aws-sdk-secretsmanager 1.51.0 → 1.55.0

@@ -27,6 +27,7 @@ require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
27
27
  require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
28
28
  require 'aws-sdk-core/plugins/transfer_encoding.rb'
29
29
  require 'aws-sdk-core/plugins/http_checksum.rb'
30
+ require 'aws-sdk-core/plugins/defaults_mode.rb'
30
31
  require 'aws-sdk-core/plugins/signature_v4.rb'
31
32
  require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
32
33
 
@@ -73,6 +74,7 @@ module Aws::SecretsManager
73
74
  add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
74
75
  add_plugin(Aws::Plugins::TransferEncoding)
75
76
  add_plugin(Aws::Plugins::HttpChecksum)
77
+ add_plugin(Aws::Plugins::DefaultsMode)
76
78
  add_plugin(Aws::Plugins::SignatureV4)
77
79
  add_plugin(Aws::Plugins::Protocols::JsonRpc)
78
80
 
@@ -119,7 +121,9 @@ module Aws::SecretsManager
119
121
  # * EC2/ECS IMDS instance profile - When used by default, the timeouts
120
122
  # are very aggressive. Construct and pass an instance of
121
123
  # `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
122
- # enable retries and extended timeouts.
124
+ # enable retries and extended timeouts. Instance profile credential
125
+ # fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
126
+ # to true.
123
127
  #
124
128
  # @option options [required, String] :region
125
129
  # The AWS region to connect to. The configured `:region` is
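Review bot: The added sentence says to set ENV['AWS_EC2_METADATA_DISABLED'] "to true", but environment variables are always strings, so the comment should name the literal value, for example `# to the string 'true'.` The exact spelling the SDK accepts should be confirmed against aws-sdk-core before the wording is fixed. The unchanged line just above still spells the class `Aws::InstanceProfileCredentails`; since this paragraph is being edited anyway, correct it to `Aws::InstanceProfileCredentials` so readers can find the class. The comment block continues outside the hunk.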
@@ -173,6 +177,10 @@ module Aws::SecretsManager
173
177
  # Used only in `standard` and adaptive retry modes. Specifies whether to apply
174
178
  # a clock skew correction and retry requests with skewed client clocks.
175
179
  #
180
+ # @option options [String] :defaults_mode ("legacy")
181
+ # See {Aws::DefaultsModeConfiguration} for a list of the
182
+ # accepted modes and the configuration defaults that are included.
183
+ #
176
184
  # @option options [Boolean] :disable_host_prefix_injection (false)
177
185
  # Set to true to disable SDK automatically adding host prefix
178
186
  # to default service endpoint when available.
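Review bot: The `:defaults_mode` option documented here, together with the `require 'aws-sdk-core/plugins/defaults_mode.rb'` and `add_plugin(Aws::Plugins::DefaultsMode)` lines added in the first two hunks, only loads against an aws-sdk-core release that ships that plugin, and no dependency constraint is visible in this diff. Confirm that the gemspec's minimum aws-sdk-core version was raised in the same release. Otherwise a bundle resolved against an older core would fail with a `LoadError` when the client file is required. It would also help to say in the option text that `"legacy"` keeps the previous timeout and retry defaults, if that is what {Aws::DefaultsModeConfiguration} specifies.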
@@ -285,6 +293,15 @@ module Aws::SecretsManager
285
293
  # ** Please note ** When response stubbing is enabled, no HTTP
286
294
  # requests are made, and retries are disabled.
287
295
  #
296
+ # @option options [Boolean] :use_dualstack_endpoint
297
+ # When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
298
+ # will be used if available.
299
+ #
300
+ # @option options [Boolean] :use_fips_endpoint
301
+ # When set to `true`, fips compatible endpoints will be used if available.
302
+ # When a `fips` region is used, the region is normalized and this config
303
+ # is set to `true`.
304
+ #
288
305
  # @option options [Boolean] :validate_params (true)
289
306
  # When `true`, request parameters are validated before
290
307
  # sending the request.
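Review bot: The new `:use_fips_endpoint` and `:use_dualstack_endpoint` entries give no default and do not say what happens when no matching endpoint exists, unlike the neighbouring `:validate_params (true)`. For callers who enable FIPS endpoints to meet a compliance requirement, "if available" leaves open whether the client raises or quietly uses the standard endpoint. The comment should state which, once confirmed against the endpoint resolution in aws-sdk-core, for example `# When no FIPS endpoint exists for the region, <behaviour to confirm>.` Adding the default in the tag line, as the other Boolean options do, would also keep the block consistent.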
@@ -296,7 +313,7 @@ module Aws::SecretsManager
296
313
  # seconds to wait when opening a HTTP session before raising a
297
314
  # `Timeout::Error`.
298
315
  #
299
- # @option options [Integer] :http_read_timeout (60) The default
316
+ # @option options [Float] :http_read_timeout (60) The default
300
317
  # number of seconds to wait for response data. This value can
301
318
  # safely be set per-request on the session.
302
319
  #
@@ -312,6 +329,9 @@ module Aws::SecretsManager
312
329
  # disables this behaviour. This value can safely be set per
313
330
  # request on the session.
314
331
  #
332
+ # @option options [Float] :ssl_timeout (nil) Sets the SSL timeout
333
+ # in seconds.
334
+ #
315
335
  # @option options [Boolean] :http_wire_trace (false) When `true`,
316
336
  # HTTP debug output will be sent to the `:logger`.
317
337
  #
@@ -337,60 +357,23 @@ module Aws::SecretsManager
337
357
 
338
358
  # @!group API Operations
339
359
 
340
- # Disables automatic scheduled rotation and cancels the rotation of a
341
- # secret if currently in progress.
342
- #
343
- # To re-enable scheduled rotation, call RotateSecret with
344
- # `AutomaticallyRotateAfterDays` set to a value greater than 0. This
345
- # immediately rotates your secret and then enables the automatic
346
- # schedule.
347
- #
348
- # <note markdown="1"> If you cancel a rotation while in progress, it can leave the
349
- # `VersionStage` labels in an unexpected state. Depending on the step of
350
- # the rotation in progress, you might need to remove the staging label
351
- # `AWSPENDING` from the partially created version, specified by the
352
- # `VersionId` response value. You should also evaluate the partially
353
- # rotated new version to see if it should be deleted, which you can do
354
- # by removing all staging labels from the new version `VersionStage`
355
- # field.
356
- #
357
- # </note>
358
- #
359
- # To successfully start a rotation, the staging label `AWSPENDING` must
360
- # be in one of the following states:
361
- #
362
- # * Not attached to any version at all
363
- #
364
- # * Attached to the same version as the staging label `AWSCURRENT`
365
- #
366
- # If the staging label `AWSPENDING` attached to a different version than
367
- # the version with `AWSCURRENT` then the attempt to rotate fails.
368
- #
369
- # **Minimum permissions**
370
- #
371
- # To run this command, you must have the following permissions:
372
- #
373
- # * secretsmanager:CancelRotateSecret
374
- #
375
- # ^
376
- #
377
- # **Related operations**
360
+ # Turns off automatic rotation, and if a rotation is currently in
361
+ # progress, cancels the rotation.
378
362
  #
379
- # * To configure rotation for a secret or to manually trigger a
380
- # rotation, use RotateSecret.
363
+ # To turn on automatic rotation again, call RotateSecret.
381
364
  #
382
- # * To get the rotation configuration details for a secret, use
383
- # DescribeSecret.
365
+ # <note markdown="1"> If you cancel a rotation in progress, it can leave the `VersionStage`
366
+ # labels in an unexpected state. Depending on the step of the rotation
367
+ # in progress, you might need to remove the staging label `AWSPENDING`
368
+ # from the partially created version, specified by the `VersionId`
369
+ # response value. We recommend you also evaluate the partially rotated
370
+ # new version to see if it should be deleted. You can delete a version
371
+ # by removing all staging labels from it.
384
372
  #
385
- # * To list all of the currently available secrets, use ListSecrets.
386
- #
387
- # * To list all of the versions currently associated with a secret, use
388
- # ListSecretVersionIds.
373
+ # </note>
389
374
  #
390
375
  # @option params [required, String] :secret_id
391
- # Specifies the secret to cancel a rotation request. You can specify
392
- # either the Amazon Resource Name (ARN) or the friendly name of the
393
- # secret.
376
+ # The ARN or name of the secret.
394
377
  #
395
378
  # For an ARN, we recommend that you specify a complete ARN rather than a
396
379
  # partial ARN.
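Review bot: The rewritten description no longer names the IAM action this call needs; the removed lines listed `secretsmanager:CancelRotateSecret` under "Minimum permissions". The same section is dropped in the later hunks for creating a secret, deleting a resource policy, deleting a secret, describing a secret and generating a random password. If these comments are generated from the service model, the fix belongs upstream. Otherwise consider keeping a one-line pointer such as `# Required permission: secretsmanager:CancelRotateSecret`, so that authors of least-privilege policies can still scope the action from the method documentation. The method body itself is outside the hunk.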
@@ -439,119 +422,64 @@ module Aws::SecretsManager
439
422
  req.send_request(options)
440
423
  end
441
424
 
442
- # Creates a new secret. A secret in Secrets Manager consists of both the
443
- # protected secret data and the important information needed to manage
444
- # the secret.
445
- #
446
- # Secrets Manager stores the encrypted secret data in one of a
447
- # collection of "versions" associated with the secret. Each version
448
- # contains a copy of the encrypted secret data. Each version is
449
- # associated with one or more "staging labels" that identify where the
450
- # version is in the rotation cycle. The `SecretVersionsToStages` field
451
- # of the secret contains the mapping of staging labels to the active
452
- # versions of the secret. Versions without a staging label are
453
- # considered deprecated and not included in the list.
454
- #
455
- # You provide the secret data to be encrypted by putting text in either
456
- # the `SecretString` parameter or binary data in the `SecretBinary`
425
+ # Creates a new secret. A *secret* is a set of credentials, such as a
426
+ # user name and password, that you store in an encrypted form in Secrets
427
+ # Manager. The secret also includes the connection information to access
428
+ # a database or other service, which Secrets Manager doesn't encrypt. A
429
+ # secret in Secrets Manager consists of both the protected secret data
430
+ # and the important information needed to manage the secret.
431
+ #
432
+ # For information about creating a secret in the console, see [Create a
433
+ # secret][1].
434
+ #
435
+ # To create a secret, you can provide the secret value to be encrypted
436
+ # in either the `SecretString` parameter or the `SecretBinary`
457
437
  # parameter, but not both. If you include `SecretString` or
458
- # `SecretBinary` then Secrets Manager also creates an initial secret
459
- # version and automatically attaches the staging label `AWSCURRENT` to
460
- # the new version.
461
- #
462
- # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
463
- # `SecretBinary` for a secret in the same account as the calling user
464
- # and that secret doesn't specify a Amazon Web Services KMS
465
- # encryption key, Secrets Manager uses the account's default Amazon
466
- # Web Services managed customer master key (CMK) with the alias
467
- # `aws/secretsmanager`. If this key doesn't already exist in your
468
- # account then Secrets Manager creates it for you automatically. All
469
- # users and roles in the same Amazon Web Services account
470
- # automatically have access to use the default CMK. Note that if an
471
- # Secrets Manager API call results in Amazon Web Services creating the
472
- # account's Amazon Web Services-managed CMK, it can result in a
473
- # one-time significant delay in returning the result.
474
- #
475
- # * If the secret resides in a different Amazon Web Services account
476
- # from the credentials calling an API that requires encryption or
477
- # decryption of the secret value then you must create and use a custom
478
- # Amazon Web Services KMS CMK because you can't access the default
479
- # CMK for the account using credentials from a different Amazon Web
480
- # Services account. Store the ARN of the CMK in the secret when you
481
- # create the secret or when you update it by including it in the
482
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
483
- # `SecretString` or `SecretBinary` using credentials from a different
484
- # account then the Amazon Web Services KMS key policy must grant
485
- # cross-account access to that other account's user or role for both
486
- # the kms:GenerateDataKey and kms:Decrypt operations.
487
- #
488
- # </note>
489
- #
490
- #
491
- #
492
- # **Minimum permissions**
493
- #
494
- # To run this command, you must have the following permissions:
495
- #
496
- # * secretsmanager:CreateSecret
497
- #
498
- # * kms:GenerateDataKey - needed only if you use a customer-managed
499
- # Amazon Web Services KMS key to encrypt the secret. You do not need
500
- # this permission to use the account default Amazon Web Services
501
- # managed CMK for Secrets Manager.
502
- #
503
- # * kms:Decrypt - needed only if you use a customer-managed Amazon Web
504
- # Services KMS key to encrypt the secret. You do not need this
505
- # permission to use the account default Amazon Web Services managed
506
- # CMK for Secrets Manager.
507
- #
508
- # * secretsmanager:TagResource - needed only if you include the `Tags`
509
- # parameter.
438
+ # `SecretBinary` then Secrets Manager creates an initial secret version
439
+ # and automatically attaches the staging label `AWSCURRENT` to it.
510
440
  #
511
- # **Related operations**
441
+ # If you don't specify an KMS encryption key, Secrets Manager uses the
442
+ # Amazon Web Services managed key `aws/secretsmanager`. If this key
443
+ # doesn't already exist in your account, then Secrets Manager creates
444
+ # it for you automatically. All users and roles in the Amazon Web
445
+ # Services account automatically have access to use
446
+ # `aws/secretsmanager`. Creating `aws/secretsmanager` can result in a
447
+ # one-time significant delay in returning the result.
512
448
  #
513
- # * To delete a secret, use DeleteSecret.
449
+ # If the secret is in a different Amazon Web Services account from the
450
+ # credentials calling the API, then you can't use `aws/secretsmanager`
451
+ # to encrypt the secret, and you must create and use a customer managed
452
+ # KMS key.
514
453
  #
515
- # * To modify an existing secret, use UpdateSecret.
516
454
  #
517
- # * To create a new version of a secret, use PutSecretValue.
518
455
  #
519
- # * To retrieve the encrypted secure string and secure binary values,
520
- # use GetSecretValue.
521
- #
522
- # * To retrieve all other details for a secret, use DescribeSecret. This
523
- # does not include the encrypted secure string and secure binary
524
- # values.
525
- #
526
- # * To retrieve the list of secret versions associated with the current
527
- # secret, use DescribeSecret and examine the `SecretVersionsToStages`
528
- # response value.
456
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html
529
457
  #
530
458
  # @option params [required, String] :name
531
- # Specifies the friendly name of the new secret.
459
+ # The name of the new secret.
532
460
  #
533
- # The secret name must be ASCII letters, digits, or the following
534
- # characters : /\_+=.@-
461
+ # The secret name can contain ASCII letters, numbers, and the following
462
+ # characters: /\_+=.@-
535
463
  #
536
- # <note markdown="1"> Do not end your secret name with a hyphen followed by six characters.
464
+ # Do not end your secret name with a hyphen followed by six characters.
537
465
  # If you do so, you risk confusion and unexpected results when searching
538
466
  # for a secret by partial ARN. Secrets Manager automatically adds a
539
- # hyphen and six random characters at the end of the ARN.
540
- #
541
- # </note>
467
+ # hyphen and six random characters after the secret name at the end of
468
+ # the ARN.
542
469
  #
543
470
  # @option params [String] :client_request_token
544
- # (Optional) If you include `SecretString` or `SecretBinary`, then an
545
- # initial version is created as part of the secret, and this parameter
546
- # specifies a unique identifier for the new version.
471
+ # If you include `SecretString` or `SecretBinary`, then Secrets Manager
472
+ # creates an initial version for the secret, and this parameter
473
+ # specifies the unique identifier for the new version.
547
474
  #
548
475
  # <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
549
- # Services SDK to call this operation, then you can leave this parameter
550
- # empty. The CLI or SDK generates a random UUID for you and includes it
551
- # as the value for this parameter in the request. If you don't use the
552
- # SDK and instead generate a raw HTTP request to the Secrets Manager
553
- # service endpoint, then you must generate a `ClientRequestToken`
554
- # yourself for the new version and include the value in the request.
476
+ # Services SDKs to call this operation, then you can leave this
477
+ # parameter empty. The CLI or SDK generates a random UUID for you and
478
+ # includes it as the value for this parameter in the request. If you
479
+ # don't use the SDK and instead generate a raw HTTP request to the
480
+ # Secrets Manager service endpoint, then you must generate a
481
+ # `ClientRequestToken` yourself for the new version and include the
482
+ # value in the request.
555
483
  #
556
484
  # </note>
557
485
  #
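Review bot: `# If you don't specify an KMS encryption key` should read `a KMS encryption key`. The new paragraph also states that all users and roles in the account can use `aws/secretsmanager`, but it drops the removed text's requirement that, for cross-account access, the key policy grant `kms:GenerateDataKey` and `kms:Decrypt` to the other account's user or role. If that requirement still holds, keep one sentence for it next to "you must create and use a customer managed KMS key". It would also help to say on `:kms_key_id` that a customer managed key is the option when use of the key has to be restricted by key policy.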
@@ -584,99 +512,79 @@ module Aws::SecretsManager
584
512
  # [1]: https://wikipedia.org/wiki/Universally_unique_identifier
585
513
  #
586
514
  # @option params [String] :description
587
- # (Optional) Specifies a user-provided description of the secret.
515
+ # The description of the secret.
588
516
  #
589
517
  # @option params [String] :kms_key_id
590
- # (Optional) Specifies the ARN, Key ID, or alias of the Amazon Web
591
- # Services KMS customer master key (CMK) to be used to encrypt the
592
- # `SecretString` or `SecretBinary` values in the versions stored in this
593
- # secret.
518
+ # The ARN, key ID, or alias of the KMS key that Secrets Manager uses to
519
+ # encrypt the secret value in the secret.
594
520
  #
595
- # You can specify any of the supported ways to identify a Amazon Web
596
- # Services KMS key ID. If you need to reference a CMK in a different
597
- # account, you can use only the key ARN or the alias ARN.
521
+ # To use a KMS key in a different account, use the key ARN or the alias
522
+ # ARN.
598
523
  #
599
- # If you don't specify this value, then Secrets Manager defaults to
600
- # using the Amazon Web Services account's default CMK (the one named
601
- # `aws/secretsmanager`). If a Amazon Web Services KMS CMK with that name
602
- # doesn't yet exist, then Secrets Manager creates it for you
603
- # automatically the first time it needs to encrypt a version's
604
- # `SecretString` or `SecretBinary` fields.
524
+ # If you don't specify this value, then Secrets Manager uses the key
525
+ # `aws/secretsmanager`. If that key doesn't yet exist, then Secrets
526
+ # Manager creates it for you automatically the first time it encrypts
527
+ # the secret value.
605
528
  #
606
- # You can use the account default CMK to encrypt and decrypt only if you
607
- # call this operation using credentials from the same account that owns
608
- # the secret. If the secret resides in a different account, then you
609
- # must create a custom CMK and specify the ARN in this field.
529
+ # If the secret is in a different Amazon Web Services account from the
530
+ # credentials calling the API, then you can't use `aws/secretsmanager`
531
+ # to encrypt the secret, and you must create and use a customer managed
532
+ # KMS key.
610
533
  #
611
534
  # @option params [String, StringIO, File] :secret_binary
612
- # (Optional) Specifies binary data that you want to encrypt and store in
613
- # the new version of the secret. To use this parameter in the
614
- # command-line tools, we recommend that you store your binary data in a
615
- # file and then use the appropriate technique for your tool to pass the
616
- # contents of the file as a parameter.
535
+ # The binary data to encrypt and store in the new version of the secret.
536
+ # We recommend that you store your binary data in a file and then pass
537
+ # the contents of the file as a parameter.
617
538
  #
618
539
  # Either `SecretString` or `SecretBinary` must have a value, but not
619
- # both. They cannot both be empty.
540
+ # both.
620
541
  #
621
- # This parameter is not available using the Secrets Manager console. It
622
- # can be accessed only by using the Amazon Web Services CLI or one of
623
- # the Amazon Web Services SDKs.
542
+ # This parameter is not available in the Secrets Manager console.
624
543
  #
625
544
  # @option params [String] :secret_string
626
- # (Optional) Specifies text data that you want to encrypt and store in
627
- # this new version of the secret.
545
+ # The text data to encrypt and store in this new version of the secret.
546
+ # We recommend you use a JSON structure of key/value pairs for your
547
+ # secret value.
628
548
  #
629
549
  # Either `SecretString` or `SecretBinary` must have a value, but not
630
- # both. They cannot both be empty.
550
+ # both.
631
551
  #
632
552
  # If you create a secret by using the Secrets Manager console then
633
553
  # Secrets Manager puts the protected secret text in only the
634
554
  # `SecretString` parameter. The Secrets Manager console stores the
635
- # information as a JSON structure of key/value pairs that the Lambda
636
- # rotation function knows how to parse.
637
- #
638
- # For storing multiple values, we recommend that you use a JSON text
639
- # string argument and specify key/value pairs. For more information, see
640
- # [Specifying parameter values for the Amazon Web Services CLI][1] in
641
- # the Amazon Web Services CLI User Guide.
642
- #
643
- #
644
- #
645
- # [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters.html
555
+ # information as a JSON structure of key/value pairs that a Lambda
556
+ # rotation function can parse.
646
557
  #
647
558
  # @option params [Array<Types::Tag>] :tags
648
- # (Optional) Specifies a list of user-defined tags that are attached to
649
- # the secret. Each tag is a "Key" and "Value" pair of strings. This
650
- # operation only appends tags to the existing list of tags. To remove
651
- # tags, you must use UntagResource.
559
+ # A list of tags to attach to the secret. Each tag is a key and value
560
+ # pair of strings in a JSON text string, for example:
652
561
  #
653
- # * Secrets Manager tag key names are case sensitive. A tag with the key
654
- # "ABC" is a different tag from one with key "abc".
562
+ # `[\{"Key":"CostCenter","Value":"12345"\},\{"Key":"environment","Value":"production"\}]`
655
563
  #
656
- # * If you check tags in IAM policy `Condition` elements as part of your
657
- # security strategy, then adding or removing a tag can change
658
- # permissions. If the successful completion of this operation would
659
- # result in you losing your permissions for this secret, then this
660
- # operation is blocked and returns an `Access Denied` error.
564
+ # Secrets Manager tag key names are case sensitive. A tag with the key
565
+ # "ABC" is a different tag from one with key "abc".
661
566
  #
662
- # This parameter requires a JSON text string argument. For information
663
- # on how to format a JSON parameter for the various command line tool
664
- # environments, see [Using JSON for Parameters][1] in the *CLI User
665
- # Guide*. For example:
567
+ # If you check tags in permissions policies as part of your security
568
+ # strategy, then adding or removing a tag can change permissions. If the
569
+ # completion of this operation would result in you losing your
570
+ # permissions for this secret, then Secrets Manager blocks the operation
571
+ # and returns an `Access Denied` error. For more information, see
572
+ # [Control access to secrets using tags][1] and [Limit access to
573
+ # identities with tags that match secrets' tags][2].
666
574
  #
667
- # `[\{"Key":"CostCenter","Value":"12345"\},\{"Key":"environment","Value":"production"\}]`
668
- #
669
- # If your command-line tool or SDK requires quotation marks around the
575
+ # For information about how to format a JSON parameter for the various
576
+ # command line tool environments, see [Using JSON for Parameters][3]. If
577
+ # your command-line tool or SDK requires quotation marks around the
670
578
  # parameter, you should use single quotes to avoid confusion with the
671
579
  # double quotes required in the JSON text.
672
580
  #
673
- # The following basic restrictions apply to tags:
581
+ # The following restrictions apply to tags:
674
582
  #
675
- # * Maximum number of tags per secret50
583
+ # * Maximum number of tags per secret: 50
676
584
  #
677
- # * Maximum key length127 Unicode characters in UTF-8
585
+ # * Maximum key length: 127 Unicode characters in UTF-8
678
586
  #
679
- # * Maximum value length255 Unicode characters in UTF-8
587
+ # * Maximum value length: 255 Unicode characters in UTF-8
680
588
  #
681
589
  # * Tag keys and values are case sensitive.
682
590
  #
@@ -686,23 +594,23 @@ module Aws::SecretsManager
686
594
  # with this prefix do not count against your tags per secret limit.
687
595
  #
688
596
  # * If you use your tagging schema across multiple services and
689
- # resources, remember other services might have restrictions on
690
- # allowed characters. Generally allowed characters: letters, spaces,
691
- # and numbers representable in UTF-8, plus the following special
597
+ # resources, other services might have restrictions on allowed
598
+ # characters. Generally allowed characters: letters, spaces, and
599
+ # numbers representable in UTF-8, plus the following special
692
600
  # characters: + - = . \_ : / @.
693
601
  #
694
602
  #
695
603
  #
696
- # [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
604
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac
605
+ # [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2
606
+ # [3]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
697
607
  #
698
608
  # @option params [Array<Types::ReplicaRegionType>] :add_replica_regions
699
- # (Optional) Add a list of regions to replicate secrets. Secrets Manager
700
- # replicates the KMSKeyID objects to the list of regions specified in
701
- # the parameter.
609
+ # A list of Regions and KMS keys to replicate secrets.
702
610
  #
703
611
  # @option params [Boolean] :force_overwrite_replica_secret
704
- # (Optional) If set, the replication overwrites a secret with the same
705
- # name in the destination region.
612
+ # Specifies whether to overwrite a secret with the same name in the
613
+ # destination Region.
706
614
  #
707
615
  # @return [Types::CreateSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
708
616
  #
@@ -777,28 +685,11 @@ module Aws::SecretsManager
777
685
  end
778
686
 
779
687
  # Deletes the resource-based permission policy attached to the secret.
780
- #
781
- # **Minimum permissions**
782
- #
783
- # To run this command, you must have the following permissions:
784
- #
785
- # * secretsmanager:DeleteResourcePolicy
786
- #
787
- # ^
788
- #
789
- # **Related operations**
790
- #
791
- # * To attach a resource policy to a secret, use PutResourcePolicy.
792
- #
793
- # * To retrieve the current resource-based policy attached to a secret,
794
- # use GetResourcePolicy.
795
- #
796
- # * To list all of the currently available secrets, use ListSecrets.
688
+ # To attach a policy to a secret, use PutResourcePolicy.
797
689
  #
798
690
  # @option params [required, String] :secret_id
799
- # Specifies the secret that you want to delete the attached
800
- # resource-based policy for. You can specify either the Amazon Resource
801
- # Name (ARN) or the friendly name of the secret.
691
+ # The ARN or name of the secret to delete the attached resource-based
692
+ # policy for.
802
693
  #
803
694
  # For an ARN, we recommend that you specify a complete ARN rather than a
804
695
  # partial ARN.
@@ -843,86 +734,62 @@ module Aws::SecretsManager
843
734
  req.send_request(options)
844
735
  end
845
736
 
846
- # Deletes an entire secret and all of the versions. You can optionally
847
- # include a recovery window during which you can restore the secret. If
848
- # you don't specify a recovery window value, the operation defaults to
849
- # 30 days. Secrets Manager attaches a `DeletionDate` stamp to the secret
850
- # that specifies the end of the recovery window. At the end of the
851
- # recovery window, Secrets Manager deletes the secret permanently.
852
- #
853
- # At any time before recovery window ends, you can use RestoreSecret to
854
- # remove the `DeletionDate` and cancel the deletion of the secret.
855
- #
856
- # You cannot access the encrypted secret information in any secret
857
- # scheduled for deletion. If you need to access that information, you
858
- # must cancel the deletion with RestoreSecret and then retrieve the
859
- # information.
860
- #
861
- # <note markdown="1"> * There is no explicit operation to delete a version of a secret.
862
- # Instead, remove all staging labels from the `VersionStage` field of
863
- # a version. That marks the version as deprecated and allows Secrets
864
- # Manager to delete it as needed. Versions without any staging labels
865
- # do not show up in ListSecretVersionIds unless you specify
866
- # `IncludeDeprecated`.
867
- #
868
- # * The permanent secret deletion at the end of the waiting period is
869
- # performed as a background task with low priority. There is no
870
- # guarantee of a specific time after the recovery window for the
871
- # actual delete operation to occur.
737
+ # Deletes a secret and all of its versions. You can specify a recovery
738
+ # window during which you can restore the secret. The minimum recovery
739
+ # window is 7 days. The default recovery window is 30 days. Secrets
740
+ # Manager attaches a `DeletionDate` stamp to the secret that specifies
741
+ # the end of the recovery window. At the end of the recovery window,
742
+ # Secrets Manager deletes the secret permanently.
872
743
  #
873
- # </note>
874
- #
875
- # **Minimum permissions**
744
+ # For information about deleting a secret in the console, see
745
+ # [https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage\_delete-secret.html][1].
876
746
  #
877
- # To run this command, you must have the following permissions:
747
+ # Secrets Manager performs the permanent secret deletion at the end of
748
+ # the waiting period as a background task with low priority. There is no
749
+ # guarantee of a specific time after the recovery window for the
750
+ # permanent delete to occur.
878
751
  #
879
- # * secretsmanager:DeleteSecret
752
+ # At any time before recovery window ends, you can use RestoreSecret to
753
+ # remove the `DeletionDate` and cancel the deletion of the secret.
880
754
  #
881
- # ^
755
+ # In a secret scheduled for deletion, you cannot access the encrypted
756
+ # secret value. To access that information, first cancel the deletion
757
+ # with RestoreSecret and then retrieve the information.
882
758
  #
883
- # **Related operations**
884
759
  #
885
- # * To create a secret, use CreateSecret.
886
760
  #
887
- # * To cancel deletion of a version of a secret before the recovery
888
- # window has expired, use RestoreSecret.
761
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-secret.html
889
762
  #
890
763
  # @option params [required, String] :secret_id
891
- # Specifies the secret to delete. You can specify either the Amazon
892
- # Resource Name (ARN) or the friendly name of the secret.
764
+ # The ARN or name of the secret to delete.
893
765
  #
894
766
  # For an ARN, we recommend that you specify a complete ARN rather than a
895
767
  # partial ARN.
896
768
  #
897
769
  # @option params [Integer] :recovery_window_in_days
898
- # (Optional) Specifies the number of days that Secrets Manager waits
899
- # before Secrets Manager can delete the secret. You can't use both this
900
- # parameter and the `ForceDeleteWithoutRecovery` parameter in the same
901
- # API call.
902
- #
903
- # This value can range from 7 to 30 days with a default value of 30.
770
+ # The number of days from 7 to 30 that Secrets Manager waits before
771
+ # permanently deleting the secret. You can't use both this parameter
772
+ # and `ForceDeleteWithoutRecovery` in the same call. If you don't use
773
+ # either, then Secrets Manager defaults to a 30 day recovery window.
904
774
  #
905
775
  # @option params [Boolean] :force_delete_without_recovery
906
- # (Optional) Specifies that the secret is to be deleted without any
907
- # recovery window. You can't use both this parameter and the
908
- # `RecoveryWindowInDays` parameter in the same API call.
776
+ # Specifies whether to delete the secret without any recovery window.
777
+ # You can't use both this parameter and `RecoveryWindowInDays` in the
778
+ # same call. If you don't use either, then Secrets Manager defaults to
779
+ # a 30 day recovery window.
909
780
  #
910
- # An asynchronous background process performs the actual deletion, so
911
- # there can be a short delay before the operation completes. If you
912
- # write code to delete and then immediately recreate a secret with the
913
- # same name, ensure that your code includes appropriate back off and
914
- # retry logic.
781
+ # Secrets Manager performs the actual deletion with an asynchronous
782
+ # background process, so there might be a short delay before the secret
783
+ # is permanently deleted. If you delete a secret and then immediately
784
+ # create a secret with the same name, use appropriate back off and retry
785
+ # logic.
915
786
  #
916
787
  # Use this parameter with caution. This parameter causes the operation
917
- # to skip the normal waiting period before the permanent deletion that
918
- # Amazon Web Services would normally impose with the
919
- # `RecoveryWindowInDays` parameter. If you delete a secret with the
920
- # `ForceDeleteWithouRecovery` parameter, then you have no opportunity to
921
- # recover the secret. You lose the secret permanently.
922
- #
923
- # If you use this parameter and include a previously deleted or
924
- # nonexistent secret, the operation does not return the error
925
- # `ResourceNotFoundException` in order to correctly handle retries.
788
+ # to skip the normal recovery window before the permanent deletion that
789
+ # Secrets Manager would normally impose with the `RecoveryWindowInDays`
790
+ # parameter. If you delete a secret with the `ForceDeleteWithouRecovery`
791
+ # parameter, then you have no opportunity to recover the secret. You
792
+ # lose the secret permanently.
926
793
  #
927
794
  # @return [Types::DeleteSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
928
795
  #
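Review bot: The rewritten `:force_delete_without_recovery` text still carries the misspelt parameter name `ForceDeleteWithouRecovery`; it should read `ForceDeleteWithoutRecovery`, as the `:recovery_window_in_days` entry above already does. The same rewrite drops the paragraph stating that a forced delete of a previously deleted or nonexistent secret does not return `ResourceNotFoundException`. Callers who treat a successful response as proof that the secret existed need that caveat, so keep it if the service behaviour is unchanged. The console link in the description uses the raw URL with an escaped underscore as its link text, where the other new links use a title such as `[Create a secret][1]`.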
@@ -973,33 +840,11 @@ module Aws::SecretsManager
973
840
  end
974
841
 
975
842
  # Retrieves the details of a secret. It does not include the encrypted
976
- # fields. Secrets Manager only returns fields populated with a value in
843
+ # secret value. Secrets Manager only returns fields that have a value in
977
844
  # the response.
978
845
  #
979
- # **Minimum permissions**
980
- #
981
- # To run this command, you must have the following permissions:
982
- #
983
- # * secretsmanager:DescribeSecret
984
- #
985
- # ^
986
- #
987
- # **Related operations**
988
- #
989
- # * To create a secret, use CreateSecret.
990
- #
991
- # * To modify a secret, use UpdateSecret.
992
- #
993
- # * To retrieve the encrypted secret information in a version of the
994
- # secret, use GetSecretValue.
995
- #
996
- # * To list all of the secrets in the Amazon Web Services account, use
997
- # ListSecrets.
998
- #
999
846
  # @option params [required, String] :secret_id
1000
- # The identifier of the secret whose details you want to retrieve. You
1001
- # can specify either the Amazon Resource Name (ARN) or the friendly name
1002
- # of the secret.
847
+ # The ARN or name of the secret.
1003
848
  #
1004
849
  # For an ARN, we recommend that you specify a complete ARN rather than a
1005
850
  # partial ARN.
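Review bot: The DescribeSecret comment loses its `**Minimum permissions**` block without a replacement, so the required IAM action `secretsmanager:DescribeSecret` is no longer stated anywhere in this doc comment. The GetRandomPassword, GetResourcePolicy, PutResourcePolicy and PutSecretValue hunks below drop their permission lists the same way, while GetSecretValue, ListSecretVersionIds and ListSecrets keep a one-sentence form. For least-privilege policy authoring I would keep that one-sentence form everywhere, here as ``# To run this command, you must have `secretsmanager:DescribeSecret` permissions.`` placed before the `@option params` lines. The method definition itself lies outside this hunk.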
@@ -1111,66 +956,45 @@ module Aws::SecretsManager
1111
956
  req.send_request(options)
1112
957
  end
1113
958
 
1114
- # Generates a random password of the specified complexity. This
1115
- # operation is intended for use in the Lambda rotation function. Per
1116
- # best practice, we recommend that you specify the maximum length and
1117
- # include every character type that the system you are generating a
1118
- # password for can support.
1119
- #
1120
- # **Minimum permissions**
1121
- #
1122
- # To run this command, you must have the following permissions:
1123
- #
1124
- # * secretsmanager:GetRandomPassword
1125
- #
1126
- # ^
959
+ # Generates a random password. We recommend that you specify the maximum
960
+ # length and include every character type that the system you are
961
+ # generating a password for can support.
1127
962
  #
1128
963
  # @option params [Integer] :password_length
1129
- # The desired length of the generated password. The default value if you
1130
- # do not include this parameter is 32 characters.
964
+ # The length of the password. If you don't include this parameter, the
965
+ # default length is 32 characters.
1131
966
  #
1132
967
  # @option params [String] :exclude_characters
1133
- # A string that includes characters that should not be included in the
1134
- # generated password. The default is that all characters from the
1135
- # included sets can be used.
968
+ # A string of the characters that you don't want in the password.
1136
969
  #
1137
970
  # @option params [Boolean] :exclude_numbers
1138
- # Specifies that the generated password should not include digits. The
1139
- # default if you do not include this switch parameter is that digits can
1140
- # be included.
971
+ # Specifies whether to exclude numbers from the password. If you don't
972
+ # include this switch, the password can contain numbers.
1141
973
  #
1142
974
  # @option params [Boolean] :exclude_punctuation
1143
- # Specifies that the generated password should not include punctuation
1144
- # characters. The default if you do not include this switch parameter is
1145
- # that punctuation characters can be included.
1146
- #
1147
- # The following are the punctuation characters that *can* be included in
1148
- # the generated password if you don't explicitly exclude them with
1149
- # `ExcludeCharacters` or `ExcludePunctuation`\:
1150
- #
1151
- # `` ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` \{ | \} ~
1152
- # ``
975
+ # Specifies whether to exclude the following punctuation characters from
976
+ # the password: `` ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _
977
+ # ` \{ | \} ~ ``. If you don't include this switch, the password can
978
+ # contain punctuation.
1153
979
  #
1154
980
  # @option params [Boolean] :exclude_uppercase
1155
- # Specifies that the generated password should not include uppercase
1156
- # letters. The default if you do not include this switch parameter is
1157
- # that uppercase letters can be included.
981
+ # Specifies whether to exclude uppercase letters from the password. If
982
+ # you don't include this switch, the password can contain uppercase
983
+ # letters.
1158
984
  #
1159
985
  # @option params [Boolean] :exclude_lowercase
1160
- # Specifies that the generated password should not include lowercase
1161
- # letters. The default if you do not include this switch parameter is
1162
- # that lowercase letters can be included.
986
+ # Specifies whether to exclude lowercase letters from the password. If
987
+ # you don't include this switch, the password can contain lowercase
988
+ # letters.
1163
989
  #
1164
990
  # @option params [Boolean] :include_space
1165
- # Specifies that the generated password can include the space character.
1166
- # The default if you do not include this switch parameter is that the
1167
- # space character is not included.
991
+ # Specifies whether to include the space character. If you include this
992
+ # switch, the password can contain space characters.
1168
993
  #
1169
994
  # @option params [Boolean] :require_each_included_type
1170
- # A boolean value that specifies whether the generated password must
1171
- # include at least one of every allowed character type. The default
1172
- # value is `True` and the operation requires at least one of every
1173
- # character type.
995
+ # Specifies whether to include at least one upper and lowercase letter,
996
+ # one number, and one punctuation. If you don't include this switch,
997
+ # the password contains at least one of every character type.
1174
998
  #
1175
999
  # @return [Types::GetRandomPasswordResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1176
1000
  #
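Review bot: The new `:require_each_included_type` text lists "one upper and lowercase letter, one number, and one punctuation" unconditionally, which reads wrongly when the caller also sets `:exclude_punctuation` or another exclude switch; the removed wording said "every allowed character type". I would phrase the first sentence as `# Specifies whether to include at least one character of every type that is not excluded.` and keep the sentence about the default. The removed sentence tying this operation to the Lambda rotation function is also gone, and the hunk does not show whether that is intentional.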
@@ -1220,31 +1044,17 @@ module Aws::SecretsManager
1220
1044
  end
1221
1045
 
1222
1046
  # Retrieves the JSON text of the resource-based policy document attached
1223
- # to the specified secret. The JSON request string input and response
1224
- # output displays formatted code with white space and line breaks for
1225
- # better readability. Submit your input as a single line JSON string.
1226
- #
1227
- # **Minimum permissions**
1228
- #
1229
- # To run this command, you must have the following permissions:
1230
- #
1231
- # * secretsmanager:GetResourcePolicy
1232
- #
1233
- # ^
1047
+ # to the secret. For more information about permissions policies
1048
+ # attached to a secret, see [Permissions policies attached to a
1049
+ # secret][1].
1234
1050
  #
1235
- # **Related operations**
1236
1051
  #
1237
- # * To attach a resource policy to a secret, use PutResourcePolicy.
1238
1052
  #
1239
- # * To delete the resource-based policy attached to a secret, use
1240
- # DeleteResourcePolicy.
1241
- #
1242
- # * To list all of the currently available secrets, use ListSecrets.
1053
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html
1243
1054
  #
1244
1055
  # @option params [required, String] :secret_id
1245
- # Specifies the secret that you want to retrieve the attached
1246
- # resource-based policy for. You can specify either the Amazon Resource
1247
- # Name (ARN) or the friendly name of the secret.
1056
+ # The ARN or name of the secret to retrieve the attached resource-based
1057
+ # policy for.
1248
1058
  #
1249
1059
  # For an ARN, we recommend that you specify a complete ARN rather than a
1250
1060
  # partial ARN.
@@ -1296,40 +1106,30 @@ module Aws::SecretsManager
1296
1106
  # `SecretBinary` from the specified version of a secret, whichever
1297
1107
  # contains content.
1298
1108
  #
1299
- # **Minimum permissions**
1300
- #
1301
- # To run this command, you must have the following permissions:
1302
- #
1303
- # * secretsmanager:GetSecretValue
1109
+ # For information about retrieving the secret value in the console, see
1110
+ # [Retrieve secrets][1].
1304
1111
  #
1305
- # * kms:Decrypt - required only if you use a customer-managed Amazon Web
1306
- # Services KMS key to encrypt the secret. You do not need this
1307
- # permission to use the account's default Amazon Web Services managed
1308
- # CMK for Secrets Manager.
1112
+ # To run this command, you must have `secretsmanager:GetSecretValue`
1113
+ # permissions. If the secret is encrypted using a customer-managed key
1114
+ # instead of the Amazon Web Services managed key `aws/secretsmanager`,
1115
+ # then you also need `kms:Decrypt` permissions for that key.
1309
1116
  #
1310
- # **Related operations**
1311
1117
  #
1312
- # * To create a new version of the secret with different encrypted
1313
- # information, use PutSecretValue.
1314
1118
  #
1315
- # * To retrieve the non-encrypted details for the secret, use
1316
- # DescribeSecret.
1119
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html
1317
1120
  #
1318
1121
  # @option params [required, String] :secret_id
1319
- # Specifies the secret containing the version that you want to retrieve.
1320
- # You can specify either the Amazon Resource Name (ARN) or the friendly
1321
- # name of the secret.
1122
+ # The ARN or name of the secret to retrieve.
1322
1123
  #
1323
1124
  # For an ARN, we recommend that you specify a complete ARN rather than a
1324
1125
  # partial ARN.
1325
1126
  #
1326
1127
  # @option params [String] :version_id
1327
- # Specifies the unique identifier of the version of the secret that you
1328
- # want to retrieve. If you specify both this parameter and
1329
- # `VersionStage`, the two parameters must refer to the same secret
1330
- # version. If you don't specify either a `VersionStage` or `VersionId`
1331
- # then the default is to perform the operation on the version with the
1332
- # `VersionStage` value of `AWSCURRENT`.
1128
+ # The unique identifier of the version of the secret to retrieve. If you
1129
+ # include both this parameter and `VersionStage`, the two parameters
1130
+ # must refer to the same secret version. If you don't specify either a
1131
+ # `VersionStage` or `VersionId`, then Secrets Manager returns the
1132
+ # `AWSCURRENT` version.
1333
1133
  #
1334
1134
  # This value is typically a [UUID-type][1] value with 32 hexadecimal
1335
1135
  # digits.
@@ -1339,15 +1139,13 @@ module Aws::SecretsManager
1339
1139
  # [1]: https://wikipedia.org/wiki/Universally_unique_identifier
1340
1140
  #
1341
1141
  # @option params [String] :version_stage
1342
- # Specifies the secret version that you want to retrieve by the staging
1343
- # label attached to the version.
1142
+ # The staging label of the version of the secret to retrieve.
1344
1143
  #
1345
- # Staging labels are used to keep track of different versions during the
1346
- # rotation process. If you specify both this parameter and `VersionId`,
1347
- # the two parameters must refer to the same secret version . If you
1348
- # don't specify either a `VersionStage` or `VersionId`, then the
1349
- # default is to perform the operation on the version with the
1350
- # `VersionStage` value of `AWSCURRENT`.
1144
+ # Secrets Manager uses staging labels to keep track of different
1145
+ # versions during the rotation process. If you include both this
1146
+ # parameter and `VersionId`, the two parameters must refer to the same
1147
+ # secret version. If you don't specify either a `VersionStage` or
1148
+ # `VersionId`, Secrets Manager returns the `AWSCURRENT` version.
1351
1149
  #
1352
1150
  # @return [Types::GetSecretValueResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1353
1151
  #
@@ -1411,66 +1209,40 @@ module Aws::SecretsManager
1411
1209
  req.send_request(options)
1412
1210
  end
1413
1211
 
1414
- # Lists all of the versions attached to the specified secret. The output
1415
- # does not include the `SecretString` or `SecretBinary` fields. By
1416
- # default, the list includes only versions that have at least one
1417
- # staging label in `VersionStage` attached.
1418
- #
1419
- # <note markdown="1"> Always check the `NextToken` response parameter when calling any of
1420
- # the `List*` operations. These operations can occasionally return an
1421
- # empty or shorter than expected list of results even when there more
1422
- # results become available. When this happens, the `NextToken` response
1423
- # parameter contains a value to pass to the next call to the same API to
1424
- # request the next part of the list.
1212
+ # Lists the versions for a secret.
1425
1213
  #
1426
- # </note>
1427
- #
1428
- # **Minimum permissions**
1429
- #
1430
- # To run this command, you must have the following permissions:
1431
- #
1432
- # * secretsmanager:ListSecretVersionIds
1214
+ # To list the secrets in the account, use ListSecrets.
1433
1215
  #
1434
- # ^
1216
+ # To get the secret value from `SecretString` or `SecretBinary`, call
1217
+ # GetSecretValue.
1435
1218
  #
1436
- # **Related operations**
1437
- #
1438
- # * To list the secrets in an account, use ListSecrets.
1219
+ # **Minimum permissions**
1439
1220
  #
1440
- # ^
1221
+ # To run this command, you must have
1222
+ # `secretsmanager:ListSecretVersionIds` permissions.
1441
1223
  #
1442
1224
  # @option params [required, String] :secret_id
1443
- # The identifier for the secret containing the versions you want to
1444
- # list. You can specify either the Amazon Resource Name (ARN) or the
1445
- # friendly name of the secret.
1225
+ # The ARN or name of the secret whose versions you want to list.
1446
1226
  #
1447
1227
  # For an ARN, we recommend that you specify a complete ARN rather than a
1448
1228
  # partial ARN.
1449
1229
  #
1450
1230
  # @option params [Integer] :max_results
1451
- # (Optional) Limits the number of results you want to include in the
1452
- # response. If you don't include this parameter, it defaults to a value
1453
- # that's specific to the operation. If additional items exist beyond
1454
- # the maximum you specify, the `NextToken` response element is present
1455
- # and has a value (isn't null). Include that value as the `NextToken`
1456
- # request parameter in the next call to the operation to get the next
1457
- # part of the results. Note that Secrets Manager might return fewer
1458
- # results than the maximum even when there are more results available.
1459
- # You should check `NextToken` after every operation to ensure that you
1460
- # receive all of the results.
1231
+ # The number of results to include in the response.
1232
+ #
1233
+ # If there are more results available, in the response, Secrets Manager
1234
+ # includes `NextToken`. To get the next results, call
1235
+ # `ListSecretVersionIds` again with the value from `NextToken`.
1461
1236
  #
1462
1237
  # @option params [String] :next_token
1463
- # (Optional) Use this parameter in a request if you receive a
1464
- # `NextToken` response in a previous request indicating there's more
1465
- # output available. In a subsequent call, set it to the value of the
1466
- # previous call `NextToken` response to indicate where the output should
1467
- # continue from.
1238
+ # A token that indicates where the output should continue from, if a
1239
+ # previous call did not show all results. To get the next results, call
1240
+ # `ListSecretVersionIds` again with this value.
1468
1241
  #
1469
1242
  # @option params [Boolean] :include_deprecated
1470
- # (Optional) Specifies that you want the results to include versions
1471
- # that do not have any staging labels attached to them. Such versions
1472
- # are considered deprecated and are subject to deletion by Secrets
1473
- # Manager as needed.
1243
+ # Specifies whether to include versions of secrets that don't have any
1244
+ # staging labels attached to them. Versions without staging labels are
1245
+ # considered deprecated and are subject to deletion by Secrets Manager.
1474
1246
  #
1475
1247
  # @return [Types::ListSecretVersionIdsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1476
1248
  #
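Review bot: The rewritten `:max_results` and `:next_token` text no longer says that a page can be empty or shorter than requested while more results exist, which the removed note and the removed `:max_results` paragraph both stated. Code that inventories secrets or versions and stops on a short page would miss entries, so the caveat is worth one line: `# A page can hold fewer results than requested; keep calling until the response has no NextToken.` The ListSecrets hunk that follows drops the same caveat. Whether service behaviour changed between the two versions is not visible here.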
@@ -1550,56 +1322,40 @@ module Aws::SecretsManager
1550
1322
  req.send_request(options)
1551
1323
  end
1552
1324
 
1553
- # Lists all of the secrets that are stored by Secrets Manager in the
1554
- # Amazon Web Services account. To list the versions currently stored for
1555
- # a specific secret, use ListSecretVersionIds. The encrypted fields
1556
- # `SecretString` and `SecretBinary` are not included in the output. To
1557
- # get that information, call the GetSecretValue operation.
1558
- #
1559
- # <note markdown="1"> Always check the `NextToken` response parameter when calling any of
1560
- # the `List*` operations. These operations can occasionally return an
1561
- # empty or shorter than expected list of results even when there more
1562
- # results become available. When this happens, the `NextToken` response
1563
- # parameter contains a value to pass to the next call to the same API to
1564
- # request the next part of the list.
1325
+ # Lists the secrets that are stored by Secrets Manager in the Amazon Web
1326
+ # Services account.
1565
1327
  #
1566
- # </note>
1328
+ # To list the versions of a secret, use ListSecretVersionIds.
1567
1329
  #
1568
- # **Minimum permissions**
1330
+ # To get the secret value from `SecretString` or `SecretBinary`, call
1331
+ # GetSecretValue.
1569
1332
  #
1570
- # To run this command, you must have the following permissions:
1333
+ # For information about finding secrets in the console, see [Enhanced
1334
+ # search capabilities for secrets in Secrets Manager][1].
1571
1335
  #
1572
- # * secretsmanager:ListSecrets
1336
+ # **Minimum permissions**
1573
1337
  #
1574
- # ^
1338
+ # To run this command, you must have `secretsmanager:ListSecrets`
1339
+ # permissions.
1575
1340
  #
1576
- # **Related operations**
1577
1341
  #
1578
- # * To list the versions attached to a secret, use ListSecretVersionIds.
1579
1342
  #
1580
- # ^
1343
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_search-secret.html
1581
1344
  #
1582
1345
  # @option params [Integer] :max_results
1583
- # (Optional) Limits the number of results you want to include in the
1584
- # response. If you don't include this parameter, it defaults to a value
1585
- # that's specific to the operation. If additional items exist beyond
1586
- # the maximum you specify, the `NextToken` response element is present
1587
- # and has a value (isn't null). Include that value as the `NextToken`
1588
- # request parameter in the next call to the operation to get the next
1589
- # part of the results. Note that Secrets Manager might return fewer
1590
- # results than the maximum even when there are more results available.
1591
- # You should check `NextToken` after every operation to ensure that you
1592
- # receive all of the results.
1346
+ # The number of results to include in the response.
1347
+ #
1348
+ # If there are more results available, in the response, Secrets Manager
1349
+ # includes `NextToken`. To get the next results, call `ListSecrets`
1350
+ # again with the value from `NextToken`.
1593
1351
  #
1594
1352
  # @option params [String] :next_token
1595
- # (Optional) Use this parameter in a request if you receive a
1596
- # `NextToken` response in a previous request indicating there's more
1597
- # output available. In a subsequent call, set it to the value of the
1598
- # previous call `NextToken` response to indicate where the output should
1599
- # continue from.
1353
+ # A token that indicates where the output should continue from, if a
1354
+ # previous call did not show all results. To get the next results, call
1355
+ # `ListSecrets` again with this value.
1600
1356
  #
1601
1357
  # @option params [Array<Types::Filter>] :filters
1602
- # Lists the secret request filters.
1358
+ # The filters to apply to the list of secrets.
1603
1359
  #
1604
1360
  # @option params [String] :sort_order
1605
1361
  # Lists secrets in the requested order.
@@ -1695,65 +1451,37 @@ module Aws::SecretsManager
1695
1451
  req.send_request(options)
1696
1452
  end
1697
1453
 
1698
- # Attaches the contents of the specified resource-based permission
1699
- # policy to a secret. A resource-based policy is optional.
1700
- # Alternatively, you can use IAM identity-based policies that specify
1701
- # the secret's Amazon Resource Name (ARN) in the policy statement's
1702
- # `Resources` element. You can also use a combination of both
1703
- # identity-based and resource-based policies. The affected users and
1704
- # roles receive the permissions that are permitted by all of the
1705
- # relevant policies. For more information, see [Using Resource-Based
1706
- # Policies for Amazon Web Services Secrets Manager][1]. For the complete
1707
- # description of the Amazon Web Services policy syntax and grammar, see
1708
- # [IAM JSON Policy Reference][2] in the *IAM User Guide*.
1709
- #
1710
- # **Minimum permissions**
1711
- #
1712
- # To run this command, you must have the following permissions:
1713
- #
1714
- # * secretsmanager:PutResourcePolicy
1715
- #
1716
- # ^
1454
+ # Attaches a resource-based permission policy to a secret. A
1455
+ # resource-based policy is optional. For more information, see
1456
+ # [Authentication and access control for Secrets Manager][1]
1717
1457
  #
1718
- # **Related operations**
1458
+ # For information about attaching a policy in the console, see [Attach a
1459
+ # permissions policy to a secret][2].
1719
1460
  #
1720
- # * To retrieve the resource policy attached to a secret, use
1721
- # GetResourcePolicy.
1722
1461
  #
1723
- # * To delete the resource-based policy attached to a secret, use
1724
- # DeleteResourcePolicy.
1725
1462
  #
1726
- # * To list all of the currently available secrets, use ListSecrets.
1727
- #
1728
- #
1729
- #
1730
- # [1]: http://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html
1731
- # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
1463
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
1464
+ # [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html
1732
1465
  #
1733
1466
  # @option params [required, String] :secret_id
1734
- # Specifies the secret that you want to attach the resource-based
1735
- # policy. You can specify either the ARN or the friendly name of the
1736
- # secret.
1467
+ # The ARN or name of the secret to attach the resource-based policy.
1737
1468
  #
1738
1469
  # For an ARN, we recommend that you specify a complete ARN rather than a
1739
1470
  # partial ARN.
1740
1471
  #
1741
1472
  # @option params [required, String] :resource_policy
1742
- # A JSON-formatted string constructed according to the grammar and
1743
- # syntax for an Amazon Web Services resource-based policy. The policy in
1744
- # the string identifies who can access or manage this secret and its
1745
- # versions. For information on how to format a JSON parameter for the
1746
- # various command line tool environments, see [Using JSON for
1747
- # Parameters][1] in the *CLI User Guide*.
1473
+ # A JSON-formatted string for an Amazon Web Services resource-based
1474
+ # policy. For example policies, see [Permissions policy examples][1].
1748
1475
  #
1749
1476
  #
1750
1477
  #
1751
- # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
1478
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
1752
1479
  #
1753
1480
  # @option params [Boolean] :block_public_policy
1754
- # (Optional) If you set the parameter, `BlockPublicPolicy` to true, then
1755
- # you block resource-based policies that allow broad access to the
1756
- # secret.
1481
+ # Specifies whether to block resource-based policies that allow broad
1482
+ # access to the secret. By default, Secrets Manager blocks policies that
1483
+ # allow broad access, for example those that use a wildcard for the
1484
+ # principal.
1757
1485
  #
1758
1486
  # @return [Types::PutResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1759
1487
  #
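Review bot: The new `:block_public_policy` text says Secrets Manager blocks broad-access policies by default, whereas the removed text described blocking only as the effect of setting `BlockPublicPolicy` to true, and nothing in the hunk shows a behaviour change that would explain the difference. A reader who trusts the new sentence may omit the parameter, so I would drop the default claim until it is confirmed and write `# Set this to true to reject policies that allow broad access, for example a wildcard principal.` Callers that attach policies should pass `block_public_policy: true` explicitly either way. The sentence ending in `[Authentication and access control for Secrets Manager][1]` also lacks its full stop.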
@@ -1798,11 +1526,9 @@ module Aws::SecretsManager
1798
1526
  req.send_request(options)
1799
1527
  end
1800
1528
 
1801
- # Stores a new encrypted secret value in the specified secret. To do
1802
- # this, the operation creates a new version and attaches it to the
1803
- # secret. The version can contain a new `SecretString` value or a new
1804
- # `SecretBinary` value. You can also specify the staging labels that are
1805
- # initially attached to the new version.
1529
+ # Creates a new version with a new encrypted secret value and attaches
1530
+ # it to the secret. The version can contain a new `SecretString` value
1531
+ # or a new `SecretBinary` value.
1806
1532
  #
1807
1533
  # We recommend you avoid calling `PutSecretValue` at a sustained rate of
1808
1534
  # more than once every 10 minutes. When you update the secret value,
@@ -1813,116 +1539,64 @@ module Aws::SecretsManager
1813
1539
  # versions than Secrets Manager removes, and you will reach the quota
1814
1540
  # for secret versions.
1815
1541
  #
1816
- # * If this operation creates the first version for the secret then
1817
- # Secrets Manager automatically attaches the staging label
1818
- # `AWSCURRENT` to the new version.
1819
- #
1820
- # * If you do not specify a value for VersionStages then Secrets Manager
1821
- # automatically moves the staging label `AWSCURRENT` to this new
1822
- # version.
1823
- #
1824
- # * If this operation moves the staging label `AWSCURRENT` from another
1825
- # version to this version, then Secrets Manager also automatically
1826
- # moves the staging label `AWSPREVIOUS` to the version that
1827
- # `AWSCURRENT` was removed from.
1828
- #
1829
- # * This operation is idempotent. If a version with a `VersionId` with
1830
- # the same value as the `ClientRequestToken` parameter already exists
1831
- # and you specify the same secret data, the operation succeeds but
1832
- # does nothing. However, if the secret data is different, then the
1833
- # operation fails because you cannot modify an existing version; you
1834
- # can only create new ones.
1835
- #
1836
- # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
1837
- # `SecretBinary` for a secret in the same account as the calling user
1838
- # and that secret doesn't specify a Amazon Web Services KMS
1839
- # encryption key, Secrets Manager uses the account's default Amazon
1840
- # Web Services managed customer master key (CMK) with the alias
1841
- # `aws/secretsmanager`. If this key doesn't already exist in your
1842
- # account then Secrets Manager creates it for you automatically. All
1843
- # users and roles in the same Amazon Web Services account
1844
- # automatically have access to use the default CMK. Note that if an
1845
- # Secrets Manager API call results in Amazon Web Services creating the
1846
- # account's Amazon Web Services-managed CMK, it can result in a
1847
- # one-time significant delay in returning the result.
1848
- #
1849
- # * If the secret resides in a different Amazon Web Services account
1850
- # from the credentials calling an API that requires encryption or
1851
- # decryption of the secret value then you must create and use a custom
1852
- # Amazon Web Services KMS CMK because you can't access the default
1853
- # CMK for the account using credentials from a different Amazon Web
1854
- # Services account. Store the ARN of the CMK in the secret when you
1855
- # create the secret or when you update it by including it in the
1856
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
1857
- # `SecretString` or `SecretBinary` using credentials from a different
1858
- # account then the Amazon Web Services KMS key policy must grant
1859
- # cross-account access to that other account's user or role for both
1860
- # the kms:GenerateDataKey and kms:Decrypt operations.
1861
- #
1862
- # </note>
1863
- #
1864
- # **Minimum permissions**
1865
- #
1866
- # To run this command, you must have the following permissions:
1867
- #
1868
- # * secretsmanager:PutSecretValue
1869
- #
1870
- # * kms:GenerateDataKey - needed only if you use a customer-managed
1871
- # Amazon Web Services KMS key to encrypt the secret. You do not need
1872
- # this permission to use the account's default Amazon Web Services
1873
- # managed CMK for Secrets Manager.
1874
- #
1875
- # **Related operations**
1876
- #
1877
- # * To retrieve the encrypted value you store in the version of a
1878
- # secret, use GetSecretValue.
1879
- #
1880
- # * To create a secret, use CreateSecret.
1881
- #
1882
- # * To get the details for a secret, use DescribeSecret.
1883
- #
1884
- # * To list the versions attached to a secret, use ListSecretVersionIds.
1542
+ # You can specify the staging labels to attach to the new version in
1543
+ # `VersionStages`. If you don't include `VersionStages`, then Secrets
1544
+ # Manager automatically moves the staging label `AWSCURRENT` to this
1545
+ # version. If this operation creates the first version for the secret,
1546
+ # then Secrets Manager automatically attaches the staging label
1547
+ # `AWSCURRENT` to it .
1548
+ #
1549
+ # If this operation moves the staging label `AWSCURRENT` from another
1550
+ # version to this version, then Secrets Manager also automatically moves
1551
+ # the staging label `AWSPREVIOUS` to the version that `AWSCURRENT` was
1552
+ # removed from.
1553
+ #
1554
+ # This operation is idempotent. If a version with a `VersionId` with the
1555
+ # same value as the `ClientRequestToken` parameter already exists, and
1556
+ # you specify the same secret data, the operation succeeds but does
1557
+ # nothing. However, if the secret data is different, then the operation
1558
+ # fails because you can't modify an existing version; you can only
1559
+ # create new ones.
1885
1560
  #
1886
1561
  # @option params [required, String] :secret_id
1887
- # Specifies the secret to which you want to add a new version. You can
1888
- # specify either the Amazon Resource Name (ARN) or the friendly name of
1889
- # the secret. The secret must already exist.
1562
+ # The ARN or name of the secret to add a new version to.
1890
1563
  #
1891
1564
  # For an ARN, we recommend that you specify a complete ARN rather than a
1892
1565
  # partial ARN.
1893
1566
  #
1567
+ # If the secret doesn't already exist, use `CreateSecret` instead.
1568
+ #
1894
1569
  # @option params [String] :client_request_token
1895
- # (Optional) Specifies a unique identifier for the new version of the
1896
- # secret.
1570
+ # A unique identifier for the new version of the secret.
1897
1571
  #
1898
1572
  # <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
1899
- # Services SDK to call this operation, then you can leave this parameter
1900
- # empty. The CLI or SDK generates a random UUID for you and includes
1901
- # that in the request. If you don't use the SDK and instead generate a
1902
- # raw HTTP request to the Secrets Manager service endpoint, then you
1903
- # must generate a `ClientRequestToken` yourself for new versions and
1904
- # include that value in the request.
1573
+ # Services SDKs to call this operation, then you can leave this
1574
+ # parameter empty because they generate a random UUID for you. If you
1575
+ # don't use the SDK and instead generate a raw HTTP request to the
1576
+ # Secrets Manager service endpoint, then you must generate a
1577
+ # `ClientRequestToken` yourself for new versions and include that value
1578
+ # in the request.
1905
1579
  #
1906
1580
  # </note>
1907
1581
  #
1908
1582
  # This value helps ensure idempotency. Secrets Manager uses this value
1909
1583
  # to prevent the accidental creation of duplicate versions if there are
1910
- # failures and retries during the Lambda rotation function's
1911
- # processing. We recommend that you generate a [UUID-type][1] value to
1912
- # ensure uniqueness within the specified secret.
1584
+ # failures and retries during the Lambda rotation function processing.
1585
+ # We recommend that you generate a [UUID-type][1] value to ensure
1586
+ # uniqueness within the specified secret.
1913
1587
  #
1914
1588
  # * If the `ClientRequestToken` value isn't already associated with a
1915
1589
  # version of the secret then a new version of the secret is created.
1916
1590
  #
1917
1591
  # * If a version with this value already exists and that version's
1918
1592
  # `SecretString` or `SecretBinary` values are the same as those in the
1919
- # request then the request is ignored (the operation is idempotent).
1593
+ # request then the request is ignored. The operation is idempotent.
1920
1594
  #
1921
1595
  # * If a version with this value already exists and the version of the
1922
1596
  # `SecretString` and `SecretBinary` values are different from those in
1923
- # the request then the request fails because you cannot modify an
1924
- # existing secret version. You can only create new versions to store
1925
- # new secret values.
1597
+ # the request, then the request fails because you can't modify a
1598
+ # secret version. You can only create new versions to store new secret
1599
+ # values.
1926
1600
  #
1927
1601
  # This value becomes the `VersionId` of the new version.
1928
1602
  #
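Review bot: The PutSecretValue comment no longer explains the KMS side of the call. The removed note said that a secret in another account needs a customer-managed key whose key policy grants `kms:GenerateDataKey` and `kms:Decrypt`, and the removed permissions list named `kms:GenerateDataKey` for customer-managed keys. The GetSecretValue hunk keeps a sentence of this kind for `kms:Decrypt`, so a matching one fits here: ``# If the secret is encrypted with a customer-managed key, you also need `kms:GenerateDataKey` permissions for that key.`` Without it, a cross-account or customer-managed-key write that is denied is harder to diagnose from the doc comment alone.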
@@ -1934,52 +1608,37 @@ module Aws::SecretsManager
1934
1608
  # [1]: https://wikipedia.org/wiki/Universally_unique_identifier
1935
1609
  #
1936
1610
  # @option params [String, StringIO, File] :secret_binary
1937
- # (Optional) Specifies binary data that you want to encrypt and store in
1938
- # the new version of the secret. To use this parameter in the
1939
- # command-line tools, we recommend that you store your binary data in a
1940
- # file and then use the appropriate technique for your tool to pass the
1941
- # contents of the file as a parameter. Either `SecretBinary` or
1942
- # `SecretString` must have a value, but not both. They cannot both be
1943
- # empty.
1611
+ # The binary data to encrypt and store in the new version of the secret.
1612
+ # To use this parameter in the command-line tools, we recommend that you
1613
+ # store your binary data in a file and then pass the contents of the
1614
+ # file as a parameter.
1944
1615
  #
1945
- # This parameter is not accessible if the secret using the Secrets
1946
- # Manager console.
1616
+ # You must include `SecretBinary` or `SecretString`, but not both.
1947
1617
  #
1948
- # @option params [String] :secret_string
1949
- # (Optional) Specifies text data that you want to encrypt and store in
1950
- # this new version of the secret. Either `SecretString` or
1951
- # `SecretBinary` must have a value, but not both. They cannot both be
1952
- # empty.
1953
- #
1954
- # If you create this secret by using the Secrets Manager console then
1955
- # Secrets Manager puts the protected secret text in only the
1956
- # `SecretString` parameter. The Secrets Manager console stores the
1957
- # information as a JSON structure of key/value pairs that the default
1958
- # Lambda rotation function knows how to parse.
1959
- #
1960
- # For storing multiple values, we recommend that you use a JSON text
1961
- # string argument and specify key/value pairs. For more information, see
1962
- # [Specifying parameter values for the Amazon Web Services CLI][1] in
1963
- # the Amazon Web Services CLI User Guide.
1618
+ # You can't access this value from the Secrets Manager console.
1964
1619
  #
1620
+ # @option params [String] :secret_string
1621
+ # The text to encrypt and store in the new version of the secret.
1965
1622
  #
1623
+ # You must include `SecretBinary` or `SecretString`, but not both.
1966
1624
  #
1967
- # [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters.html
1625
+ # We recommend you create the secret string as JSON key/value pairs, as
1626
+ # shown in the example.
1968
1627
  #
1969
1628
  # @option params [Array<String>] :version_stages
1970
- # (Optional) Specifies a list of staging labels that are attached to
1971
- # this version of the secret. These staging labels are used to track the
1972
- # versions through the rotation process by the Lambda rotation function.
1973
- #
1974
- # A staging label must be unique to a single version of the secret. If
1975
- # you specify a staging label that's already associated with a
1976
- # different version of the same secret then that staging label is
1977
- # automatically removed from the other version and attached to this
1978
- # version.
1629
+ # A list of staging labels to attach to this version of the secret.
1630
+ # Secrets Manager uses staging labels to track versions of a secret
1631
+ # through the rotation process.
1979
1632
  #
1980
- # If you do not specify a value for `VersionStages` then Secrets Manager
1981
- # automatically moves the staging label `AWSCURRENT` to this new
1982
- # version.
1633
+ # If you specify a staging label that's already associated with a
1634
+ # different version of the same secret, then Secrets Manager removes the
1635
+ # label from the other version and attaches it to this version. If you
1636
+ # specify `AWSCURRENT`, and it is already attached to another version,
1637
+ # then Secrets Manager also moves the staging label `AWSPREVIOUS` to the
1638
+ # version that `AWSCURRENT` was removed from.
1639
+ #
1640
+ # If you don't include `VersionStages`, then Secrets Manager
1641
+ # automatically moves the staging label `AWSCURRENT` to this version.
1983
1642
  #
1984
1643
  # @return [Types::PutSecretValueResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1985
1644
  #
@@ -2037,13 +1696,14 @@ module Aws::SecretsManager
2037
1696
  req.send_request(options)
2038
1697
  end
2039
1698
 
2040
- # Remove regions from replication.
1699
+ # For a secret that is replicated to other Regions, deletes the secret
1700
+ # replicas from the Regions you specify.
2041
1701
  #
2042
1702
  # @option params [required, String] :secret_id
2043
- # Remove a secret by `SecretId` from replica Regions.
1703
+ # The ARN or name of the secret.
2044
1704
  #
2045
1705
  # @option params [required, Array<String>] :remove_replica_regions
2046
- # Remove replication from specific Regions.
1706
+ # The Regions of the replicas to remove.
2047
1707
  #
2048
1708
  # @return [Types::RemoveRegionsFromReplicationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2049
1709
  #
@@ -2076,18 +1736,21 @@ module Aws::SecretsManager
2076
1736
  req.send_request(options)
2077
1737
  end
2078
1738
 
2079
- # Converts an existing secret to a multi-Region secret and begins
2080
- # replication the secret to a list of new regions.
1739
+ # Replicates the secret to a new Regions. See [Multi-Region secrets][1].
1740
+ #
1741
+ #
1742
+ #
1743
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/create-manage-multi-region-secrets.html
2081
1744
  #
2082
1745
  # @option params [required, String] :secret_id
2083
- # Use the `Secret Id` to replicate a secret to regions.
1746
+ # The ARN or name of the secret to replicate.
2084
1747
  #
2085
1748
  # @option params [required, Array<Types::ReplicaRegionType>] :add_replica_regions
2086
- # Add Regions to replicate the secret.
1749
+ # A list of Regions in which to replicate the secret.
2087
1750
  #
2088
1751
  # @option params [Boolean] :force_overwrite_replica_secret
2089
- # (Optional) If set, Secrets Manager replication overwrites a secret
2090
- # with the same name in the destination region.
1752
+ # Specifies whether to overwrite a secret with the same name in the
1753
+ # destination Region.
2091
1754
  #
2092
1755
  # @return [Types::ReplicateSecretToRegionsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2093
1756
  #
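Review bot: The new summary line `# Replicates the secret to a new Regions. See [Multi-Region secrets][1].` pairs a singular article with a plural noun; `# Replicates the secret to new Regions. See [Multi-Region secrets][1].` reads correctly. In the same hunk, the `:force_overwrite_replica_secret` text now says only that it specifies whether a same-named secret in the destination Region is overwritten, and does not say what happens when the option is omitted. One sentence stating that behaviour would help callers avoid replacing an existing secret unintentionally. The wording presumably comes from the service's API model, so the fix may belong there rather than in this file. The comment documents a method whose definition lies past the end of the hunk.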
@@ -2127,27 +1790,11 @@ module Aws::SecretsManager
2127
1790
  end
2128
1791
 
2129
1792
  # Cancels the scheduled deletion of a secret by removing the
2130
- # `DeletedDate` time stamp. This makes the secret accessible to query
2131
- # once again.
2132
- #
2133
- # **Minimum permissions**
2134
- #
2135
- # To run this command, you must have the following permissions:
2136
- #
2137
- # * secretsmanager:RestoreSecret
2138
- #
2139
- # ^
2140
- #
2141
- # **Related operations**
2142
- #
2143
- # * To delete a secret, use DeleteSecret.
2144
- #
2145
- # ^
1793
+ # `DeletedDate` time stamp. You can access a secret again after it has
1794
+ # been restored.
2146
1795
  #
2147
1796
  # @option params [required, String] :secret_id
2148
- # Specifies the secret that you want to restore from a previously
2149
- # scheduled deletion. You can specify either the Amazon Resource Name
2150
- # (ARN) or the friendly name of the secret.
1797
+ # The ARN or name of the secret to restore.
2151
1798
  #
2152
1799
  # For an ARN, we recommend that you specify a complete ARN rather than a
2153
1800
  # partial ARN.
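Review bot: The rewritten RestoreSecret summary no longer names the IAM action the call requires: the removed `**Minimum permissions**` block listed `secretsmanager:RestoreSecret`, and nothing on the new side replaces it. The RotateSecret and UpdateSecret rewrites in this diff keep that information as a single sentence, so the same form fits here: ``# To run this command, you must have `secretsmanager:RestoreSecret` permissions.`` The hunks at `@@ -2395,34 +2007,17 @@` (TagResource) and `@@ -2486,25 +2081,8 @@` (UntagResource) drop `secretsmanager:TagResource` and `secretsmanager:UntagResource` in the same way. Anyone writing least-privilege policies from these comments then has to look the action names up elsewhere. The doc comment continues beyond the end of the hunk.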
@@ -2192,82 +1839,52 @@ module Aws::SecretsManager
2192
1839
  req.send_request(options)
2193
1840
  end
2194
1841
 
2195
- # Configures and starts the asynchronous process of rotating this
2196
- # secret. If you include the configuration parameters, the operation
2197
- # sets those values for the secret and then immediately starts a
2198
- # rotation. If you do not include the configuration parameters, the
2199
- # operation starts a rotation with the values already stored in the
2200
- # secret. After the rotation completes, the protected service and its
2201
- # clients all use the new version of the secret.
2202
- #
2203
- # This required configuration information includes the ARN of an Amazon
2204
- # Web Services Lambda function and optionally, the time between
2205
- # scheduled rotations. The Lambda rotation function creates a new
2206
- # version of the secret and creates or updates the credentials on the
2207
- # protected service to match. After testing the new credentials, the
2208
- # function marks the new secret with the staging label `AWSCURRENT` so
2209
- # that your clients all immediately begin to use the new version. For
2210
- # more information about rotating secrets and how to configure a Lambda
2211
- # function to rotate the secrets for your protected service, see
2212
- # [Rotating Secrets in Amazon Web Services Secrets Manager][1] in the
2213
- # *Amazon Web Services Secrets Manager User Guide*.
2214
- #
2215
- # Secrets Manager schedules the next rotation when the previous one
2216
- # completes. Secrets Manager schedules the date by adding the rotation
2217
- # interval (number of days) to the actual date of the last rotation. The
2218
- # service chooses the hour within that 24-hour date window randomly. The
2219
- # minute is also chosen somewhat randomly, but weighted towards the top
2220
- # of the hour and influenced by a variety of factors that help
2221
- # distribute load.
2222
- #
2223
- # The rotation function must end with the versions of the secret in one
2224
- # of two states:
2225
- #
2226
- # * The `AWSPENDING` and `AWSCURRENT` staging labels are attached to the
2227
- # same version of the secret, or
2228
- #
2229
- # * The `AWSPENDING` staging label is not attached to any version of the
2230
- # secret.
1842
+ # Configures and starts the asynchronous process of rotating the secret.
1843
+ #
1844
+ # If you include the configuration parameters, the operation sets the
1845
+ # values for the secret and then immediately starts a rotation. If you
1846
+ # don't include the configuration parameters, the operation starts a
1847
+ # rotation with the values already stored in the secret. For more
1848
+ # information about rotation, see [Rotate secrets][1].
1849
+ #
1850
+ # To configure rotation, you include the ARN of an Amazon Web Services
1851
+ # Lambda function and the schedule for the rotation. The Lambda rotation
1852
+ # function creates a new version of the secret and creates or updates
1853
+ # the credentials on the database or service to match. After testing the
1854
+ # new credentials, the function marks the new secret version with the
1855
+ # staging label `AWSCURRENT`. Then anyone who retrieves the secret gets
1856
+ # the new version. For more information, see [How rotation works][2].
1857
+ #
1858
+ # When rotation is successful, the `AWSPENDING` staging label might be
1859
+ # attached to the same version as the `AWSCURRENT` version, or it might
1860
+ # not be attached to any version.
2231
1861
  #
2232
1862
  # If the `AWSPENDING` staging label is present but not attached to the
2233
- # same version as `AWSCURRENT` then any later invocation of
1863
+ # same version as `AWSCURRENT`, then any later invocation of
2234
1864
  # `RotateSecret` assumes that a previous rotation request is still in
2235
1865
  # progress and returns an error.
2236
1866
  #
2237
- # **Minimum permissions**
2238
- #
2239
- # To run this command, you must have the following permissions:
2240
- #
2241
- # * secretsmanager:RotateSecret
2242
- #
2243
- # * lambda:InvokeFunction (on the function specified in the secret's
2244
- # metadata)
2245
- #
2246
- # **Related operations**
2247
- #
2248
- # * To list the secrets in your account, use ListSecrets.
2249
- #
2250
- # * To get the details for a version of a secret, use DescribeSecret.
2251
- #
2252
- # * To create a new version of a secret, use CreateSecret.
2253
- #
2254
- # * To attach staging labels to or remove staging labels from a version
2255
- # of a secret, use UpdateSecretVersionStage.
1867
+ # To run this command, you must have `secretsmanager:RotateSecret`
1868
+ # permissions and `lambda:InvokeFunction` permissions on the function
1869
+ # specified in the secret's metadata.
2256
1870
  #
2257
1871
  #
2258
1872
  #
2259
1873
  # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
1874
+ # [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html
2260
1875
  #
2261
1876
  # @option params [required, String] :secret_id
2262
- # Specifies the secret that you want to rotate. You can specify either
2263
- # the Amazon Resource Name (ARN) or the friendly name of the secret.
1877
+ # The ARN or name of the secret to rotate.
2264
1878
  #
2265
1879
  # For an ARN, we recommend that you specify a complete ARN rather than a
2266
1880
  # partial ARN.
2267
1881
  #
2268
1882
  # @option params [String] :client_request_token
2269
- # (Optional) Specifies a unique identifier for the new version of the
2270
- # secret that helps ensure idempotency.
1883
+ # A unique identifier for the new version of the secret that helps
1884
+ # ensure idempotency. Secrets Manager uses this value to prevent the
1885
+ # accidental creation of duplicate versions if there are failures and
1886
+ # retries during rotation. This value becomes the `VersionId` of the new
1887
+ # version.
2271
1888
  #
2272
1889
  # If you use the Amazon Web Services CLI or one of the Amazon Web
2273
1890
  # Services SDK to call this operation, then you can leave this parameter
@@ -2277,15 +1894,10 @@ module Aws::SecretsManager
2277
1894
  # endpoint, then you must generate a `ClientRequestToken` yourself for
2278
1895
  # new versions and include that value in the request.
2279
1896
  #
2280
- # You only need to specify your own value if you implement your own
2281
- # retry logic and want to ensure that a given secret is not created
2282
- # twice. We recommend that you generate a [UUID-type][1] value to ensure
2283
- # uniqueness within the specified secret.
2284
- #
2285
- # Secrets Manager uses this value to prevent the accidental creation of
2286
- # duplicate versions if there are failures and retries during the
2287
- # function's processing. This value becomes the `VersionId` of the new
2288
- # version.
1897
+ # You only need to specify this value if you implement your own retry
1898
+ # logic and you want to ensure that Secrets Manager doesn't attempt to
1899
+ # create a secret version twice. We recommend that you generate a
1900
+ # [UUID-type][1] value to ensure uniqueness within the specified secret.
2289
1901
  #
2290
1902
  # **A suitable default value is auto-generated.** You should normally
2291
1903
  # not need to pass this option.**
@@ -2295,8 +1907,7 @@ module Aws::SecretsManager
2295
1907
  # [1]: https://wikipedia.org/wiki/Universally_unique_identifier
2296
1908
  #
2297
1909
  # @option params [String] :rotation_lambda_arn
2298
- # (Optional) Specifies the ARN of the Lambda function that can rotate
2299
- # the secret.
1910
+ # The ARN of the Lambda rotation function that can rotate the secret.
2300
1911
  #
2301
1912
  # @option params [Types::RotationRulesType] :rotation_rules
2302
1913
  # A structure that defines the rotation configuration for this secret.
@@ -2333,12 +1944,14 @@ module Aws::SecretsManager
2333
1944
  req.send_request(options)
2334
1945
  end
2335
1946
 
2336
- # Removes the secret from replication and promotes the secret to a
2337
- # regional secret in the replica Region.
1947
+ # Removes the link between the replica secret and the primary secret and
1948
+ # promotes the replica to a primary secret in the replica Region.
1949
+ #
1950
+ # You must call this operation from the Region in which you want to
1951
+ # promote the replica to a primary secret.
2338
1952
  #
2339
1953
  # @option params [required, String] :secret_id
2340
- # Response to `StopReplicationToReplica` of a secret, based on the
2341
- # `SecretId`.
1954
+ # The ARN of the primary secret.
2342
1955
  #
2343
1956
  # @return [Types::StopReplicationToReplicaResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2344
1957
  #
@@ -2363,19 +1976,18 @@ module Aws::SecretsManager
2363
1976
  req.send_request(options)
2364
1977
  end
2365
1978
 
2366
- # Attaches one or more tags, each consisting of a key name and a value,
2367
- # to the specified secret. Tags are part of the secret's overall
2368
- # metadata, and are not associated with any specific version of the
2369
- # secret. This operation only appends tags to the existing list of tags.
2370
- # To remove tags, you must use UntagResource.
1979
+ # Attaches tags to a secret. Tags consist of a key name and a value.
1980
+ # Tags are part of the secret's metadata. They are not associated with
1981
+ # specific versions of the secret. This operation appends tags to the
1982
+ # existing list of tags.
2371
1983
  #
2372
- # The following basic restrictions apply to tags:
1984
+ # The following restrictions apply to tags:
2373
1985
  #
2374
- # * Maximum number of tags per secret50
1986
+ # * Maximum number of tags per secret: 50
2375
1987
  #
2376
- # * Maximum key length127 Unicode characters in UTF-8
1988
+ # * Maximum key length: 127 Unicode characters in UTF-8
2377
1989
  #
2378
- # * Maximum value length255 Unicode characters in UTF-8
1990
+ # * Maximum value length: 255 Unicode characters in UTF-8
2379
1991
  #
2380
1992
  # * Tag keys and values are case sensitive.
2381
1993
  #
@@ -2385,9 +1997,9 @@ module Aws::SecretsManager
2385
1997
  # with this prefix do not count against your tags per secret limit.
2386
1998
  #
2387
1999
  # * If you use your tagging schema across multiple services and
2388
- # resources, remember other services might have restrictions on
2389
- # allowed characters. Generally allowed characters: letters, spaces,
2390
- # and numbers representable in UTF-8, plus the following special
2000
+ # resources, other services might have restrictions on allowed
2001
+ # characters. Generally allowed characters: letters, spaces, and
2002
+ # numbers representable in UTF-8, plus the following special
2391
2003
  # characters: + - = . \_ : / @.
2392
2004
  #
2393
2005
  # If you use tags as part of your security strategy, then adding or
@@ -2395,34 +2007,17 @@ module Aws::SecretsManager
2395
2007
  # operation would result in you losing your permissions for this secret,
2396
2008
  # then the operation is blocked and returns an Access Denied error.
2397
2009
  #
2398
- # **Minimum permissions**
2399
- #
2400
- # To run this command, you must have the following permissions:
2401
- #
2402
- # * secretsmanager:TagResource
2403
- #
2404
- # ^
2405
- #
2406
- # **Related operations**
2407
- #
2408
- # * To remove one or more tags from the collection attached to a secret,
2409
- # use UntagResource.
2410
- #
2411
- # * To view the list of tags attached to a secret, use DescribeSecret.
2412
- #
2413
2010
  # @option params [required, String] :secret_id
2414
- # The identifier for the secret that you want to attach tags to. You can
2415
- # specify either the Amazon Resource Name (ARN) or the friendly name of
2416
- # the secret.
2011
+ # The identifier for the secret to attach tags to. You can specify
2012
+ # either the Amazon Resource Name (ARN) or the friendly name of the
2013
+ # secret.
2417
2014
  #
2418
2015
  # For an ARN, we recommend that you specify a complete ARN rather than a
2419
2016
  # partial ARN.
2420
2017
  #
2421
2018
  # @option params [required, Array<Types::Tag>] :tags
2422
- # The tags to attach to the secret. Each element in the list consists of
2423
- # a `Key` and a `Value`.
2424
- #
2425
- # This parameter to the API requires a JSON text string argument.
2019
+ # The tags to attach to the secret as a JSON text string argument. Each
2020
+ # element in the list consists of a `Key` and a `Value`.
2426
2021
  #
2427
2022
  # For storing multiple values, we recommend that you use a JSON text
2428
2023
  # string argument and specify key/value pairs. For more information, see
@@ -2476,7 +2071,7 @@ module Aws::SecretsManager
2476
2071
  req.send_request(options)
2477
2072
  end
2478
2073
 
2479
- # Removes one or more tags from the specified secret.
2074
+ # Removes specific tags from a secret.
2480
2075
  #
2481
2076
  # This operation is idempotent. If a requested tag is not attached to
2482
2077
  # the secret, no error is returned and the secret metadata is unchanged.
@@ -2486,25 +2081,8 @@ module Aws::SecretsManager
2486
2081
  # would result in you losing your permissions for this secret, then the
2487
2082
  # operation is blocked and returns an Access Denied error.
2488
2083
  #
2489
- # **Minimum permissions**
2490
- #
2491
- # To run this command, you must have the following permissions:
2492
- #
2493
- # * secretsmanager:UntagResource
2494
- #
2495
- # ^
2496
- #
2497
- # **Related operations**
2498
- #
2499
- # * To add one or more tags to the collection attached to a secret, use
2500
- # TagResource.
2501
- #
2502
- # * To view the list of tags attached to a secret, use DescribeSecret.
2503
- #
2504
2084
  # @option params [required, String] :secret_id
2505
- # The identifier for the secret that you want to remove tags from. You
2506
- # can specify either the Amazon Resource Name (ARN) or the friendly name
2507
- # of the secret.
2085
+ # The ARN or name of the secret.
2508
2086
  #
2509
2087
  # For an ARN, we recommend that you specify a complete ARN rather than a
2510
2088
  # partial ARN.
@@ -2513,7 +2091,7 @@ module Aws::SecretsManager
2513
2091
  # A list of tag key names to remove from the secret. You don't specify
2514
2092
  # the value. Both the key and its associated value are removed.
2515
2093
  #
2516
- # This parameter to the API requires a JSON text string argument.
2094
+ # This parameter requires a JSON text string argument.
2517
2095
  #
2518
2096
  # For storing multiple values, we recommend that you use a JSON text
2519
2097
  # string argument and specify key/value pairs. For more information, see
@@ -2556,9 +2134,8 @@ module Aws::SecretsManager
2556
2134
  req.send_request(options)
2557
2135
  end
2558
2136
 
2559
- # Modifies many of the details of the specified secret.
2560
- #
2561
- # To change the secret value, you can also use PutSecretValue.
2137
+ # Modifies the details of a secret, including metadata and the secret
2138
+ # value. To change the secret value, you can also use PutSecretValue.
2562
2139
  #
2563
2140
  # To change the rotation configuration of a secret, use RotateSecret
2564
2141
  # instead.
@@ -2572,185 +2149,99 @@ module Aws::SecretsManager
2572
2149
  # you create more versions than Secrets Manager removes, and you will
2573
2150
  # reach the quota for secret versions.
2574
2151
  #
2575
- # <note markdown="1"> The Secrets Manager console uses only the `SecretString` parameter and
2576
- # therefore limits you to encrypting and storing only a text string. To
2577
- # encrypt and store binary data as part of the version of a secret, you
2578
- # must use either the Amazon Web Services CLI or one of the Amazon Web
2579
- # Services SDKs.
2580
- #
2581
- # </note>
2582
- #
2583
- # * If a version with a `VersionId` with the same value as the
2584
- # `ClientRequestToken` parameter already exists, the operation results
2585
- # in an error. You cannot modify an existing version, you can only
2586
- # create a new version.
2587
- #
2588
- # * If you include `SecretString` or `SecretBinary` to create a new
2589
- # secret version, Secrets Manager automatically attaches the staging
2590
- # label `AWSCURRENT` to the new version.
2591
- #
2592
- # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
2593
- # `SecretBinary` for a secret in the same account as the calling user
2594
- # and that secret doesn't specify a Amazon Web Services KMS
2595
- # encryption key, Secrets Manager uses the account's default Amazon
2596
- # Web Services managed customer master key (CMK) with the alias
2597
- # `aws/secretsmanager`. If this key doesn't already exist in your
2598
- # account then Secrets Manager creates it for you automatically. All
2599
- # users and roles in the same Amazon Web Services account
2600
- # automatically have access to use the default CMK. Note that if an
2601
- # Secrets Manager API call results in Amazon Web Services creating the
2602
- # account's Amazon Web Services-managed CMK, it can result in a
2603
- # one-time significant delay in returning the result.
2604
- #
2605
- # * If the secret resides in a different Amazon Web Services account
2606
- # from the credentials calling an API that requires encryption or
2607
- # decryption of the secret value then you must create and use a custom
2608
- # Amazon Web Services KMS CMK because you can't access the default
2609
- # CMK for the account using credentials from a different Amazon Web
2610
- # Services account. Store the ARN of the CMK in the secret when you
2611
- # create the secret or when you update it by including it in the
2612
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
2613
- # `SecretString` or `SecretBinary` using credentials from a different
2614
- # account then the Amazon Web Services KMS key policy must grant
2615
- # cross-account access to that other account's user or role for both
2616
- # the kms:GenerateDataKey and kms:Decrypt operations.
2617
- #
2618
- # </note>
2619
- #
2620
- # **Minimum permissions**
2621
- #
2622
- # To run this command, you must have the following permissions:
2623
- #
2624
- # * secretsmanager:UpdateSecret
2625
- #
2626
- # * kms:GenerateDataKey - needed only if you use a custom Amazon Web
2627
- # Services KMS key to encrypt the secret. You do not need this
2628
- # permission to use the account's Amazon Web Services managed CMK for
2629
- # Secrets Manager.
2630
- #
2631
- # * kms:Decrypt - needed only if you use a custom Amazon Web Services
2632
- # KMS key to encrypt the secret. You do not need this permission to
2633
- # use the account's Amazon Web Services managed CMK for Secrets
2634
- # Manager.
2635
- #
2636
- # **Related operations**
2637
- #
2638
- # * To create a new secret, use CreateSecret.
2639
- #
2640
- # * To add only a new version to an existing secret, use PutSecretValue.
2641
- #
2642
- # * To get the details for a secret, use DescribeSecret.
2643
- #
2644
- # * To list the versions contained in a secret, use
2645
- # ListSecretVersionIds.
2152
+ # If you include `SecretString` or `SecretBinary` to create a new secret
2153
+ # version, Secrets Manager automatically attaches the staging label
2154
+ # `AWSCURRENT` to the new version.
2155
+ #
2156
+ # If you call this operation with a `VersionId` that matches an existing
2157
+ # version's `ClientRequestToken`, the operation results in an error.
2158
+ # You can't modify an existing version, you can only create a new
2159
+ # version. To remove a version, remove all staging labels from it. See
2160
+ # UpdateSecretVersionStage.
2161
+ #
2162
+ # If you don't specify an KMS encryption key, Secrets Manager uses the
2163
+ # Amazon Web Services managed key `aws/secretsmanager`. If this key
2164
+ # doesn't already exist in your account, then Secrets Manager creates
2165
+ # it for you automatically. All users and roles in the Amazon Web
2166
+ # Services account automatically have access to use
2167
+ # `aws/secretsmanager`. Creating `aws/secretsmanager` can result in a
2168
+ # one-time significant delay in returning the result.
2169
+ #
2170
+ # If the secret is in a different Amazon Web Services account from the
2171
+ # credentials calling the API, then you can't use `aws/secretsmanager`
2172
+ # to encrypt the secret, and you must create and use a customer managed
2173
+ # key.
2174
+ #
2175
+ # To run this command, you must have `secretsmanager:UpdateSecret`
2176
+ # permissions. If you use a customer managed key, you must also have
2177
+ # `kms:GenerateDataKey` and `kms:Decrypt` permissions .
2646
2178
  #
2647
2179
  # @option params [required, String] :secret_id
2648
- # Specifies the secret that you want to modify or to which you want to
2649
- # add a new version. You can specify either the Amazon Resource Name
2650
- # (ARN) or the friendly name of the secret.
2180
+ # The ARN or name of the secret.
2651
2181
  #
2652
2182
  # For an ARN, we recommend that you specify a complete ARN rather than a
2653
2183
  # partial ARN.
2654
2184
  #
2655
2185
  # @option params [String] :client_request_token
2656
- # (Optional) If you want to add a new version to the secret, this
2657
- # parameter specifies a unique identifier for the new version that helps
2658
- # ensure idempotency.
2659
- #
2660
- # If you use the Amazon Web Services CLI or one of the Amazon Web
2661
- # Services SDK to call this operation, then you can leave this parameter
2662
- # empty. The CLI or SDK generates a random UUID for you and includes
2663
- # that in the request. If you don't use the SDK and instead generate a
2664
- # raw HTTP request to the Secrets Manager service endpoint, then you
2665
- # must generate a `ClientRequestToken` yourself for new versions and
2666
- # include that value in the request.
2667
- #
2668
- # You typically only need to interact with this value if you implement
2669
- # your own retry logic and want to ensure that a given secret is not
2670
- # created twice. We recommend that you generate a [UUID-type][1] value
2671
- # to ensure uniqueness within the specified secret.
2672
- #
2673
- # Secrets Manager uses this value to prevent the accidental creation of
2674
- # duplicate versions if there are failures and retries during the Lambda
2675
- # rotation function's processing.
2186
+ # If you include `SecretString` or `SecretBinary`, then Secrets Manager
2187
+ # creates a new version for the secret, and this parameter specifies the
2188
+ # unique identifier for the new version.
2676
2189
  #
2677
- # * If the `ClientRequestToken` value isn't already associated with a
2678
- # version of the secret then a new version of the secret is created.
2679
- #
2680
- # * If a version with this value already exists and that version's
2681
- # `SecretString` and `SecretBinary` values are the same as those in
2682
- # the request then the request is ignored (the operation is
2683
- # idempotent).
2190
+ # <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
2191
+ # Services SDKs to call this operation, then you can leave this
2192
+ # parameter empty. The CLI or SDK generates a random UUID for you and
2193
+ # includes it as the value for this parameter in the request. If you
2194
+ # don't use the SDK and instead generate a raw HTTP request to the
2195
+ # Secrets Manager service endpoint, then you must generate a
2196
+ # `ClientRequestToken` yourself for the new version and include the
2197
+ # value in the request.
2684
2198
  #
2685
- # * If a version with this value already exists and that version's
2686
- # `SecretString` and `SecretBinary` values are different from the
2687
- # request then an error occurs because you cannot modify an existing
2688
- # secret value.
2199
+ # </note>
2689
2200
  #
2690
2201
  # This value becomes the `VersionId` of the new version.
2691
2202
  #
2692
2203
  # **A suitable default value is auto-generated.** You should normally
2693
2204
  # not need to pass this option.**
2694
2205
  #
2695
- #
2696
- #
2697
- # [1]: https://wikipedia.org/wiki/Universally_unique_identifier
2698
- #
2699
2206
  # @option params [String] :description
2700
- # (Optional) Specifies an updated user-provided description of the
2701
- # secret.
2207
+ # The description of the secret.
2702
2208
  #
2703
2209
  # @option params [String] :kms_key_id
2704
- # (Optional) Specifies an updated ARN or alias of the Amazon Web
2705
- # Services KMS customer master key (CMK) that Secrets Manager uses to
2706
- # encrypt the protected text in new versions of this secret as well as
2707
- # any existing versions of this secret that have the staging labels
2708
- # AWSCURRENT, AWSPENDING, or AWSPREVIOUS. For more information about
2709
- # staging labels, see [Staging Labels][1] in the *Amazon Web Services
2710
- # Secrets Manager User Guide*.
2210
+ # The ARN, key ID, or alias of the KMS key that Secrets Manager uses to
2211
+ # encrypt new secret versions as well as any existing versions the
2212
+ # staging labels `AWSCURRENT`, `AWSPENDING`, or `AWSPREVIOUS`. For more
2213
+ # information about versions and staging labels, see [Concepts:
2214
+ # Version][1].
2711
2215
  #
2712
- # You can only use the account's default CMK to encrypt and decrypt if
2713
- # you call this operation using credentials from the same account that
2714
- # owns the secret. If the secret is in a different account, then you
2715
- # must create a custom CMK and provide the ARN of that CMK in this
2716
- # field. The user making the call must have permissions to both the
2717
- # secret and the CMK in their respective accounts.
2216
+ # You can only use the Amazon Web Services managed key
2217
+ # `aws/secretsmanager` if you call this operation using credentials from
2218
+ # the same Amazon Web Services account that owns the secret. If the
2219
+ # secret is in a different account, then you must use a customer managed
2220
+ # key and provide the ARN of that KMS key in this field. The user making
2221
+ # the call must have permissions to both the secret and the KMS key in
2222
+ # their respective accounts.
2718
2223
  #
2719
2224
  #
2720
2225
  #
2721
- # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/terms-concepts.html#term_staging-label
2226
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html#term_version
2722
2227
  #
2723
2228
  # @option params [String, StringIO, File] :secret_binary
2724
- # (Optional) Specifies updated binary data that you want to encrypt and
2725
- # store in the new version of the secret. To use this parameter in the
2726
- # command-line tools, we recommend that you store your binary data in a
2727
- # file and then use the appropriate technique for your tool to pass the
2728
- # contents of the file as a parameter. Either `SecretBinary` or
2729
- # `SecretString` must have a value, but not both. They cannot both be
2730
- # empty.
2229
+ # The binary data to encrypt and store in the new version of the secret.
2230
+ # We recommend that you store your binary data in a file and then pass
2231
+ # the contents of the file as a parameter.
2731
2232
  #
2732
- # This parameter is not accessible using the Secrets Manager console.
2733
- #
2734
- # @option params [String] :secret_string
2735
- # (Optional) Specifies updated text data that you want to encrypt and
2736
- # store in this new version of the secret. Either `SecretBinary` or
2737
- # `SecretString` must have a value, but not both. They cannot both be
2738
- # empty.
2739
- #
2740
- # If you create this secret by using the Secrets Manager console then
2741
- # Secrets Manager puts the protected secret text in only the
2742
- # `SecretString` parameter. The Secrets Manager console stores the
2743
- # information as a JSON structure of key/value pairs that the default
2744
- # Lambda rotation function knows how to parse.
2745
- #
2746
- # For storing multiple values, we recommend that you use a JSON text
2747
- # string argument and specify key/value pairs. For more information, see
2748
- # [Specifying parameter values for the Amazon Web Services CLI][1] in
2749
- # the Amazon Web Services CLI User Guide.
2233
+ # Either `SecretBinary` or `SecretString` must have a value, but not
2234
+ # both.
2750
2235
  #
2236
+ # You can't access this parameter in the Secrets Manager console.
2751
2237
  #
2238
+ # @option params [String] :secret_string
2239
+ # The text data to encrypt and store in the new version of the secret.
2240
+ # We recommend you use a JSON structure of key/value pairs for your
2241
+ # secret value.
2752
2242
  #
2753
- # [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters.html
2243
+ # Either `SecretBinary` or `SecretString` must have a value, but not
2244
+ # both.
2754
2245
  #
2755
2246
  # @return [Types::UpdateSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
2756
2247
  #
@@ -2834,18 +2325,17 @@ module Aws::SecretsManager
2834
2325
  req.send_request(options)
2835
2326
  end
2836
2327
 
2837
- # Modifies the staging labels attached to a version of a secret. Staging
2838
- # labels are used to track a version as it progresses through the secret
2839
- # rotation process. You can attach a staging label to only one version
2840
- # of a secret at a time. If a staging label to be added is already
2841
- # attached to another version, then it is moved--removed from the other
2842
- # version first and then attached to this one. For more information
2843
- # about staging labels, see [Staging Labels][1] in the *Amazon Web
2844
- # Services Secrets Manager User Guide*.
2328
+ # Modifies the staging labels attached to a version of a secret. Secrets
2329
+ # Manager uses staging labels to track a version as it progresses
2330
+ # through the secret rotation process. Each staging label can be
2331
+ # attached to only one version at a time. To add a staging label to a
2332
+ # version when it is already attached to another version, Secrets
2333
+ # Manager first removes it from the other version first and then
2334
+ # attaches it to this one. For more information about versions and
2335
+ # staging labels, see [Concepts: Version][1].
2845
2336
  #
2846
2337
  # The staging labels that you specify in the `VersionStage` parameter
2847
- # are added to the existing list of staging labels--they don't replace
2848
- # it.
2338
+ # are added to the existing list of staging labels for the version.
2849
2339
  #
2850
2340
  # You can move the `AWSCURRENT` staging label to this version by
2851
2341
  # including it in this call.
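Review bot: The rewritten summary comment reads `Secrets Manager first removes it from the other version first and then attaches it to this one`, which repeats "first"; `Secrets Manager first removes it from the other version and then attaches it to this one` says the same thing cleanly. Two later hunks in this file have the same kind of slip in new comment text: `:secret_id` ends in `labelsto modify` (missing space), and `:move_to_version_id` says `To remove a label from a version, then do not specify this parameter`, where "then" should be dropped. If this client file is generated from the service model, the wording needs fixing in the model's documentation strings rather than here. The comment block and the method it documents continue outside this hunk.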
@@ -2860,30 +2350,13 @@ module Aws::SecretsManager
2860
2350
  # then the version is considered to be 'deprecated' and can be deleted
2861
2351
  # by Secrets Manager.
2862
2352
  #
2863
- # **Minimum permissions**
2864
- #
2865
- # To run this command, you must have the following permissions:
2866
- #
2867
- # * secretsmanager:UpdateSecretVersionStage
2868
- #
2869
- # ^
2870
- #
2871
- # **Related operations**
2872
- #
2873
- # * To get the list of staging labels that are currently associated with
2874
- # a version of a secret, use ` DescribeSecret ` and examine the
2875
- # `SecretVersionsToStages` response value.
2876
- #
2877
- # ^
2878
- #
2879
2353
  #
2880
2354
  #
2881
- # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/terms-concepts.html#term_staging-label
2355
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html#term_version
2882
2356
  #
2883
2357
  # @option params [required, String] :secret_id
2884
- # Specifies the secret with the version with the list of staging labels
2885
- # you want to modify. You can specify either the Amazon Resource Name
2886
- # (ARN) or the friendly name of the secret.
2358
+ # The ARN or the name of the secret with the version and staging
2359
+ # labelsto modify.
2887
2360
  #
2888
2361
  # For an ARN, we recommend that you specify a complete ARN rather than a
2889
2362
  # partial ARN.
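Review bot: The new comment no longer names the IAM action this call requires: the removed `**Minimum permissions**` block listed `secretsmanager:UpdateSecretVersionStage`, and nothing on the new side replaces it. Anyone writing a least-privilege policy for a rotation role now has to find the action name elsewhere, so I would keep one line such as `# Required permissions: secretsmanager:UpdateSecretVersionStage`. The ValidateResourcePolicy hunk further down drops its list (`secretsmanager:PutResourcePolicy`, `secretsmanager:ValidateResourcePolicy`) in the same way. The doc comment starts and ends outside this hunk.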
@@ -2892,18 +2365,16 @@ module Aws::SecretsManager
2892
2365
  # The staging label to add to this version.
2893
2366
  #
2894
2367
  # @option params [String] :remove_from_version_id
2895
- # Specifies the secret version ID of the version that the staging label
2896
- # is to be removed from. If the staging label you are trying to attach
2897
- # to one version is already attached to a different version, then you
2898
- # must include this parameter and specify the version that the label is
2899
- # to be removed from. If the label is attached and you either do not
2900
- # specify this parameter, or the version ID does not match, then the
2901
- # operation fails.
2368
+ # The ID of the version that the staging label is to be removed from. If
2369
+ # the staging label you are trying to attach to one version is already
2370
+ # attached to a different version, then you must include this parameter
2371
+ # and specify the version that the label is to be removed from. If the
2372
+ # label is attached and you either do not specify this parameter, or the
2373
+ # version ID does not match, then the operation fails.
2902
2374
  #
2903
2375
  # @option params [String] :move_to_version_id
2904
- # (Optional) The secret version ID that you want to add the staging
2905
- # label. If you want to remove a label from a version, then do not
2906
- # specify this parameter.
2376
+ # The ID of the version to add the staging label to. To remove a label
2377
+ # from a version, then do not specify this parameter.
2907
2378
  #
2908
2379
  # If the staging label is already attached to a different version of the
2909
2380
  # secret, then you must also specify the `RemoveFromVersionId`
@@ -2992,53 +2463,36 @@ module Aws::SecretsManager
2992
2463
  req.send_request(options)
2993
2464
  end
2994
2465
 
2995
- # Validates that the resource policy does not grant a wide range of IAM
2996
- # principals access to your secret. The JSON request string input and
2997
- # response output displays formatted code with white space and line
2998
- # breaks for better readability. Submit your input as a single line JSON
2999
- # string. A resource-based policy is optional for secrets.
2466
+ # Validates that a resource policy does not grant a wide range of
2467
+ # principals access to your secret. A resource-based policy is optional
2468
+ # for secrets.
3000
2469
  #
3001
- # The API performs three checks when validating the secret:
2470
+ # The API performs three checks when validating the policy:
3002
2471
  #
3003
2472
  # * Sends a call to [Zelkova][1], an automated reasoning engine, to
3004
- # ensure your Resource Policy does not allow broad access to your
3005
- # secret.
2473
+ # ensure your resource policy does not allow broad access to your
2474
+ # secret, for example policies that use a wildcard for the principal.
3006
2475
  #
3007
2476
  # * Checks for correct syntax in a policy.
3008
2477
  #
3009
2478
  # * Verifies the policy does not lock out a caller.
3010
2479
  #
3011
- # **Minimum Permissions**
3012
- #
3013
- # You must have the permissions required to access the following APIs:
3014
- #
3015
- # * `secretsmanager:PutResourcePolicy`
3016
- #
3017
- # * `secretsmanager:ValidateResourcePolicy`
3018
- #
3019
2480
  #
3020
2481
  #
3021
2482
  # [1]: https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/
3022
2483
  #
3023
2484
  # @option params [String] :secret_id
3024
- # (Optional) The identifier of the secret with the resource-based policy
3025
- # you want to validate. You can specify either the Amazon Resource Name
3026
- # (ARN) or the friendly name of the secret.
3027
- #
3028
- # For an ARN, we recommend that you specify a complete ARN rather than a
3029
- # partial ARN.
2485
+ # This field is reserved for internal use.
3030
2486
  #
3031
2487
  # @option params [required, String] :resource_policy
3032
- # A JSON-formatted string constructed according to the grammar and
3033
- # syntax for an Amazon Web Services resource-based policy. The policy in
3034
- # the string identifies who can access or manage this secret and its
3035
- # versions. For information on how to format a JSON parameter for the
3036
- # various command line tool environments, see [Using JSON for
3037
- # Parameters][1] in the *CLI User Guide*.publi
2488
+ # A JSON-formatted string that contains an Amazon Web Services
2489
+ # resource-based policy. The policy in the string identifies who can
2490
+ # access or manage this secret and its versions. For example policies,
2491
+ # see [Permissions policy examples][1].
3038
2492
  #
3039
2493
  #
3040
2494
  #
3041
- # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
2495
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
3042
2496
  #
3043
2497
  # @return [Types::ValidateResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3044
2498
  #
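Review bot: `:secret_id` is now documented only as `This field is reserved for internal use.`, yet it is still listed as an accepted option and the removed text told callers to pass the secret's ARN or name. The comment does not say what happens to a value that existing code still supplies, so a caller may assume the validation is scoped to that secret when it may not be. I would add a line along the lines of `# Do not set this option; only :resource_policy is evaluated.`, worded to match the service's actual behaviour once that is confirmed. The doc comment continues past the end of this hunk.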
@@ -3098,7 +2552,7 @@ module Aws::SecretsManager
3098
2552
  params: params,
3099
2553
  config: config)
3100
2554
  context[:gem_name] = 'aws-sdk-secretsmanager'
3101
- context[:gem_version] = '1.51.0'
2555
+ context[:gem_version] = '1.55.0'
3102
2556
  Seahorse::Client::Request.new(handlers, context)
3103
2557
  end
3104
2558