_to_regions(params = {})
2285
+ # @param [Hash] params ({})
2286
+ def replicate_secret_to_regions(params = {}, options = {})
2287
+ req = build_request(:replicate_secret_to_regions, params)
2288
+ req.send_request(options)
2289
+ end
2290
+
2161
2291
  # Cancels the scheduled deletion of a secret by removing the
2162
2292
  # `DeletedDate` time stamp. This makes the secret accessible to query
2163
2293
  # once again.
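Review bot: The new `remove_regions_from_replication` doc comment (new lines 2202–2208) does not say what becomes of the replica in each removed Region, i.e. whether it is deleted or left behind as a standalone secret. The `stop_replication_to_replica` comment added in a later hunk states that its replica is promoted to a regional secret, so the difference should be explicit here; a leftover copy of a secret is something operators need to account for. The `:secret_id` text "Remove a secret by `SecretId` from replica Regions" describes the operation rather than the parameter; something like `# The ARN or friendly name of the secret whose replicas are removed.` would be clearer, assuming this parameter accepts the same identifiers as the other `:secret_id` parameters in this file. New line 2242 should also read "begins replicating the secret".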
@@ -2400,6 +2530,36 @@ module Aws::SecretsManager
2400
2530
  req.send_request(options)
2401
2531
  end
2402
2532
 
2533
+ # Removes the secret from replication and promotes the secret to a
2534
+ # regional secret in the replica Region.
2535
+ #
2536
+ # @option params [required, String] :secret_id
2537
+ # Response to `StopReplicationToReplica` of a secret, based on the
2538
+ # `SecretId`.
2539
+ #
2540
+ # @return [Types::StopReplicationToReplicaResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2541
+ #
2542
+ # * {Types::StopReplicationToReplicaResponse#arn #arn} => String
2543
+ #
2544
+ # @example Request syntax with placeholder values
2545
+ #
2546
+ # resp = client.stop_replication_to_replica({
2547
+ # secret_id: "SecretIdType", # required
2548
+ # })
2549
+ #
2550
+ # @example Response structure
2551
+ #
2552
+ # resp.arn #=> String
2553
+ #
2554
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/StopReplicationToReplica AWS API Documentation
2555
+ #
2556
+ # @overload stop_replication_to_replica(params = {})
2557
+ # @param [Hash] params ({})
2558
+ def stop_replication_to_replica(params = {}, options = {})
2559
+ req = build_request(:stop_replication_to_replica, params)
2560
+ req.send_request(options)
2561
+ end
2562
+
2403
2563
  # Attaches one or more tags, each consisting of a key name and a value,
2404
2564
  # to the specified secret. Tags are part of the secret's overall
2405
2565
  # metadata, and are not associated with any specific version of the
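Review bot: The `:secret_id` description added at new lines 2537–2538 ("Response to `StopReplicationToReplica` of a secret, based on the `SecretId`") describes a response, not the request parameter it documents. I would replace it with `# The ARN or friendly name of the replica secret to promote.`, provided the parameter accepts the same identifiers as the other `:secret_id` parameters in this file. The summary could also state in which Region the call has to be made, since it only says the promotion happens "in the replica Region".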
@@ -2481,7 +2641,7 @@ module Aws::SecretsManager
2481
2641
  # information on how to format a JSON parameter for the various command
2482
2642
  # line tool environments, see [Using JSON for Parameters][1] in the *AWS
2483
2643
  # CLI User Guide*. For the AWS CLI, you can also use the syntax: `--Tags
2484
- # Key="Key1",Value="Value1",Key="Key2",Value="Value2"[,…]`
2644
+ # Key="Key1",Value="Value1" Key="Key2",Value="Value2"[,…]`
2485
2645
  #
2486
2646
  #
2487
2647
  #
@@ -3088,16 +3248,38 @@ module Aws::SecretsManager
3088
3248
  req.send_request(options)
3089
3249
  end
3090
3250
 
3091
- # Validates the JSON text of the resource-based policy document attached
3092
- # to the specified secret. The JSON request string input and response
3093
- # output displays formatted code with white space and line breaks for
3094
- # better readability. Submit your input as a single line JSON string. A
3095
- # resource-based policy is optional.
3251
+ # Validates that the resource policy does not grant a wide range of IAM
3252
+ # principals access to your secret. The JSON request string input and
3253
+ # response output displays formatted code with white space and line
3254
+ # breaks for better readability. Submit your input as a single line JSON
3255
+ # string. A resource-based policy is optional for secrets.
3256
+ #
3257
+ # The API performs three checks when validating the secret:
3258
+ #
3259
+ # * Sends a call to [Zelkova][1], an automated reasoning engine, to
3260
+ # ensure your Resource Policy does not allow broad access to your
3261
+ # secret.
3262
+ #
3263
+ # * Checks for correct syntax in a policy.
3264
+ #
3265
+ # * Verifies the policy does not lock out a caller.
3266
+ #
3267
+ # **Minimum Permissions**
3268
+ #
3269
+ # You must have the permissions required to access the following APIs:
3270
+ #
3271
+ # * `secretsmanager:PutResourcePolicy`
3272
+ #
3273
+ # * `secretsmanager:ValidateResourcePolicy`
3274
+ #
3275
+ #
3276
+ #
3277
+ # [1]: https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/
3096
3278
  #
3097
3279
  # @option params [String] :secret_id
3098
- # The identifier for the secret that you want to validate a resource
3099
- # policy. You can specify either the Amazon Resource Name (ARN) or the
3100
- # friendly name of the secret.
3280
+ # (Optional) The identifier of the secret with the resource-based policy
3281
+ # you want to validate. You can specify either the Amazon Resource Name
3282
+ # (ARN) or the friendly name of the secret.
3101
3283
  #
3102
3284
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
3103
3285
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -3121,7 +3303,16 @@ module Aws::SecretsManager
3121
3303
  # </note>
3122
3304
  #
3123
3305
  # @option params [required, String] :resource_policy
3124
- # Identifies the Resource Policy attached to the secret.
3306
+ # A JSON-formatted string constructed according to the grammar and
3307
+ # syntax for an AWS resource-based policy. The policy in the string
3308
+ # identifies who can access or manage this secret and its versions. For
3309
+ # information on how to format a JSON parameter for the various command
3310
+ # line tool environments, see [Using JSON for Parameters][1] in the *AWS
3311
+ # CLI User Guide*.publi
3312
+ #
3313
+ #
3314
+ #
3315
+ # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
3125
3316
  #
3126
3317
  # @return [Types::ValidateResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3127
3318
  #
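Review bot: New line 3311 ends with a stray fragment, `CLI User Guide*.publi`, which looks like a truncated word left in the doc text; it should read `# CLI User Guide*.`. The reference added at new line 3315 uses `http://docs.aws.amazon.com/...`, while the same page is linked with `https://` in the CreateSecret comment (line 715 of this file). I would use `# [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json` here as well, so readers following the link are not sent over plain HTTP.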
@@ -3181,7 +3372,7 @@ module Aws::SecretsManager
3181
3372
  params: params,
3182
3373
  config: config)
3183
3374
  context[:gem_name] = 'aws-sdk-secretsmanager'
3184
- context[:gem_version] = '1.44.0'
3375
+ context[:gem_version] = '1.45.0'
3185
3376
  Seahorse::Client::Request.new(handlers, context)
3186
3377
  end
3187
3378
 
@@ -13,6 +13,7 @@ module Aws::SecretsManager
13
13
 
14
14
  include Seahorse::Model
15
15
 
16
+ AddReplicaRegionListType = Shapes::ListShape.new(name: 'AddReplicaRegionListType')
16
17
  AutomaticallyRotateAfterDaysType = Shapes::IntegerShape.new(name: 'AutomaticallyRotateAfterDaysType')
17
18
  BooleanType = Shapes::BooleanShape.new(name: 'BooleanType')
18
19
  CancelRotateSecretRequest = Shapes::StructureShape.new(name: 'CancelRotateSecretRequest')
@@ -78,6 +79,15 @@ module Aws::SecretsManager
78
79
  PutSecretValueResponse = Shapes::StructureShape.new(name: 'PutSecretValueResponse')
79
80
  RandomPasswordType = Shapes::StringShape.new(name: 'RandomPasswordType')
80
81
  RecoveryWindowInDaysType = Shapes::IntegerShape.new(name: 'RecoveryWindowInDaysType')
82
+ RegionType = Shapes::StringShape.new(name: 'RegionType')
83
+ RemoveRegionsFromReplicationRequest = Shapes::StructureShape.new(name: 'RemoveRegionsFromReplicationRequest')
84
+ RemoveRegionsFromReplicationResponse = Shapes::StructureShape.new(name: 'RemoveRegionsFromReplicationResponse')
85
+ RemoveReplicaRegionListType = Shapes::ListShape.new(name: 'RemoveReplicaRegionListType')
86
+ ReplicaRegionType = Shapes::StructureShape.new(name: 'ReplicaRegionType')
87
+ ReplicateSecretToRegionsRequest = Shapes::StructureShape.new(name: 'ReplicateSecretToRegionsRequest')
88
+ ReplicateSecretToRegionsResponse = Shapes::StructureShape.new(name: 'ReplicateSecretToRegionsResponse')
89
+ ReplicationStatusListType = Shapes::ListShape.new(name: 'ReplicationStatusListType')
90
+ ReplicationStatusType = Shapes::StructureShape.new(name: 'ReplicationStatusType')
81
91
  RequireEachIncludedTypeType = Shapes::BooleanShape.new(name: 'RequireEachIncludedTypeType')
82
92
  ResourceExistsException = Shapes::StructureShape.new(name: 'ResourceExistsException')
83
93
  ResourceNotFoundException = Shapes::StructureShape.new(name: 'ResourceNotFoundException')
@@ -102,6 +112,10 @@ module Aws::SecretsManager
102
112
  SecretVersionsListType = Shapes::ListShape.new(name: 'SecretVersionsListType')
103
113
  SecretVersionsToStagesMapType = Shapes::MapShape.new(name: 'SecretVersionsToStagesMapType')
104
114
  SortOrderType = Shapes::StringShape.new(name: 'SortOrderType')
115
+ StatusMessageType = Shapes::StringShape.new(name: 'StatusMessageType')
116
+ StatusType = Shapes::StringShape.new(name: 'StatusType')
117
+ StopReplicationToReplicaRequest = Shapes::StructureShape.new(name: 'StopReplicationToReplicaRequest')
118
+ StopReplicationToReplicaResponse = Shapes::StructureShape.new(name: 'StopReplicationToReplicaResponse')
105
119
  Tag = Shapes::StructureShape.new(name: 'Tag')
106
120
  TagKeyListType = Shapes::ListShape.new(name: 'TagKeyListType')
107
121
  TagKeyType = Shapes::StringShape.new(name: 'TagKeyType')
@@ -119,6 +133,8 @@ module Aws::SecretsManager
119
133
  ValidationErrorsEntry = Shapes::StructureShape.new(name: 'ValidationErrorsEntry')
120
134
  ValidationErrorsType = Shapes::ListShape.new(name: 'ValidationErrorsType')
121
135
 
136
+ AddReplicaRegionListType.member = Shapes::ShapeRef.new(shape: ReplicaRegionType)
137
+
122
138
  CancelRotateSecretRequest.add_member(:secret_id, Shapes::ShapeRef.new(shape: SecretIdType, required: true, location_name: "SecretId"))
123
139
  CancelRotateSecretRequest.struct_class = Types::CancelRotateSecretRequest
124
140
 
@@ -134,11 +150,14 @@ module Aws::SecretsManager
134
150
  CreateSecretRequest.add_member(:secret_binary, Shapes::ShapeRef.new(shape: SecretBinaryType, location_name: "SecretBinary"))
135
151
  CreateSecretRequest.add_member(:secret_string, Shapes::ShapeRef.new(shape: SecretStringType, location_name: "SecretString"))
136
152
  CreateSecretRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagListType, location_name: "Tags"))
153
+ CreateSecretRequest.add_member(:add_replica_regions, Shapes::ShapeRef.new(shape: AddReplicaRegionListType, location_name: "AddReplicaRegions"))
154
+ CreateSecretRequest.add_member(:force_overwrite_replica_secret, Shapes::ShapeRef.new(shape: BooleanType, location_name: "ForceOverwriteReplicaSecret"))
137
155
  CreateSecretRequest.struct_class = Types::CreateSecretRequest
138
156
 
139
157
  CreateSecretResponse.add_member(:arn, Shapes::ShapeRef.new(shape: SecretARNType, location_name: "ARN"))
140
158
  CreateSecretResponse.add_member(:name, Shapes::ShapeRef.new(shape: SecretNameType, location_name: "Name"))
141
159
  CreateSecretResponse.add_member(:version_id, Shapes::ShapeRef.new(shape: SecretVersionIdType, location_name: "VersionId"))
160
+ CreateSecretResponse.add_member(:replication_status, Shapes::ShapeRef.new(shape: ReplicationStatusListType, location_name: "ReplicationStatus"))
142
161
  CreateSecretResponse.struct_class = Types::CreateSecretResponse
143
162
 
144
163
  DecryptionFailure.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "Message"))
@@ -179,6 +198,8 @@ module Aws::SecretsManager
179
198
  DescribeSecretResponse.add_member(:version_ids_to_stages, Shapes::ShapeRef.new(shape: SecretVersionsToStagesMapType, location_name: "VersionIdsToStages"))
180
199
  DescribeSecretResponse.add_member(:owning_service, Shapes::ShapeRef.new(shape: OwningServiceType, location_name: "OwningService"))
181
200
  DescribeSecretResponse.add_member(:created_date, Shapes::ShapeRef.new(shape: TimestampType, location_name: "CreatedDate", metadata: {"box"=>true}))
201
+ DescribeSecretResponse.add_member(:primary_region, Shapes::ShapeRef.new(shape: RegionType, location_name: "PrimaryRegion"))
202
+ DescribeSecretResponse.add_member(:replication_status, Shapes::ShapeRef.new(shape: ReplicationStatusListType, location_name: "ReplicationStatus"))
182
203
  DescribeSecretResponse.struct_class = Types::DescribeSecretResponse
183
204
 
184
205
  EncryptionFailure.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "Message"))
@@ -295,6 +316,38 @@ module Aws::SecretsManager
295
316
  PutSecretValueResponse.add_member(:version_stages, Shapes::ShapeRef.new(shape: SecretVersionStagesType, location_name: "VersionStages"))
296
317
  PutSecretValueResponse.struct_class = Types::PutSecretValueResponse
297
318
 
319
+ RemoveRegionsFromReplicationRequest.add_member(:secret_id, Shapes::ShapeRef.new(shape: SecretIdType, required: true, location_name: "SecretId"))
320
+ RemoveRegionsFromReplicationRequest.add_member(:remove_replica_regions, Shapes::ShapeRef.new(shape: RemoveReplicaRegionListType, required: true, location_name: "RemoveReplicaRegions"))
321
+ RemoveRegionsFromReplicationRequest.struct_class = Types::RemoveRegionsFromReplicationRequest
322
+
323
+ RemoveRegionsFromReplicationResponse.add_member(:arn, Shapes::ShapeRef.new(shape: SecretARNType, location_name: "ARN"))
324
+ RemoveRegionsFromReplicationResponse.add_member(:replication_status, Shapes::ShapeRef.new(shape: ReplicationStatusListType, location_name: "ReplicationStatus"))
325
+ RemoveRegionsFromReplicationResponse.struct_class = Types::RemoveRegionsFromReplicationResponse
326
+
327
+ RemoveReplicaRegionListType.member = Shapes::ShapeRef.new(shape: RegionType)
328
+
329
+ ReplicaRegionType.add_member(:region, Shapes::ShapeRef.new(shape: RegionType, location_name: "Region"))
330
+ ReplicaRegionType.add_member(:kms_key_id, Shapes::ShapeRef.new(shape: KmsKeyIdType, location_name: "KmsKeyId"))
331
+ ReplicaRegionType.struct_class = Types::ReplicaRegionType
332
+
333
+ ReplicateSecretToRegionsRequest.add_member(:secret_id, Shapes::ShapeRef.new(shape: SecretIdType, required: true, location_name: "SecretId"))
334
+ ReplicateSecretToRegionsRequest.add_member(:add_replica_regions, Shapes::ShapeRef.new(shape: AddReplicaRegionListType, required: true, location_name: "AddReplicaRegions"))
335
+ ReplicateSecretToRegionsRequest.add_member(:force_overwrite_replica_secret, Shapes::ShapeRef.new(shape: BooleanType, location_name: "ForceOverwriteReplicaSecret"))
336
+ ReplicateSecretToRegionsRequest.struct_class = Types::ReplicateSecretToRegionsRequest
337
+
338
+ ReplicateSecretToRegionsResponse.add_member(:arn, Shapes::ShapeRef.new(shape: SecretARNType, location_name: "ARN"))
339
+ ReplicateSecretToRegionsResponse.add_member(:replication_status, Shapes::ShapeRef.new(shape: ReplicationStatusListType, location_name: "ReplicationStatus"))
340
+ ReplicateSecretToRegionsResponse.struct_class = Types::ReplicateSecretToRegionsResponse
341
+
342
+ ReplicationStatusListType.member = Shapes::ShapeRef.new(shape: ReplicationStatusType)
343
+
344
+ ReplicationStatusType.add_member(:region, Shapes::ShapeRef.new(shape: RegionType, location_name: "Region"))
345
+ ReplicationStatusType.add_member(:kms_key_id, Shapes::ShapeRef.new(shape: KmsKeyIdType, location_name: "KmsKeyId"))
346
+ ReplicationStatusType.add_member(:status, Shapes::ShapeRef.new(shape: StatusType, location_name: "Status"))
347
+ ReplicationStatusType.add_member(:status_message, Shapes::ShapeRef.new(shape: StatusMessageType, location_name: "StatusMessage"))
348
+ ReplicationStatusType.add_member(:last_accessed_date, Shapes::ShapeRef.new(shape: LastAccessedDateType, location_name: "LastAccessedDate"))
349
+ ReplicationStatusType.struct_class = Types::ReplicationStatusType
350
+
298
351
  ResourceExistsException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "Message"))
299
352
  ResourceExistsException.struct_class = Types::ResourceExistsException
300
353
 
@@ -337,6 +390,7 @@ module Aws::SecretsManager
337
390
  SecretListEntry.add_member(:secret_versions_to_stages, Shapes::ShapeRef.new(shape: SecretVersionsToStagesMapType, location_name: "SecretVersionsToStages"))
338
391
  SecretListEntry.add_member(:owning_service, Shapes::ShapeRef.new(shape: OwningServiceType, location_name: "OwningService"))
339
392
  SecretListEntry.add_member(:created_date, Shapes::ShapeRef.new(shape: TimestampType, location_name: "CreatedDate", metadata: {"box"=>true}))
393
+ SecretListEntry.add_member(:primary_region, Shapes::ShapeRef.new(shape: RegionType, location_name: "PrimaryRegion"))
340
394
  SecretListEntry.struct_class = Types::SecretListEntry
341
395
 
342
396
  SecretListType.member = Shapes::ShapeRef.new(shape: SecretListEntry)
@@ -354,6 +408,12 @@ module Aws::SecretsManager
354
408
  SecretVersionsToStagesMapType.key = Shapes::ShapeRef.new(shape: SecretVersionIdType)
355
409
  SecretVersionsToStagesMapType.value = Shapes::ShapeRef.new(shape: SecretVersionStagesType)
356
410
 
411
+ StopReplicationToReplicaRequest.add_member(:secret_id, Shapes::ShapeRef.new(shape: SecretIdType, required: true, location_name: "SecretId"))
412
+ StopReplicationToReplicaRequest.struct_class = Types::StopReplicationToReplicaRequest
413
+
414
+ StopReplicationToReplicaResponse.add_member(:arn, Shapes::ShapeRef.new(shape: SecretARNType, location_name: "ARN"))
415
+ StopReplicationToReplicaResponse.struct_class = Types::StopReplicationToReplicaResponse
416
+
357
417
  Tag.add_member(:key, Shapes::ShapeRef.new(shape: TagKeyType, location_name: "Key"))
358
418
  Tag.add_member(:value, Shapes::ShapeRef.new(shape: TagValueType, location_name: "Value"))
359
419
  Tag.struct_class = Types::Tag
@@ -464,6 +524,7 @@ module Aws::SecretsManager
464
524
  o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
465
525
  o.errors << Shapes::ShapeRef.new(shape: InternalServiceError)
466
526
  o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
527
+ o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
467
528
  end)
468
529
 
469
530
  api.add_operation(:delete_secret, Seahorse::Model::Operation.new.tap do |o|
@@ -586,6 +647,30 @@ module Aws::SecretsManager
586
647
  o.errors << Shapes::ShapeRef.new(shape: InternalServiceError)
587
648
  end)
588
649
 
650
+ api.add_operation(:remove_regions_from_replication, Seahorse::Model::Operation.new.tap do |o|
651
+ o.name = "RemoveRegionsFromReplication"
652
+ o.http_method = "POST"
653
+ o.http_request_uri = "/"
654
+ o.input = Shapes::ShapeRef.new(shape: RemoveRegionsFromReplicationRequest)
655
+ o.output = Shapes::ShapeRef.new(shape: RemoveRegionsFromReplicationResponse)
656
+ o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
657
+ o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
658
+ o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
659
+ o.errors << Shapes::ShapeRef.new(shape: InternalServiceError)
660
+ end)
661
+
662
+ api.add_operation(:replicate_secret_to_regions, Seahorse::Model::Operation.new.tap do |o|
663
+ o.name = "ReplicateSecretToRegions"
664
+ o.http_method = "POST"
665
+ o.http_request_uri = "/"
666
+ o.input = Shapes::ShapeRef.new(shape: ReplicateSecretToRegionsRequest)
667
+ o.output = Shapes::ShapeRef.new(shape: ReplicateSecretToRegionsResponse)
668
+ o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
669
+ o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
670
+ o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
671
+ o.errors << Shapes::ShapeRef.new(shape: InternalServiceError)
672
+ end)
673
+
589
674
  api.add_operation(:restore_secret, Seahorse::Model::Operation.new.tap do |o|
590
675
  o.name = "RestoreSecret"
591
676
  o.http_method = "POST"
@@ -610,6 +695,18 @@ module Aws::SecretsManager
610
695
  o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
611
696
  end)
612
697
 
698
+ api.add_operation(:stop_replication_to_replica, Seahorse::Model::Operation.new.tap do |o|
699
+ o.name = "StopReplicationToReplica"
700
+ o.http_method = "POST"
701
+ o.http_request_uri = "/"
702
+ o.input = Shapes::ShapeRef.new(shape: StopReplicationToReplicaRequest)
703
+ o.output = Shapes::ShapeRef.new(shape: StopReplicationToReplicaResponse)
704
+ o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
705
+ o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
706
+ o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
707
+ o.errors << Shapes::ShapeRef.new(shape: InternalServiceError)
708
+ end)
709
+
613
710
  api.add_operation(:tag_resource, Seahorse::Model::Operation.new.tap do |o|
614
711
  o.name = "TagResource"
615
712
  o.http_method = "POST"
@@ -96,6 +96,13 @@ module Aws::SecretsManager
96
96
  # value: "TagValueType",
97
97
  # },
98
98
  # ],
99
+ # add_replica_regions: [
100
+ # {
101
+ # region: "RegionType",
102
+ # kms_key_id: "KmsKeyIdType",
103
+ # },
104
+ # ],
105
+ # force_overwrite_replica_secret: false,
99
106
  # }
100
107
  #
101
108
  # @!attribute [rw] name
@@ -143,8 +150,8 @@ module Aws::SecretsManager
143
150
  #
144
151
  # * If a version with this value already exists and that version's
145
152
  # `SecretString` and `SecretBinary` values are different from those
146
- # in the request then the request fails because you cannot modify an
147
- # existing version. Instead, use PutSecretValue to create a new
153
+ # in the request, then the request fails because you cannot modify
154
+ # an existing version. Instead, use PutSecretValue to create a new
148
155
  # version.
149
156
  #
150
157
  # This value becomes the `VersionId` of the new version.
@@ -279,6 +286,17 @@ module Aws::SecretsManager
279
286
  # [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
280
287
  # @return [Array<Types::Tag>]
281
288
  #
289
+ # @!attribute [rw] add_replica_regions
290
+ # (Optional) Add a list of regions to replicate secrets. Secrets
291
+ # Manager replicates the KMSKeyID objects to the list of regions
292
+ # specified in the parameter.
293
+ # @return [Array<Types::ReplicaRegionType>]
294
+ #
295
+ # @!attribute [rw] force_overwrite_replica_secret
296
+ # (Optional) If set, the replication overwrites a secret with the same
297
+ # name in the destination region.
298
+ # @return [Boolean]
299
+ #
282
300
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/CreateSecretRequest AWS API Documentation
283
301
  #
284
302
  class CreateSecretRequest < Struct.new(
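Review bot: The new `force_overwrite_replica_secret` comment (new lines 296-297) says replication overwrites a same-named secret in the destination Region, but it does not spell out that the existing secret's contents are replaced. That consequence is what a caller most needs to see before setting the flag. I would extend it to `# (Optional) If true, replication overwrites an existing secret with the same name in the destination Region; the previous contents of that secret are replaced.` The `add_replica_regions` comment above it (new lines 290-292) reads as if the KMS key objects were what gets replicated; `# (Optional) A list of Regions, each with an optional KMS key, to replicate the secret to.` fits the `ReplicaRegionType` members better. The same `force_overwrite_replica_secret` wording recurs in the `ReplicateSecretToRegionsRequest` comment later in this diff.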
@@ -288,7 +306,9 @@ module Aws::SecretsManager
288
306
  :kms_key_id,
289
307
  :secret_binary,
290
308
  :secret_string,
291
- :tags)
309
+ :tags,
310
+ :add_replica_regions,
311
+ :force_overwrite_replica_secret)
292
312
  SENSITIVE = [:secret_binary, :secret_string]
293
313
  include Aws::Structure
294
314
  end
@@ -316,12 +336,18 @@ module Aws::SecretsManager
316
336
  # just created.
317
337
  # @return [String]
318
338
  #
339
+ # @!attribute [rw] replication_status
340
+ # Describes a list of replication status objects as `InProgress`,
341
+ # `Failed` or `InSync`.
342
+ # @return [Array<Types::ReplicationStatusType>]
343
+ #
319
344
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/CreateSecretResponse AWS API Documentation
320
345
  #
321
346
  class CreateSecretResponse < Struct.new(
322
347
  :arn,
323
348
  :name,
324
- :version_id)
349
+ :version_id,
350
+ :replication_status)
325
351
  SENSITIVE = []
326
352
  include Aws::Structure
327
353
  end
@@ -412,8 +438,8 @@ module Aws::SecretsManager
412
438
  # }
413
439
  #
414
440
  # @!attribute [rw] secret_id
415
- # Specifies the secret that you want to delete. You can specify either
416
- # the Amazon Resource Name (ARN) or the friendly name of the secret.
441
+ # Specifies the secret to delete. You can specify either the Amazon
442
+ # Resource Name (ARN) or the friendly name of the secret.
417
443
  #
418
444
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
419
445
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -440,10 +466,11 @@ module Aws::SecretsManager
440
466
  #
441
467
  # @!attribute [rw] recovery_window_in_days
442
468
  # (Optional) Specifies the number of days that Secrets Manager waits
443
- # before it can delete the secret. You can't use both this parameter
444
- # and the `ForceDeleteWithoutRecovery` parameter in the same API call.
469
+ # before Secrets Manager can delete the secret. You can't use both
470
+ # this parameter and the `ForceDeleteWithoutRecovery` parameter in the
471
+ # same API call.
445
472
  #
446
- # This value can range from 7 to 30 days. The default value is 30.
473
+ # This value can range from 7 to 30 days with a default value of 30.
447
474
  # @return [Integer]
448
475
  #
449
476
  # @!attribute [rw] force_delete_without_recovery
@@ -461,8 +488,12 @@ module Aws::SecretsManager
461
488
  # to skip the normal waiting period before the permanent deletion that
462
489
  # AWS would normally impose with the `RecoveryWindowInDays` parameter.
463
490
  # If you delete a secret with the `ForceDeleteWithouRecovery`
464
- # parameter, then you have no opportunity to recover the secret. It is
465
- # permanently lost.
491
+ # parameter, then you have no opportunity to recover the secret. You
492
+ # lose the secret permanently.
493
+ #
494
+ # If you use this parameter and include a previously deleted or
495
+ # nonexistent secret, the operation does not return the error
496
+ # `ResourceNotFoundException` in order to correctly handle retries.
466
497
  # @return [Boolean]
467
498
  #
468
499
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DeleteSecretRequest AWS API Documentation
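Review bot: The paragraph added at new lines 494-496 says a force delete of a previously deleted or nonexistent secret does not return `ResourceNotFoundException`, but it leaves out the consequence. A successful response no longer confirms that a secret with that ID existed, so a mistyped `secret_id` goes unnoticed. I would add `# A successful response therefore does not confirm that the secret existed.` and reword "include a previously deleted or nonexistent secret" to "specify a secret that is already deleted or does not exist". The context line above still spells the parameter `ForceDeleteWithouRecovery`, unlike the `ForceDeleteWithoutRecovery` spelling in the `recovery_window_in_days` comment. The attribute comment begins above this hunk.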
@@ -480,7 +511,7 @@ module Aws::SecretsManager
480
511
  # @return [String]
481
512
  #
482
513
  # @!attribute [rw] name
483
- # The friendly name of the secret that is now scheduled for deletion.
514
+ # The friendly name of the secret currently scheduled for deletion.
484
515
  # @return [String]
485
516
  #
486
517
  # @!attribute [rw] deletion_date
@@ -578,14 +609,16 @@ module Aws::SecretsManager
578
609
  # @return [String]
579
610
  #
580
611
  # @!attribute [rw] rotation_rules
581
- # A structure that contains the rotation configuration for this
582
- # secret.
612
+ # A structure with the rotation configuration for this secret.
583
613
  # @return [Types::RotationRulesType]
584
614
  #
585
615
  # @!attribute [rw] last_rotated_date
616
+ # The last date and time that the rotation process for this secret was
617
+ # invoked.
618
+ #
586
619
  # The most recent date and time that the Secrets Manager rotation
587
- # process was successfully completed. This value is null if the secret
588
- # has never rotated.
620
+ # process successfully completed. If the secret doesn't rotate,
621
+ # Secrets Manager returns a null value.
589
622
  # @return [Time]
590
623
  #
591
624
  # @!attribute [rw] last_changed_date
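Review bot: After this change the `last_rotated_date` comment carries two descriptions of different events: new lines 616-617 say the field is when rotation "was invoked", while new lines 619-621 say it is when rotation "successfully completed". The two differ whenever a rotation attempt fails, so anyone judging rotation recency from this field cannot tell which reading applies. The `SecretListEntry` hunk later in this diff replaces the "invoked" wording with the "successfully completed" one, which suggests the first paragraph here is a leftover; I would drop new lines 616-618. "If the secret doesn't rotate" would also read more precisely as `# process successfully completed. If the secret has never rotated,`.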
@@ -632,9 +665,18 @@ module Aws::SecretsManager
632
665
  # @return [String]
633
666
  #
634
667
  # @!attribute [rw] created_date
635
- # The date that the secret was created.
668
+ # The date you created the secret.
636
669
  # @return [Time]
637
670
  #
671
+ # @!attribute [rw] primary_region
672
+ # Specifies the primary region for secret replication.
673
+ # @return [String]
674
+ #
675
+ # @!attribute [rw] replication_status
676
+ # Describes a list of replication status objects as `InProgress`,
677
+ # `Failed` or `InSync`.`P`
678
+ # @return [Array<Types::ReplicationStatusType>]
679
+ #
638
680
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DescribeSecretResponse AWS API Documentation
639
681
  #
640
682
  class DescribeSecretResponse < Struct.new(
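Review bot: The new `replication_status` comment ends with a stray `P` fragment after `InSync` (new line 677). The identical comment on `CreateSecretResponse` ends at `InSync` followed by a period, and this one should match. Similar leftovers appear in other hunks of this diff: `version . If` in the `version_stage` comment (new line 988), `&gt;` after `ReplicaRegionType` in the `ReplicateSecretToRegionsResponse` comment (new line 1771), and `ARN,` in the `StopReplicationToReplicaResponse` comment (new line 2234). If these comments are generated from the service model, the corrections belong in the model rather than in this file.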
@@ -652,7 +694,9 @@ module Aws::SecretsManager
652
694
  :tags,
653
695
  :version_ids_to_stages,
654
696
  :owning_service,
655
- :created_date)
697
+ :created_date,
698
+ :primary_region,
699
+ :replication_status)
656
700
  SENSITIVE = []
657
701
  include Aws::Structure
658
702
  end
@@ -677,13 +721,14 @@ module Aws::SecretsManager
677
721
  include Aws::Structure
678
722
  end
679
723
 
680
- # Allows you to filter your list of secrets.
724
+ # Allows you to add filters when you use the search function in Secrets
725
+ # Manager.
681
726
  #
682
727
  # @note When making an API call, you may pass Filter
683
728
  # data as a hash:
684
729
  #
685
730
  # {
686
- # key: "description", # accepts description, name, tag-key, tag-value, all
731
+ # key: "description", # accepts description, name, tag-key, tag-value, primary-region, all
687
732
  # values: ["FilterValueStringType"],
688
733
  # }
689
734
  #
@@ -693,6 +738,9 @@ module Aws::SecretsManager
693
738
  #
694
739
  # @!attribute [rw] values
695
740
  # Filters your list of secrets by a specific value.
741
+ #
742
+ # You can prefix your search value with an exclamation mark (`!`) in
743
+ # order to perform negation filters.
696
744
  # @return [Array<String>]
697
745
  #
698
746
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/Filter AWS API Documentation
@@ -916,11 +964,11 @@ module Aws::SecretsManager
916
964
  #
917
965
  # @!attribute [rw] version_id
918
966
  # Specifies the unique identifier of the version of the secret that
919
- # you want to retrieve. If you specify this parameter then don't
920
- # specify `VersionStage`. If you don't specify either a
921
- # `VersionStage` or `VersionId` then the default is to perform the
922
- # operation on the version with the `VersionStage` value of
923
- # `AWSCURRENT`.
967
+ # you want to retrieve. If you specify both this parameter and
968
+ # `VersionStage`, the two parameters must refer to the same secret
969
+ # version. If you don't specify either a `VersionStage` or
970
+ # `VersionId` then the default is to perform the operation on the
971
+ # version with the `VersionStage` value of `AWSCURRENT`.
924
972
  #
925
973
  # This value is typically a [UUID-type][1] value with 32 hexadecimal
926
974
  # digits.
@@ -935,8 +983,9 @@ module Aws::SecretsManager
935
983
  # staging label attached to the version.
936
984
  #
937
985
  # Staging labels are used to keep track of different versions during
938
- # the rotation process. If you use this parameter then don't specify
939
- # `VersionId`. If you don't specify either a `VersionStage` or
986
+ # the rotation process. If you specify both this parameter and
987
+ # `VersionId`, the two parameters must refer to the same secret
988
+ # version . If you don't specify either a `VersionStage` or
940
989
  # `VersionId`, then the default is to perform the operation on the
941
990
  # version with the `VersionStage` value of `AWSCURRENT`.
942
991
  # @return [String]
@@ -1226,7 +1275,7 @@ module Aws::SecretsManager
1226
1275
  # next_token: "NextTokenType",
1227
1276
  # filters: [
1228
1277
  # {
1229
- # key: "description", # accepts description, name, tag-key, tag-value, all
1278
+ # key: "description", # accepts description, name, tag-key, tag-value, primary-region, all
1230
1279
  # values: ["FilterValueStringType"],
1231
1280
  # },
1232
1281
  # ],
@@ -1297,7 +1346,7 @@ module Aws::SecretsManager
1297
1346
  include Aws::Structure
1298
1347
  end
1299
1348
 
1300
- # The policy document that you provided isn't valid.
1349
+ # You provided a resource-based policy with syntax errors.
1301
1350
  #
1302
1351
  # @!attribute [rw] message
1303
1352
  # @return [String]
@@ -1324,7 +1373,8 @@ module Aws::SecretsManager
1324
1373
  include Aws::Structure
1325
1374
  end
1326
1375
 
1327
- # The resource policy did not prevent broad access to the secret.
1376
+ # The BlockPublicPolicy parameter is set to true and the resource policy
1377
+ # did not prevent broad access to the secret.
1328
1378
  #
1329
1379
  # @!attribute [rw] message
1330
1380
  # @return [String]
@@ -1348,8 +1398,8 @@ module Aws::SecretsManager
1348
1398
  #
1349
1399
  # @!attribute [rw] secret_id
1350
1400
  # Specifies the secret that you want to attach the resource-based
1351
- # policy to. You can specify either the ARN or the friendly name of
1352
- # the secret.
1401
+ # policy. You can specify either the ARN or the friendly name of the
1402
+ # secret.
1353
1403
  #
1354
1404
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
1355
1405
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -1375,12 +1425,12 @@ module Aws::SecretsManager
1375
1425
  # @return [String]
1376
1426
  #
1377
1427
  # @!attribute [rw] resource_policy
1378
- # A JSON-formatted string that's constructed according to the grammar
1379
- # and syntax for an AWS resource-based policy. The policy in the
1380
- # string identifies who can access or manage this secret and its
1381
- # versions. For information on how to format a JSON parameter for the
1382
- # various command line tool environments, see [Using JSON for
1383
- # Parameters][1] in the *AWS CLI User Guide*.
1428
+ # A JSON-formatted string constructed according to the grammar and
1429
+ # syntax for an AWS resource-based policy. The policy in the string
1430
+ # identifies who can access or manage this secret and its versions.
1431
+ # For information on how to format a JSON parameter for the various
1432
+ # command line tool environments, see [Using JSON for Parameters][1]
1433
+ # in the *AWS CLI User Guide*.
1384
1434
  #
1385
1435
  #
1386
1436
  #
@@ -1388,8 +1438,9 @@ module Aws::SecretsManager
1388
1438
  # @return [String]
1389
1439
  #
1390
1440
  # @!attribute [rw] block_public_policy
1391
- # Makes an optional API call to Zelkova to validate the Resource
1392
- # Policy to prevent broad access to your secret.
1441
+ # (Optional) If you set the parameter, `BlockPublicPolicy` to true,
1442
+ # then you block resource-based policies that allow broad access to
1443
+ # the secret.
1393
1444
  # @return [Boolean]
1394
1445
  #
1395
1446
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/PutResourcePolicyRequest AWS API Documentation
@@ -1407,8 +1458,8 @@ module Aws::SecretsManager
1407
1458
  # @return [String]
1408
1459
  #
1409
1460
  # @!attribute [rw] name
1410
- # The friendly name of the secret that the retrieved by the
1411
- # resource-based policy.
1461
+ # The friendly name of the secret retrieved by the resource-based
1462
+ # policy.
1412
1463
  # @return [String]
1413
1464
  #
1414
1465
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/PutResourcePolicyResponse AWS API Documentation
@@ -1608,6 +1659,170 @@ module Aws::SecretsManager
1608
1659
  include Aws::Structure
1609
1660
  end
1610
1661
 
1662
+ # @note When making an API call, you may pass RemoveRegionsFromReplicationRequest
1663
+ # data as a hash:
1664
+ #
1665
+ # {
1666
+ # secret_id: "SecretIdType", # required
1667
+ # remove_replica_regions: ["RegionType"], # required
1668
+ # }
1669
+ #
1670
+ # @!attribute [rw] secret_id
1671
+ # Remove a secret by `SecretId` from replica Regions.
1672
+ # @return [String]
1673
+ #
1674
+ # @!attribute [rw] remove_replica_regions
1675
+ # Remove replication from specific Regions.
1676
+ # @return [Array<String>]
1677
+ #
1678
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RemoveRegionsFromReplicationRequest AWS API Documentation
1679
+ #
1680
+ class RemoveRegionsFromReplicationRequest < Struct.new(
1681
+ :secret_id,
1682
+ :remove_replica_regions)
1683
+ SENSITIVE = []
1684
+ include Aws::Structure
1685
+ end
1686
+
1687
+ # @!attribute [rw] arn
1688
+ # The secret `ARN` removed from replication regions.
1689
+ # @return [String]
1690
+ #
1691
+ # @!attribute [rw] replication_status
1692
+ # Describes the remaining replication status after you remove regions
1693
+ # from the replication list.
1694
+ # @return [Array<Types::ReplicationStatusType>]
1695
+ #
1696
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RemoveRegionsFromReplicationResponse AWS API Documentation
1697
+ #
1698
+ class RemoveRegionsFromReplicationResponse < Struct.new(
1699
+ :arn,
1700
+ :replication_status)
1701
+ SENSITIVE = []
1702
+ include Aws::Structure
1703
+ end
1704
+
1705
+ # (Optional) Custom type consisting of a `Region` (required) and the
1706
+ # `KmsKeyId` which can be an `ARN`, `Key ID`, or `Alias`.
1707
+ #
1708
+ # @note When making an API call, you may pass ReplicaRegionType
1709
+ # data as a hash:
1710
+ #
1711
+ # {
1712
+ # region: "RegionType",
1713
+ # kms_key_id: "KmsKeyIdType",
1714
+ # }
1715
+ #
1716
+ # @!attribute [rw] region
1717
+ # Describes a single instance of Region objects.
1718
+ # @return [String]
1719
+ #
1720
+ # @!attribute [rw] kms_key_id
1721
+ # Can be an `ARN`, `Key ID`, or `Alias`.
1722
+ # @return [String]
1723
+ #
1724
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ReplicaRegionType AWS API Documentation
1725
+ #
1726
+ class ReplicaRegionType < Struct.new(
1727
+ :region,
1728
+ :kms_key_id)
1729
+ SENSITIVE = []
1730
+ include Aws::Structure
1731
+ end
1732
+
1733
+ # @note When making an API call, you may pass ReplicateSecretToRegionsRequest
1734
+ # data as a hash:
1735
+ #
1736
+ # {
1737
+ # secret_id: "SecretIdType", # required
1738
+ # add_replica_regions: [ # required
1739
+ # {
1740
+ # region: "RegionType",
1741
+ # kms_key_id: "KmsKeyIdType",
1742
+ # },
1743
+ # ],
1744
+ # force_overwrite_replica_secret: false,
1745
+ # }
1746
+ #
1747
+ # @!attribute [rw] secret_id
1748
+ # Use the `Secret Id` to replicate a secret to regions.
1749
+ # @return [String]
1750
+ #
1751
+ # @!attribute [rw] add_replica_regions
1752
+ # Add Regions to replicate the secret.
1753
+ # @return [Array<Types::ReplicaRegionType>]
1754
+ #
1755
+ # @!attribute [rw] force_overwrite_replica_secret
1756
+ # (Optional) If set, Secrets Manager replication overwrites a secret
1757
+ # with the same name in the destination region.
1758
+ # @return [Boolean]
1759
+ #
1760
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ReplicateSecretToRegionsRequest AWS API Documentation
1761
+ #
1762
+ class ReplicateSecretToRegionsRequest < Struct.new(
1763
+ :secret_id,
1764
+ :add_replica_regions,
1765
+ :force_overwrite_replica_secret)
1766
+ SENSITIVE = []
1767
+ include Aws::Structure
1768
+ end
1769
+
1770
+ # @!attribute [rw] arn
1771
+ # Replicate a secret based on the `ReplicaRegionType`&gt; consisting
1772
+ # of a Region(required) and a KMSKeyId (optional) which can be the
1773
+ # ARN, KeyID, or Alias.
1774
+ # @return [String]
1775
+ #
1776
+ # @!attribute [rw] replication_status
1777
+ # Describes the secret replication status as `PENDING`, `SUCCESS` or
1778
+ # `FAIL`.
1779
+ # @return [Array<Types::ReplicationStatusType>]
1780
+ #
1781
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ReplicateSecretToRegionsResponse AWS API Documentation
1782
+ #
1783
+ class ReplicateSecretToRegionsResponse < Struct.new(
1784
+ :arn,
1785
+ :replication_status)
1786
+ SENSITIVE = []
1787
+ include Aws::Structure
1788
+ end
1789
+
1790
+ # A replication object consisting of a `RegionReplicationStatus` object
1791
+ # and includes a Region, KMSKeyId, status, and status message.
1792
+ #
1793
+ # @!attribute [rw] region
1794
+ # The Region where replication occurs.
1795
+ # @return [String]
1796
+ #
1797
+ # @!attribute [rw] kms_key_id
1798
+ # Can be an `ARN`, `Key ID`, or `Alias`.
1799
+ # @return [String]
1800
+ #
1801
+ # @!attribute [rw] status
1802
+ # The status can be `InProgress`, `Failed`, or `InSync`.
1803
+ # @return [String]
1804
+ #
1805
+ # @!attribute [rw] status_message
1806
+ # Status message such as "*Secret with this name already exists in
1807
+ # this region*".
1808
+ # @return [String]
1809
+ #
1810
+ # @!attribute [rw] last_accessed_date
1811
+ # The date that you last accessed the secret in the Region.
1812
+ # @return [Time]
1813
+ #
1814
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ReplicationStatusType AWS API Documentation
1815
+ #
1816
+ class ReplicationStatusType < Struct.new(
1817
+ :region,
1818
+ :kms_key_id,
1819
+ :status,
1820
+ :status_message,
1821
+ :last_accessed_date)
1822
+ SENSITIVE = []
1823
+ include Aws::Structure
1824
+ end
1825
+
1611
1826
  # A resource with the ID you requested already exists.
1612
1827
  #
1613
1828
  # @!attribute [rw] message
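Review bot: The replication status values are documented two ways in this hunk. The `replication_status` comment on `ReplicateSecretToRegionsResponse` lists `PENDING`, `SUCCESS` or `FAIL` (new lines 1777-1778), while the `status` comment on `ReplicationStatusType`, the element type of that list, lists `InProgress`, `Failed`, or `InSync` (new line 1802). A caller that waits for replication to finish before relying on a replica will compare against one of these sets. The second set is the one the `CreateSecretResponse` and `DescribeSecretResponse` comments use, so I would change the first to `# Describes the secret replication status as InProgress, Failed or InSync.` The `arn` comment on the same response (new lines 1771-1773) describes the request's Region list rather than the returned ARN. The `ReplicaRegionType` header also calls `Region` required, yet the sample hashes do not mark `region` with `# required`, so it is unclear whether a missing Region is caught before the request is sent.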
@@ -1886,8 +2101,9 @@ module Aws::SecretsManager
1886
2101
  # @return [Types::RotationRulesType]
1887
2102
  #
1888
2103
  # @!attribute [rw] last_rotated_date
1889
- # The last date and time that the rotation process for this secret was
1890
- # invoked.
2104
+ # The most recent date and time that the Secrets Manager rotation
2105
+ # process was successfully completed. This value is null if the secret
2106
+ # hasn't ever rotated.
1891
2107
  # @return [Time]
1892
2108
  #
1893
2109
  # @!attribute [rw] last_changed_date
@@ -1934,6 +2150,10 @@ module Aws::SecretsManager
1934
2150
  # The date and time when a secret was created.
1935
2151
  # @return [Time]
1936
2152
  #
2153
+ # @!attribute [rw] primary_region
2154
+ # The Region where Secrets Manager originated the secret.
2155
+ # @return [String]
2156
+ #
1937
2157
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/SecretListEntry AWS API Documentation
1938
2158
  #
1939
2159
  class SecretListEntry < Struct.new(
@@ -1951,7 +2171,8 @@ module Aws::SecretsManager
1951
2171
  :tags,
1952
2172
  :secret_versions_to_stages,
1953
2173
  :owning_service,
1954
- :created_date)
2174
+ :created_date,
2175
+ :primary_region)
1955
2176
  SENSITIVE = []
1956
2177
  include Aws::Structure
1957
2178
  end
@@ -1988,6 +2209,39 @@ module Aws::SecretsManager
1988
2209
  include Aws::Structure
1989
2210
  end
1990
2211
 
2212
+ # @note When making an API call, you may pass StopReplicationToReplicaRequest
2213
+ # data as a hash:
2214
+ #
2215
+ # {
2216
+ # secret_id: "SecretIdType", # required
2217
+ # }
2218
+ #
2219
+ # @!attribute [rw] secret_id
2220
+ # Response to `StopReplicationToReplica` of a secret, based on the
2221
+ # `SecretId`.
2222
+ # @return [String]
2223
+ #
2224
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/StopReplicationToReplicaRequest AWS API Documentation
2225
+ #
2226
+ class StopReplicationToReplicaRequest < Struct.new(
2227
+ :secret_id)
2228
+ SENSITIVE = []
2229
+ include Aws::Structure
2230
+ end
2231
+
2232
+ # @!attribute [rw] arn
2233
+ # Response `StopReplicationToReplica` of a secret, based on the
2234
+ # `ARN,`.
2235
+ # @return [String]
2236
+ #
2237
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/StopReplicationToReplicaResponse AWS API Documentation
2238
+ #
2239
+ class StopReplicationToReplicaResponse < Struct.new(
2240
+ :arn)
2241
+ SENSITIVE = []
2242
+ include Aws::Structure
2243
+ end
2244
+
1991
2245
  # A structure that contains information about a tag.
1992
2246
  #
1993
2247
  # @note When making an API call, you may pass Tag
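Review bot: The `secret_id` comment on `StopReplicationToReplicaRequest` (new lines 2220-2221) describes a response rather than the request member. Nothing in the added comments says which secret the call expects or what state that secret is left in afterwards. For an operation that changes how a secret is kept in sync, that is the information a caller needs. At minimum the member could read `# The secret, identified by its SecretId, for which to stop replication.`, with the exact semantics confirmed against the service documentation. The `arn` comment on `StopReplicationToReplicaResponse` has the same problem and should describe the returned ARN.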
@@ -2064,8 +2318,8 @@ module Aws::SecretsManager
2064
2318
  # information on how to format a JSON parameter for the various
2065
2319
  # command line tool environments, see [Using JSON for Parameters][1]
2066
2320
  # in the *AWS CLI User Guide*. For the AWS CLI, you can also use the
2067
- # syntax: `--Tags
2068
- # Key="Key1",Value="Value1",Key="Key2",Value="Value2"[,…]`
2321
+ # syntax: `--Tags Key="Key1",Value="Value1"
2322
+ # Key="Key2",Value="Value2"[,…]`
2069
2323
  #
2070
2324
  #
2071
2325
  #
@@ -2435,9 +2689,9 @@ module Aws::SecretsManager
2435
2689
  # }
2436
2690
  #
2437
2691
  # @!attribute [rw] secret_id
2438
- # The identifier for the secret that you want to validate a resource
2439
- # policy. You can specify either the Amazon Resource Name (ARN) or the
2440
- # friendly name of the secret.
2692
+ # (Optional) The identifier of the secret with the resource-based
2693
+ # policy you want to validate. You can specify either the Amazon
2694
+ # Resource Name (ARN) or the friendly name of the secret.
2441
2695
  #
2442
2696
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
2443
2697
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -2463,7 +2717,16 @@ module Aws::SecretsManager
2463
2717
  # @return [String]
2464
2718
  #
2465
2719
  # @!attribute [rw] resource_policy
2466
- # Identifies the Resource Policy attached to the secret.
2720
+ # A JSON-formatted string constructed according to the grammar and
2721
+ # syntax for an AWS resource-based policy. The policy in the string
2722
+ # identifies who can access or manage this secret and its versions.
2723
+ # For information on how to format a JSON parameter for the various
2724
+ # command line tool environments, see [Using JSON for Parameters][1]
2725
+ # in the *AWS CLI User Guide*.publi
2726
+ #
2727
+ #
2728
+ #
2729
+ # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
2467
2730
  # @return [String]
2468
2731
  #
2469
2732
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ValidateResourcePolicyRequest AWS API Documentation
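Review bot: The new `resource_policy` description ends in a stray fragment, `*AWS CLI User Guide*.publi`, and the reference link it adds uses plain `http://`. The two lines should read `# in the *AWS CLI User Guide*.` and `# [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json`. Because this attribute belongs to `ValidateResourcePolicyRequest` (named in the `@see` line), a sentence stating that this string is the policy to be validated would also help; the current text reads as if it describes a policy already attached to the secret. The doc block starts and ends outside this hunk.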
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws-sdk-secretsmanager
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.44.0
4
+ version: 1.45.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amazon Web Services
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-02-02 00:00:00.000000000 Z
11
+ date: 2021-03-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-sdk-core