RubyGems - aws-sdk-secretsmanager - Versions diffs - 1.44.0 → 1.48.0 - Mend

aws-sdk-secretsmanager 1.44.0 → 1.48.0

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +253 -0
data/LICENSE.txt +202 -0
data/VERSION +1 -0
data/lib/aws-sdk-secretsmanager.rb +2 -2
data/lib/aws-sdk-secretsmanager/client.rb +420 -210
data/lib/aws-sdk-secretsmanager/client_api.rb +105 -1
data/lib/aws-sdk-secretsmanager/errors.rb +1 -1
data/lib/aws-sdk-secretsmanager/resource.rb +1 -1
data/lib/aws-sdk-secretsmanager/types.rb +402 -127
metadata +11 -9

data/VERSION ADDED Viewed

	@@ -0,0 +1 @@
1	+ 1.48.0

data/lib/aws-sdk-secretsmanager.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
@@ -48,6 +48,6 @@ require_relative 'aws-sdk-secretsmanager/customizations'
 # @!group service
 module Aws::SecretsManager
-  GEM_VERSION = '1.44.0'
+  GEM_VERSION = '1.48.0'
 end

data/lib/aws-sdk-secretsmanager/client.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
@@ -479,25 +479,27 @@ module Aws::SecretsManager
     #
     # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
     #   `SecretBinary` for a secret in the same account as the calling user
-    #   and that secret doesn't specify a AWS KMS encryption key, Secrets
-    #   Manager uses the account's default AWS managed customer master key
-    #   (CMK) with the alias `aws/secretsmanager`. If this key doesn't
-    #   already exist in your account then Secrets Manager creates it for
-    #   you automatically. All users and roles in the same AWS account
+    #   and that secret doesn't specify a Amazon Web Services KMS
+    #   encryption key, Secrets Manager uses the account's default Amazon
+    #   Web Services managed customer master key (CMK) with the alias
+    #   `aws/secretsmanager`. If this key doesn't already exist in your
+    #   account then Secrets Manager creates it for you automatically. All
+    #   users and roles in the same Amazon Web Services account
     #   automatically have access to use the default CMK. Note that if an
-    #   Secrets Manager API call results in AWS creating the account's
-    #   AWS-managed CMK, it can result in a one-time significant delay in
-    #   returning the result.
-    #
-    # * If the secret resides in a different AWS account from the
-    #   credentials calling an API that requires encryption or decryption of
-    #   the secret value then you must create and use a custom AWS KMS CMK
-    #   because you can't access the default CMK for the account using
-    #   credentials from a different AWS account. Store the ARN of the CMK
-    #   in the secret when you create the secret or when you update it by
-    #   including it in the `KMSKeyId`. If you call an API that must encrypt
-    #   or decrypt `SecretString` or `SecretBinary` using credentials from a
-    #   different account then the AWS KMS key policy must grant
+    #   Secrets Manager API call results in Amazon Web Services creating the
+    #   account's Amazon Web Services-managed CMK, it can result in a
+    #   one-time significant delay in returning the result.
+    #
+    # * If the secret resides in a different Amazon Web Services account
+    #   from the credentials calling an API that requires encryption or
+    #   decryption of the secret value then you must create and use a custom
+    #   Amazon Web Services KMS CMK because you can't access the default
+    #   CMK for the account using credentials from a different Amazon Web
+    #   Services account. Store the ARN of the CMK in the secret when you
+    #   create the secret or when you update it by including it in the
+    #   `KMSKeyId`. If you call an API that must encrypt or decrypt
+    #   `SecretString` or `SecretBinary` using credentials from a different
+    #   account then the Amazon Web Services KMS key policy must grant
     #   cross-account access to that other account's user or role for both
     #   the kms:GenerateDataKey and kms:Decrypt operations.
     #
@@ -511,13 +513,15 @@ module Aws::SecretsManager
     #
     # * secretsmanager:CreateSecret
     #
-    # * kms:GenerateDataKey - needed only if you use a customer-managed AWS
-    #   KMS key to encrypt the secret. You do not need this permission to
-    #   use the account default AWS managed CMK for Secrets Manager.
+    # * kms:GenerateDataKey - needed only if you use a customer-managed
+    #   Amazon Web Services KMS key to encrypt the secret. You do not need
+    #   this permission to use the account default Amazon Web Services
+    #   managed CMK for Secrets Manager.
     #
-    # * kms:Decrypt - needed only if you use a customer-managed AWS KMS key
-    #   to encrypt the secret. You do not need this permission to use the
-    #   account default AWS managed CMK for Secrets Manager.
+    # * kms:Decrypt - needed only if you use a customer-managed Amazon Web
+    #   Services KMS key to encrypt the secret. You do not need this
+    #   permission to use the account default Amazon Web Services managed
+    #   CMK for Secrets Manager.
     #
     # * secretsmanager:TagResource - needed only if you include the `Tags`
     #   parameter.
@@ -559,13 +563,13 @@ module Aws::SecretsManager
     #   initial version is created as part of the secret, and this parameter
     #   specifies a unique identifier for the new version.
     #
-    #   <note markdown="1"> If you use the AWS CLI or one of the AWS SDK to call this operation,
-    #   then you can leave this parameter empty. The CLI or SDK generates a
-    #   random UUID for you and includes it as the value for this parameter in
-    #   the request. If you don't use the SDK and instead generate a raw HTTP
-    #   request to the Secrets Manager service endpoint, then you must
-    #   generate a `ClientRequestToken` yourself for the new version and
-    #   include the value in the request.
+    #   <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
+    #   Services SDK to call this operation, then you can leave this parameter
+    #   empty. The CLI or SDK generates a random UUID for you and includes it
+    #   as the value for this parameter in the request. If you don't use the
+    #   SDK and instead generate a raw HTTP request to the Secrets Manager
+    #   service endpoint, then you must generate a `ClientRequestToken`
+    #   yourself for the new version and include the value in the request.
     #
     #    </note>
     #
@@ -584,7 +588,7 @@ module Aws::SecretsManager
     #
     #   * If a version with this value already exists and that version's
     #     `SecretString` and `SecretBinary` values are different from those in
-    #     the request then the request fails because you cannot modify an
+    #     the request, then the request fails because you cannot modify an
     #     existing version. Instead, use PutSecretValue to create a new
     #     version.
     #
@@ -601,20 +605,21 @@ module Aws::SecretsManager
     #   (Optional) Specifies a user-provided description of the secret.
     #
     # @option params [String] :kms_key_id
-    #   (Optional) Specifies the ARN, Key ID, or alias of the AWS KMS customer
-    #   master key (CMK) to be used to encrypt the `SecretString` or
-    #   `SecretBinary` values in the versions stored in this secret.
+    #   (Optional) Specifies the ARN, Key ID, or alias of the Amazon Web
+    #   Services KMS customer master key (CMK) to be used to encrypt the
+    #   `SecretString` or `SecretBinary` values in the versions stored in this
+    #   secret.
     #
-    #   You can specify any of the supported ways to identify a AWS KMS key
-    #   ID. If you need to reference a CMK in a different account, you can use
-    #   only the key ARN or the alias ARN.
+    #   You can specify any of the supported ways to identify a Amazon Web
+    #   Services KMS key ID. If you need to reference a CMK in a different
+    #   account, you can use only the key ARN or the alias ARN.
     #
     #   If you don't specify this value, then Secrets Manager defaults to
-    #   using the AWS account's default CMK (the one named
-    #   `aws/secretsmanager`). If a AWS KMS CMK with that name doesn't yet
-    #   exist, then Secrets Manager creates it for you automatically the first
-    #   time it needs to encrypt a version's `SecretString` or `SecretBinary`
-    #   fields.
+    #   using the Amazon Web Services account's default CMK (the one named
+    #   `aws/secretsmanager`). If a Amazon Web Services KMS CMK with that name
+    #   doesn't yet exist, then Secrets Manager creates it for you
+    #   automatically the first time it needs to encrypt a version's
+    #   `SecretString` or `SecretBinary` fields.
     #
     #   You can use the account default CMK to encrypt and decrypt only if you
     #   call this operation using credentials from the same account that owns
@@ -632,7 +637,8 @@ module Aws::SecretsManager
     #   both. They cannot both be empty.
     #
     #   This parameter is not available using the Secrets Manager console. It
-    #   can be accessed only by using the AWS CLI or one of the AWS SDKs.
+    #   can be accessed only by using the Amazon Web Services CLI or one of
+    #   the Amazon Web Services SDKs.
     #
     # @option params [String] :secret_string
     #   (Optional) Specifies text data that you want to encrypt and store in
@@ -650,7 +656,7 @@ module Aws::SecretsManager
     #   For storing multiple values, we recommend that you use a JSON text
     #   string argument and specify key/value pairs. For information on how to
     #   format a JSON parameter for the various command line tool
-    #   environments, see [Using JSON for Parameters][1] in the *AWS CLI User
+    #   environments, see [Using JSON for Parameters][1] in the *CLI User
     #   Guide*. For example:
     #
     #   `\{"username":"bob","password":"abc123xyz456"\}`
@@ -680,7 +686,7 @@ module Aws::SecretsManager
     #
     #   This parameter requires a JSON text string argument. For information
     #   on how to format a JSON parameter for the various command line tool
-    #   environments, see [Using JSON for Parameters][1] in the *AWS CLI User
+    #   environments, see [Using JSON for Parameters][1] in the *CLI User
     #   Guide*. For example:
     #
     #   `[\{"Key":"CostCenter","Value":"12345"\},\{"Key":"environment","Value":"production"\}]`
@@ -699,10 +705,10 @@ module Aws::SecretsManager
     #
     #   * Tag keys and values are case sensitive.
     #
-    #   * Do not use the `aws:` prefix in your tag names or values because AWS
-    #     reserves it for AWS use. You can't edit or delete tag names or
-    #     values with this prefix. Tags with this prefix do not count against
-    #     your tags per secret limit.
+    #   * Do not use the `aws:` prefix in your tag names or values because
+    #     Amazon Web Services reserves it for Amazon Web Services use. You
+    #     can't edit or delete tag names or values with this prefix. Tags
+    #     with this prefix do not count against your tags per secret limit.
     #
     #   * If you use your tagging schema across multiple services and
     #     resources, remember other services might have restrictions on
@@ -714,11 +720,21 @@ module Aws::SecretsManager
     #
     #   [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
     #
+    # @option params [Array<Types::ReplicaRegionType>] :add_replica_regions
+    #   (Optional) Add a list of regions to replicate secrets. Secrets Manager
+    #   replicates the KMSKeyID objects to the list of regions specified in
+    #   the parameter.
+    #
+    # @option params [Boolean] :force_overwrite_replica_secret
+    #   (Optional) If set, the replication overwrites a secret with the same
+    #   name in the destination region.
+    #
     # @return [Types::CreateSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateSecretResponse#arn #arn} => String
     #   * {Types::CreateSecretResponse#name #name} => String
     #   * {Types::CreateSecretResponse#version_id #version_id} => String
+    #   * {Types::CreateSecretResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt;
     #
     #
     # @example Example: To create a basic secret
@@ -755,6 +771,13 @@ module Aws::SecretsManager
     #         value: "TagValueType",
     #       },
     #     ],
+    #     add_replica_regions: [
+    #       {
+    #         region: "RegionType",
+    #         kms_key_id: "KmsKeyIdType",
+    #       },
+    #     ],
+    #     force_overwrite_replica_secret: false,
     #   })
     #
     # @example Response structure
@@ -762,6 +785,12 @@ module Aws::SecretsManager
     #   resp.arn #=> String
     #   resp.name #=> String
     #   resp.version_id #=> String
+    #   resp.replication_status #=> Array
+    #   resp.replication_status[0].region #=> String
+    #   resp.replication_status[0].kms_key_id #=> String
+    #   resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress"
+    #   resp.replication_status[0].status_message #=> String
+    #   resp.replication_status[0].last_accessed_date #=> Time
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/CreateSecret AWS API Documentation
     #
@@ -786,8 +815,8 @@ module Aws::SecretsManager
     #
     # * To attach a resource policy to a secret, use PutResourcePolicy.
     #
-    # * To retrieve the current resource-based policy that's attached to a
-    #   secret, use GetResourcePolicy.
+    # * To retrieve the current resource-based policy attached to a secret,
+    #   use GetResourcePolicy.
     #
     # * To list all of the currently available secrets, use ListSecrets.
     #
@@ -857,7 +886,7 @@ module Aws::SecretsManager
       req.send_request(options)
     end
-    # Deletes an entire secret and all of its versions. You can optionally
+    # Deletes an entire secret and all of the versions. You can optionally
     # include a recovery window during which you can restore the secret. If
     # you don't specify a recovery window value, the operation defaults to
     # 30 days. Secrets Manager attaches a `DeletionDate` stamp to the secret
@@ -867,17 +896,17 @@ module Aws::SecretsManager
     # At any time before recovery window ends, you can use RestoreSecret to
     # remove the `DeletionDate` and cancel the deletion of the secret.
     #
-    # You cannot access the encrypted secret information in any secret that
-    # is scheduled for deletion. If you need to access that information, you
+    # You cannot access the encrypted secret information in any secret
+    # scheduled for deletion. If you need to access that information, you
     # must cancel the deletion with RestoreSecret and then retrieve the
     # information.
     #
     # <note markdown="1"> * There is no explicit operation to delete a version of a secret.
     #   Instead, remove all staging labels from the `VersionStage` field of
     #   a version. That marks the version as deprecated and allows Secrets
-    #   Manager to delete it as needed. Versions that do not have any
-    #   staging labels do not show up in ListSecretVersionIds unless you
-    #   specify `IncludeDeprecated`.
+    #   Manager to delete it as needed. Versions without any staging labels
+    #   do not show up in ListSecretVersionIds unless you specify
+    #   `IncludeDeprecated`.
     #
     # * The permanent secret deletion at the end of the waiting period is
     #   performed as a background task with low priority. There is no
@@ -902,8 +931,8 @@ module Aws::SecretsManager
     #   window has expired, use RestoreSecret.
     #
     # @option params [required, String] :secret_id
-    #   Specifies the secret that you want to delete. You can specify either
-    #   the Amazon Resource Name (ARN) or the friendly name of the secret.
+    #   Specifies the secret to delete. You can specify either the Amazon
+    #   Resource Name (ARN) or the friendly name of the secret.
     #
     #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
     #   complete ARN. You can specify a partial ARN too—for example, if you
@@ -928,10 +957,11 @@ module Aws::SecretsManager
     #
     # @option params [Integer] :recovery_window_in_days
     #   (Optional) Specifies the number of days that Secrets Manager waits
-    #   before it can delete the secret. You can't use both this parameter
-    #   and the `ForceDeleteWithoutRecovery` parameter in the same API call.
+    #   before Secrets Manager can delete the secret. You can't use both this
+    #   parameter and the `ForceDeleteWithoutRecovery` parameter in the same
+    #   API call.
     #
-    #   This value can range from 7 to 30 days. The default value is 30.
+    #   This value can range from 7 to 30 days with a default value of 30.
     #
     # @option params [Boolean] :force_delete_without_recovery
     #   (Optional) Specifies that the secret is to be deleted without any
@@ -946,10 +976,14 @@ module Aws::SecretsManager
     #
     #   Use this parameter with caution. This parameter causes the operation
     #   to skip the normal waiting period before the permanent deletion that
-    #   AWS would normally impose with the `RecoveryWindowInDays` parameter.
-    #   If you delete a secret with the `ForceDeleteWithouRecovery` parameter,
-    #   then you have no opportunity to recover the secret. It is permanently
-    #   lost.
+    #   Amazon Web Services would normally impose with the
+    #   `RecoveryWindowInDays` parameter. If you delete a secret with the
+    #   `ForceDeleteWithouRecovery` parameter, then you have no opportunity to
+    #   recover the secret. You lose the secret permanently.
+    #
+    #   If you use this parameter and include a previously deleted or
+    #   nonexistent secret, the operation does not return the error
+    #   `ResourceNotFoundException` in order to correctly handle retries.
     #
     # @return [Types::DeleteSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1020,7 +1054,8 @@ module Aws::SecretsManager
     # * To retrieve the encrypted secret information in a version of the
     #   secret, use GetSecretValue.
     #
-    # * To list all of the secrets in the AWS account, use ListSecrets.
+    # * To list all of the secrets in the Amazon Web Services account, use
+    #   ListSecrets.
     #
     # @option params [required, String] :secret_id
     #   The identifier of the secret whose details you want to retrieve. You
@@ -1065,6 +1100,8 @@ module Aws::SecretsManager
     #   * {Types::DescribeSecretResponse#version_ids_to_stages #version_ids_to_stages} => Hash&lt;String,Array&lt;String&gt;&gt;
     #   * {Types::DescribeSecretResponse#owning_service #owning_service} => String
     #   * {Types::DescribeSecretResponse#created_date #created_date} => Time
+    #   * {Types::DescribeSecretResponse#primary_region #primary_region} => String
+    #   * {Types::DescribeSecretResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt;
     #
     #
     # @example Example: To retrieve the details of a secret
@@ -1136,6 +1173,13 @@ module Aws::SecretsManager
     #   resp.version_ids_to_stages["SecretVersionIdType"][0] #=> String
     #   resp.owning_service #=> String
     #   resp.created_date #=> Time
+    #   resp.primary_region #=> String
+    #   resp.replication_status #=> Array
+    #   resp.replication_status[0].region #=> String
+    #   resp.replication_status[0].kms_key_id #=> String
+    #   resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress"
+    #   resp.replication_status[0].status_message #=> String
+    #   resp.replication_status[0].last_accessed_date #=> Time
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DescribeSecret AWS API Documentation
     #
@@ -1355,9 +1399,10 @@ module Aws::SecretsManager
     #
     # * secretsmanager:GetSecretValue
     #
-    # * kms:Decrypt - required only if you use a customer-managed AWS KMS
-    #   key to encrypt the secret. You do not need this permission to use
-    #   the account's default AWS managed CMK for Secrets Manager.
+    # * kms:Decrypt - required only if you use a customer-managed Amazon Web
+    #   Services KMS key to encrypt the secret. You do not need this
+    #   permission to use the account's default Amazon Web Services managed
+    #   CMK for Secrets Manager.
     #
     # **Related operations**
     #
@@ -1395,10 +1440,11 @@ module Aws::SecretsManager
     #
     # @option params [String] :version_id
     #   Specifies the unique identifier of the version of the secret that you
-    #   want to retrieve. If you specify this parameter then don't specify
-    #   `VersionStage`. If you don't specify either a `VersionStage` or
-    #   `VersionId` then the default is to perform the operation on the
-    #   version with the `VersionStage` value of `AWSCURRENT`.
+    #   want to retrieve. If you specify both this parameter and
+    #   `VersionStage`, the two parameters must refer to the same secret
+    #   version. If you don't specify either a `VersionStage` or `VersionId`
+    #   then the default is to perform the operation on the version with the
+    #   `VersionStage` value of `AWSCURRENT`.
     #
     #   This value is typically a [UUID-type][1] value with 32 hexadecimal
     #   digits.
@@ -1412,10 +1458,11 @@ module Aws::SecretsManager
     #   label attached to the version.
     #
     #   Staging labels are used to keep track of different versions during the
-    #   rotation process. If you use this parameter then don't specify
-    #   `VersionId`. If you don't specify either a `VersionStage` or
-    #   `VersionId`, then the default is to perform the operation on the
-    #   version with the `VersionStage` value of `AWSCURRENT`.
+    #   rotation process. If you specify both this parameter and `VersionId`,
+    #   the two parameters must refer to the same secret version . If you
+    #   don't specify either a `VersionStage` or `VersionId`, then the
+    #   default is to perform the operation on the version with the
+    #   `VersionStage` value of `AWSCURRENT`.
     #
     # @return [Types::GetSecretValueResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1621,6 +1668,8 @@ module Aws::SecretsManager
     #   resp.versions[0].version_stages[0] #=> String
     #   resp.versions[0].last_accessed_date #=> Time
     #   resp.versions[0].created_date #=> Time
+    #   resp.versions[0].kms_key_ids #=> Array
+    #   resp.versions[0].kms_key_ids[0] #=> String
     #   resp.next_token #=> String
     #   resp.arn #=> String
     #   resp.name #=> String
@@ -1634,11 +1683,11 @@ module Aws::SecretsManager
       req.send_request(options)
     end
-    # Lists all of the secrets that are stored by Secrets Manager in the AWS
-    # account. To list the versions currently stored for a specific secret,
-    # use ListSecretVersionIds. The encrypted fields `SecretString` and
-    # `SecretBinary` are not included in the output. To get that
-    # information, call the GetSecretValue operation.
+    # Lists all of the secrets that are stored by Secrets Manager in the
+    # Amazon Web Services account. To list the versions currently stored for
+    # a specific secret, use ListSecretVersionIds. The encrypted fields
+    # `SecretString` and `SecretBinary` are not included in the output. To
+    # get that information, call the GetSecretValue operation.
     #
     # <note markdown="1"> Always check the `NextToken` response parameter when calling any of
     # the `List*` operations. These operations can occasionally return an
@@ -1738,7 +1787,7 @@ module Aws::SecretsManager
     #     next_token: "NextTokenType",
     #     filters: [
     #       {
-    #         key: "description", # accepts description, name, tag-key, tag-value, all
+    #         key: "description", # accepts description, name, tag-key, tag-value, primary-region, all
     #         values: ["FilterValueStringType"],
     #       },
     #     ],
@@ -1767,6 +1816,7 @@ module Aws::SecretsManager
     #   resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"][0] #=> String
     #   resp.secret_list[0].owning_service #=> String
     #   resp.secret_list[0].created_date #=> Time
+    #   resp.secret_list[0].primary_region #=> String
     #   resp.next_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecrets AWS API Documentation
@@ -1786,9 +1836,9 @@ module Aws::SecretsManager
     # identity-based and resource-based policies. The affected users and
     # roles receive the permissions that are permitted by all of the
     # relevant policies. For more information, see [Using Resource-Based
-    # Policies for AWS Secrets Manager][1]. For the complete description of
-    # the AWS policy syntax and grammar, see [IAM JSON Policy Reference][2]
-    # in the *IAM User Guide*.
+    # Policies for Amazon Web Services Secrets Manager][1]. For the complete
+    # description of the Amazon Web Services policy syntax and grammar, see
+    # [IAM JSON Policy Reference][2] in the *IAM User Guide*.
     #
     # **Minimum permissions**
     #
@@ -1803,8 +1853,8 @@ module Aws::SecretsManager
     # * To retrieve the resource policy attached to a secret, use
     #   GetResourcePolicy.
     #
-    # * To delete the resource-based policy that's attached to a secret,
-    #   use DeleteResourcePolicy.
+    # * To delete the resource-based policy attached to a secret, use
+    #   DeleteResourcePolicy.
     #
     # * To list all of the currently available secrets, use ListSecrets.
     #
@@ -1814,8 +1864,9 @@ module Aws::SecretsManager
     # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
     #
     # @option params [required, String] :secret_id
-    #   Specifies the secret that you want to attach the resource-based policy
-    #   to. You can specify either the ARN or the friendly name of the secret.
+    #   Specifies the secret that you want to attach the resource-based
+    #   policy. You can specify either the ARN or the friendly name of the
+    #   secret.
     #
     #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
     #   complete ARN. You can specify a partial ARN too—for example, if you
@@ -1839,20 +1890,21 @@ module Aws::SecretsManager
     #    </note>
     #
     # @option params [required, String] :resource_policy
-    #   A JSON-formatted string that's constructed according to the grammar
-    #   and syntax for an AWS resource-based policy. The policy in the string
-    #   identifies who can access or manage this secret and its versions. For
-    #   information on how to format a JSON parameter for the various command
-    #   line tool environments, see [Using JSON for Parameters][1] in the *AWS
-    #   CLI User Guide*.
+    #   A JSON-formatted string constructed according to the grammar and
+    #   syntax for an Amazon Web Services resource-based policy. The policy in
+    #   the string identifies who can access or manage this secret and its
+    #   versions. For information on how to format a JSON parameter for the
+    #   various command line tool environments, see [Using JSON for
+    #   Parameters][1] in the *CLI User Guide*.
     #
     #
     #
     #   [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
     #
     # @option params [Boolean] :block_public_policy
-    #   Makes an optional API call to Zelkova to validate the Resource Policy
-    #   to prevent broad access to your secret.
+    #   (Optional) If you set the parameter, `BlockPublicPolicy` to true, then
+    #   you block resource-based policies that allow broad access to the
+    #   secret.
     #
     # @return [Types::PutResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1905,7 +1957,7 @@ module Aws::SecretsManager
     #
     # <note markdown="1"> The Secrets Manager console uses only the `SecretString` field. To add
     # binary data to a secret with the `SecretBinary` field you must use the
-    # AWS CLI or one of the AWS SDKs.
+    # Amazon Web Services CLI or one of the Amazon Web Services SDKs.
     #
     #  </note>
     #
@@ -1913,13 +1965,12 @@ module Aws::SecretsManager
     #   Secrets Manager automatically attaches the staging label
     #   `AWSCURRENT` to the new version.
     #
-    # * If another version of this secret already exists, then this
-    #   operation does not automatically move any staging labels other than
-    #   those that you explicitly specify in the `VersionStages` parameter.
+    # * If you do not specify a value for VersionStages then Secrets Manager
+    #   automatically moves the staging label `AWSCURRENT` to this new
+    #   version.
     #
     # * If this operation moves the staging label `AWSCURRENT` from another
-    #   version to this version (because you included it in the
-    #   `StagingLabels` parameter) then Secrets Manager also automatically
+    #   version to this version, then Secrets Manager also automatically
     #   moves the staging label `AWSPREVIOUS` to the version that
     #   `AWSCURRENT` was removed from.
     #
@@ -1932,25 +1983,27 @@ module Aws::SecretsManager
     #
     # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
     #   `SecretBinary` for a secret in the same account as the calling user
-    #   and that secret doesn't specify a AWS KMS encryption key, Secrets
-    #   Manager uses the account's default AWS managed customer master key
-    #   (CMK) with the alias `aws/secretsmanager`. If this key doesn't
-    #   already exist in your account then Secrets Manager creates it for
-    #   you automatically. All users and roles in the same AWS account
+    #   and that secret doesn't specify a Amazon Web Services KMS
+    #   encryption key, Secrets Manager uses the account's default Amazon
+    #   Web Services managed customer master key (CMK) with the alias
+    #   `aws/secretsmanager`. If this key doesn't already exist in your
+    #   account then Secrets Manager creates it for you automatically. All
+    #   users and roles in the same Amazon Web Services account
     #   automatically have access to use the default CMK. Note that if an
-    #   Secrets Manager API call results in AWS creating the account's
-    #   AWS-managed CMK, it can result in a one-time significant delay in
-    #   returning the result.
-    #
-    # * If the secret resides in a different AWS account from the
-    #   credentials calling an API that requires encryption or decryption of
-    #   the secret value then you must create and use a custom AWS KMS CMK
-    #   because you can't access the default CMK for the account using
-    #   credentials from a different AWS account. Store the ARN of the CMK
-    #   in the secret when you create the secret or when you update it by
-    #   including it in the `KMSKeyId`. If you call an API that must encrypt
-    #   or decrypt `SecretString` or `SecretBinary` using credentials from a
-    #   different account then the AWS KMS key policy must grant
+    #   Secrets Manager API call results in Amazon Web Services creating the
+    #   account's Amazon Web Services-managed CMK, it can result in a
+    #   one-time significant delay in returning the result.
+    #
+    # * If the secret resides in a different Amazon Web Services account
+    #   from the credentials calling an API that requires encryption or
+    #   decryption of the secret value then you must create and use a custom
+    #   Amazon Web Services KMS CMK because you can't access the default
+    #   CMK for the account using credentials from a different Amazon Web
+    #   Services account. Store the ARN of the CMK in the secret when you
+    #   create the secret or when you update it by including it in the
+    #   `KMSKeyId`. If you call an API that must encrypt or decrypt
+    #   `SecretString` or `SecretBinary` using credentials from a different
+    #   account then the Amazon Web Services KMS key policy must grant
     #   cross-account access to that other account's user or role for both
     #   the kms:GenerateDataKey and kms:Decrypt operations.
     #
@@ -1962,9 +2015,10 @@ module Aws::SecretsManager
     #
     # * secretsmanager:PutSecretValue
     #
-    # * kms:GenerateDataKey - needed only if you use a customer-managed AWS
-    #   KMS key to encrypt the secret. You do not need this permission to
-    #   use the account's default AWS managed CMK for Secrets Manager.
+    # * kms:GenerateDataKey - needed only if you use a customer-managed
+    #   Amazon Web Services KMS key to encrypt the secret. You do not need
+    #   this permission to use the account's default Amazon Web Services
+    #   managed CMK for Secrets Manager.
     #
     # **Related operations**
     #
@@ -2007,13 +2061,13 @@ module Aws::SecretsManager
     #   (Optional) Specifies a unique identifier for the new version of the
     #   secret.
     #
-    #   <note markdown="1"> If you use the AWS CLI or one of the AWS SDK to call this operation,
-    #   then you can leave this parameter empty. The CLI or SDK generates a
-    #   random UUID for you and includes that in the request. If you don't
-    #   use the SDK and instead generate a raw HTTP request to the Secrets
-    #   Manager service endpoint, then you must generate a
-    #   `ClientRequestToken` yourself for new versions and include that value
-    #   in the request.
+    #   <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
+    #   Services SDK to call this operation, then you can leave this parameter
+    #   empty. The CLI or SDK generates a random UUID for you and includes
+    #   that in the request. If you don't use the SDK and instead generate a
+    #   raw HTTP request to the Secrets Manager service endpoint, then you
+    #   must generate a `ClientRequestToken` yourself for new versions and
+    #   include that value in the request.
     #
     #    </note>
     #
@@ -2072,7 +2126,7 @@ module Aws::SecretsManager
     #   For storing multiple values, we recommend that you use a JSON text
     #   string argument and specify key/value pairs. For information on how to
     #   format a JSON parameter for the various command line tool
-    #   environments, see [Using JSON for Parameters][1] in the *AWS CLI User
+    #   environments, see [Using JSON for Parameters][1] in the *CLI User
     #   Guide*.
     #
     #   For example:
@@ -2158,6 +2212,95 @@ module Aws::SecretsManager
       req.send_request(options)
     end
+    # Remove regions from replication.
+    #
+    # @option params [required, String] :secret_id
+    #   Remove a secret by `SecretId` from replica Regions.
+    #
+    # @option params [required, Array<String>] :remove_replica_regions
+    #   Remove replication from specific Regions.
+    #
+    # @return [Types::RemoveRegionsFromReplicationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::RemoveRegionsFromReplicationResponse#arn #arn} => String
+    #   * {Types::RemoveRegionsFromReplicationResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt;
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.remove_regions_from_replication({
+    #     secret_id: "SecretIdType", # required
+    #     remove_replica_regions: ["RegionType"], # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.arn #=> String
+    #   resp.replication_status #=> Array
+    #   resp.replication_status[0].region #=> String
+    #   resp.replication_status[0].kms_key_id #=> String
+    #   resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress"
+    #   resp.replication_status[0].status_message #=> String
+    #   resp.replication_status[0].last_accessed_date #=> Time
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RemoveRegionsFromReplication AWS API Documentation
+    #
+    # @overload remove_regions_from_replication(params = {})
+    # @param [Hash] params ({})
+    def remove_regions_from_replication(params = {}, options = {})
+      req = build_request(:remove_regions_from_replication, params)
+      req.send_request(options)
+    end
+    # Converts an existing secret to a multi-Region secret and begins
+    # replication the secret to a list of new regions.
+    #
+    # @option params [required, String] :secret_id
+    #   Use the `Secret Id` to replicate a secret to regions.
+    #
+    # @option params [required, Array<Types::ReplicaRegionType>] :add_replica_regions
+    #   Add Regions to replicate the secret.
+    #
+    # @option params [Boolean] :force_overwrite_replica_secret
+    #   (Optional) If set, Secrets Manager replication overwrites a secret
+    #   with the same name in the destination region.
+    #
+    # @return [Types::ReplicateSecretToRegionsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ReplicateSecretToRegionsResponse#arn #arn} => String
+    #   * {Types::ReplicateSecretToRegionsResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt;
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.replicate_secret_to_regions({
+    #     secret_id: "SecretIdType", # required
+    #     add_replica_regions: [ # required
+    #       {
+    #         region: "RegionType",
+    #         kms_key_id: "KmsKeyIdType",
+    #       },
+    #     ],
+    #     force_overwrite_replica_secret: false,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.arn #=> String
+    #   resp.replication_status #=> Array
+    #   resp.replication_status[0].region #=> String
+    #   resp.replication_status[0].kms_key_id #=> String
+    #   resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress"
+    #   resp.replication_status[0].status_message #=> String
+    #   resp.replication_status[0].last_accessed_date #=> Time
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ReplicateSecretToRegions AWS API Documentation
+    #
+    # @overload replicate_secret_to_regions(params = {})
+    # @param [Hash] params ({})
+    def replicate_secret_to_regions(params = {}, options = {})
+      req = build_request(:replicate_secret_to_regions, params)
+      req.send_request(options)
+    end
     # Cancels the scheduled deletion of a secret by removing the
     # `DeletedDate` time stamp. This makes the secret accessible to query
     # once again.
@@ -2250,16 +2393,17 @@ module Aws::SecretsManager
     # secret. After the rotation completes, the protected service and its
     # clients all use the new version of the secret.
     #
-    # This required configuration information includes the ARN of an AWS
-    # Lambda function and the time between scheduled rotations. The Lambda
-    # rotation function creates a new version of the secret and creates or
-    # updates the credentials on the protected service to match. After
-    # testing the new credentials, the function marks the new secret with
-    # the staging label `AWSCURRENT` so that your clients all immediately
-    # begin to use the new version. For more information about rotating
-    # secrets and how to configure a Lambda function to rotate the secrets
-    # for your protected service, see [Rotating Secrets in AWS Secrets
-    # Manager][1] in the *AWS Secrets Manager User Guide*.
+    # This required configuration information includes the ARN of an Amazon
+    # Web Services Lambda function and optionally, the time between
+    # scheduled rotations. The Lambda rotation function creates a new
+    # version of the secret and creates or updates the credentials on the
+    # protected service to match. After testing the new credentials, the
+    # function marks the new secret with the staging label `AWSCURRENT` so
+    # that your clients all immediately begin to use the new version. For
+    # more information about rotating secrets and how to configure a Lambda
+    # function to rotate the secrets for your protected service, see
+    # [Rotating Secrets in Amazon Web Services Secrets Manager][1] in the
+    # *Amazon Web Services Secrets Manager User Guide*.
     #
     # Secrets Manager schedules the next rotation when the previous one
     # completes. Secrets Manager schedules the date by adding the rotation
@@ -2336,13 +2480,13 @@ module Aws::SecretsManager
     #   (Optional) Specifies a unique identifier for the new version of the
     #   secret that helps ensure idempotency.
     #
-    #   If you use the AWS CLI or one of the AWS SDK to call this operation,
-    #   then you can leave this parameter empty. The CLI or SDK generates a
-    #   random UUID for you and includes that in the request for this
-    #   parameter. If you don't use the SDK and instead generate a raw HTTP
-    #   request to the Secrets Manager service endpoint, then you must
-    #   generate a `ClientRequestToken` yourself for new versions and include
-    #   that value in the request.
+    #   If you use the Amazon Web Services CLI or one of the Amazon Web
+    #   Services SDK to call this operation, then you can leave this parameter
+    #   empty. The CLI or SDK generates a random UUID for you and includes
+    #   that in the request for this parameter. If you don't use the SDK and
+    #   instead generate a raw HTTP request to the Secrets Manager service
+    #   endpoint, then you must generate a `ClientRequestToken` yourself for
+    #   new versions and include that value in the request.
     #
     #   You only need to specify your own value if you implement your own
     #   retry logic and want to ensure that a given secret is not created
@@ -2400,6 +2544,36 @@ module Aws::SecretsManager
       req.send_request(options)
     end
+    # Removes the secret from replication and promotes the secret to a
+    # regional secret in the replica Region.
+    #
+    # @option params [required, String] :secret_id
+    #   Response to `StopReplicationToReplica` of a secret, based on the
+    #   `SecretId`.
+    #
+    # @return [Types::StopReplicationToReplicaResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::StopReplicationToReplicaResponse#arn #arn} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.stop_replication_to_replica({
+    #     secret_id: "SecretIdType", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/StopReplicationToReplica AWS API Documentation
+    #
+    # @overload stop_replication_to_replica(params = {})
+    # @param [Hash] params ({})
+    def stop_replication_to_replica(params = {}, options = {})
+      req = build_request(:stop_replication_to_replica, params)
+      req.send_request(options)
+    end
     # Attaches one or more tags, each consisting of a key name and a value,
     # to the specified secret. Tags are part of the secret's overall
     # metadata, and are not associated with any specific version of the
@@ -2416,10 +2590,10 @@ module Aws::SecretsManager
     #
     # * Tag keys and values are case sensitive.
     #
-    # * Do not use the `aws:` prefix in your tag names or values because AWS
-    #   reserves it for AWS use. You can't edit or delete tag names or
-    #   values with this prefix. Tags with this prefix do not count against
-    #   your tags per secret limit.
+    # * Do not use the `aws:` prefix in your tag names or values because
+    #   Amazon Web Services reserves it for Amazon Web Services use. You
+    #   can't edit or delete tag names or values with this prefix. Tags
+    #   with this prefix do not count against your tags per secret limit.
     #
     # * If you use your tagging schema across multiple services and
     #   resources, remember other services might have restrictions on
@@ -2479,9 +2653,9 @@ module Aws::SecretsManager
     #
     #   This parameter to the API requires a JSON text string argument. For
     #   information on how to format a JSON parameter for the various command
-    #   line tool environments, see [Using JSON for Parameters][1] in the *AWS
-    #   CLI User Guide*. For the AWS CLI, you can also use the syntax: `--Tags
-    #   Key="Key1",Value="Value1",Key="Key2",Value="Value2"[,…]`
+    #   line tool environments, see [Using JSON for Parameters][1] in the *CLI
+    #   User Guide*. For the CLI, you can also use the syntax: `--Tags
+    #   Key="Key1",Value="Value1" Key="Key2",Value="Value2"[,…]`
     #
     #
     #
@@ -2587,8 +2761,8 @@ module Aws::SecretsManager
     #
     #   This parameter to the API requires a JSON text string argument. For
     #   information on how to format a JSON parameter for the various command
-    #   line tool environments, see [Using JSON for Parameters][1] in the *AWS
-    #   CLI User Guide*.
+    #   line tool environments, see [Using JSON for Parameters][1] in the *CLI
+    #   User Guide*.
     #
     #
     #
@@ -2636,7 +2810,8 @@ module Aws::SecretsManager
     # <note markdown="1"> The Secrets Manager console uses only the `SecretString` parameter and
     # therefore limits you to encrypting and storing only a text string. To
     # encrypt and store binary data as part of the version of a secret, you
-    # must use either the AWS CLI or one of the AWS SDKs.
+    # must use either the Amazon Web Services CLI or one of the Amazon Web
+    # Services SDKs.
     #
     #  </note>
     #
@@ -2651,25 +2826,27 @@ module Aws::SecretsManager
     #
     # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
     #   `SecretBinary` for a secret in the same account as the calling user
-    #   and that secret doesn't specify a AWS KMS encryption key, Secrets
-    #   Manager uses the account's default AWS managed customer master key
-    #   (CMK) with the alias `aws/secretsmanager`. If this key doesn't
-    #   already exist in your account then Secrets Manager creates it for
-    #   you automatically. All users and roles in the same AWS account
+    #   and that secret doesn't specify a Amazon Web Services KMS
+    #   encryption key, Secrets Manager uses the account's default Amazon
+    #   Web Services managed customer master key (CMK) with the alias
+    #   `aws/secretsmanager`. If this key doesn't already exist in your
+    #   account then Secrets Manager creates it for you automatically. All
+    #   users and roles in the same Amazon Web Services account
     #   automatically have access to use the default CMK. Note that if an
-    #   Secrets Manager API call results in AWS creating the account's
-    #   AWS-managed CMK, it can result in a one-time significant delay in
-    #   returning the result.
-    #
-    # * If the secret resides in a different AWS account from the
-    #   credentials calling an API that requires encryption or decryption of
-    #   the secret value then you must create and use a custom AWS KMS CMK
-    #   because you can't access the default CMK for the account using
-    #   credentials from a different AWS account. Store the ARN of the CMK
-    #   in the secret when you create the secret or when you update it by
-    #   including it in the `KMSKeyId`. If you call an API that must encrypt
-    #   or decrypt `SecretString` or `SecretBinary` using credentials from a
-    #   different account then the AWS KMS key policy must grant
+    #   Secrets Manager API call results in Amazon Web Services creating the
+    #   account's Amazon Web Services-managed CMK, it can result in a
+    #   one-time significant delay in returning the result.
+    #
+    # * If the secret resides in a different Amazon Web Services account
+    #   from the credentials calling an API that requires encryption or
+    #   decryption of the secret value then you must create and use a custom
+    #   Amazon Web Services KMS CMK because you can't access the default
+    #   CMK for the account using credentials from a different Amazon Web
+    #   Services account. Store the ARN of the CMK in the secret when you
+    #   create the secret or when you update it by including it in the
+    #   `KMSKeyId`. If you call an API that must encrypt or decrypt
+    #   `SecretString` or `SecretBinary` using credentials from a different
+    #   account then the Amazon Web Services KMS key policy must grant
     #   cross-account access to that other account's user or role for both
     #   the kms:GenerateDataKey and kms:Decrypt operations.
     #
@@ -2681,13 +2858,15 @@ module Aws::SecretsManager
     #
     # * secretsmanager:UpdateSecret
     #
-    # * kms:GenerateDataKey - needed only if you use a custom AWS KMS key to
-    #   encrypt the secret. You do not need this permission to use the
-    #   account's AWS managed CMK for Secrets Manager.
+    # * kms:GenerateDataKey - needed only if you use a custom Amazon Web
+    #   Services KMS key to encrypt the secret. You do not need this
+    #   permission to use the account's Amazon Web Services managed CMK for
+    #   Secrets Manager.
     #
-    # * kms:Decrypt - needed only if you use a custom AWS KMS key to encrypt
-    #   the secret. You do not need this permission to use the account's
-    #   AWS managed CMK for Secrets Manager.
+    # * kms:Decrypt - needed only if you use a custom Amazon Web Services
+    #   KMS key to encrypt the secret. You do not need this permission to
+    #   use the account's Amazon Web Services managed CMK for Secrets
+    #   Manager.
     #
     # **Related operations**
     #
@@ -2731,13 +2910,13 @@ module Aws::SecretsManager
     #   parameter specifies a unique identifier for the new version that helps
     #   ensure idempotency.
     #
-    #   If you use the AWS CLI or one of the AWS SDK to call this operation,
-    #   then you can leave this parameter empty. The CLI or SDK generates a
-    #   random UUID for you and includes that in the request. If you don't
-    #   use the SDK and instead generate a raw HTTP request to the Secrets
-    #   Manager service endpoint, then you must generate a
-    #   `ClientRequestToken` yourself for new versions and include that value
-    #   in the request.
+    #   If you use the Amazon Web Services CLI or one of the Amazon Web
+    #   Services SDK to call this operation, then you can leave this parameter
+    #   empty. The CLI or SDK generates a random UUID for you and includes
+    #   that in the request. If you don't use the SDK and instead generate a
+    #   raw HTTP request to the Secrets Manager service endpoint, then you
+    #   must generate a `ClientRequestToken` yourself for new versions and
+    #   include that value in the request.
     #
     #   You typically only need to interact with this value if you implement
     #   your own retry logic and want to ensure that a given secret is not
@@ -2775,9 +2954,9 @@ module Aws::SecretsManager
     #   secret.
     #
     # @option params [String] :kms_key_id
-    #   (Optional) Specifies an updated ARN or alias of the AWS KMS customer
-    #   master key (CMK) to be used to encrypt the protected text in new
-    #   versions of this secret.
+    #   (Optional) Specifies an updated ARN or alias of the Amazon Web
+    #   Services KMS customer master key (CMK) to be used to encrypt the
+    #   protected text in new versions of this secret.
     #
     #   You can only use the account's default CMK to encrypt and decrypt if
     #   you call this operation using credentials from the same account that
@@ -2812,7 +2991,7 @@ module Aws::SecretsManager
     #   For storing multiple values, we recommend that you use a JSON text
     #   string argument and specify key/value pairs. For information on how to
     #   format a JSON parameter for the various command line tool
-    #   environments, see [Using JSON for Parameters][1] in the *AWS CLI User
+    #   environments, see [Using JSON for Parameters][1] in the *CLI User
     #   Guide*. For example:
     #
     #   `[\{"username":"bob"\},\{"password":"abc123xyz456"\}]`
@@ -2918,8 +3097,8 @@ module Aws::SecretsManager
     # of a secret at a time. If a staging label to be added is already
     # attached to another version, then it is moved--removed from the other
     # version first and then attached to this one. For more information
-    # about staging labels, see [Staging Labels][1] in the *AWS Secrets
-    # Manager User Guide*.
+    # about staging labels, see [Staging Labels][1] in the *Amazon Web
+    # Services Secrets Manager User Guide*.
     #
     # The staging labels that you specify in the `VersionStage` parameter
     # are added to the existing list of staging labels--they don't replace
@@ -3088,16 +3267,38 @@ module Aws::SecretsManager
       req.send_request(options)
     end
-    # Validates the JSON text of the resource-based policy document attached
-    # to the specified secret. The JSON request string input and response
-    # output displays formatted code with white space and line breaks for
-    # better readability. Submit your input as a single line JSON string. A
-    # resource-based policy is optional.
+    # Validates that the resource policy does not grant a wide range of IAM
+    # principals access to your secret. The JSON request string input and
+    # response output displays formatted code with white space and line
+    # breaks for better readability. Submit your input as a single line JSON
+    # string. A resource-based policy is optional for secrets.
+    #
+    # The API performs three checks when validating the secret:
+    #
+    # * Sends a call to [Zelkova][1], an automated reasoning engine, to
+    #   ensure your Resource Policy does not allow broad access to your
+    #   secret.
+    #
+    # * Checks for correct syntax in a policy.
+    #
+    # * Verifies the policy does not lock out a caller.
+    #
+    # **Minimum Permissions**
+    #
+    # You must have the permissions required to access the following APIs:
+    #
+    # * `secretsmanager:PutResourcePolicy`
+    #
+    # * `secretsmanager:ValidateResourcePolicy`
+    #
+    #
+    #
+    # [1]: https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/
     #
     # @option params [String] :secret_id
-    #   The identifier for the secret that you want to validate a resource
-    #   policy. You can specify either the Amazon Resource Name (ARN) or the
-    #   friendly name of the secret.
+    #   (Optional) The identifier of the secret with the resource-based policy
+    #   you want to validate. You can specify either the Amazon Resource Name
+    #   (ARN) or the friendly name of the secret.
     #
     #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
     #   complete ARN. You can specify a partial ARN too—for example, if you
@@ -3121,7 +3322,16 @@ module Aws::SecretsManager
     #    </note>
     #
     # @option params [required, String] :resource_policy
-    #   Identifies the Resource Policy attached to the secret.
+    #   A JSON-formatted string constructed according to the grammar and
+    #   syntax for an Amazon Web Services resource-based policy. The policy in
+    #   the string identifies who can access or manage this secret and its
+    #   versions. For information on how to format a JSON parameter for the
+    #   various command line tool environments, see [Using JSON for
+    #   Parameters][1] in the *CLI User Guide*.publi
+    #
+    #
+    #
+    #   [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
     #
     # @return [Types::ValidateResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -3181,7 +3391,7 @@ module Aws::SecretsManager
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-secretsmanager'
-      context[:gem_version] = '1.44.0'
+      context[:gem_version] = '1.48.0'
       Seahorse::Client::Request.new(handlers, context)
     end