aws-sdk-secretsmanager 1.51.0 → 1.55.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-secretsmanager/client.rb +509 -1055
- data/lib/aws-sdk-secretsmanager/types.rb +468 -632
- data/lib/aws-sdk-secretsmanager.rb +1 -1
- metadata +4 -4
@@ -27,6 +27,7 @@ require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
|
|
27
27
|
require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
|
28
28
|
require 'aws-sdk-core/plugins/transfer_encoding.rb'
|
29
29
|
require 'aws-sdk-core/plugins/http_checksum.rb'
|
30
|
+
require 'aws-sdk-core/plugins/defaults_mode.rb'
|
30
31
|
require 'aws-sdk-core/plugins/signature_v4.rb'
|
31
32
|
require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
|
32
33
|
|
@@ -73,6 +74,7 @@ module Aws::SecretsManager
|
|
73
74
|
add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
|
74
75
|
add_plugin(Aws::Plugins::TransferEncoding)
|
75
76
|
add_plugin(Aws::Plugins::HttpChecksum)
|
77
|
+
add_plugin(Aws::Plugins::DefaultsMode)
|
76
78
|
add_plugin(Aws::Plugins::SignatureV4)
|
77
79
|
add_plugin(Aws::Plugins::Protocols::JsonRpc)
|
78
80
|
|
@@ -119,7 +121,9 @@ module Aws::SecretsManager
|
|
119
121
|
# * EC2/ECS IMDS instance profile - When used by default, the timeouts
|
120
122
|
# are very aggressive. Construct and pass an instance of
|
121
123
|
# `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
|
122
|
-
# enable retries and extended timeouts.
|
124
|
+
# enable retries and extended timeouts. Instance profile credential
|
125
|
+
# fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
|
126
|
+
# to true.
|
123
127
|
#
|
124
128
|
# @option options [required, String] :region
|
125
129
|
# The AWS region to connect to. The configured `:region` is
|
@@ -173,6 +177,10 @@ module Aws::SecretsManager
|
|
173
177
|
# Used only in `standard` and adaptive retry modes. Specifies whether to apply
|
174
178
|
# a clock skew correction and retry requests with skewed client clocks.
|
175
179
|
#
|
180
|
+
# @option options [String] :defaults_mode ("legacy")
|
181
|
+
# See {Aws::DefaultsModeConfiguration} for a list of the
|
182
|
+
# accepted modes and the configuration defaults that are included.
|
183
|
+
#
|
176
184
|
# @option options [Boolean] :disable_host_prefix_injection (false)
|
177
185
|
# Set to true to disable SDK automatically adding host prefix
|
178
186
|
# to default service endpoint when available.
|
@@ -285,6 +293,15 @@ module Aws::SecretsManager
|
|
285
293
|
# ** Please note ** When response stubbing is enabled, no HTTP
|
286
294
|
# requests are made, and retries are disabled.
|
287
295
|
#
|
296
|
+
# @option options [Boolean] :use_dualstack_endpoint
|
297
|
+
# When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
|
298
|
+
# will be used if available.
|
299
|
+
#
|
300
|
+
# @option options [Boolean] :use_fips_endpoint
|
301
|
+
# When set to `true`, fips compatible endpoints will be used if available.
|
302
|
+
# When a `fips` region is used, the region is normalized and this config
|
303
|
+
# is set to `true`.
|
304
|
+
#
|
288
305
|
# @option options [Boolean] :validate_params (true)
|
289
306
|
# When `true`, request parameters are validated before
|
290
307
|
# sending the request.
|
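Review bot: The added `:use_fips_endpoint` text (new lines 300–303) says FIPS endpoints are used "if available" but never says what the client does when none exists, which is the case a compliance-bound caller most needs spelled out. I would extend the comment with one sentence stating the outcome, for example `# If the service has no FIPS endpoint in the region, <behaviour, to be confirmed in aws-sdk-core>.`, and give both new options an explicit default the way `:validate_params (true)` does just below. Until that is documented, callers who require FIPS should confirm the resolved endpoint host rather than rely on the flag alone. The option list this comment belongs to starts and ends outside the hunk.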
@@ -296,7 +313,7 @@ module Aws::SecretsManager
|
|
296
313
|
# seconds to wait when opening a HTTP session before raising a
|
297
314
|
# `Timeout::Error`.
|
298
315
|
#
|
299
|
-
# @option options [
|
316
|
+
# @option options [Float] :http_read_timeout (60) The default
|
300
317
|
# number of seconds to wait for response data. This value can
|
301
318
|
# safely be set per-request on the session.
|
302
319
|
#
|
@@ -312,6 +329,9 @@ module Aws::SecretsManager
|
|
312
329
|
# disables this behaviour. This value can safely be set per
|
313
330
|
# request on the session.
|
314
331
|
#
|
332
|
+
# @option options [Float] :ssl_timeout (nil) Sets the SSL timeout
|
333
|
+
# in seconds.
|
334
|
+
#
|
315
335
|
# @option options [Boolean] :http_wire_trace (false) When `true`,
|
316
336
|
# HTTP debug output will be sent to the `:logger`.
|
317
337
|
#
|
@@ -337,60 +357,23 @@ module Aws::SecretsManager
|
|
337
357
|
|
338
358
|
# @!group API Operations
|
339
359
|
|
340
|
-
#
|
341
|
-
#
|
342
|
-
#
|
343
|
-
# To re-enable scheduled rotation, call RotateSecret with
|
344
|
-
# `AutomaticallyRotateAfterDays` set to a value greater than 0. This
|
345
|
-
# immediately rotates your secret and then enables the automatic
|
346
|
-
# schedule.
|
347
|
-
#
|
348
|
-
# <note markdown="1"> If you cancel a rotation while in progress, it can leave the
|
349
|
-
# `VersionStage` labels in an unexpected state. Depending on the step of
|
350
|
-
# the rotation in progress, you might need to remove the staging label
|
351
|
-
# `AWSPENDING` from the partially created version, specified by the
|
352
|
-
# `VersionId` response value. You should also evaluate the partially
|
353
|
-
# rotated new version to see if it should be deleted, which you can do
|
354
|
-
# by removing all staging labels from the new version `VersionStage`
|
355
|
-
# field.
|
356
|
-
#
|
357
|
-
# </note>
|
358
|
-
#
|
359
|
-
# To successfully start a rotation, the staging label `AWSPENDING` must
|
360
|
-
# be in one of the following states:
|
361
|
-
#
|
362
|
-
# * Not attached to any version at all
|
363
|
-
#
|
364
|
-
# * Attached to the same version as the staging label `AWSCURRENT`
|
365
|
-
#
|
366
|
-
# If the staging label `AWSPENDING` attached to a different version than
|
367
|
-
# the version with `AWSCURRENT` then the attempt to rotate fails.
|
368
|
-
#
|
369
|
-
# **Minimum permissions**
|
370
|
-
#
|
371
|
-
# To run this command, you must have the following permissions:
|
372
|
-
#
|
373
|
-
# * secretsmanager:CancelRotateSecret
|
374
|
-
#
|
375
|
-
# ^
|
376
|
-
#
|
377
|
-
# **Related operations**
|
360
|
+
# Turns off automatic rotation, and if a rotation is currently in
|
361
|
+
# progress, cancels the rotation.
|
378
362
|
#
|
379
|
-
#
|
380
|
-
# rotation, use RotateSecret.
|
363
|
+
# To turn on automatic rotation again, call RotateSecret.
|
381
364
|
#
|
382
|
-
#
|
383
|
-
#
|
365
|
+
# <note markdown="1"> If you cancel a rotation in progress, it can leave the `VersionStage`
|
366
|
+
# labels in an unexpected state. Depending on the step of the rotation
|
367
|
+
# in progress, you might need to remove the staging label `AWSPENDING`
|
368
|
+
# from the partially created version, specified by the `VersionId`
|
369
|
+
# response value. We recommend you also evaluate the partially rotated
|
370
|
+
# new version to see if it should be deleted. You can delete a version
|
371
|
+
# by removing all staging labels from it.
|
384
372
|
#
|
385
|
-
#
|
386
|
-
#
|
387
|
-
# * To list all of the versions currently associated with a secret, use
|
388
|
-
# ListSecretVersionIds.
|
373
|
+
# </note>
|
389
374
|
#
|
390
375
|
# @option params [required, String] :secret_id
|
391
|
-
#
|
392
|
-
# either the Amazon Resource Name (ARN) or the friendly name of the
|
393
|
-
# secret.
|
376
|
+
# The ARN or name of the secret.
|
394
377
|
#
|
395
378
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
396
379
|
# partial ARN.
|
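Review bot: The rewritten comment for the cancel-rotation operation drops the **Minimum permissions** list (old lines 369–373, `secretsmanager:CancelRotateSecret`) and the new text offers no replacement, so the IAM action needed to call it is no longer discoverable from the method documentation. The same removal occurs in the hunks at `@@ -439,119 +422,64 @@`, `@@ -777,28 +685,11 @@`, `@@ -973,33 +840,11 @@` and `@@ -1111,66 +956,45 @@`. For least-privilege policy authoring I would keep one line per operation, here `# Required permission: secretsmanager:CancelRotateSecret.`, or a link to the service's permissions reference. The method body this comment documents lies outside the hunk.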
@@ -439,119 +422,64 @@ module Aws::SecretsManager
|
|
439
422
|
req.send_request(options)
|
440
423
|
end
|
441
424
|
|
442
|
-
# Creates a new secret. A secret
|
443
|
-
#
|
444
|
-
# the
|
445
|
-
#
|
446
|
-
# Secrets Manager
|
447
|
-
#
|
448
|
-
#
|
449
|
-
#
|
450
|
-
#
|
451
|
-
#
|
452
|
-
#
|
453
|
-
#
|
454
|
-
#
|
455
|
-
# You provide the secret data to be encrypted by putting text in either
|
456
|
-
# the `SecretString` parameter or binary data in the `SecretBinary`
|
425
|
+
# Creates a new secret. A *secret* is a set of credentials, such as a
|
426
|
+
# user name and password, that you store in an encrypted form in Secrets
|
427
|
+
# Manager. The secret also includes the connection information to access
|
428
|
+
# a database or other service, which Secrets Manager doesn't encrypt. A
|
429
|
+
# secret in Secrets Manager consists of both the protected secret data
|
430
|
+
# and the important information needed to manage the secret.
|
431
|
+
#
|
432
|
+
# For information about creating a secret in the console, see [Create a
|
433
|
+
# secret][1].
|
434
|
+
#
|
435
|
+
# To create a secret, you can provide the secret value to be encrypted
|
436
|
+
# in either the `SecretString` parameter or the `SecretBinary`
|
457
437
|
# parameter, but not both. If you include `SecretString` or
|
458
|
-
# `SecretBinary` then Secrets Manager
|
459
|
-
#
|
460
|
-
# the new version.
|
461
|
-
#
|
462
|
-
# <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
|
463
|
-
# `SecretBinary` for a secret in the same account as the calling user
|
464
|
-
# and that secret doesn't specify a Amazon Web Services KMS
|
465
|
-
# encryption key, Secrets Manager uses the account's default Amazon
|
466
|
-
# Web Services managed customer master key (CMK) with the alias
|
467
|
-
# `aws/secretsmanager`. If this key doesn't already exist in your
|
468
|
-
# account then Secrets Manager creates it for you automatically. All
|
469
|
-
# users and roles in the same Amazon Web Services account
|
470
|
-
# automatically have access to use the default CMK. Note that if an
|
471
|
-
# Secrets Manager API call results in Amazon Web Services creating the
|
472
|
-
# account's Amazon Web Services-managed CMK, it can result in a
|
473
|
-
# one-time significant delay in returning the result.
|
474
|
-
#
|
475
|
-
# * If the secret resides in a different Amazon Web Services account
|
476
|
-
# from the credentials calling an API that requires encryption or
|
477
|
-
# decryption of the secret value then you must create and use a custom
|
478
|
-
# Amazon Web Services KMS CMK because you can't access the default
|
479
|
-
# CMK for the account using credentials from a different Amazon Web
|
480
|
-
# Services account. Store the ARN of the CMK in the secret when you
|
481
|
-
# create the secret or when you update it by including it in the
|
482
|
-
# `KMSKeyId`. If you call an API that must encrypt or decrypt
|
483
|
-
# `SecretString` or `SecretBinary` using credentials from a different
|
484
|
-
# account then the Amazon Web Services KMS key policy must grant
|
485
|
-
# cross-account access to that other account's user or role for both
|
486
|
-
# the kms:GenerateDataKey and kms:Decrypt operations.
|
487
|
-
#
|
488
|
-
# </note>
|
489
|
-
#
|
490
|
-
#
|
491
|
-
#
|
492
|
-
# **Minimum permissions**
|
493
|
-
#
|
494
|
-
# To run this command, you must have the following permissions:
|
495
|
-
#
|
496
|
-
# * secretsmanager:CreateSecret
|
497
|
-
#
|
498
|
-
# * kms:GenerateDataKey - needed only if you use a customer-managed
|
499
|
-
# Amazon Web Services KMS key to encrypt the secret. You do not need
|
500
|
-
# this permission to use the account default Amazon Web Services
|
501
|
-
# managed CMK for Secrets Manager.
|
502
|
-
#
|
503
|
-
# * kms:Decrypt - needed only if you use a customer-managed Amazon Web
|
504
|
-
# Services KMS key to encrypt the secret. You do not need this
|
505
|
-
# permission to use the account default Amazon Web Services managed
|
506
|
-
# CMK for Secrets Manager.
|
507
|
-
#
|
508
|
-
# * secretsmanager:TagResource - needed only if you include the `Tags`
|
509
|
-
# parameter.
|
438
|
+
# `SecretBinary` then Secrets Manager creates an initial secret version
|
439
|
+
# and automatically attaches the staging label `AWSCURRENT` to it.
|
510
440
|
#
|
511
|
-
#
|
441
|
+
# If you don't specify an KMS encryption key, Secrets Manager uses the
|
442
|
+
# Amazon Web Services managed key `aws/secretsmanager`. If this key
|
443
|
+
# doesn't already exist in your account, then Secrets Manager creates
|
444
|
+
# it for you automatically. All users and roles in the Amazon Web
|
445
|
+
# Services account automatically have access to use
|
446
|
+
# `aws/secretsmanager`. Creating `aws/secretsmanager` can result in a
|
447
|
+
# one-time significant delay in returning the result.
|
512
448
|
#
|
513
|
-
#
|
449
|
+
# If the secret is in a different Amazon Web Services account from the
|
450
|
+
# credentials calling the API, then you can't use `aws/secretsmanager`
|
451
|
+
# to encrypt the secret, and you must create and use a customer managed
|
452
|
+
# KMS key.
|
514
453
|
#
|
515
|
-
# * To modify an existing secret, use UpdateSecret.
|
516
454
|
#
|
517
|
-
# * To create a new version of a secret, use PutSecretValue.
|
518
455
|
#
|
519
|
-
#
|
520
|
-
# use GetSecretValue.
|
521
|
-
#
|
522
|
-
# * To retrieve all other details for a secret, use DescribeSecret. This
|
523
|
-
# does not include the encrypted secure string and secure binary
|
524
|
-
# values.
|
525
|
-
#
|
526
|
-
# * To retrieve the list of secret versions associated with the current
|
527
|
-
# secret, use DescribeSecret and examine the `SecretVersionsToStages`
|
528
|
-
# response value.
|
456
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html
|
529
457
|
#
|
530
458
|
# @option params [required, String] :name
|
531
|
-
#
|
459
|
+
# The name of the new secret.
|
532
460
|
#
|
533
|
-
# The secret name
|
534
|
-
# characters
|
461
|
+
# The secret name can contain ASCII letters, numbers, and the following
|
462
|
+
# characters: /\_+=.@-
|
535
463
|
#
|
536
|
-
#
|
464
|
+
# Do not end your secret name with a hyphen followed by six characters.
|
537
465
|
# If you do so, you risk confusion and unexpected results when searching
|
538
466
|
# for a secret by partial ARN. Secrets Manager automatically adds a
|
539
|
-
# hyphen and six random characters at the end of
|
540
|
-
#
|
541
|
-
# </note>
|
467
|
+
# hyphen and six random characters after the secret name at the end of
|
468
|
+
# the ARN.
|
542
469
|
#
|
543
470
|
# @option params [String] :client_request_token
|
544
|
-
#
|
545
|
-
# initial version
|
546
|
-
# specifies
|
471
|
+
# If you include `SecretString` or `SecretBinary`, then Secrets Manager
|
472
|
+
# creates an initial version for the secret, and this parameter
|
473
|
+
# specifies the unique identifier for the new version.
|
547
474
|
#
|
548
475
|
# <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
|
549
|
-
# Services
|
550
|
-
# empty. The CLI or SDK generates a random UUID for you and
|
551
|
-
# as the value for this parameter in the request. If you
|
552
|
-
# SDK and instead generate a raw HTTP request to the
|
553
|
-
# service endpoint, then you must generate a
|
554
|
-
# yourself for the new version and include the
|
476
|
+
# Services SDKs to call this operation, then you can leave this
|
477
|
+
# parameter empty. The CLI or SDK generates a random UUID for you and
|
478
|
+
# includes it as the value for this parameter in the request. If you
|
479
|
+
# don't use the SDK and instead generate a raw HTTP request to the
|
480
|
+
# Secrets Manager service endpoint, then you must generate a
|
481
|
+
# `ClientRequestToken` yourself for the new version and include the
|
482
|
+
# value in the request.
|
555
483
|
#
|
556
484
|
# </note>
|
557
485
|
#
|
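Review bot: The new cross-account paragraph (new lines 449–452) says a customer managed KMS key is required but no longer carries the removed statement (old lines 483–486) that the key policy must grant the other account's user or role `kms:GenerateDataKey` and `kms:Decrypt`. Without that sentence a reader can create the key and still hit access failures that the comment does not explain. I would append `# The key policy must allow the calling principal kms:GenerateDataKey and kms:Decrypt.` after "KMS key.", assuming the requirement is unchanged in 1.55.0. The sentence that every user and role in the account can use `aws/secretsmanager` (new lines 444–446) is also worth weighing when choosing between the default key and a customer managed one. The comment block continues past the end of this hunk.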
@@ -584,99 +512,79 @@ module Aws::SecretsManager
|
|
584
512
|
# [1]: https://wikipedia.org/wiki/Universally_unique_identifier
|
585
513
|
#
|
586
514
|
# @option params [String] :description
|
587
|
-
#
|
515
|
+
# The description of the secret.
|
588
516
|
#
|
589
517
|
# @option params [String] :kms_key_id
|
590
|
-
#
|
591
|
-
#
|
592
|
-
# `SecretString` or `SecretBinary` values in the versions stored in this
|
593
|
-
# secret.
|
518
|
+
# The ARN, key ID, or alias of the KMS key that Secrets Manager uses to
|
519
|
+
# encrypt the secret value in the secret.
|
594
520
|
#
|
595
|
-
#
|
596
|
-
#
|
597
|
-
# account, you can use only the key ARN or the alias ARN.
|
521
|
+
# To use a KMS key in a different account, use the key ARN or the alias
|
522
|
+
# ARN.
|
598
523
|
#
|
599
|
-
# If you don't specify this value, then Secrets Manager
|
600
|
-
#
|
601
|
-
#
|
602
|
-
#
|
603
|
-
# automatically the first time it needs to encrypt a version's
|
604
|
-
# `SecretString` or `SecretBinary` fields.
|
524
|
+
# If you don't specify this value, then Secrets Manager uses the key
|
525
|
+
# `aws/secretsmanager`. If that key doesn't yet exist, then Secrets
|
526
|
+
# Manager creates it for you automatically the first time it encrypts
|
527
|
+
# the secret value.
|
605
528
|
#
|
606
|
-
#
|
607
|
-
#
|
608
|
-
# the secret
|
609
|
-
#
|
529
|
+
# If the secret is in a different Amazon Web Services account from the
|
530
|
+
# credentials calling the API, then you can't use `aws/secretsmanager`
|
531
|
+
# to encrypt the secret, and you must create and use a customer managed
|
532
|
+
# KMS key.
|
610
533
|
#
|
611
534
|
# @option params [String, StringIO, File] :secret_binary
|
612
|
-
#
|
613
|
-
#
|
614
|
-
#
|
615
|
-
# file and then use the appropriate technique for your tool to pass the
|
616
|
-
# contents of the file as a parameter.
|
535
|
+
# The binary data to encrypt and store in the new version of the secret.
|
536
|
+
# We recommend that you store your binary data in a file and then pass
|
537
|
+
# the contents of the file as a parameter.
|
617
538
|
#
|
618
539
|
# Either `SecretString` or `SecretBinary` must have a value, but not
|
619
|
-
# both.
|
540
|
+
# both.
|
620
541
|
#
|
621
|
-
# This parameter is not available
|
622
|
-
# can be accessed only by using the Amazon Web Services CLI or one of
|
623
|
-
# the Amazon Web Services SDKs.
|
542
|
+
# This parameter is not available in the Secrets Manager console.
|
624
543
|
#
|
625
544
|
# @option params [String] :secret_string
|
626
|
-
#
|
627
|
-
#
|
545
|
+
# The text data to encrypt and store in this new version of the secret.
|
546
|
+
# We recommend you use a JSON structure of key/value pairs for your
|
547
|
+
# secret value.
|
628
548
|
#
|
629
549
|
# Either `SecretString` or `SecretBinary` must have a value, but not
|
630
|
-
# both.
|
550
|
+
# both.
|
631
551
|
#
|
632
552
|
# If you create a secret by using the Secrets Manager console then
|
633
553
|
# Secrets Manager puts the protected secret text in only the
|
634
554
|
# `SecretString` parameter. The Secrets Manager console stores the
|
635
|
-
# information as a JSON structure of key/value pairs that
|
636
|
-
# rotation function
|
637
|
-
#
|
638
|
-
# For storing multiple values, we recommend that you use a JSON text
|
639
|
-
# string argument and specify key/value pairs. For more information, see
|
640
|
-
# [Specifying parameter values for the Amazon Web Services CLI][1] in
|
641
|
-
# the Amazon Web Services CLI User Guide.
|
642
|
-
#
|
643
|
-
#
|
644
|
-
#
|
645
|
-
# [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters.html
|
555
|
+
# information as a JSON structure of key/value pairs that a Lambda
|
556
|
+
# rotation function can parse.
|
646
557
|
#
|
647
558
|
# @option params [Array<Types::Tag>] :tags
|
648
|
-
#
|
649
|
-
#
|
650
|
-
# operation only appends tags to the existing list of tags. To remove
|
651
|
-
# tags, you must use UntagResource.
|
559
|
+
# A list of tags to attach to the secret. Each tag is a key and value
|
560
|
+
# pair of strings in a JSON text string, for example:
|
652
561
|
#
|
653
|
-
#
|
654
|
-
# "ABC" is a different tag from one with key "abc".
|
562
|
+
# `[\{"Key":"CostCenter","Value":"12345"\},\{"Key":"environment","Value":"production"\}]`
|
655
563
|
#
|
656
|
-
#
|
657
|
-
#
|
658
|
-
# permissions. If the successful completion of this operation would
|
659
|
-
# result in you losing your permissions for this secret, then this
|
660
|
-
# operation is blocked and returns an `Access Denied` error.
|
564
|
+
# Secrets Manager tag key names are case sensitive. A tag with the key
|
565
|
+
# "ABC" is a different tag from one with key "abc".
|
661
566
|
#
|
662
|
-
#
|
663
|
-
#
|
664
|
-
#
|
665
|
-
#
|
567
|
+
# If you check tags in permissions policies as part of your security
|
568
|
+
# strategy, then adding or removing a tag can change permissions. If the
|
569
|
+
# completion of this operation would result in you losing your
|
570
|
+
# permissions for this secret, then Secrets Manager blocks the operation
|
571
|
+
# and returns an `Access Denied` error. For more information, see
|
572
|
+
# [Control access to secrets using tags][1] and [Limit access to
|
573
|
+
# identities with tags that match secrets' tags][2].
|
666
574
|
#
|
667
|
-
#
|
668
|
-
#
|
669
|
-
#
|
575
|
+
# For information about how to format a JSON parameter for the various
|
576
|
+
# command line tool environments, see [Using JSON for Parameters][3]. If
|
577
|
+
# your command-line tool or SDK requires quotation marks around the
|
670
578
|
# parameter, you should use single quotes to avoid confusion with the
|
671
579
|
# double quotes required in the JSON text.
|
672
580
|
#
|
673
|
-
# The following
|
581
|
+
# The following restrictions apply to tags:
|
674
582
|
#
|
675
|
-
# * Maximum number of tags per secret
|
583
|
+
# * Maximum number of tags per secret: 50
|
676
584
|
#
|
677
|
-
# * Maximum key length
|
585
|
+
# * Maximum key length: 127 Unicode characters in UTF-8
|
678
586
|
#
|
679
|
-
# * Maximum value length
|
587
|
+
# * Maximum value length: 255 Unicode characters in UTF-8
|
680
588
|
#
|
681
589
|
# * Tag keys and values are case sensitive.
|
682
590
|
#
|
@@ -686,23 +594,23 @@ module Aws::SecretsManager
|
|
686
594
|
# with this prefix do not count against your tags per secret limit.
|
687
595
|
#
|
688
596
|
# * If you use your tagging schema across multiple services and
|
689
|
-
# resources,
|
690
|
-
#
|
691
|
-
#
|
597
|
+
# resources, other services might have restrictions on allowed
|
598
|
+
# characters. Generally allowed characters: letters, spaces, and
|
599
|
+
# numbers representable in UTF-8, plus the following special
|
692
600
|
# characters: + - = . \_ : / @.
|
693
601
|
#
|
694
602
|
#
|
695
603
|
#
|
696
|
-
# [1]: https://docs.aws.amazon.com/
|
604
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac
|
605
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2
|
606
|
+
# [3]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
|
697
607
|
#
|
698
608
|
# @option params [Array<Types::ReplicaRegionType>] :add_replica_regions
|
699
|
-
#
|
700
|
-
# replicates the KMSKeyID objects to the list of regions specified in
|
701
|
-
# the parameter.
|
609
|
+
# A list of Regions and KMS keys to replicate secrets.
|
702
610
|
#
|
703
611
|
# @option params [Boolean] :force_overwrite_replica_secret
|
704
|
-
#
|
705
|
-
#
|
612
|
+
# Specifies whether to overwrite a secret with the same name in the
|
613
|
+
# destination Region.
|
706
614
|
#
|
707
615
|
# @return [Types::CreateSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
708
616
|
#
|
@@ -777,28 +685,11 @@ module Aws::SecretsManager
|
|
777
685
|
end
|
778
686
|
|
779
687
|
# Deletes the resource-based permission policy attached to the secret.
|
780
|
-
#
|
781
|
-
# **Minimum permissions**
|
782
|
-
#
|
783
|
-
# To run this command, you must have the following permissions:
|
784
|
-
#
|
785
|
-
# * secretsmanager:DeleteResourcePolicy
|
786
|
-
#
|
787
|
-
# ^
|
788
|
-
#
|
789
|
-
# **Related operations**
|
790
|
-
#
|
791
|
-
# * To attach a resource policy to a secret, use PutResourcePolicy.
|
792
|
-
#
|
793
|
-
# * To retrieve the current resource-based policy attached to a secret,
|
794
|
-
# use GetResourcePolicy.
|
795
|
-
#
|
796
|
-
# * To list all of the currently available secrets, use ListSecrets.
|
688
|
+
# To attach a policy to a secret, use PutResourcePolicy.
|
797
689
|
#
|
798
690
|
# @option params [required, String] :secret_id
|
799
|
-
#
|
800
|
-
#
|
801
|
-
# Name (ARN) or the friendly name of the secret.
|
691
|
+
# The ARN or name of the secret to delete the attached resource-based
|
692
|
+
# policy for.
|
802
693
|
#
|
803
694
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
804
695
|
# partial ARN.
|
@@ -843,86 +734,62 @@ module Aws::SecretsManager
|
|
843
734
|
req.send_request(options)
|
844
735
|
end
|
845
736
|
|
846
|
-
# Deletes
|
847
|
-
#
|
848
|
-
#
|
849
|
-
#
|
850
|
-
#
|
851
|
-
#
|
852
|
-
#
|
853
|
-
# At any time before recovery window ends, you can use RestoreSecret to
|
854
|
-
# remove the `DeletionDate` and cancel the deletion of the secret.
|
855
|
-
#
|
856
|
-
# You cannot access the encrypted secret information in any secret
|
857
|
-
# scheduled for deletion. If you need to access that information, you
|
858
|
-
# must cancel the deletion with RestoreSecret and then retrieve the
|
859
|
-
# information.
|
860
|
-
#
|
861
|
-
# <note markdown="1"> * There is no explicit operation to delete a version of a secret.
|
862
|
-
# Instead, remove all staging labels from the `VersionStage` field of
|
863
|
-
# a version. That marks the version as deprecated and allows Secrets
|
864
|
-
# Manager to delete it as needed. Versions without any staging labels
|
865
|
-
# do not show up in ListSecretVersionIds unless you specify
|
866
|
-
# `IncludeDeprecated`.
|
867
|
-
#
|
868
|
-
# * The permanent secret deletion at the end of the waiting period is
|
869
|
-
# performed as a background task with low priority. There is no
|
870
|
-
# guarantee of a specific time after the recovery window for the
|
871
|
-
# actual delete operation to occur.
|
737
|
+
# Deletes a secret and all of its versions. You can specify a recovery
|
738
|
+
# window during which you can restore the secret. The minimum recovery
|
739
|
+
# window is 7 days. The default recovery window is 30 days. Secrets
|
740
|
+
# Manager attaches a `DeletionDate` stamp to the secret that specifies
|
741
|
+
# the end of the recovery window. At the end of the recovery window,
|
742
|
+
# Secrets Manager deletes the secret permanently.
|
872
743
|
#
|
873
|
-
#
|
874
|
-
#
|
875
|
-
# **Minimum permissions**
|
744
|
+
# For information about deleting a secret in the console, see
|
745
|
+
# [https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage\_delete-secret.html][1].
|
876
746
|
#
|
877
|
-
#
|
747
|
+
# Secrets Manager performs the permanent secret deletion at the end of
|
748
|
+
# the waiting period as a background task with low priority. There is no
|
749
|
+
# guarantee of a specific time after the recovery window for the
|
750
|
+
# permanent delete to occur.
|
878
751
|
#
|
879
|
-
#
|
752
|
+
# At any time before recovery window ends, you can use RestoreSecret to
|
753
|
+
# remove the `DeletionDate` and cancel the deletion of the secret.
|
880
754
|
#
|
881
|
-
#
|
755
|
+
# In a secret scheduled for deletion, you cannot access the encrypted
|
756
|
+
# secret value. To access that information, first cancel the deletion
|
757
|
+
# with RestoreSecret and then retrieve the information.
|
882
758
|
#
|
883
|
-
# **Related operations**
|
884
759
|
#
|
885
|
-
# * To create a secret, use CreateSecret.
|
886
760
|
#
|
887
|
-
#
|
888
|
-
# window has expired, use RestoreSecret.
|
761
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-secret.html
|
889
762
|
#
|
890
763
|
# @option params [required, String] :secret_id
|
891
|
-
#
|
892
|
-
# Resource Name (ARN) or the friendly name of the secret.
|
764
|
+
# The ARN or name of the secret to delete.
|
893
765
|
#
|
894
766
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
895
767
|
# partial ARN.
|
896
768
|
#
|
897
769
|
# @option params [Integer] :recovery_window_in_days
|
898
|
-
#
|
899
|
-
#
|
900
|
-
#
|
901
|
-
#
|
902
|
-
#
|
903
|
-
# This value can range from 7 to 30 days with a default value of 30.
|
770
|
+
# The number of days from 7 to 30 that Secrets Manager waits before
|
771
|
+
# permanently deleting the secret. You can't use both this parameter
|
772
|
+
# and `ForceDeleteWithoutRecovery` in the same call. If you don't use
|
773
|
+
# either, then Secrets Manager defaults to a 30 day recovery window.
|
904
774
|
#
|
905
775
|
# @option params [Boolean] :force_delete_without_recovery
|
906
|
-
#
|
907
|
-
#
|
908
|
-
#
|
776
|
+
# Specifies whether to delete the secret without any recovery window.
|
777
|
+
# You can't use both this parameter and `RecoveryWindowInDays` in the
|
778
|
+
# same call. If you don't use either, then Secrets Manager defaults to
|
779
|
+
# a 30 day recovery window.
|
909
780
|
#
|
910
|
-
#
|
911
|
-
# there
|
912
|
-
#
|
913
|
-
#
|
914
|
-
#
|
781
|
+
# Secrets Manager performs the actual deletion with an asynchronous
|
782
|
+
# background process, so there might be a short delay before the secret
|
783
|
+
# is permanently deleted. If you delete a secret and then immediately
|
784
|
+
# create a secret with the same name, use appropriate back off and retry
|
785
|
+
# logic.
|
915
786
|
#
|
916
787
|
# Use this parameter with caution. This parameter causes the operation
|
917
|
-
# to skip the normal
|
918
|
-
#
|
919
|
-
#
|
920
|
-
#
|
921
|
-
#
|
922
|
-
#
|
923
|
-
# If you use this parameter and include a previously deleted or
|
924
|
-
# nonexistent secret, the operation does not return the error
|
925
|
-
# `ResourceNotFoundException` in order to correctly handle retries.
|
788
|
+
# to skip the normal recovery window before the permanent deletion that
|
789
|
+
# Secrets Manager would normally impose with the `RecoveryWindowInDays`
|
790
|
+
# parameter. If you delete a secret with the `ForceDeleteWithouRecovery`
|
791
|
+
# parameter, then you have no opportunity to recover the secret. You
|
792
|
+
# lose the secret permanently.
|
926
793
|
#
|
927
794
|
# @return [Types::DeleteSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
928
795
|
#
|
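Review bot: New line 790 names the parameter `ForceDeleteWithouRecovery`, missing the second "t", while new line 772 in the same hunk spells it `ForceDeleteWithoutRecovery`; the misspelling sits in the warning about irreversible deletion, where readers are most likely to copy the name, so that line should use `ForceDeleteWithoutRecovery`. The hunk also removes old lines 923–925, which said a forced delete of a previously deleted or nonexistent secret does not return `ResourceNotFoundException`. If that behaviour still holds, the sentence is worth keeping, because retry and cleanup code is written around it. The delete method itself is outside the hunk.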
@@ -973,33 +840,11 @@ module Aws::SecretsManager
|
|
973
840
|
end
|
974
841
|
|
975
842
|
# Retrieves the details of a secret. It does not include the encrypted
|
976
|
-
#
|
843
|
+
# secret value. Secrets Manager only returns fields that have a value in
|
977
844
|
# the response.
|
978
845
|
#
|
979
|
-
# **Minimum permissions**
|
980
|
-
#
|
981
|
-
# To run this command, you must have the following permissions:
|
982
|
-
#
|
983
|
-
# * secretsmanager:DescribeSecret
|
984
|
-
#
|
985
|
-
# ^
|
986
|
-
#
|
987
|
-
# **Related operations**
|
988
|
-
#
|
989
|
-
# * To create a secret, use CreateSecret.
|
990
|
-
#
|
991
|
-
# * To modify a secret, use UpdateSecret.
|
992
|
-
#
|
993
|
-
# * To retrieve the encrypted secret information in a version of the
|
994
|
-
# secret, use GetSecretValue.
|
995
|
-
#
|
996
|
-
# * To list all of the secrets in the Amazon Web Services account, use
|
997
|
-
# ListSecrets.
|
998
|
-
#
|
999
846
|
# @option params [required, String] :secret_id
|
1000
|
-
# The
|
1001
|
-
# can specify either the Amazon Resource Name (ARN) or the friendly name
|
1002
|
-
# of the secret.
|
847
|
+
# The ARN or name of the secret.
|
1003
848
|
#
|
1004
849
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1005
850
|
# partial ARN.
|
@@ -1111,66 +956,45 @@ module Aws::SecretsManager
|
|
1111
956
|
req.send_request(options)
|
1112
957
|
end
|
1113
958
|
|
1114
|
-
# Generates a random password
|
1115
|
-
#
|
1116
|
-
#
|
1117
|
-
# include every character type that the system you are generating a
|
1118
|
-
# password for can support.
|
1119
|
-
#
|
1120
|
-
# **Minimum permissions**
|
1121
|
-
#
|
1122
|
-
# To run this command, you must have the following permissions:
|
1123
|
-
#
|
1124
|
-
# * secretsmanager:GetRandomPassword
|
1125
|
-
#
|
1126
|
-
# ^
|
959
|
+
# Generates a random password. We recommend that you specify the maximum
|
960
|
+
# length and include every character type that the system you are
|
961
|
+
# generating a password for can support.
|
1127
962
|
#
|
1128
963
|
# @option params [Integer] :password_length
|
1129
|
-
# The
|
1130
|
-
#
|
964
|
+
# The length of the password. If you don't include this parameter, the
|
965
|
+
# default length is 32 characters.
|
1131
966
|
#
|
1132
967
|
# @option params [String] :exclude_characters
|
1133
|
-
# A string
|
1134
|
-
# generated password. The default is that all characters from the
|
1135
|
-
# included sets can be used.
|
968
|
+
# A string of the characters that you don't want in the password.
|
1136
969
|
#
|
1137
970
|
# @option params [Boolean] :exclude_numbers
|
1138
|
-
# Specifies
|
1139
|
-
#
|
1140
|
-
# be included.
|
971
|
+
# Specifies whether to exclude numbers from the password. If you don't
|
972
|
+
# include this switch, the password can contain numbers.
|
1141
973
|
#
|
1142
974
|
# @option params [Boolean] :exclude_punctuation
|
1143
|
-
# Specifies
|
1144
|
-
#
|
1145
|
-
#
|
1146
|
-
#
|
1147
|
-
# The following are the punctuation characters that *can* be included in
|
1148
|
-
# the generated password if you don't explicitly exclude them with
|
1149
|
-
# `ExcludeCharacters` or `ExcludePunctuation`\:
|
1150
|
-
#
|
1151
|
-
# `` ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` \{ | \} ~
|
1152
|
-
# ``
|
975
|
+
# Specifies whether to exclude the following punctuation characters from
|
976
|
+
# the password: `` ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _
|
977
|
+
# ` \{ | \} ~ ``. If you don't include this switch, the password can
|
978
|
+
# contain punctuation.
|
1153
979
|
#
|
1154
980
|
# @option params [Boolean] :exclude_uppercase
|
1155
|
-
# Specifies
|
1156
|
-
#
|
1157
|
-
#
|
981
|
+
# Specifies whether to exclude uppercase letters from the password. If
|
982
|
+
# you don't include this switch, the password can contain uppercase
|
983
|
+
# letters.
|
1158
984
|
#
|
1159
985
|
# @option params [Boolean] :exclude_lowercase
|
1160
|
-
# Specifies
|
1161
|
-
#
|
1162
|
-
#
|
986
|
+
# Specifies whether to exclude lowercase letters from the password. If
|
987
|
+
# you don't include this switch, the password can contain lowercase
|
988
|
+
# letters.
|
1163
989
|
#
|
1164
990
|
# @option params [Boolean] :include_space
|
1165
|
-
# Specifies
|
1166
|
-
#
|
1167
|
-
# space character is not included.
|
991
|
+
# Specifies whether to include the space character. If you include this
|
992
|
+
# switch, the password can contain space characters.
|
1168
993
|
#
|
1169
994
|
# @option params [Boolean] :require_each_included_type
|
1170
|
-
#
|
1171
|
-
#
|
1172
|
-
#
|
1173
|
-
# character type.
|
995
|
+
# Specifies whether to include at least one upper and lowercase letter,
|
996
|
+
# one number, and one punctuation. If you don't include this switch,
|
997
|
+
# the password contains at least one of every character type.
|
1174
998
|
#
|
1175
999
|
# @return [Types::GetRandomPasswordResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1176
1000
|
#
|
@@ -1220,31 +1044,17 @@ module Aws::SecretsManager
|
|
1220
1044
|
end
|
1221
1045
|
|
1222
1046
|
# Retrieves the JSON text of the resource-based policy document attached
|
1223
|
-
# to the
|
1224
|
-
#
|
1225
|
-
#
|
1226
|
-
#
|
1227
|
-
# **Minimum permissions**
|
1228
|
-
#
|
1229
|
-
# To run this command, you must have the following permissions:
|
1230
|
-
#
|
1231
|
-
# * secretsmanager:GetResourcePolicy
|
1232
|
-
#
|
1233
|
-
# ^
|
1047
|
+
# to the secret. For more information about permissions policies
|
1048
|
+
# attached to a secret, see [Permissions policies attached to a
|
1049
|
+
# secret][1].
|
1234
1050
|
#
|
1235
|
-
# **Related operations**
|
1236
1051
|
#
|
1237
|
-
# * To attach a resource policy to a secret, use PutResourcePolicy.
|
1238
1052
|
#
|
1239
|
-
#
|
1240
|
-
# DeleteResourcePolicy.
|
1241
|
-
#
|
1242
|
-
# * To list all of the currently available secrets, use ListSecrets.
|
1053
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html
|
1243
1054
|
#
|
1244
1055
|
# @option params [required, String] :secret_id
|
1245
|
-
#
|
1246
|
-
#
|
1247
|
-
# Name (ARN) or the friendly name of the secret.
|
1056
|
+
# The ARN or name of the secret to retrieve the attached resource-based
|
1057
|
+
# policy for.
|
1248
1058
|
#
|
1249
1059
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1250
1060
|
# partial ARN.
|
@@ -1296,40 +1106,30 @@ module Aws::SecretsManager
|
|
1296
1106
|
# `SecretBinary` from the specified version of a secret, whichever
|
1297
1107
|
# contains content.
|
1298
1108
|
#
|
1299
|
-
#
|
1300
|
-
#
|
1301
|
-
# To run this command, you must have the following permissions:
|
1302
|
-
#
|
1303
|
-
# * secretsmanager:GetSecretValue
|
1109
|
+
# For information about retrieving the secret value in the console, see
|
1110
|
+
# [Retrieve secrets][1].
|
1304
1111
|
#
|
1305
|
-
#
|
1306
|
-
#
|
1307
|
-
#
|
1308
|
-
#
|
1112
|
+
# To run this command, you must have `secretsmanager:GetSecretValue`
|
1113
|
+
# permissions. If the secret is encrypted using a customer-managed key
|
1114
|
+
# instead of the Amazon Web Services managed key `aws/secretsmanager`,
|
1115
|
+
# then you also need `kms:Decrypt` permissions for that key.
|
1309
1116
|
#
|
1310
|
-
# **Related operations**
|
1311
1117
|
#
|
1312
|
-
# * To create a new version of the secret with different encrypted
|
1313
|
-
# information, use PutSecretValue.
|
1314
1118
|
#
|
1315
|
-
#
|
1316
|
-
# DescribeSecret.
|
1119
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html
|
1317
1120
|
#
|
1318
1121
|
# @option params [required, String] :secret_id
|
1319
|
-
#
|
1320
|
-
# You can specify either the Amazon Resource Name (ARN) or the friendly
|
1321
|
-
# name of the secret.
|
1122
|
+
# The ARN or name of the secret to retrieve.
|
1322
1123
|
#
|
1323
1124
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1324
1125
|
# partial ARN.
|
1325
1126
|
#
|
1326
1127
|
# @option params [String] :version_id
|
1327
|
-
#
|
1328
|
-
#
|
1329
|
-
#
|
1330
|
-
#
|
1331
|
-
#
|
1332
|
-
# `VersionStage` value of `AWSCURRENT`.
|
1128
|
+
# The unique identifier of the version of the secret to retrieve. If you
|
1129
|
+
# include both this parameter and `VersionStage`, the two parameters
|
1130
|
+
# must refer to the same secret version. If you don't specify either a
|
1131
|
+
# `VersionStage` or `VersionId`, then Secrets Manager returns the
|
1132
|
+
# `AWSCURRENT` version.
|
1333
1133
|
#
|
1334
1134
|
# This value is typically a [UUID-type][1] value with 32 hexadecimal
|
1335
1135
|
# digits.
|
@@ -1339,15 +1139,13 @@ module Aws::SecretsManager
|
|
1339
1139
|
# [1]: https://wikipedia.org/wiki/Universally_unique_identifier
|
1340
1140
|
#
|
1341
1141
|
# @option params [String] :version_stage
|
1342
|
-
#
|
1343
|
-
# label attached to the version.
|
1142
|
+
# The staging label of the version of the secret to retrieve.
|
1344
1143
|
#
|
1345
|
-
#
|
1346
|
-
# rotation process. If you
|
1347
|
-
# the two parameters must refer to the same
|
1348
|
-
# don't specify either a `VersionStage` or
|
1349
|
-
#
|
1350
|
-
# `VersionStage` value of `AWSCURRENT`.
|
1144
|
+
# Secrets Manager uses staging labels to keep track of different
|
1145
|
+
# versions during the rotation process. If you include both this
|
1146
|
+
# parameter and `VersionId`, the two parameters must refer to the same
|
1147
|
+
# secret version. If you don't specify either a `VersionStage` or
|
1148
|
+
# `VersionId`, Secrets Manager returns the `AWSCURRENT` version.
|
1351
1149
|
#
|
1352
1150
|
# @return [Types::GetSecretValueResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1353
1151
|
#
|
@@ -1411,66 +1209,40 @@ module Aws::SecretsManager
|
|
1411
1209
|
req.send_request(options)
|
1412
1210
|
end
|
1413
1211
|
|
1414
|
-
# Lists
|
1415
|
-
# does not include the `SecretString` or `SecretBinary` fields. By
|
1416
|
-
# default, the list includes only versions that have at least one
|
1417
|
-
# staging label in `VersionStage` attached.
|
1418
|
-
#
|
1419
|
-
# <note markdown="1"> Always check the `NextToken` response parameter when calling any of
|
1420
|
-
# the `List*` operations. These operations can occasionally return an
|
1421
|
-
# empty or shorter than expected list of results even when there more
|
1422
|
-
# results become available. When this happens, the `NextToken` response
|
1423
|
-
# parameter contains a value to pass to the next call to the same API to
|
1424
|
-
# request the next part of the list.
|
1212
|
+
# Lists the versions for a secret.
|
1425
1213
|
#
|
1426
|
-
#
|
1427
|
-
#
|
1428
|
-
# **Minimum permissions**
|
1429
|
-
#
|
1430
|
-
# To run this command, you must have the following permissions:
|
1431
|
-
#
|
1432
|
-
# * secretsmanager:ListSecretVersionIds
|
1214
|
+
# To list the secrets in the account, use ListSecrets.
|
1433
1215
|
#
|
1434
|
-
#
|
1216
|
+
# To get the secret value from `SecretString` or `SecretBinary`, call
|
1217
|
+
# GetSecretValue.
|
1435
1218
|
#
|
1436
|
-
# **
|
1437
|
-
#
|
1438
|
-
# * To list the secrets in an account, use ListSecrets.
|
1219
|
+
# **Minimum permissions**
|
1439
1220
|
#
|
1440
|
-
#
|
1221
|
+
# To run this command, you must have
|
1222
|
+
# `secretsmanager:ListSecretVersionIds` permissions.
|
1441
1223
|
#
|
1442
1224
|
# @option params [required, String] :secret_id
|
1443
|
-
# The
|
1444
|
-
# list. You can specify either the Amazon Resource Name (ARN) or the
|
1445
|
-
# friendly name of the secret.
|
1225
|
+
# The ARN or name of the secret whose versions you want to list.
|
1446
1226
|
#
|
1447
1227
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1448
1228
|
# partial ARN.
|
1449
1229
|
#
|
1450
1230
|
# @option params [Integer] :max_results
|
1451
|
-
#
|
1452
|
-
#
|
1453
|
-
#
|
1454
|
-
#
|
1455
|
-
#
|
1456
|
-
# request parameter in the next call to the operation to get the next
|
1457
|
-
# part of the results. Note that Secrets Manager might return fewer
|
1458
|
-
# results than the maximum even when there are more results available.
|
1459
|
-
# You should check `NextToken` after every operation to ensure that you
|
1460
|
-
# receive all of the results.
|
1231
|
+
# The number of results to include in the response.
|
1232
|
+
#
|
1233
|
+
# If there are more results available, in the response, Secrets Manager
|
1234
|
+
# includes `NextToken`. To get the next results, call
|
1235
|
+
# `ListSecretVersionIds` again with the value from `NextToken`.
|
1461
1236
|
#
|
1462
1237
|
# @option params [String] :next_token
|
1463
|
-
#
|
1464
|
-
#
|
1465
|
-
#
|
1466
|
-
# previous call `NextToken` response to indicate where the output should
|
1467
|
-
# continue from.
|
1238
|
+
# A token that indicates where the output should continue from, if a
|
1239
|
+
# previous call did not show all results. To get the next results, call
|
1240
|
+
# `ListSecretVersionIds` again with this value.
|
1468
1241
|
#
|
1469
1242
|
# @option params [Boolean] :include_deprecated
|
1470
|
-
#
|
1471
|
-
#
|
1472
|
-
#
|
1473
|
-
# Manager as needed.
|
1243
|
+
# Specifies whether to include versions of secrets that don't have any
|
1244
|
+
# staging labels attached to them. Versions without staging labels are
|
1245
|
+
# considered deprecated and are subject to deletion by Secrets Manager.
|
1474
1246
|
#
|
1475
1247
|
# @return [Types::ListSecretVersionIdsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1476
1248
|
#
|
@@ -1550,56 +1322,40 @@ module Aws::SecretsManager
|
|
1550
1322
|
req.send_request(options)
|
1551
1323
|
end
|
1552
1324
|
|
1553
|
-
# Lists
|
1554
|
-
#
|
1555
|
-
# a specific secret, use ListSecretVersionIds. The encrypted fields
|
1556
|
-
# `SecretString` and `SecretBinary` are not included in the output. To
|
1557
|
-
# get that information, call the GetSecretValue operation.
|
1558
|
-
#
|
1559
|
-
# <note markdown="1"> Always check the `NextToken` response parameter when calling any of
|
1560
|
-
# the `List*` operations. These operations can occasionally return an
|
1561
|
-
# empty or shorter than expected list of results even when there more
|
1562
|
-
# results become available. When this happens, the `NextToken` response
|
1563
|
-
# parameter contains a value to pass to the next call to the same API to
|
1564
|
-
# request the next part of the list.
|
1325
|
+
# Lists the secrets that are stored by Secrets Manager in the Amazon Web
|
1326
|
+
# Services account.
|
1565
1327
|
#
|
1566
|
-
#
|
1328
|
+
# To list the versions of a secret, use ListSecretVersionIds.
|
1567
1329
|
#
|
1568
|
-
#
|
1330
|
+
# To get the secret value from `SecretString` or `SecretBinary`, call
|
1331
|
+
# GetSecretValue.
|
1569
1332
|
#
|
1570
|
-
#
|
1333
|
+
# For information about finding secrets in the console, see [Enhanced
|
1334
|
+
# search capabilities for secrets in Secrets Manager][1].
|
1571
1335
|
#
|
1572
|
-
#
|
1336
|
+
# **Minimum permissions**
|
1573
1337
|
#
|
1574
|
-
#
|
1338
|
+
# To run this command, you must have `secretsmanager:ListSecrets`
|
1339
|
+
# permissions.
|
1575
1340
|
#
|
1576
|
-
# **Related operations**
|
1577
1341
|
#
|
1578
|
-
# * To list the versions attached to a secret, use ListSecretVersionIds.
|
1579
1342
|
#
|
1580
|
-
#
|
1343
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_search-secret.html
|
1581
1344
|
#
|
1582
1345
|
# @option params [Integer] :max_results
|
1583
|
-
#
|
1584
|
-
#
|
1585
|
-
#
|
1586
|
-
#
|
1587
|
-
#
|
1588
|
-
# request parameter in the next call to the operation to get the next
|
1589
|
-
# part of the results. Note that Secrets Manager might return fewer
|
1590
|
-
# results than the maximum even when there are more results available.
|
1591
|
-
# You should check `NextToken` after every operation to ensure that you
|
1592
|
-
# receive all of the results.
|
1346
|
+
# The number of results to include in the response.
|
1347
|
+
#
|
1348
|
+
# If there are more results available, in the response, Secrets Manager
|
1349
|
+
# includes `NextToken`. To get the next results, call `ListSecrets`
|
1350
|
+
# again with the value from `NextToken`.
|
1593
1351
|
#
|
1594
1352
|
# @option params [String] :next_token
|
1595
|
-
#
|
1596
|
-
#
|
1597
|
-
#
|
1598
|
-
# previous call `NextToken` response to indicate where the output should
|
1599
|
-
# continue from.
|
1353
|
+
# A token that indicates where the output should continue from, if a
|
1354
|
+
# previous call did not show all results. To get the next results, call
|
1355
|
+
# `ListSecrets` again with this value.
|
1600
1356
|
#
|
1601
1357
|
# @option params [Array<Types::Filter>] :filters
|
1602
|
-
#
|
1358
|
+
# The filters to apply to the list of secrets.
|
1603
1359
|
#
|
1604
1360
|
# @option params [String] :sort_order
|
1605
1361
|
# Lists secrets in the requested order.
|
@@ -1695,65 +1451,37 @@ module Aws::SecretsManager
|
|
1695
1451
|
req.send_request(options)
|
1696
1452
|
end
|
1697
1453
|
|
1698
|
-
# Attaches
|
1699
|
-
#
|
1700
|
-
#
|
1701
|
-
# the secret's Amazon Resource Name (ARN) in the policy statement's
|
1702
|
-
# `Resources` element. You can also use a combination of both
|
1703
|
-
# identity-based and resource-based policies. The affected users and
|
1704
|
-
# roles receive the permissions that are permitted by all of the
|
1705
|
-
# relevant policies. For more information, see [Using Resource-Based
|
1706
|
-
# Policies for Amazon Web Services Secrets Manager][1]. For the complete
|
1707
|
-
# description of the Amazon Web Services policy syntax and grammar, see
|
1708
|
-
# [IAM JSON Policy Reference][2] in the *IAM User Guide*.
|
1709
|
-
#
|
1710
|
-
# **Minimum permissions**
|
1711
|
-
#
|
1712
|
-
# To run this command, you must have the following permissions:
|
1713
|
-
#
|
1714
|
-
# * secretsmanager:PutResourcePolicy
|
1715
|
-
#
|
1716
|
-
# ^
|
1454
|
+
# Attaches a resource-based permission policy to a secret. A
|
1455
|
+
# resource-based policy is optional. For more information, see
|
1456
|
+
# [Authentication and access control for Secrets Manager][1]
|
1717
1457
|
#
|
1718
|
-
#
|
1458
|
+
# For information about attaching a policy in the console, see [Attach a
|
1459
|
+
# permissions policy to a secret][2].
|
1719
1460
|
#
|
1720
|
-
# * To retrieve the resource policy attached to a secret, use
|
1721
|
-
# GetResourcePolicy.
|
1722
1461
|
#
|
1723
|
-
# * To delete the resource-based policy attached to a secret, use
|
1724
|
-
# DeleteResourcePolicy.
|
1725
1462
|
#
|
1726
|
-
#
|
1727
|
-
#
|
1728
|
-
#
|
1729
|
-
#
|
1730
|
-
# [1]: http://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html
|
1731
|
-
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
1463
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
1464
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html
|
1732
1465
|
#
|
1733
1466
|
# @option params [required, String] :secret_id
|
1734
|
-
#
|
1735
|
-
# policy. You can specify either the ARN or the friendly name of the
|
1736
|
-
# secret.
|
1467
|
+
# The ARN or name of the secret to attach the resource-based policy.
|
1737
1468
|
#
|
1738
1469
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1739
1470
|
# partial ARN.
|
1740
1471
|
#
|
1741
1472
|
# @option params [required, String] :resource_policy
|
1742
|
-
# A JSON-formatted string
|
1743
|
-
#
|
1744
|
-
# the string identifies who can access or manage this secret and its
|
1745
|
-
# versions. For information on how to format a JSON parameter for the
|
1746
|
-
# various command line tool environments, see [Using JSON for
|
1747
|
-
# Parameters][1] in the *CLI User Guide*.
|
1473
|
+
# A JSON-formatted string for an Amazon Web Services resource-based
|
1474
|
+
# policy. For example policies, see [Permissions policy examples][1].
|
1748
1475
|
#
|
1749
1476
|
#
|
1750
1477
|
#
|
1751
|
-
# [1]:
|
1478
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
|
1752
1479
|
#
|
1753
1480
|
# @option params [Boolean] :block_public_policy
|
1754
|
-
#
|
1755
|
-
#
|
1756
|
-
#
|
1481
|
+
# Specifies whether to block resource-based policies that allow broad
|
1482
|
+
# access to the secret. By default, Secrets Manager blocks policies that
|
1483
|
+
# allow broad access, for example those that use a wildcard for the
|
1484
|
+
# principal.
|
1757
1485
|
#
|
1758
1486
|
# @return [Types::PutResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1759
1487
|
#
|
@@ -1798,11 +1526,9 @@ module Aws::SecretsManager
|
|
1798
1526
|
req.send_request(options)
|
1799
1527
|
end
|
1800
1528
|
|
1801
|
-
#
|
1802
|
-
#
|
1803
|
-
#
|
1804
|
-
# `SecretBinary` value. You can also specify the staging labels that are
|
1805
|
-
# initially attached to the new version.
|
1529
|
+
# Creates a new version with a new encrypted secret value and attaches
|
1530
|
+
# it to the secret. The version can contain a new `SecretString` value
|
1531
|
+
# or a new `SecretBinary` value.
|
1806
1532
|
#
|
1807
1533
|
# We recommend you avoid calling `PutSecretValue` at a sustained rate of
|
1808
1534
|
# more than once every 10 minutes. When you update the secret value,
|
@@ -1813,116 +1539,64 @@ module Aws::SecretsManager
|
|
1813
1539
|
# versions than Secrets Manager removes, and you will reach the quota
|
1814
1540
|
# for secret versions.
|
1815
1541
|
#
|
1816
|
-
#
|
1817
|
-
#
|
1818
|
-
#
|
1819
|
-
#
|
1820
|
-
#
|
1821
|
-
#
|
1822
|
-
#
|
1823
|
-
#
|
1824
|
-
#
|
1825
|
-
#
|
1826
|
-
#
|
1827
|
-
#
|
1828
|
-
#
|
1829
|
-
#
|
1830
|
-
#
|
1831
|
-
#
|
1832
|
-
#
|
1833
|
-
#
|
1834
|
-
# can only create new ones.
|
1835
|
-
#
|
1836
|
-
# <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
|
1837
|
-
# `SecretBinary` for a secret in the same account as the calling user
|
1838
|
-
# and that secret doesn't specify a Amazon Web Services KMS
|
1839
|
-
# encryption key, Secrets Manager uses the account's default Amazon
|
1840
|
-
# Web Services managed customer master key (CMK) with the alias
|
1841
|
-
# `aws/secretsmanager`. If this key doesn't already exist in your
|
1842
|
-
# account then Secrets Manager creates it for you automatically. All
|
1843
|
-
# users and roles in the same Amazon Web Services account
|
1844
|
-
# automatically have access to use the default CMK. Note that if an
|
1845
|
-
# Secrets Manager API call results in Amazon Web Services creating the
|
1846
|
-
# account's Amazon Web Services-managed CMK, it can result in a
|
1847
|
-
# one-time significant delay in returning the result.
|
1848
|
-
#
|
1849
|
-
# * If the secret resides in a different Amazon Web Services account
|
1850
|
-
# from the credentials calling an API that requires encryption or
|
1851
|
-
# decryption of the secret value then you must create and use a custom
|
1852
|
-
# Amazon Web Services KMS CMK because you can't access the default
|
1853
|
-
# CMK for the account using credentials from a different Amazon Web
|
1854
|
-
# Services account. Store the ARN of the CMK in the secret when you
|
1855
|
-
# create the secret or when you update it by including it in the
|
1856
|
-
# `KMSKeyId`. If you call an API that must encrypt or decrypt
|
1857
|
-
# `SecretString` or `SecretBinary` using credentials from a different
|
1858
|
-
# account then the Amazon Web Services KMS key policy must grant
|
1859
|
-
# cross-account access to that other account's user or role for both
|
1860
|
-
# the kms:GenerateDataKey and kms:Decrypt operations.
|
1861
|
-
#
|
1862
|
-
# </note>
|
1863
|
-
#
|
1864
|
-
# **Minimum permissions**
|
1865
|
-
#
|
1866
|
-
# To run this command, you must have the following permissions:
|
1867
|
-
#
|
1868
|
-
# * secretsmanager:PutSecretValue
|
1869
|
-
#
|
1870
|
-
# * kms:GenerateDataKey - needed only if you use a customer-managed
|
1871
|
-
# Amazon Web Services KMS key to encrypt the secret. You do not need
|
1872
|
-
# this permission to use the account's default Amazon Web Services
|
1873
|
-
# managed CMK for Secrets Manager.
|
1874
|
-
#
|
1875
|
-
# **Related operations**
|
1876
|
-
#
|
1877
|
-
# * To retrieve the encrypted value you store in the version of a
|
1878
|
-
# secret, use GetSecretValue.
|
1879
|
-
#
|
1880
|
-
# * To create a secret, use CreateSecret.
|
1881
|
-
#
|
1882
|
-
# * To get the details for a secret, use DescribeSecret.
|
1883
|
-
#
|
1884
|
-
# * To list the versions attached to a secret, use ListSecretVersionIds.
|
1542
|
+
# You can specify the staging labels to attach to the new version in
|
1543
|
+
# `VersionStages`. If you don't include `VersionStages`, then Secrets
|
1544
|
+
# Manager automatically moves the staging label `AWSCURRENT` to this
|
1545
|
+
# version. If this operation creates the first version for the secret,
|
1546
|
+
# then Secrets Manager automatically attaches the staging label
|
1547
|
+
# `AWSCURRENT` to it .
|
1548
|
+
#
|
1549
|
+
# If this operation moves the staging label `AWSCURRENT` from another
|
1550
|
+
# version to this version, then Secrets Manager also automatically moves
|
1551
|
+
# the staging label `AWSPREVIOUS` to the version that `AWSCURRENT` was
|
1552
|
+
# removed from.
|
1553
|
+
#
|
1554
|
+
# This operation is idempotent. If a version with a `VersionId` with the
|
1555
|
+
# same value as the `ClientRequestToken` parameter already exists, and
|
1556
|
+
# you specify the same secret data, the operation succeeds but does
|
1557
|
+
# nothing. However, if the secret data is different, then the operation
|
1558
|
+
# fails because you can't modify an existing version; you can only
|
1559
|
+
# create new ones.
|
1885
1560
|
#
|
1886
1561
|
# @option params [required, String] :secret_id
|
1887
|
-
#
|
1888
|
-
# specify either the Amazon Resource Name (ARN) or the friendly name of
|
1889
|
-
# the secret. The secret must already exist.
|
1562
|
+
# The ARN or name of the secret to add a new version to.
|
1890
1563
|
#
|
1891
1564
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1892
1565
|
# partial ARN.
|
1893
1566
|
#
|
1567
|
+
# If the secret doesn't already exist, use `CreateSecret` instead.
|
1568
|
+
#
|
1894
1569
|
# @option params [String] :client_request_token
|
1895
|
-
#
|
1896
|
-
# secret.
|
1570
|
+
# A unique identifier for the new version of the secret.
|
1897
1571
|
#
|
1898
1572
|
# <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
|
1899
|
-
# Services
|
1900
|
-
# empty
|
1901
|
-
#
|
1902
|
-
#
|
1903
|
-
#
|
1904
|
-
#
|
1573
|
+
# Services SDKs to call this operation, then you can leave this
|
1574
|
+
# parameter empty because they generate a random UUID for you. If you
|
1575
|
+
# don't use the SDK and instead generate a raw HTTP request to the
|
1576
|
+
# Secrets Manager service endpoint, then you must generate a
|
1577
|
+
# `ClientRequestToken` yourself for new versions and include that value
|
1578
|
+
# in the request.
|
1905
1579
|
#
|
1906
1580
|
# </note>
|
1907
1581
|
#
|
1908
1582
|
# This value helps ensure idempotency. Secrets Manager uses this value
|
1909
1583
|
# to prevent the accidental creation of duplicate versions if there are
|
1910
|
-
# failures and retries during the Lambda rotation function
|
1911
|
-
#
|
1912
|
-
#
|
1584
|
+
# failures and retries during the Lambda rotation function processing.
|
1585
|
+
# We recommend that you generate a [UUID-type][1] value to ensure
|
1586
|
+
# uniqueness within the specified secret.
|
1913
1587
|
#
|
1914
1588
|
# * If the `ClientRequestToken` value isn't already associated with a
|
1915
1589
|
# version of the secret then a new version of the secret is created.
|
1916
1590
|
#
|
1917
1591
|
# * If a version with this value already exists and that version's
|
1918
1592
|
# `SecretString` or `SecretBinary` values are the same as those in the
|
1919
|
-
# request then the request is ignored
|
1593
|
+
# request then the request is ignored. The operation is idempotent.
|
1920
1594
|
#
|
1921
1595
|
# * If a version with this value already exists and the version of the
|
1922
1596
|
# `SecretString` and `SecretBinary` values are different from those in
|
1923
|
-
# the request then the request fails because you
|
1924
|
-
#
|
1925
|
-
#
|
1597
|
+
# the request, then the request fails because you can't modify a
|
1598
|
+
# secret version. You can only create new versions to store new secret
|
1599
|
+
# values.
|
1926
1600
|
#
|
1927
1601
|
# This value becomes the `VersionId` of the new version.
|
1928
1602
|
#
|
@@ -1934,52 +1608,37 @@ module Aws::SecretsManager
|
|
1934
1608
|
# [1]: https://wikipedia.org/wiki/Universally_unique_identifier
|
1935
1609
|
#
|
1936
1610
|
# @option params [String, StringIO, File] :secret_binary
|
1937
|
-
#
|
1938
|
-
#
|
1939
|
-
#
|
1940
|
-
# file
|
1941
|
-
# contents of the file as a parameter. Either `SecretBinary` or
|
1942
|
-
# `SecretString` must have a value, but not both. They cannot both be
|
1943
|
-
# empty.
|
1611
|
+
# The binary data to encrypt and store in the new version of the secret.
|
1612
|
+
# To use this parameter in the command-line tools, we recommend that you
|
1613
|
+
# store your binary data in a file and then pass the contents of the
|
1614
|
+
# file as a parameter.
|
1944
1615
|
#
|
1945
|
-
#
|
1946
|
-
# Manager console.
|
1616
|
+
# You must include `SecretBinary` or `SecretString`, but not both.
|
1947
1617
|
#
|
1948
|
-
#
|
1949
|
-
# (Optional) Specifies text data that you want to encrypt and store in
|
1950
|
-
# this new version of the secret. Either `SecretString` or
|
1951
|
-
# `SecretBinary` must have a value, but not both. They cannot both be
|
1952
|
-
# empty.
|
1953
|
-
#
|
1954
|
-
# If you create this secret by using the Secrets Manager console then
|
1955
|
-
# Secrets Manager puts the protected secret text in only the
|
1956
|
-
# `SecretString` parameter. The Secrets Manager console stores the
|
1957
|
-
# information as a JSON structure of key/value pairs that the default
|
1958
|
-
# Lambda rotation function knows how to parse.
|
1959
|
-
#
|
1960
|
-
# For storing multiple values, we recommend that you use a JSON text
|
1961
|
-
# string argument and specify key/value pairs. For more information, see
|
1962
|
-
# [Specifying parameter values for the Amazon Web Services CLI][1] in
|
1963
|
-
# the Amazon Web Services CLI User Guide.
|
1618
|
+
# You can't access this value from the Secrets Manager console.
|
1964
1619
|
#
|
1620
|
+
# @option params [String] :secret_string
|
1621
|
+
# The text to encrypt and store in the new version of the secret.
|
1965
1622
|
#
|
1623
|
+
# You must include `SecretBinary` or `SecretString`, but not both.
|
1966
1624
|
#
|
1967
|
-
#
|
1625
|
+
# We recommend you create the secret string as JSON key/value pairs, as
|
1626
|
+
# shown in the example.
|
1968
1627
|
#
|
1969
1628
|
# @option params [Array<String>] :version_stages
|
1970
|
-
#
|
1971
|
-
#
|
1972
|
-
#
|
1973
|
-
#
|
1974
|
-
# A staging label must be unique to a single version of the secret. If
|
1975
|
-
# you specify a staging label that's already associated with a
|
1976
|
-
# different version of the same secret then that staging label is
|
1977
|
-
# automatically removed from the other version and attached to this
|
1978
|
-
# version.
|
1629
|
+
# A list of staging labels to attach to this version of the secret.
|
1630
|
+
# Secrets Manager uses staging labels to track versions of a secret
|
1631
|
+
# through the rotation process.
|
1979
1632
|
#
|
1980
|
-
# If you
|
1981
|
-
#
|
1982
|
-
# version.
|
1633
|
+
# If you specify a staging label that's already associated with a
|
1634
|
+
# different version of the same secret, then Secrets Manager removes the
|
1635
|
+
# label from the other version and attaches it to this version. If you
|
1636
|
+
# specify `AWSCURRENT`, and it is already attached to another version,
|
1637
|
+
# then Secrets Manager also moves the staging label `AWSPREVIOUS` to the
|
1638
|
+
# version that `AWSCURRENT` was removed from.
|
1639
|
+
#
|
1640
|
+
# If you don't include `VersionStages`, then Secrets Manager
|
1641
|
+
# automatically moves the staging label `AWSCURRENT` to this version.
|
1983
1642
|
#
|
1984
1643
|
# @return [Types::PutSecretValueResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1985
1644
|
#
|
@@ -2037,13 +1696,14 @@ module Aws::SecretsManager
|
|
2037
1696
|
req.send_request(options)
|
2038
1697
|
end
|
2039
1698
|
|
2040
|
-
#
|
1699
|
+
# For a secret that is replicated to other Regions, deletes the secret
|
1700
|
+
# replicas from the Regions you specify.
|
2041
1701
|
#
|
2042
1702
|
# @option params [required, String] :secret_id
|
2043
|
-
#
|
1703
|
+
# The ARN or name of the secret.
|
2044
1704
|
#
|
2045
1705
|
# @option params [required, Array<String>] :remove_replica_regions
|
2046
|
-
#
|
1706
|
+
# The Regions of the replicas to remove.
|
2047
1707
|
#
|
2048
1708
|
# @return [Types::RemoveRegionsFromReplicationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2049
1709
|
#
|
@@ -2076,18 +1736,21 @@ module Aws::SecretsManager
|
|
2076
1736
|
req.send_request(options)
|
2077
1737
|
end
|
2078
1738
|
|
2079
|
-
#
|
2080
|
-
#
|
1739
|
+
# Replicates the secret to a new Regions. See [Multi-Region secrets][1].
|
1740
|
+
#
|
1741
|
+
#
|
1742
|
+
#
|
1743
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/create-manage-multi-region-secrets.html
|
2081
1744
|
#
|
2082
1745
|
# @option params [required, String] :secret_id
|
2083
|
-
#
|
1746
|
+
# The ARN or name of the secret to replicate.
|
2084
1747
|
#
|
2085
1748
|
# @option params [required, Array<Types::ReplicaRegionType>] :add_replica_regions
|
2086
|
-
#
|
1749
|
+
# A list of Regions in which to replicate the secret.
|
2087
1750
|
#
|
2088
1751
|
# @option params [Boolean] :force_overwrite_replica_secret
|
2089
|
-
#
|
2090
|
-
#
|
1752
|
+
# Specifies whether to overwrite a secret with the same name in the
|
1753
|
+
# destination Region.
|
2091
1754
|
#
|
2092
1755
|
# @return [Types::ReplicateSecretToRegionsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2093
1756
|
#
|
@@ -2127,27 +1790,11 @@ module Aws::SecretsManager
|
|
2127
1790
|
end
|
2128
1791
|
|
2129
1792
|
# Cancels the scheduled deletion of a secret by removing the
|
2130
|
-
# `DeletedDate` time stamp.
|
2131
|
-
#
|
2132
|
-
#
|
2133
|
-
# **Minimum permissions**
|
2134
|
-
#
|
2135
|
-
# To run this command, you must have the following permissions:
|
2136
|
-
#
|
2137
|
-
# * secretsmanager:RestoreSecret
|
2138
|
-
#
|
2139
|
-
# ^
|
2140
|
-
#
|
2141
|
-
# **Related operations**
|
2142
|
-
#
|
2143
|
-
# * To delete a secret, use DeleteSecret.
|
2144
|
-
#
|
2145
|
-
# ^
|
1793
|
+
# `DeletedDate` time stamp. You can access a secret again after it has
|
1794
|
+
# been restored.
|
2146
1795
|
#
|
2147
1796
|
# @option params [required, String] :secret_id
|
2148
|
-
#
|
2149
|
-
# scheduled deletion. You can specify either the Amazon Resource Name
|
2150
|
-
# (ARN) or the friendly name of the secret.
|
1797
|
+
# The ARN or name of the secret to restore.
|
2151
1798
|
#
|
2152
1799
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2153
1800
|
# partial ARN.
|
@@ -2192,82 +1839,52 @@ module Aws::SecretsManager
|
|
2192
1839
|
req.send_request(options)
|
2193
1840
|
end
|
2194
1841
|
|
2195
|
-
# Configures and starts the asynchronous process of rotating
|
2196
|
-
#
|
2197
|
-
#
|
2198
|
-
#
|
2199
|
-
#
|
2200
|
-
#
|
2201
|
-
#
|
2202
|
-
#
|
2203
|
-
#
|
2204
|
-
#
|
2205
|
-
#
|
2206
|
-
#
|
2207
|
-
#
|
2208
|
-
#
|
2209
|
-
#
|
2210
|
-
#
|
2211
|
-
#
|
2212
|
-
#
|
2213
|
-
#
|
2214
|
-
#
|
2215
|
-
# Secrets Manager schedules the next rotation when the previous one
|
2216
|
-
# completes. Secrets Manager schedules the date by adding the rotation
|
2217
|
-
# interval (number of days) to the actual date of the last rotation. The
|
2218
|
-
# service chooses the hour within that 24-hour date window randomly. The
|
2219
|
-
# minute is also chosen somewhat randomly, but weighted towards the top
|
2220
|
-
# of the hour and influenced by a variety of factors that help
|
2221
|
-
# distribute load.
|
2222
|
-
#
|
2223
|
-
# The rotation function must end with the versions of the secret in one
|
2224
|
-
# of two states:
|
2225
|
-
#
|
2226
|
-
# * The `AWSPENDING` and `AWSCURRENT` staging labels are attached to the
|
2227
|
-
# same version of the secret, or
|
2228
|
-
#
|
2229
|
-
# * The `AWSPENDING` staging label is not attached to any version of the
|
2230
|
-
# secret.
|
1842
|
+
# Configures and starts the asynchronous process of rotating the secret.
|
1843
|
+
#
|
1844
|
+
# If you include the configuration parameters, the operation sets the
|
1845
|
+
# values for the secret and then immediately starts a rotation. If you
|
1846
|
+
# don't include the configuration parameters, the operation starts a
|
1847
|
+
# rotation with the values already stored in the secret. For more
|
1848
|
+
# information about rotation, see [Rotate secrets][1].
|
1849
|
+
#
|
1850
|
+
# To configure rotation, you include the ARN of an Amazon Web Services
|
1851
|
+
# Lambda function and the schedule for the rotation. The Lambda rotation
|
1852
|
+
# function creates a new version of the secret and creates or updates
|
1853
|
+
# the credentials on the database or service to match. After testing the
|
1854
|
+
# new credentials, the function marks the new secret version with the
|
1855
|
+
# staging label `AWSCURRENT`. Then anyone who retrieves the secret gets
|
1856
|
+
# the new version. For more information, see [How rotation works][2].
|
1857
|
+
#
|
1858
|
+
# When rotation is successful, the `AWSPENDING` staging label might be
|
1859
|
+
# attached to the same version as the `AWSCURRENT` version, or it might
|
1860
|
+
# not be attached to any version.
|
2231
1861
|
#
|
2232
1862
|
# If the `AWSPENDING` staging label is present but not attached to the
|
2233
|
-
# same version as `AWSCURRENT
|
1863
|
+
# same version as `AWSCURRENT`, then any later invocation of
|
2234
1864
|
# `RotateSecret` assumes that a previous rotation request is still in
|
2235
1865
|
# progress and returns an error.
|
2236
1866
|
#
|
2237
|
-
#
|
2238
|
-
#
|
2239
|
-
#
|
2240
|
-
#
|
2241
|
-
# * secretsmanager:RotateSecret
|
2242
|
-
#
|
2243
|
-
# * lambda:InvokeFunction (on the function specified in the secret's
|
2244
|
-
# metadata)
|
2245
|
-
#
|
2246
|
-
# **Related operations**
|
2247
|
-
#
|
2248
|
-
# * To list the secrets in your account, use ListSecrets.
|
2249
|
-
#
|
2250
|
-
# * To get the details for a version of a secret, use DescribeSecret.
|
2251
|
-
#
|
2252
|
-
# * To create a new version of a secret, use CreateSecret.
|
2253
|
-
#
|
2254
|
-
# * To attach staging labels to or remove staging labels from a version
|
2255
|
-
# of a secret, use UpdateSecretVersionStage.
|
1867
|
+
# To run this command, you must have `secretsmanager:RotateSecret`
|
1868
|
+
# permissions and `lambda:InvokeFunction` permissions on the function
|
1869
|
+
# specified in the secret's metadata.
|
2256
1870
|
#
|
2257
1871
|
#
|
2258
1872
|
#
|
2259
1873
|
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
|
1874
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html
|
2260
1875
|
#
|
2261
1876
|
# @option params [required, String] :secret_id
|
2262
|
-
#
|
2263
|
-
# the Amazon Resource Name (ARN) or the friendly name of the secret.
|
1877
|
+
# The ARN or name of the secret to rotate.
|
2264
1878
|
#
|
2265
1879
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2266
1880
|
# partial ARN.
|
2267
1881
|
#
|
2268
1882
|
# @option params [String] :client_request_token
|
2269
|
-
#
|
2270
|
-
#
|
1883
|
+
# A unique identifier for the new version of the secret that helps
|
1884
|
+
# ensure idempotency. Secrets Manager uses this value to prevent the
|
1885
|
+
# accidental creation of duplicate versions if there are failures and
|
1886
|
+
# retries during rotation. This value becomes the `VersionId` of the new
|
1887
|
+
# version.
|
2271
1888
|
#
|
2272
1889
|
# If you use the Amazon Web Services CLI or one of the Amazon Web
|
2273
1890
|
# Services SDK to call this operation, then you can leave this parameter
|
@@ -2277,15 +1894,10 @@ module Aws::SecretsManager
|
|
2277
1894
|
# endpoint, then you must generate a `ClientRequestToken` yourself for
|
2278
1895
|
# new versions and include that value in the request.
|
2279
1896
|
#
|
2280
|
-
# You only need to specify
|
2281
|
-
#
|
2282
|
-
# twice. We recommend that you generate a
|
2283
|
-
# uniqueness within the specified secret.
|
2284
|
-
#
|
2285
|
-
# Secrets Manager uses this value to prevent the accidental creation of
|
2286
|
-
# duplicate versions if there are failures and retries during the
|
2287
|
-
# function's processing. This value becomes the `VersionId` of the new
|
2288
|
-
# version.
|
1897
|
+
# You only need to specify this value if you implement your own retry
|
1898
|
+
# logic and you want to ensure that Secrets Manager doesn't attempt to
|
1899
|
+
# create a secret version twice. We recommend that you generate a
|
1900
|
+
# [UUID-type][1] value to ensure uniqueness within the specified secret.
|
2289
1901
|
#
|
2290
1902
|
# **A suitable default value is auto-generated.** You should normally
|
2291
1903
|
# not need to pass this option.**
|
@@ -2295,8 +1907,7 @@ module Aws::SecretsManager
|
|
2295
1907
|
# [1]: https://wikipedia.org/wiki/Universally_unique_identifier
|
2296
1908
|
#
|
2297
1909
|
# @option params [String] :rotation_lambda_arn
|
2298
|
-
#
|
2299
|
-
# the secret.
|
1910
|
+
# The ARN of the Lambda rotation function that can rotate the secret.
|
2300
1911
|
#
|
2301
1912
|
# @option params [Types::RotationRulesType] :rotation_rules
|
2302
1913
|
# A structure that defines the rotation configuration for this secret.
|
@@ -2333,12 +1944,14 @@ module Aws::SecretsManager
|
|
2333
1944
|
req.send_request(options)
|
2334
1945
|
end
|
2335
1946
|
|
2336
|
-
# Removes the
|
2337
|
-
#
|
1947
|
+
# Removes the link between the replica secret and the primary secret and
|
1948
|
+
# promotes the replica to a primary secret in the replica Region.
|
1949
|
+
#
|
1950
|
+
# You must call this operation from the Region in which you want to
|
1951
|
+
# promote the replica to a primary secret.
|
2338
1952
|
#
|
2339
1953
|
# @option params [required, String] :secret_id
|
2340
|
-
#
|
2341
|
-
# `SecretId`.
|
1954
|
+
# The ARN of the primary secret.
|
2342
1955
|
#
|
2343
1956
|
# @return [Types::StopReplicationToReplicaResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2344
1957
|
#
|
@@ -2363,19 +1976,18 @@ module Aws::SecretsManager
|
|
2363
1976
|
req.send_request(options)
|
2364
1977
|
end
|
2365
1978
|
|
2366
|
-
# Attaches
|
2367
|
-
#
|
2368
|
-
#
|
2369
|
-
#
|
2370
|
-
# To remove tags, you must use UntagResource.
|
1979
|
+
# Attaches tags to a secret. Tags consist of a key name and a value.
|
1980
|
+
# Tags are part of the secret's metadata. They are not associated with
|
1981
|
+
# specific versions of the secret. This operation appends tags to the
|
1982
|
+
# existing list of tags.
|
2371
1983
|
#
|
2372
|
-
# The following
|
1984
|
+
# The following restrictions apply to tags:
|
2373
1985
|
#
|
2374
|
-
# * Maximum number of tags per secret
|
1986
|
+
# * Maximum number of tags per secret: 50
|
2375
1987
|
#
|
2376
|
-
# * Maximum key length
|
1988
|
+
# * Maximum key length: 127 Unicode characters in UTF-8
|
2377
1989
|
#
|
2378
|
-
# * Maximum value length
|
1990
|
+
# * Maximum value length: 255 Unicode characters in UTF-8
|
2379
1991
|
#
|
2380
1992
|
# * Tag keys and values are case sensitive.
|
2381
1993
|
#
|
@@ -2385,9 +1997,9 @@ module Aws::SecretsManager
|
|
2385
1997
|
# with this prefix do not count against your tags per secret limit.
|
2386
1998
|
#
|
2387
1999
|
# * If you use your tagging schema across multiple services and
|
2388
|
-
# resources,
|
2389
|
-
#
|
2390
|
-
#
|
2000
|
+
# resources, other services might have restrictions on allowed
|
2001
|
+
# characters. Generally allowed characters: letters, spaces, and
|
2002
|
+
# numbers representable in UTF-8, plus the following special
|
2391
2003
|
# characters: + - = . \_ : / @.
|
2392
2004
|
#
|
2393
2005
|
# If you use tags as part of your security strategy, then adding or
|
@@ -2395,34 +2007,17 @@ module Aws::SecretsManager
|
|
2395
2007
|
# operation would result in you losing your permissions for this secret,
|
2396
2008
|
# then the operation is blocked and returns an Access Denied error.
|
2397
2009
|
#
|
2398
|
-
# **Minimum permissions**
|
2399
|
-
#
|
2400
|
-
# To run this command, you must have the following permissions:
|
2401
|
-
#
|
2402
|
-
# * secretsmanager:TagResource
|
2403
|
-
#
|
2404
|
-
# ^
|
2405
|
-
#
|
2406
|
-
# **Related operations**
|
2407
|
-
#
|
2408
|
-
# * To remove one or more tags from the collection attached to a secret,
|
2409
|
-
# use UntagResource.
|
2410
|
-
#
|
2411
|
-
# * To view the list of tags attached to a secret, use DescribeSecret.
|
2412
|
-
#
|
2413
2010
|
# @option params [required, String] :secret_id
|
2414
|
-
# The identifier for the secret
|
2415
|
-
#
|
2416
|
-
#
|
2011
|
+
# The identifier for the secret to attach tags to. You can specify
|
2012
|
+
# either the Amazon Resource Name (ARN) or the friendly name of the
|
2013
|
+
# secret.
|
2417
2014
|
#
|
2418
2015
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2419
2016
|
# partial ARN.
|
2420
2017
|
#
|
2421
2018
|
# @option params [required, Array<Types::Tag>] :tags
|
2422
|
-
# The tags to attach to the secret
|
2423
|
-
# a `Key` and a `Value`.
|
2424
|
-
#
|
2425
|
-
# This parameter to the API requires a JSON text string argument.
|
2019
|
+
# The tags to attach to the secret as a JSON text string argument. Each
|
2020
|
+
# element in the list consists of a `Key` and a `Value`.
|
2426
2021
|
#
|
2427
2022
|
# For storing multiple values, we recommend that you use a JSON text
|
2428
2023
|
# string argument and specify key/value pairs. For more information, see
|
@@ -2476,7 +2071,7 @@ module Aws::SecretsManager
|
|
2476
2071
|
req.send_request(options)
|
2477
2072
|
end
|
2478
2073
|
|
2479
|
-
# Removes
|
2074
|
+
# Removes specific tags from a secret.
|
2480
2075
|
#
|
2481
2076
|
# This operation is idempotent. If a requested tag is not attached to
|
2482
2077
|
# the secret, no error is returned and the secret metadata is unchanged.
|
@@ -2486,25 +2081,8 @@ module Aws::SecretsManager
|
|
2486
2081
|
# would result in you losing your permissions for this secret, then the
|
2487
2082
|
# operation is blocked and returns an Access Denied error.
|
2488
2083
|
#
|
2489
|
-
# **Minimum permissions**
|
2490
|
-
#
|
2491
|
-
# To run this command, you must have the following permissions:
|
2492
|
-
#
|
2493
|
-
# * secretsmanager:UntagResource
|
2494
|
-
#
|
2495
|
-
# ^
|
2496
|
-
#
|
2497
|
-
# **Related operations**
|
2498
|
-
#
|
2499
|
-
# * To add one or more tags to the collection attached to a secret, use
|
2500
|
-
# TagResource.
|
2501
|
-
#
|
2502
|
-
# * To view the list of tags attached to a secret, use DescribeSecret.
|
2503
|
-
#
|
2504
2084
|
# @option params [required, String] :secret_id
|
2505
|
-
# The
|
2506
|
-
# can specify either the Amazon Resource Name (ARN) or the friendly name
|
2507
|
-
# of the secret.
|
2085
|
+
# The ARN or name of the secret.
|
2508
2086
|
#
|
2509
2087
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2510
2088
|
# partial ARN.
|
@@ -2513,7 +2091,7 @@ module Aws::SecretsManager
|
|
2513
2091
|
# A list of tag key names to remove from the secret. You don't specify
|
2514
2092
|
# the value. Both the key and its associated value are removed.
|
2515
2093
|
#
|
2516
|
-
# This parameter
|
2094
|
+
# This parameter requires a JSON text string argument.
|
2517
2095
|
#
|
2518
2096
|
# For storing multiple values, we recommend that you use a JSON text
|
2519
2097
|
# string argument and specify key/value pairs. For more information, see
|
@@ -2556,9 +2134,8 @@ module Aws::SecretsManager
|
|
2556
2134
|
req.send_request(options)
|
2557
2135
|
end
|
2558
2136
|
|
2559
|
-
# Modifies
|
2560
|
-
#
|
2561
|
-
# To change the secret value, you can also use PutSecretValue.
|
2137
|
+
# Modifies the details of a secret, including metadata and the secret
|
2138
|
+
# value. To change the secret value, you can also use PutSecretValue.
|
2562
2139
|
#
|
2563
2140
|
# To change the rotation configuration of a secret, use RotateSecret
|
2564
2141
|
# instead.
|
@@ -2572,185 +2149,99 @@ module Aws::SecretsManager
|
|
2572
2149
|
# you create more versions than Secrets Manager removes, and you will
|
2573
2150
|
# reach the quota for secret versions.
|
2574
2151
|
#
|
2575
|
-
#
|
2576
|
-
#
|
2577
|
-
#
|
2578
|
-
#
|
2579
|
-
#
|
2580
|
-
#
|
2581
|
-
#
|
2582
|
-
#
|
2583
|
-
#
|
2584
|
-
#
|
2585
|
-
#
|
2586
|
-
#
|
2587
|
-
#
|
2588
|
-
#
|
2589
|
-
#
|
2590
|
-
#
|
2591
|
-
#
|
2592
|
-
#
|
2593
|
-
#
|
2594
|
-
#
|
2595
|
-
#
|
2596
|
-
#
|
2597
|
-
#
|
2598
|
-
#
|
2599
|
-
#
|
2600
|
-
#
|
2601
|
-
# Secrets Manager API call results in Amazon Web Services creating the
|
2602
|
-
# account's Amazon Web Services-managed CMK, it can result in a
|
2603
|
-
# one-time significant delay in returning the result.
|
2604
|
-
#
|
2605
|
-
# * If the secret resides in a different Amazon Web Services account
|
2606
|
-
# from the credentials calling an API that requires encryption or
|
2607
|
-
# decryption of the secret value then you must create and use a custom
|
2608
|
-
# Amazon Web Services KMS CMK because you can't access the default
|
2609
|
-
# CMK for the account using credentials from a different Amazon Web
|
2610
|
-
# Services account. Store the ARN of the CMK in the secret when you
|
2611
|
-
# create the secret or when you update it by including it in the
|
2612
|
-
# `KMSKeyId`. If you call an API that must encrypt or decrypt
|
2613
|
-
# `SecretString` or `SecretBinary` using credentials from a different
|
2614
|
-
# account then the Amazon Web Services KMS key policy must grant
|
2615
|
-
# cross-account access to that other account's user or role for both
|
2616
|
-
# the kms:GenerateDataKey and kms:Decrypt operations.
|
2617
|
-
#
|
2618
|
-
# </note>
|
2619
|
-
#
|
2620
|
-
# **Minimum permissions**
|
2621
|
-
#
|
2622
|
-
# To run this command, you must have the following permissions:
|
2623
|
-
#
|
2624
|
-
# * secretsmanager:UpdateSecret
|
2625
|
-
#
|
2626
|
-
# * kms:GenerateDataKey - needed only if you use a custom Amazon Web
|
2627
|
-
# Services KMS key to encrypt the secret. You do not need this
|
2628
|
-
# permission to use the account's Amazon Web Services managed CMK for
|
2629
|
-
# Secrets Manager.
|
2630
|
-
#
|
2631
|
-
# * kms:Decrypt - needed only if you use a custom Amazon Web Services
|
2632
|
-
# KMS key to encrypt the secret. You do not need this permission to
|
2633
|
-
# use the account's Amazon Web Services managed CMK for Secrets
|
2634
|
-
# Manager.
|
2635
|
-
#
|
2636
|
-
# **Related operations**
|
2637
|
-
#
|
2638
|
-
# * To create a new secret, use CreateSecret.
|
2639
|
-
#
|
2640
|
-
# * To add only a new version to an existing secret, use PutSecretValue.
|
2641
|
-
#
|
2642
|
-
# * To get the details for a secret, use DescribeSecret.
|
2643
|
-
#
|
2644
|
-
# * To list the versions contained in a secret, use
|
2645
|
-
# ListSecretVersionIds.
|
2152
|
+
# If you include `SecretString` or `SecretBinary` to create a new secret
|
2153
|
+
# version, Secrets Manager automatically attaches the staging label
|
2154
|
+
# `AWSCURRENT` to the new version.
|
2155
|
+
#
|
2156
|
+
# If you call this operation with a `VersionId` that matches an existing
|
2157
|
+
# version's `ClientRequestToken`, the operation results in an error.
|
2158
|
+
# You can't modify an existing version, you can only create a new
|
2159
|
+
# version. To remove a version, remove all staging labels from it. See
|
2160
|
+
# UpdateSecretVersionStage.
|
2161
|
+
#
|
2162
|
+
# If you don't specify an KMS encryption key, Secrets Manager uses the
|
2163
|
+
# Amazon Web Services managed key `aws/secretsmanager`. If this key
|
2164
|
+
# doesn't already exist in your account, then Secrets Manager creates
|
2165
|
+
# it for you automatically. All users and roles in the Amazon Web
|
2166
|
+
# Services account automatically have access to use
|
2167
|
+
# `aws/secretsmanager`. Creating `aws/secretsmanager` can result in a
|
2168
|
+
# one-time significant delay in returning the result.
|
2169
|
+
#
|
2170
|
+
# If the secret is in a different Amazon Web Services account from the
|
2171
|
+
# credentials calling the API, then you can't use `aws/secretsmanager`
|
2172
|
+
# to encrypt the secret, and you must create and use a customer managed
|
2173
|
+
# key.
|
2174
|
+
#
|
2175
|
+
# To run this command, you must have `secretsmanager:UpdateSecret`
|
2176
|
+
# permissions. If you use a customer managed key, you must also have
|
2177
|
+
# `kms:GenerateDataKey` and `kms:Decrypt` permissions .
|
2646
2178
|
#
|
2647
2179
|
# @option params [required, String] :secret_id
|
2648
|
-
#
|
2649
|
-
# add a new version. You can specify either the Amazon Resource Name
|
2650
|
-
# (ARN) or the friendly name of the secret.
|
2180
|
+
# The ARN or name of the secret.
|
2651
2181
|
#
|
2652
2182
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2653
2183
|
# partial ARN.
|
2654
2184
|
#
|
2655
2185
|
# @option params [String] :client_request_token
|
2656
|
-
#
|
2657
|
-
#
|
2658
|
-
#
|
2659
|
-
#
|
2660
|
-
# If you use the Amazon Web Services CLI or one of the Amazon Web
|
2661
|
-
# Services SDK to call this operation, then you can leave this parameter
|
2662
|
-
# empty. The CLI or SDK generates a random UUID for you and includes
|
2663
|
-
# that in the request. If you don't use the SDK and instead generate a
|
2664
|
-
# raw HTTP request to the Secrets Manager service endpoint, then you
|
2665
|
-
# must generate a `ClientRequestToken` yourself for new versions and
|
2666
|
-
# include that value in the request.
|
2667
|
-
#
|
2668
|
-
# You typically only need to interact with this value if you implement
|
2669
|
-
# your own retry logic and want to ensure that a given secret is not
|
2670
|
-
# created twice. We recommend that you generate a [UUID-type][1] value
|
2671
|
-
# to ensure uniqueness within the specified secret.
|
2672
|
-
#
|
2673
|
-
# Secrets Manager uses this value to prevent the accidental creation of
|
2674
|
-
# duplicate versions if there are failures and retries during the Lambda
|
2675
|
-
# rotation function's processing.
|
2186
|
+
# If you include `SecretString` or `SecretBinary`, then Secrets Manager
|
2187
|
+
# creates a new version for the secret, and this parameter specifies the
|
2188
|
+
# unique identifier for the new version.
|
2676
2189
|
#
|
2677
|
-
#
|
2678
|
-
#
|
2679
|
-
#
|
2680
|
-
#
|
2681
|
-
#
|
2682
|
-
#
|
2683
|
-
#
|
2190
|
+
# <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
|
2191
|
+
# Services SDKs to call this operation, then you can leave this
|
2192
|
+
# parameter empty. The CLI or SDK generates a random UUID for you and
|
2193
|
+
# includes it as the value for this parameter in the request. If you
|
2194
|
+
# don't use the SDK and instead generate a raw HTTP request to the
|
2195
|
+
# Secrets Manager service endpoint, then you must generate a
|
2196
|
+
# `ClientRequestToken` yourself for the new version and include the
|
2197
|
+
# value in the request.
|
2684
2198
|
#
|
2685
|
-
#
|
2686
|
-
# `SecretString` and `SecretBinary` values are different from the
|
2687
|
-
# request then an error occurs because you cannot modify an existing
|
2688
|
-
# secret value.
|
2199
|
+
# </note>
|
2689
2200
|
#
|
2690
2201
|
# This value becomes the `VersionId` of the new version.
|
2691
2202
|
#
|
2692
2203
|
# **A suitable default value is auto-generated.** You should normally
|
2693
2204
|
# not need to pass this option.**
|
2694
2205
|
#
|
2695
|
-
#
|
2696
|
-
#
|
2697
|
-
# [1]: https://wikipedia.org/wiki/Universally_unique_identifier
|
2698
|
-
#
|
2699
2206
|
# @option params [String] :description
|
2700
|
-
#
|
2701
|
-
# secret.
|
2207
|
+
# The description of the secret.
|
2702
2208
|
#
|
2703
2209
|
# @option params [String] :kms_key_id
|
2704
|
-
#
|
2705
|
-
#
|
2706
|
-
#
|
2707
|
-
#
|
2708
|
-
#
|
2709
|
-
# staging labels, see [Staging Labels][1] in the *Amazon Web Services
|
2710
|
-
# Secrets Manager User Guide*.
|
2210
|
+
# The ARN, key ID, or alias of the KMS key that Secrets Manager uses to
|
2211
|
+
# encrypt new secret versions as well as any existing versions the
|
2212
|
+
# staging labels `AWSCURRENT`, `AWSPENDING`, or `AWSPREVIOUS`. For more
|
2213
|
+
# information about versions and staging labels, see [Concepts:
|
2214
|
+
# Version][1].
|
2711
2215
|
#
|
2712
|
-
# You can only use the
|
2713
|
-
# you call this operation using credentials from
|
2714
|
-
#
|
2715
|
-
#
|
2716
|
-
#
|
2717
|
-
# secret and the
|
2216
|
+
# You can only use the Amazon Web Services managed key
|
2217
|
+
# `aws/secretsmanager` if you call this operation using credentials from
|
2218
|
+
# the same Amazon Web Services account that owns the secret. If the
|
2219
|
+
# secret is in a different account, then you must use a customer managed
|
2220
|
+
# key and provide the ARN of that KMS key in this field. The user making
|
2221
|
+
# the call must have permissions to both the secret and the KMS key in
|
2222
|
+
# their respective accounts.
|
2718
2223
|
#
|
2719
2224
|
#
|
2720
2225
|
#
|
2721
|
-
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/
|
2226
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html#term_version
|
2722
2227
|
#
|
2723
2228
|
# @option params [String, StringIO, File] :secret_binary
|
2724
|
-
#
|
2725
|
-
#
|
2726
|
-
#
|
2727
|
-
# file and then use the appropriate technique for your tool to pass the
|
2728
|
-
# contents of the file as a parameter. Either `SecretBinary` or
|
2729
|
-
# `SecretString` must have a value, but not both. They cannot both be
|
2730
|
-
# empty.
|
2229
|
+
# The binary data to encrypt and store in the new version of the secret.
|
2230
|
+
# We recommend that you store your binary data in a file and then pass
|
2231
|
+
# the contents of the file as a parameter.
|
2731
2232
|
#
|
2732
|
-
#
|
2733
|
-
#
|
2734
|
-
# @option params [String] :secret_string
|
2735
|
-
# (Optional) Specifies updated text data that you want to encrypt and
|
2736
|
-
# store in this new version of the secret. Either `SecretBinary` or
|
2737
|
-
# `SecretString` must have a value, but not both. They cannot both be
|
2738
|
-
# empty.
|
2739
|
-
#
|
2740
|
-
# If you create this secret by using the Secrets Manager console then
|
2741
|
-
# Secrets Manager puts the protected secret text in only the
|
2742
|
-
# `SecretString` parameter. The Secrets Manager console stores the
|
2743
|
-
# information as a JSON structure of key/value pairs that the default
|
2744
|
-
# Lambda rotation function knows how to parse.
|
2745
|
-
#
|
2746
|
-
# For storing multiple values, we recommend that you use a JSON text
|
2747
|
-
# string argument and specify key/value pairs. For more information, see
|
2748
|
-
# [Specifying parameter values for the Amazon Web Services CLI][1] in
|
2749
|
-
# the Amazon Web Services CLI User Guide.
|
2233
|
+
# Either `SecretBinary` or `SecretString` must have a value, but not
|
2234
|
+
# both.
|
2750
2235
|
#
|
2236
|
+
# You can't access this parameter in the Secrets Manager console.
|
2751
2237
|
#
|
2238
|
+
# @option params [String] :secret_string
|
2239
|
+
# The text data to encrypt and store in the new version of the secret.
|
2240
|
+
# We recommend you use a JSON structure of key/value pairs for your
|
2241
|
+
# secret value.
|
2752
2242
|
#
|
2753
|
-
#
|
2243
|
+
# Either `SecretBinary` or `SecretString` must have a value, but not
|
2244
|
+
# both.
|
2754
2245
|
#
|
2755
2246
|
# @return [Types::UpdateSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2756
2247
|
#
|
@@ -2834,18 +2325,17 @@ module Aws::SecretsManager
|
|
2834
2325
|
req.send_request(options)
|
2835
2326
|
end
|
2836
2327
|
|
2837
|
-
# Modifies the staging labels attached to a version of a secret.
|
2838
|
-
#
|
2839
|
-
# rotation process.
|
2840
|
-
#
|
2841
|
-
#
|
2842
|
-
#
|
2843
|
-
#
|
2844
|
-
#
|
2328
|
+
# Modifies the staging labels attached to a version of a secret. Secrets
|
2329
|
+
# Manager uses staging labels to track a version as it progresses
|
2330
|
+
# through the secret rotation process. Each staging label can be
|
2331
|
+
# attached to only one version at a time. To add a staging label to a
|
2332
|
+
# version when it is already attached to another version, Secrets
|
2333
|
+
# Manager first removes it from the other version first and then
|
2334
|
+
# attaches it to this one. For more information about versions and
|
2335
|
+
# staging labels, see [Concepts: Version][1].
|
2845
2336
|
#
|
2846
2337
|
# The staging labels that you specify in the `VersionStage` parameter
|
2847
|
-
# are added to the existing list of staging labels
|
2848
|
-
# it.
|
2338
|
+
# are added to the existing list of staging labels for the version.
|
2849
2339
|
#
|
2850
2340
|
# You can move the `AWSCURRENT` staging label to this version by
|
2851
2341
|
# including it in this call.
|
@@ -2860,30 +2350,13 @@ module Aws::SecretsManager
|
|
2860
2350
|
# then the version is considered to be 'deprecated' and can be deleted
|
2861
2351
|
# by Secrets Manager.
|
2862
2352
|
#
|
2863
|
-
# **Minimum permissions**
|
2864
|
-
#
|
2865
|
-
# To run this command, you must have the following permissions:
|
2866
|
-
#
|
2867
|
-
# * secretsmanager:UpdateSecretVersionStage
|
2868
|
-
#
|
2869
|
-
# ^
|
2870
|
-
#
|
2871
|
-
# **Related operations**
|
2872
|
-
#
|
2873
|
-
# * To get the list of staging labels that are currently associated with
|
2874
|
-
# a version of a secret, use ` DescribeSecret ` and examine the
|
2875
|
-
# `SecretVersionsToStages` response value.
|
2876
|
-
#
|
2877
|
-
# ^
|
2878
|
-
#
|
2879
2353
|
#
|
2880
2354
|
#
|
2881
|
-
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/
|
2355
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html#term_version
|
2882
2356
|
#
|
2883
2357
|
# @option params [required, String] :secret_id
|
2884
|
-
#
|
2885
|
-
#
|
2886
|
-
# (ARN) or the friendly name of the secret.
|
2358
|
+
# The ARN or the name of the secret with the version and staging
|
2359
|
+
# labelsto modify.
|
2887
2360
|
#
|
2888
2361
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2889
2362
|
# partial ARN.
|
@@ -2892,18 +2365,16 @@ module Aws::SecretsManager
|
|
2892
2365
|
# The staging label to add to this version.
|
2893
2366
|
#
|
2894
2367
|
# @option params [String] :remove_from_version_id
|
2895
|
-
#
|
2896
|
-
#
|
2897
|
-
#
|
2898
|
-
#
|
2899
|
-
#
|
2900
|
-
#
|
2901
|
-
# operation fails.
|
2368
|
+
# The ID of the version that the staging label is to be removed from. If
|
2369
|
+
# the staging label you are trying to attach to one version is already
|
2370
|
+
# attached to a different version, then you must include this parameter
|
2371
|
+
# and specify the version that the label is to be removed from. If the
|
2372
|
+
# label is attached and you either do not specify this parameter, or the
|
2373
|
+
# version ID does not match, then the operation fails.
|
2902
2374
|
#
|
2903
2375
|
# @option params [String] :move_to_version_id
|
2904
|
-
#
|
2905
|
-
#
|
2906
|
-
# specify this parameter.
|
2376
|
+
# The ID of the version to add the staging label to. To remove a label
|
2377
|
+
# from a version, then do not specify this parameter.
|
2907
2378
|
#
|
2908
2379
|
# If the staging label is already attached to a different version of the
|
2909
2380
|
# secret, then you must also specify the `RemoveFromVersionId`
|
@@ -2992,53 +2463,36 @@ module Aws::SecretsManager
|
|
2992
2463
|
req.send_request(options)
|
2993
2464
|
end
|
2994
2465
|
|
2995
|
-
# Validates that
|
2996
|
-
# principals access to your secret.
|
2997
|
-
#
|
2998
|
-
# breaks for better readability. Submit your input as a single line JSON
|
2999
|
-
# string. A resource-based policy is optional for secrets.
|
2466
|
+
# Validates that a resource policy does not grant a wide range of
|
2467
|
+
# principals access to your secret. A resource-based policy is optional
|
2468
|
+
# for secrets.
|
3000
2469
|
#
|
3001
|
-
# The API performs three checks when validating the
|
2470
|
+
# The API performs three checks when validating the policy:
|
3002
2471
|
#
|
3003
2472
|
# * Sends a call to [Zelkova][1], an automated reasoning engine, to
|
3004
|
-
# ensure your
|
3005
|
-
# secret.
|
2473
|
+
# ensure your resource policy does not allow broad access to your
|
2474
|
+
# secret, for example policies that use a wildcard for the principal.
|
3006
2475
|
#
|
3007
2476
|
# * Checks for correct syntax in a policy.
|
3008
2477
|
#
|
3009
2478
|
# * Verifies the policy does not lock out a caller.
|
3010
2479
|
#
|
3011
|
-
# **Minimum Permissions**
|
3012
|
-
#
|
3013
|
-
# You must have the permissions required to access the following APIs:
|
3014
|
-
#
|
3015
|
-
# * `secretsmanager:PutResourcePolicy`
|
3016
|
-
#
|
3017
|
-
# * `secretsmanager:ValidateResourcePolicy`
|
3018
|
-
#
|
3019
2480
|
#
|
3020
2481
|
#
|
3021
2482
|
# [1]: https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/
|
3022
2483
|
#
|
3023
2484
|
# @option params [String] :secret_id
|
3024
|
-
#
|
3025
|
-
# you want to validate. You can specify either the Amazon Resource Name
|
3026
|
-
# (ARN) or the friendly name of the secret.
|
3027
|
-
#
|
3028
|
-
# For an ARN, we recommend that you specify a complete ARN rather than a
|
3029
|
-
# partial ARN.
|
2485
|
+
# This field is reserved for internal use.
|
3030
2486
|
#
|
3031
2487
|
# @option params [required, String] :resource_policy
|
3032
|
-
# A JSON-formatted string
|
3033
|
-
#
|
3034
|
-
#
|
3035
|
-
#
|
3036
|
-
# various command line tool environments, see [Using JSON for
|
3037
|
-
# Parameters][1] in the *CLI User Guide*.publi
|
2488
|
+
# A JSON-formatted string that contains an Amazon Web Services
|
2489
|
+
# resource-based policy. The policy in the string identifies who can
|
2490
|
+
# access or manage this secret and its versions. For example policies,
|
2491
|
+
# see [Permissions policy examples][1].
|
3038
2492
|
#
|
3039
2493
|
#
|
3040
2494
|
#
|
3041
|
-
# [1]:
|
2495
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
|
3042
2496
|
#
|
3043
2497
|
# @return [Types::ValidateResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
3044
2498
|
#
|
@@ -3098,7 +2552,7 @@ module Aws::SecretsManager
|
|
3098
2552
|
params: params,
|
3099
2553
|
config: config)
|
3100
2554
|
context[:gem_name] = 'aws-sdk-secretsmanager'
|
3101
|
-
context[:gem_version] = '1.
|
2555
|
+
context[:gem_version] = '1.55.0'
|
3102
2556
|
Seahorse::Client::Request.new(handlers, context)
|
3103
2557
|
end
|
3104
2558
|
|