aws-sdk-secretsmanager 1.53.0 → 1.57.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-secretsmanager/client.rb +634 -1006
- data/lib/aws-sdk-secretsmanager/client_api.rb +8 -0
- data/lib/aws-sdk-secretsmanager/types.rb +567 -648
- data/lib/aws-sdk-secretsmanager.rb +1 -1
- metadata +4 -4
@@ -27,6 +27,8 @@ require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
|
|
27
27
|
require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
|
28
28
|
require 'aws-sdk-core/plugins/transfer_encoding.rb'
|
29
29
|
require 'aws-sdk-core/plugins/http_checksum.rb'
|
30
|
+
require 'aws-sdk-core/plugins/defaults_mode.rb'
|
31
|
+
require 'aws-sdk-core/plugins/recursion_detection.rb'
|
30
32
|
require 'aws-sdk-core/plugins/signature_v4.rb'
|
31
33
|
require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
|
32
34
|
|
@@ -73,6 +75,8 @@ module Aws::SecretsManager
|
|
73
75
|
add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
|
74
76
|
add_plugin(Aws::Plugins::TransferEncoding)
|
75
77
|
add_plugin(Aws::Plugins::HttpChecksum)
|
78
|
+
add_plugin(Aws::Plugins::DefaultsMode)
|
79
|
+
add_plugin(Aws::Plugins::RecursionDetection)
|
76
80
|
add_plugin(Aws::Plugins::SignatureV4)
|
77
81
|
add_plugin(Aws::Plugins::Protocols::JsonRpc)
|
78
82
|
|
@@ -175,6 +179,10 @@ module Aws::SecretsManager
|
|
175
179
|
# Used only in `standard` and adaptive retry modes. Specifies whether to apply
|
176
180
|
# a clock skew correction and retry requests with skewed client clocks.
|
177
181
|
#
|
182
|
+
# @option options [String] :defaults_mode ("legacy")
|
183
|
+
# See {Aws::DefaultsModeConfiguration} for a list of the
|
184
|
+
# accepted modes and the configuration defaults that are included.
|
185
|
+
#
|
178
186
|
# @option options [Boolean] :disable_host_prefix_injection (false)
|
179
187
|
# Set to true to disable SDK automatically adding host prefix
|
180
188
|
# to default service endpoint when available.
|
@@ -307,7 +315,7 @@ module Aws::SecretsManager
|
|
307
315
|
# seconds to wait when opening a HTTP session before raising a
|
308
316
|
# `Timeout::Error`.
|
309
317
|
#
|
310
|
-
# @option options [
|
318
|
+
# @option options [Float] :http_read_timeout (60) The default
|
311
319
|
# number of seconds to wait for response data. This value can
|
312
320
|
# safely be set per-request on the session.
|
313
321
|
#
|
@@ -323,6 +331,9 @@ module Aws::SecretsManager
|
|
323
331
|
# disables this behaviour. This value can safely be set per
|
324
332
|
# request on the session.
|
325
333
|
#
|
334
|
+
# @option options [Float] :ssl_timeout (nil) Sets the SSL timeout
|
335
|
+
# in seconds.
|
336
|
+
#
|
326
337
|
# @option options [Boolean] :http_wire_trace (false) When `true`,
|
327
338
|
# HTTP debug output will be sent to the `:logger`.
|
328
339
|
#
|
@@ -348,60 +359,32 @@ module Aws::SecretsManager
|
|
348
359
|
|
349
360
|
# @!group API Operations
|
350
361
|
|
351
|
-
#
|
352
|
-
#
|
353
|
-
#
|
354
|
-
# To re-enable scheduled rotation, call RotateSecret with
|
355
|
-
# `AutomaticallyRotateAfterDays` set to a value greater than 0. This
|
356
|
-
# immediately rotates your secret and then enables the automatic
|
357
|
-
# schedule.
|
358
|
-
#
|
359
|
-
# <note markdown="1"> If you cancel a rotation while in progress, it can leave the
|
360
|
-
# `VersionStage` labels in an unexpected state. Depending on the step of
|
361
|
-
# the rotation in progress, you might need to remove the staging label
|
362
|
-
# `AWSPENDING` from the partially created version, specified by the
|
363
|
-
# `VersionId` response value. You should also evaluate the partially
|
364
|
-
# rotated new version to see if it should be deleted, which you can do
|
365
|
-
# by removing all staging labels from the new version `VersionStage`
|
366
|
-
# field.
|
367
|
-
#
|
368
|
-
# </note>
|
369
|
-
#
|
370
|
-
# To successfully start a rotation, the staging label `AWSPENDING` must
|
371
|
-
# be in one of the following states:
|
372
|
-
#
|
373
|
-
# * Not attached to any version at all
|
374
|
-
#
|
375
|
-
# * Attached to the same version as the staging label `AWSCURRENT`
|
362
|
+
# Turns off automatic rotation, and if a rotation is currently in
|
363
|
+
# progress, cancels the rotation.
|
376
364
|
#
|
377
|
-
#
|
378
|
-
# the version with `AWSCURRENT` then the attempt to rotate fails.
|
365
|
+
# To turn on automatic rotation again, call RotateSecret.
|
379
366
|
#
|
380
|
-
#
|
367
|
+
# <note markdown="1"> If you cancel a rotation in progress, it can leave the `VersionStage`
|
368
|
+
# labels in an unexpected state. Depending on the step of the rotation
|
369
|
+
# in progress, you might need to remove the staging label `AWSPENDING`
|
370
|
+
# from the partially created version, specified by the `VersionId`
|
371
|
+
# response value. We recommend you also evaluate the partially rotated
|
372
|
+
# new version to see if it should be deleted. You can delete a version
|
373
|
+
# by removing all staging labels from it.
|
381
374
|
#
|
382
|
-
#
|
383
|
-
#
|
384
|
-
# * secretsmanager:CancelRotateSecret
|
385
|
-
#
|
386
|
-
# ^
|
387
|
-
#
|
388
|
-
# **Related operations**
|
375
|
+
# </note>
|
389
376
|
#
|
390
|
-
#
|
391
|
-
#
|
377
|
+
# <b>Required permissions: </b> `secretsmanager:CancelRotateSecret`. For
|
378
|
+
# more information, see [ IAM policy actions for Secrets Manager][1] and
|
379
|
+
# [Authentication and access control in Secrets Manager][2].
|
392
380
|
#
|
393
|
-
# * To get the rotation configuration details for a secret, use
|
394
|
-
# DescribeSecret.
|
395
381
|
#
|
396
|
-
# * To list all of the currently available secrets, use ListSecrets.
|
397
382
|
#
|
398
|
-
#
|
399
|
-
#
|
383
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
384
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
400
385
|
#
|
401
386
|
# @option params [required, String] :secret_id
|
402
|
-
#
|
403
|
-
# either the Amazon Resource Name (ARN) or the friendly name of the
|
404
|
-
# secret.
|
387
|
+
# The ARN or name of the secret.
|
405
388
|
#
|
406
389
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
407
390
|
# partial ARN.
|
@@ -450,119 +433,70 @@ module Aws::SecretsManager
|
|
450
433
|
req.send_request(options)
|
451
434
|
end
|
452
435
|
|
453
|
-
# Creates a new secret. A secret
|
454
|
-
#
|
455
|
-
# the
|
456
|
-
#
|
457
|
-
# Secrets Manager
|
458
|
-
#
|
459
|
-
#
|
460
|
-
#
|
461
|
-
#
|
462
|
-
#
|
463
|
-
#
|
464
|
-
#
|
465
|
-
#
|
466
|
-
# You provide the secret data to be encrypted by putting text in either
|
467
|
-
# the `SecretString` parameter or binary data in the `SecretBinary`
|
436
|
+
# Creates a new secret. A *secret* is a set of credentials, such as a
|
437
|
+
# user name and password, that you store in an encrypted form in Secrets
|
438
|
+
# Manager. The secret also includes the connection information to access
|
439
|
+
# a database or other service, which Secrets Manager doesn't encrypt. A
|
440
|
+
# secret in Secrets Manager consists of both the protected secret data
|
441
|
+
# and the important information needed to manage the secret.
|
442
|
+
#
|
443
|
+
# For information about creating a secret in the console, see [Create a
|
444
|
+
# secret][1].
|
445
|
+
#
|
446
|
+
# To create a secret, you can provide the secret value to be encrypted
|
447
|
+
# in either the `SecretString` parameter or the `SecretBinary`
|
468
448
|
# parameter, but not both. If you include `SecretString` or
|
469
|
-
# `SecretBinary` then Secrets Manager
|
470
|
-
#
|
471
|
-
# the new version.
|
472
|
-
#
|
473
|
-
# <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
|
474
|
-
# `SecretBinary` for a secret in the same account as the calling user
|
475
|
-
# and that secret doesn't specify a Amazon Web Services KMS
|
476
|
-
# encryption key, Secrets Manager uses the account's default Amazon
|
477
|
-
# Web Services managed customer master key (CMK) with the alias
|
478
|
-
# `aws/secretsmanager`. If this key doesn't already exist in your
|
479
|
-
# account then Secrets Manager creates it for you automatically. All
|
480
|
-
# users and roles in the same Amazon Web Services account
|
481
|
-
# automatically have access to use the default CMK. Note that if an
|
482
|
-
# Secrets Manager API call results in Amazon Web Services creating the
|
483
|
-
# account's Amazon Web Services-managed CMK, it can result in a
|
484
|
-
# one-time significant delay in returning the result.
|
485
|
-
#
|
486
|
-
# * If the secret resides in a different Amazon Web Services account
|
487
|
-
# from the credentials calling an API that requires encryption or
|
488
|
-
# decryption of the secret value then you must create and use a custom
|
489
|
-
# Amazon Web Services KMS CMK because you can't access the default
|
490
|
-
# CMK for the account using credentials from a different Amazon Web
|
491
|
-
# Services account. Store the ARN of the CMK in the secret when you
|
492
|
-
# create the secret or when you update it by including it in the
|
493
|
-
# `KMSKeyId`. If you call an API that must encrypt or decrypt
|
494
|
-
# `SecretString` or `SecretBinary` using credentials from a different
|
495
|
-
# account then the Amazon Web Services KMS key policy must grant
|
496
|
-
# cross-account access to that other account's user or role for both
|
497
|
-
# the kms:GenerateDataKey and kms:Decrypt operations.
|
449
|
+
# `SecretBinary` then Secrets Manager creates an initial secret version
|
450
|
+
# and automatically attaches the staging label `AWSCURRENT` to it.
|
498
451
|
#
|
499
|
-
#
|
500
|
-
#
|
501
|
-
#
|
502
|
-
#
|
503
|
-
#
|
452
|
+
# If you don't specify an KMS encryption key, Secrets Manager uses the
|
453
|
+
# Amazon Web Services managed key `aws/secretsmanager`. If this key
|
454
|
+
# doesn't already exist in your account, then Secrets Manager creates
|
455
|
+
# it for you automatically. All users and roles in the Amazon Web
|
456
|
+
# Services account automatically have access to use
|
457
|
+
# `aws/secretsmanager`. Creating `aws/secretsmanager` can result in a
|
458
|
+
# one-time significant delay in returning the result.
|
504
459
|
#
|
505
|
-
#
|
460
|
+
# If the secret is in a different Amazon Web Services account from the
|
461
|
+
# credentials calling the API, then you can't use `aws/secretsmanager`
|
462
|
+
# to encrypt the secret, and you must create and use a customer managed
|
463
|
+
# KMS key.
|
506
464
|
#
|
507
|
-
#
|
465
|
+
# <b>Required permissions: </b> `secretsmanager:CreateSecret`. For more
|
466
|
+
# information, see [ IAM policy actions for Secrets Manager][2] and
|
467
|
+
# [Authentication and access control in Secrets Manager][3].
|
508
468
|
#
|
509
|
-
# * kms:GenerateDataKey - needed only if you use a customer-managed
|
510
|
-
# Amazon Web Services KMS key to encrypt the secret. You do not need
|
511
|
-
# this permission to use the account default Amazon Web Services
|
512
|
-
# managed CMK for Secrets Manager.
|
513
|
-
#
|
514
|
-
# * kms:Decrypt - needed only if you use a customer-managed Amazon Web
|
515
|
-
# Services KMS key to encrypt the secret. You do not need this
|
516
|
-
# permission to use the account default Amazon Web Services managed
|
517
|
-
# CMK for Secrets Manager.
|
518
|
-
#
|
519
|
-
# * secretsmanager:TagResource - needed only if you include the `Tags`
|
520
|
-
# parameter.
|
521
469
|
#
|
522
|
-
# **Related operations**
|
523
470
|
#
|
524
|
-
#
|
525
|
-
#
|
526
|
-
#
|
527
|
-
#
|
528
|
-
# * To create a new version of a secret, use PutSecretValue.
|
529
|
-
#
|
530
|
-
# * To retrieve the encrypted secure string and secure binary values,
|
531
|
-
# use GetSecretValue.
|
532
|
-
#
|
533
|
-
# * To retrieve all other details for a secret, use DescribeSecret. This
|
534
|
-
# does not include the encrypted secure string and secure binary
|
535
|
-
# values.
|
536
|
-
#
|
537
|
-
# * To retrieve the list of secret versions associated with the current
|
538
|
-
# secret, use DescribeSecret and examine the `SecretVersionsToStages`
|
539
|
-
# response value.
|
471
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html
|
472
|
+
# [2]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
473
|
+
# [3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
540
474
|
#
|
541
475
|
# @option params [required, String] :name
|
542
|
-
#
|
476
|
+
# The name of the new secret.
|
543
477
|
#
|
544
|
-
# The secret name
|
545
|
-
# characters
|
478
|
+
# The secret name can contain ASCII letters, numbers, and the following
|
479
|
+
# characters: /\_+=.@-
|
546
480
|
#
|
547
|
-
#
|
481
|
+
# Do not end your secret name with a hyphen followed by six characters.
|
548
482
|
# If you do so, you risk confusion and unexpected results when searching
|
549
483
|
# for a secret by partial ARN. Secrets Manager automatically adds a
|
550
|
-
# hyphen and six random characters at the end of
|
551
|
-
#
|
552
|
-
# </note>
|
484
|
+
# hyphen and six random characters after the secret name at the end of
|
485
|
+
# the ARN.
|
553
486
|
#
|
554
487
|
# @option params [String] :client_request_token
|
555
|
-
#
|
556
|
-
# initial version
|
557
|
-
# specifies
|
488
|
+
# If you include `SecretString` or `SecretBinary`, then Secrets Manager
|
489
|
+
# creates an initial version for the secret, and this parameter
|
490
|
+
# specifies the unique identifier for the new version.
|
558
491
|
#
|
559
492
|
# <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
|
560
|
-
# Services
|
561
|
-
# empty. The CLI or SDK generates a random UUID for you and
|
562
|
-
# as the value for this parameter in the request. If you
|
563
|
-
# SDK and instead generate a raw HTTP request to the
|
564
|
-
# service endpoint, then you must generate a
|
565
|
-
# yourself for the new version and include the
|
493
|
+
# Services SDKs to call this operation, then you can leave this
|
494
|
+
# parameter empty. The CLI or SDK generates a random UUID for you and
|
495
|
+
# includes it as the value for this parameter in the request. If you
|
496
|
+
# don't use the SDK and instead generate a raw HTTP request to the
|
497
|
+
# Secrets Manager service endpoint, then you must generate a
|
498
|
+
# `ClientRequestToken` yourself for the new version and include the
|
499
|
+
# value in the request.
|
566
500
|
#
|
567
501
|
# </note>
|
568
502
|
#
|
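Review bot: The rewritten CreateSecret comment names only `secretsmanager:CreateSecret` under "Required permissions", while the removed text also listed `kms:GenerateDataKey` and `kms:Decrypt` for a customer managed KMS key and `secretsmanager:TagResource` when `Tags` is included. A least-privilege IAM policy written from this comment alone would be missing those actions, and the new cross-account paragraph no longer says that the KMS key policy has to grant the calling account access. Whether the two linked pages still carry these details cannot be seen from this page. I would keep one line after the permissions sentence, for example `# With a customer managed KMS key you also need kms:GenerateDataKey and kms:Decrypt; with Tags you also need secretsmanager:TagResource.` The comment block continues past the end of this hunk.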
@@ -595,99 +529,79 @@ module Aws::SecretsManager
|
|
595
529
|
# [1]: https://wikipedia.org/wiki/Universally_unique_identifier
|
596
530
|
#
|
597
531
|
# @option params [String] :description
|
598
|
-
#
|
532
|
+
# The description of the secret.
|
599
533
|
#
|
600
534
|
# @option params [String] :kms_key_id
|
601
|
-
#
|
602
|
-
#
|
603
|
-
# `SecretString` or `SecretBinary` values in the versions stored in this
|
604
|
-
# secret.
|
535
|
+
# The ARN, key ID, or alias of the KMS key that Secrets Manager uses to
|
536
|
+
# encrypt the secret value in the secret.
|
605
537
|
#
|
606
|
-
#
|
607
|
-
#
|
608
|
-
# account, you can use only the key ARN or the alias ARN.
|
538
|
+
# To use a KMS key in a different account, use the key ARN or the alias
|
539
|
+
# ARN.
|
609
540
|
#
|
610
|
-
# If you don't specify this value, then Secrets Manager
|
611
|
-
#
|
612
|
-
#
|
613
|
-
#
|
614
|
-
# automatically the first time it needs to encrypt a version's
|
615
|
-
# `SecretString` or `SecretBinary` fields.
|
541
|
+
# If you don't specify this value, then Secrets Manager uses the key
|
542
|
+
# `aws/secretsmanager`. If that key doesn't yet exist, then Secrets
|
543
|
+
# Manager creates it for you automatically the first time it encrypts
|
544
|
+
# the secret value.
|
616
545
|
#
|
617
|
-
#
|
618
|
-
#
|
619
|
-
# the secret
|
620
|
-
#
|
546
|
+
# If the secret is in a different Amazon Web Services account from the
|
547
|
+
# credentials calling the API, then you can't use `aws/secretsmanager`
|
548
|
+
# to encrypt the secret, and you must create and use a customer managed
|
549
|
+
# KMS key.
|
621
550
|
#
|
622
551
|
# @option params [String, StringIO, File] :secret_binary
|
623
|
-
#
|
624
|
-
#
|
625
|
-
#
|
626
|
-
# file and then use the appropriate technique for your tool to pass the
|
627
|
-
# contents of the file as a parameter.
|
552
|
+
# The binary data to encrypt and store in the new version of the secret.
|
553
|
+
# We recommend that you store your binary data in a file and then pass
|
554
|
+
# the contents of the file as a parameter.
|
628
555
|
#
|
629
556
|
# Either `SecretString` or `SecretBinary` must have a value, but not
|
630
|
-
# both.
|
557
|
+
# both.
|
631
558
|
#
|
632
|
-
# This parameter is not available
|
633
|
-
# can be accessed only by using the Amazon Web Services CLI or one of
|
634
|
-
# the Amazon Web Services SDKs.
|
559
|
+
# This parameter is not available in the Secrets Manager console.
|
635
560
|
#
|
636
561
|
# @option params [String] :secret_string
|
637
|
-
#
|
638
|
-
#
|
562
|
+
# The text data to encrypt and store in this new version of the secret.
|
563
|
+
# We recommend you use a JSON structure of key/value pairs for your
|
564
|
+
# secret value.
|
639
565
|
#
|
640
566
|
# Either `SecretString` or `SecretBinary` must have a value, but not
|
641
|
-
# both.
|
567
|
+
# both.
|
642
568
|
#
|
643
569
|
# If you create a secret by using the Secrets Manager console then
|
644
570
|
# Secrets Manager puts the protected secret text in only the
|
645
571
|
# `SecretString` parameter. The Secrets Manager console stores the
|
646
|
-
# information as a JSON structure of key/value pairs that
|
647
|
-
# rotation function
|
648
|
-
#
|
649
|
-
# For storing multiple values, we recommend that you use a JSON text
|
650
|
-
# string argument and specify key/value pairs. For more information, see
|
651
|
-
# [Specifying parameter values for the Amazon Web Services CLI][1] in
|
652
|
-
# the Amazon Web Services CLI User Guide.
|
653
|
-
#
|
654
|
-
#
|
655
|
-
#
|
656
|
-
# [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters.html
|
572
|
+
# information as a JSON structure of key/value pairs that a Lambda
|
573
|
+
# rotation function can parse.
|
657
574
|
#
|
658
575
|
# @option params [Array<Types::Tag>] :tags
|
659
|
-
#
|
660
|
-
#
|
661
|
-
# operation only appends tags to the existing list of tags. To remove
|
662
|
-
# tags, you must use UntagResource.
|
663
|
-
#
|
664
|
-
# * Secrets Manager tag key names are case sensitive. A tag with the key
|
665
|
-
# "ABC" is a different tag from one with key "abc".
|
576
|
+
# A list of tags to attach to the secret. Each tag is a key and value
|
577
|
+
# pair of strings in a JSON text string, for example:
|
666
578
|
#
|
667
|
-
#
|
668
|
-
# security strategy, then adding or removing a tag can change
|
669
|
-
# permissions. If the successful completion of this operation would
|
670
|
-
# result in you losing your permissions for this secret, then this
|
671
|
-
# operation is blocked and returns an `Access Denied` error.
|
579
|
+
# `[\{"Key":"CostCenter","Value":"12345"\},\{"Key":"environment","Value":"production"\}]`
|
672
580
|
#
|
673
|
-
#
|
674
|
-
#
|
675
|
-
# environments, see [Using JSON for Parameters][1] in the *CLI User
|
676
|
-
# Guide*. For example:
|
581
|
+
# Secrets Manager tag key names are case sensitive. A tag with the key
|
582
|
+
# "ABC" is a different tag from one with key "abc".
|
677
583
|
#
|
678
|
-
#
|
584
|
+
# If you check tags in permissions policies as part of your security
|
585
|
+
# strategy, then adding or removing a tag can change permissions. If the
|
586
|
+
# completion of this operation would result in you losing your
|
587
|
+
# permissions for this secret, then Secrets Manager blocks the operation
|
588
|
+
# and returns an `Access Denied` error. For more information, see
|
589
|
+
# [Control access to secrets using tags][1] and [Limit access to
|
590
|
+
# identities with tags that match secrets' tags][2].
|
679
591
|
#
|
680
|
-
#
|
592
|
+
# For information about how to format a JSON parameter for the various
|
593
|
+
# command line tool environments, see [Using JSON for Parameters][3]. If
|
594
|
+
# your command-line tool or SDK requires quotation marks around the
|
681
595
|
# parameter, you should use single quotes to avoid confusion with the
|
682
596
|
# double quotes required in the JSON text.
|
683
597
|
#
|
684
|
-
# The following
|
598
|
+
# The following restrictions apply to tags:
|
685
599
|
#
|
686
|
-
# * Maximum number of tags per secret
|
600
|
+
# * Maximum number of tags per secret: 50
|
687
601
|
#
|
688
|
-
# * Maximum key length
|
602
|
+
# * Maximum key length: 127 Unicode characters in UTF-8
|
689
603
|
#
|
690
|
-
# * Maximum value length
|
604
|
+
# * Maximum value length: 255 Unicode characters in UTF-8
|
691
605
|
#
|
692
606
|
# * Tag keys and values are case sensitive.
|
693
607
|
#
|
@@ -697,23 +611,23 @@ module Aws::SecretsManager
|
|
697
611
|
# with this prefix do not count against your tags per secret limit.
|
698
612
|
#
|
699
613
|
# * If you use your tagging schema across multiple services and
|
700
|
-
# resources,
|
701
|
-
#
|
702
|
-
#
|
614
|
+
# resources, other services might have restrictions on allowed
|
615
|
+
# characters. Generally allowed characters: letters, spaces, and
|
616
|
+
# numbers representable in UTF-8, plus the following special
|
703
617
|
# characters: + - = . \_ : / @.
|
704
618
|
#
|
705
619
|
#
|
706
620
|
#
|
707
|
-
# [1]: https://docs.aws.amazon.com/
|
621
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac
|
622
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2
|
623
|
+
# [3]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
|
708
624
|
#
|
709
625
|
# @option params [Array<Types::ReplicaRegionType>] :add_replica_regions
|
710
|
-
#
|
711
|
-
# replicates the KMSKeyID objects to the list of regions specified in
|
712
|
-
# the parameter.
|
626
|
+
# A list of Regions and KMS keys to replicate secrets.
|
713
627
|
#
|
714
628
|
# @option params [Boolean] :force_overwrite_replica_secret
|
715
|
-
#
|
716
|
-
#
|
629
|
+
# Specifies whether to overwrite a secret with the same name in the
|
630
|
+
# destination Region.
|
717
631
|
#
|
718
632
|
# @return [Types::CreateSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
719
633
|
#
|
@@ -788,28 +702,20 @@ module Aws::SecretsManager
|
|
788
702
|
end
|
789
703
|
|
790
704
|
# Deletes the resource-based permission policy attached to the secret.
|
705
|
+
# To attach a policy to a secret, use PutResourcePolicy.
|
791
706
|
#
|
792
|
-
#
|
793
|
-
#
|
794
|
-
#
|
795
|
-
#
|
796
|
-
# * secretsmanager:DeleteResourcePolicy
|
707
|
+
# <b>Required permissions: </b> `secretsmanager:DeleteResourcePolicy`.
|
708
|
+
# For more information, see [ IAM policy actions for Secrets Manager][1]
|
709
|
+
# and [Authentication and access control in Secrets Manager][2].
|
797
710
|
#
|
798
|
-
# ^
|
799
711
|
#
|
800
|
-
# **Related operations**
|
801
712
|
#
|
802
|
-
#
|
803
|
-
#
|
804
|
-
# * To retrieve the current resource-based policy attached to a secret,
|
805
|
-
# use GetResourcePolicy.
|
806
|
-
#
|
807
|
-
# * To list all of the currently available secrets, use ListSecrets.
|
713
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
714
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
808
715
|
#
|
809
716
|
# @option params [required, String] :secret_id
|
810
|
-
#
|
811
|
-
#
|
812
|
-
# Name (ARN) or the friendly name of the secret.
|
717
|
+
# The ARN or name of the secret to delete the attached resource-based
|
718
|
+
# policy for.
|
813
719
|
#
|
814
720
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
815
721
|
# partial ARN.
|
@@ -854,86 +760,68 @@ module Aws::SecretsManager
|
|
854
760
|
req.send_request(options)
|
855
761
|
end
|
856
762
|
|
857
|
-
# Deletes
|
858
|
-
#
|
859
|
-
#
|
860
|
-
#
|
861
|
-
#
|
862
|
-
#
|
763
|
+
# Deletes a secret and all of its versions. You can specify a recovery
|
764
|
+
# window during which you can restore the secret. The minimum recovery
|
765
|
+
# window is 7 days. The default recovery window is 30 days. Secrets
|
766
|
+
# Manager attaches a `DeletionDate` stamp to the secret that specifies
|
767
|
+
# the end of the recovery window. At the end of the recovery window,
|
768
|
+
# Secrets Manager deletes the secret permanently.
|
863
769
|
#
|
864
|
-
#
|
865
|
-
#
|
866
|
-
#
|
867
|
-
# You cannot access the encrypted secret information in any secret
|
868
|
-
# scheduled for deletion. If you need to access that information, you
|
869
|
-
# must cancel the deletion with RestoreSecret and then retrieve the
|
870
|
-
# information.
|
871
|
-
#
|
872
|
-
# <note markdown="1"> * There is no explicit operation to delete a version of a secret.
|
873
|
-
# Instead, remove all staging labels from the `VersionStage` field of
|
874
|
-
# a version. That marks the version as deprecated and allows Secrets
|
875
|
-
# Manager to delete it as needed. Versions without any staging labels
|
876
|
-
# do not show up in ListSecretVersionIds unless you specify
|
877
|
-
# `IncludeDeprecated`.
|
878
|
-
#
|
879
|
-
# * The permanent secret deletion at the end of the waiting period is
|
880
|
-
# performed as a background task with low priority. There is no
|
881
|
-
# guarantee of a specific time after the recovery window for the
|
882
|
-
# actual delete operation to occur.
|
883
|
-
#
|
884
|
-
# </note>
|
770
|
+
# For information about deleting a secret in the console, see
|
771
|
+
# [https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage\_delete-secret.html][1].
|
885
772
|
#
|
886
|
-
#
|
773
|
+
# Secrets Manager performs the permanent secret deletion at the end of
|
774
|
+
# the waiting period as a background task with low priority. There is no
|
775
|
+
# guarantee of a specific time after the recovery window for the
|
776
|
+
# permanent delete to occur.
|
887
777
|
#
|
888
|
-
#
|
778
|
+
# At any time before recovery window ends, you can use RestoreSecret to
|
779
|
+
# remove the `DeletionDate` and cancel the deletion of the secret.
|
889
780
|
#
|
890
|
-
#
|
781
|
+
# In a secret scheduled for deletion, you cannot access the encrypted
|
782
|
+
# secret value. To access that information, first cancel the deletion
|
783
|
+
# with RestoreSecret and then retrieve the information.
|
891
784
|
#
|
892
|
-
#
|
785
|
+
# <b>Required permissions: </b> `secretsmanager:DeleteSecret`. For more
|
786
|
+
# information, see [ IAM policy actions for Secrets Manager][2] and
|
787
|
+
# [Authentication and access control in Secrets Manager][3].
|
893
788
|
#
|
894
|
-
# **Related operations**
|
895
789
|
#
|
896
|
-
# * To create a secret, use CreateSecret.
|
897
790
|
#
|
898
|
-
#
|
899
|
-
#
|
791
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-secret.html
|
792
|
+
# [2]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
793
|
+
# [3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
900
794
|
#
|
901
795
|
# @option params [required, String] :secret_id
|
902
|
-
#
|
903
|
-
# Resource Name (ARN) or the friendly name of the secret.
|
796
|
+
# The ARN or name of the secret to delete.
|
904
797
|
#
|
905
798
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
906
799
|
# partial ARN.
|
907
800
|
#
|
908
801
|
# @option params [Integer] :recovery_window_in_days
|
909
|
-
#
|
910
|
-
#
|
911
|
-
#
|
912
|
-
#
|
913
|
-
#
|
914
|
-
# This value can range from 7 to 30 days with a default value of 30.
|
802
|
+
# The number of days from 7 to 30 that Secrets Manager waits before
|
803
|
+
# permanently deleting the secret. You can't use both this parameter
|
804
|
+
# and `ForceDeleteWithoutRecovery` in the same call. If you don't use
|
805
|
+
# either, then Secrets Manager defaults to a 30 day recovery window.
|
915
806
|
#
|
916
807
|
# @option params [Boolean] :force_delete_without_recovery
|
917
|
-
#
|
918
|
-
#
|
919
|
-
#
|
808
|
+
# Specifies whether to delete the secret without any recovery window.
|
809
|
+
# You can't use both this parameter and `RecoveryWindowInDays` in the
|
810
|
+
# same call. If you don't use either, then Secrets Manager defaults to
|
811
|
+
# a 30 day recovery window.
|
920
812
|
#
|
921
|
-
#
|
922
|
-
# there
|
923
|
-
#
|
924
|
-
#
|
925
|
-
#
|
813
|
+
# Secrets Manager performs the actual deletion with an asynchronous
|
814
|
+
# background process, so there might be a short delay before the secret
|
815
|
+
# is permanently deleted. If you delete a secret and then immediately
|
816
|
+
# create a secret with the same name, use appropriate back off and retry
|
817
|
+
# logic.
|
926
818
|
#
|
927
819
|
# Use this parameter with caution. This parameter causes the operation
|
928
|
-
# to skip the normal
|
929
|
-
#
|
930
|
-
#
|
931
|
-
#
|
932
|
-
#
|
933
|
-
#
|
934
|
-
# If you use this parameter and include a previously deleted or
|
935
|
-
# nonexistent secret, the operation does not return the error
|
936
|
-
# `ResourceNotFoundException` in order to correctly handle retries.
|
820
|
+
# to skip the normal recovery window before the permanent deletion that
|
821
|
+
# Secrets Manager would normally impose with the `RecoveryWindowInDays`
|
822
|
+
# parameter. If you delete a secret with the `ForceDeleteWithouRecovery`
|
823
|
+
# parameter, then you have no opportunity to recover the secret. You
|
824
|
+
# lose the secret permanently.
|
937
825
|
#
|
938
826
|
# @return [Types::DeleteSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
939
827
|
#
|
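Review bot: The added description of `:force_delete_without_recovery` misspells the parameter as `ForceDeleteWithouRecovery`, while the `:recovery_window_in_days` text in the same hunk spells it `ForceDeleteWithoutRecovery`. A search for the real name therefore misses the one paragraph that warns the deletion cannot be undone; the name on that line should be corrected to `ForceDeleteWithoutRecovery`. The rewrite also drops the removed sentence saying that a forced delete of an already deleted or nonexistent secret does not return `ResourceNotFoundException`, which matters to callers that retry or treat that error as a signal; if the behaviour is unchanged (not visible here) the sentence is worth keeping. These comments look generated from the service documentation, so the correction probably belongs upstream, and the comment block itself continues past the end of this hunk.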
@@ -984,33 +872,20 @@ module Aws::SecretsManager
|
|
984
872
|
end
|
985
873
|
|
986
874
|
# Retrieves the details of a secret. It does not include the encrypted
|
987
|
-
#
|
875
|
+
# secret value. Secrets Manager only returns fields that have a value in
|
988
876
|
# the response.
|
989
877
|
#
|
990
|
-
#
|
991
|
-
#
|
992
|
-
#
|
993
|
-
#
|
994
|
-
# * secretsmanager:DescribeSecret
|
995
|
-
#
|
996
|
-
# ^
|
878
|
+
# <b>Required permissions: </b> `secretsmanager:DescribeSecret`. For
|
879
|
+
# more information, see [ IAM policy actions for Secrets Manager][1] and
|
880
|
+
# [Authentication and access control in Secrets Manager][2].
|
997
881
|
#
|
998
|
-
# **Related operations**
|
999
882
|
#
|
1000
|
-
# * To create a secret, use CreateSecret.
|
1001
883
|
#
|
1002
|
-
#
|
1003
|
-
#
|
1004
|
-
# * To retrieve the encrypted secret information in a version of the
|
1005
|
-
# secret, use GetSecretValue.
|
1006
|
-
#
|
1007
|
-
# * To list all of the secrets in the Amazon Web Services account, use
|
1008
|
-
# ListSecrets.
|
884
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
885
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
1009
886
|
#
|
1010
887
|
# @option params [required, String] :secret_id
|
1011
|
-
# The
|
1012
|
-
# can specify either the Amazon Resource Name (ARN) or the friendly name
|
1013
|
-
# of the secret.
|
888
|
+
# The ARN or name of the secret.
|
1014
889
|
#
|
1015
890
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1016
891
|
# partial ARN.
|
@@ -1093,6 +968,8 @@ module Aws::SecretsManager
|
|
1093
968
|
# resp.rotation_enabled #=> Boolean
|
1094
969
|
# resp.rotation_lambda_arn #=> String
|
1095
970
|
# resp.rotation_rules.automatically_after_days #=> Integer
|
971
|
+
# resp.rotation_rules.duration #=> String
|
972
|
+
# resp.rotation_rules.schedule_expression #=> String
|
1096
973
|
# resp.last_rotated_date #=> Time
|
1097
974
|
# resp.last_changed_date #=> Time
|
1098
975
|
# resp.last_accessed_date #=> Time
|
@@ -1122,66 +999,54 @@ module Aws::SecretsManager
|
|
1122
999
|
req.send_request(options)
|
1123
1000
|
end
|
1124
1001
|
|
1125
|
-
# Generates a random password
|
1126
|
-
#
|
1127
|
-
#
|
1128
|
-
# include every character type that the system you are generating a
|
1129
|
-
# password for can support.
|
1002
|
+
# Generates a random password. We recommend that you specify the maximum
|
1003
|
+
# length and include every character type that the system you are
|
1004
|
+
# generating a password for can support.
|
1130
1005
|
#
|
1131
|
-
#
|
1006
|
+
# <b>Required permissions: </b> `secretsmanager:GetRandomPassword`. For
|
1007
|
+
# more information, see [ IAM policy actions for Secrets Manager][1] and
|
1008
|
+
# [Authentication and access control in Secrets Manager][2].
|
1132
1009
|
#
|
1133
|
-
# To run this command, you must have the following permissions:
|
1134
1010
|
#
|
1135
|
-
# * secretsmanager:GetRandomPassword
|
1136
1011
|
#
|
1137
|
-
#
|
1012
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
1013
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
1138
1014
|
#
|
1139
1015
|
# @option params [Integer] :password_length
|
1140
|
-
# The
|
1141
|
-
#
|
1016
|
+
# The length of the password. If you don't include this parameter, the
|
1017
|
+
# default length is 32 characters.
|
1142
1018
|
#
|
1143
1019
|
# @option params [String] :exclude_characters
|
1144
|
-
# A string
|
1145
|
-
# generated password. The default is that all characters from the
|
1146
|
-
# included sets can be used.
|
1020
|
+
# A string of the characters that you don't want in the password.
|
1147
1021
|
#
|
1148
1022
|
# @option params [Boolean] :exclude_numbers
|
1149
|
-
# Specifies
|
1150
|
-
#
|
1151
|
-
# be included.
|
1023
|
+
# Specifies whether to exclude numbers from the password. If you don't
|
1024
|
+
# include this switch, the password can contain numbers.
|
1152
1025
|
#
|
1153
1026
|
# @option params [Boolean] :exclude_punctuation
|
1154
|
-
# Specifies
|
1155
|
-
#
|
1156
|
-
#
|
1157
|
-
#
|
1158
|
-
# The following are the punctuation characters that *can* be included in
|
1159
|
-
# the generated password if you don't explicitly exclude them with
|
1160
|
-
# `ExcludeCharacters` or `ExcludePunctuation`\:
|
1161
|
-
#
|
1162
|
-
# `` ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` \{ | \} ~
|
1163
|
-
# ``
|
1027
|
+
# Specifies whether to exclude the following punctuation characters from
|
1028
|
+
# the password: `` ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _
|
1029
|
+
# ` \{ | \} ~ ``. If you don't include this switch, the password can
|
1030
|
+
# contain punctuation.
|
1164
1031
|
#
|
1165
1032
|
# @option params [Boolean] :exclude_uppercase
|
1166
|
-
# Specifies
|
1167
|
-
#
|
1168
|
-
#
|
1033
|
+
# Specifies whether to exclude uppercase letters from the password. If
|
1034
|
+
# you don't include this switch, the password can contain uppercase
|
1035
|
+
# letters.
|
1169
1036
|
#
|
1170
1037
|
# @option params [Boolean] :exclude_lowercase
|
1171
|
-
# Specifies
|
1172
|
-
#
|
1173
|
-
#
|
1038
|
+
# Specifies whether to exclude lowercase letters from the password. If
|
1039
|
+
# you don't include this switch, the password can contain lowercase
|
1040
|
+
# letters.
|
1174
1041
|
#
|
1175
1042
|
# @option params [Boolean] :include_space
|
1176
|
-
# Specifies
|
1177
|
-
#
|
1178
|
-
# space character is not included.
|
1043
|
+
# Specifies whether to include the space character. If you include this
|
1044
|
+
# switch, the password can contain space characters.
|
1179
1045
|
#
|
1180
1046
|
# @option params [Boolean] :require_each_included_type
|
1181
|
-
#
|
1182
|
-
#
|
1183
|
-
#
|
1184
|
-
# character type.
|
1047
|
+
# Specifies whether to include at least one upper and lowercase letter,
|
1048
|
+
# one number, and one punctuation. If you don't include this switch,
|
1049
|
+
# the password contains at least one of every character type.
|
1185
1050
|
#
|
1186
1051
|
# @return [Types::GetRandomPasswordResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1187
1052
|
#
|
@@ -1231,31 +1096,23 @@ module Aws::SecretsManager
|
|
1231
1096
|
end
|
1232
1097
|
|
1233
1098
|
# Retrieves the JSON text of the resource-based policy document attached
|
1234
|
-
# to the
|
1235
|
-
#
|
1236
|
-
#
|
1237
|
-
#
|
1238
|
-
# **Minimum permissions**
|
1239
|
-
#
|
1240
|
-
# To run this command, you must have the following permissions:
|
1099
|
+
# to the secret. For more information about permissions policies
|
1100
|
+
# attached to a secret, see [Permissions policies attached to a
|
1101
|
+
# secret][1].
|
1241
1102
|
#
|
1242
|
-
#
|
1103
|
+
# <b>Required permissions: </b> `secretsmanager:GetResourcePolicy`. For
|
1104
|
+
# more information, see [ IAM policy actions for Secrets Manager][2] and
|
1105
|
+
# [Authentication and access control in Secrets Manager][3].
|
1243
1106
|
#
|
1244
|
-
# ^
|
1245
1107
|
#
|
1246
|
-
# **Related operations**
|
1247
1108
|
#
|
1248
|
-
#
|
1249
|
-
#
|
1250
|
-
#
|
1251
|
-
# DeleteResourcePolicy.
|
1252
|
-
#
|
1253
|
-
# * To list all of the currently available secrets, use ListSecrets.
|
1109
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html
|
1110
|
+
# [2]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
1111
|
+
# [3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
1254
1112
|
#
|
1255
1113
|
# @option params [required, String] :secret_id
|
1256
|
-
#
|
1257
|
-
#
|
1258
|
-
# Name (ARN) or the friendly name of the secret.
|
1114
|
+
# The ARN or name of the secret to retrieve the attached resource-based
|
1115
|
+
# policy for.
|
1259
1116
|
#
|
1260
1117
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1261
1118
|
# partial ARN.
|
@@ -1307,40 +1164,35 @@ module Aws::SecretsManager
|
|
1307
1164
|
# `SecretBinary` from the specified version of a secret, whichever
|
1308
1165
|
# contains content.
|
1309
1166
|
#
|
1310
|
-
#
|
1311
|
-
#
|
1312
|
-
#
|
1313
|
-
#
|
1314
|
-
# * secretsmanager:GetSecretValue
|
1167
|
+
# We recommend that you cache your secret values by using client-side
|
1168
|
+
# caching. Caching secrets improves speed and reduces your costs. For
|
1169
|
+
# more information, see [Cache secrets for your applications][1].
|
1315
1170
|
#
|
1316
|
-
#
|
1317
|
-
#
|
1318
|
-
#
|
1319
|
-
#
|
1171
|
+
# <b>Required permissions: </b> `secretsmanager:GetSecretValue`. If the
|
1172
|
+
# secret is encrypted using a customer-managed key instead of the Amazon
|
1173
|
+
# Web Services managed key `aws/secretsmanager`, then you also need
|
1174
|
+
# `kms:Decrypt` permissions for that key. For more information, see [
|
1175
|
+
# IAM policy actions for Secrets Manager][2] and [Authentication and
|
1176
|
+
# access control in Secrets Manager][3].
|
1320
1177
|
#
|
1321
|
-
# **Related operations**
|
1322
1178
|
#
|
1323
|
-
# * To create a new version of the secret with different encrypted
|
1324
|
-
# information, use PutSecretValue.
|
1325
1179
|
#
|
1326
|
-
#
|
1327
|
-
#
|
1180
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html
|
1181
|
+
# [2]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
1182
|
+
# [3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
1328
1183
|
#
|
1329
1184
|
# @option params [required, String] :secret_id
|
1330
|
-
#
|
1331
|
-
# You can specify either the Amazon Resource Name (ARN) or the friendly
|
1332
|
-
# name of the secret.
|
1185
|
+
# The ARN or name of the secret to retrieve.
|
1333
1186
|
#
|
1334
1187
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1335
1188
|
# partial ARN.
|
1336
1189
|
#
|
1337
1190
|
# @option params [String] :version_id
|
1338
|
-
#
|
1339
|
-
#
|
1340
|
-
#
|
1341
|
-
#
|
1342
|
-
#
|
1343
|
-
# `VersionStage` value of `AWSCURRENT`.
|
1191
|
+
# The unique identifier of the version of the secret to retrieve. If you
|
1192
|
+
# include both this parameter and `VersionStage`, the two parameters
|
1193
|
+
# must refer to the same secret version. If you don't specify either a
|
1194
|
+
# `VersionStage` or `VersionId`, then Secrets Manager returns the
|
1195
|
+
# `AWSCURRENT` version.
|
1344
1196
|
#
|
1345
1197
|
# This value is typically a [UUID-type][1] value with 32 hexadecimal
|
1346
1198
|
# digits.
|
@@ -1350,15 +1202,13 @@ module Aws::SecretsManager
|
|
1350
1202
|
# [1]: https://wikipedia.org/wiki/Universally_unique_identifier
|
1351
1203
|
#
|
1352
1204
|
# @option params [String] :version_stage
|
1353
|
-
#
|
1354
|
-
# label attached to the version.
|
1205
|
+
# The staging label of the version of the secret to retrieve.
|
1355
1206
|
#
|
1356
|
-
#
|
1357
|
-
# rotation process. If you
|
1358
|
-
# the two parameters must refer to the same
|
1359
|
-
# don't specify either a `VersionStage` or
|
1360
|
-
#
|
1361
|
-
# `VersionStage` value of `AWSCURRENT`.
|
1207
|
+
# Secrets Manager uses staging labels to keep track of different
|
1208
|
+
# versions during the rotation process. If you include both this
|
1209
|
+
# parameter and `VersionId`, the two parameters must refer to the same
|
1210
|
+
# secret version. If you don't specify either a `VersionStage` or
|
1211
|
+
# `VersionId`, Secrets Manager returns the `AWSCURRENT` version.
|
1362
1212
|
#
|
1363
1213
|
# @return [Types::GetSecretValueResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1364
1214
|
#
|
@@ -1422,66 +1272,44 @@ module Aws::SecretsManager
|
|
1422
1272
|
req.send_request(options)
|
1423
1273
|
end
|
1424
1274
|
|
1425
|
-
# Lists
|
1426
|
-
# does not include the `SecretString` or `SecretBinary` fields. By
|
1427
|
-
# default, the list includes only versions that have at least one
|
1428
|
-
# staging label in `VersionStage` attached.
|
1429
|
-
#
|
1430
|
-
# <note markdown="1"> Always check the `NextToken` response parameter when calling any of
|
1431
|
-
# the `List*` operations. These operations can occasionally return an
|
1432
|
-
# empty or shorter than expected list of results even when there more
|
1433
|
-
# results become available. When this happens, the `NextToken` response
|
1434
|
-
# parameter contains a value to pass to the next call to the same API to
|
1435
|
-
# request the next part of the list.
|
1436
|
-
#
|
1437
|
-
# </note>
|
1438
|
-
#
|
1439
|
-
# **Minimum permissions**
|
1275
|
+
# Lists the versions for a secret.
|
1440
1276
|
#
|
1441
|
-
# To
|
1277
|
+
# To list the secrets in the account, use ListSecrets.
|
1442
1278
|
#
|
1443
|
-
#
|
1279
|
+
# To get the secret value from `SecretString` or `SecretBinary`, call
|
1280
|
+
# GetSecretValue.
|
1444
1281
|
#
|
1445
|
-
#
|
1282
|
+
# <b>Required permissions: </b> `secretsmanager:ListSecretVersionIds`.
|
1283
|
+
# For more information, see [ IAM policy actions for Secrets Manager][1]
|
1284
|
+
# and [Authentication and access control in Secrets Manager][2].
|
1446
1285
|
#
|
1447
|
-
# **Related operations**
|
1448
1286
|
#
|
1449
|
-
# * To list the secrets in an account, use ListSecrets.
|
1450
1287
|
#
|
1451
|
-
#
|
1288
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
1289
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
1452
1290
|
#
|
1453
1291
|
# @option params [required, String] :secret_id
|
1454
|
-
# The
|
1455
|
-
# list. You can specify either the Amazon Resource Name (ARN) or the
|
1456
|
-
# friendly name of the secret.
|
1292
|
+
# The ARN or name of the secret whose versions you want to list.
|
1457
1293
|
#
|
1458
1294
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1459
1295
|
# partial ARN.
|
1460
1296
|
#
|
1461
1297
|
# @option params [Integer] :max_results
|
1462
|
-
#
|
1463
|
-
#
|
1464
|
-
#
|
1465
|
-
#
|
1466
|
-
#
|
1467
|
-
# request parameter in the next call to the operation to get the next
|
1468
|
-
# part of the results. Note that Secrets Manager might return fewer
|
1469
|
-
# results than the maximum even when there are more results available.
|
1470
|
-
# You should check `NextToken` after every operation to ensure that you
|
1471
|
-
# receive all of the results.
|
1298
|
+
# The number of results to include in the response.
|
1299
|
+
#
|
1300
|
+
# If there are more results available, in the response, Secrets Manager
|
1301
|
+
# includes `NextToken`. To get the next results, call
|
1302
|
+
# `ListSecretVersionIds` again with the value from `NextToken`.
|
1472
1303
|
#
|
1473
1304
|
# @option params [String] :next_token
|
1474
|
-
#
|
1475
|
-
#
|
1476
|
-
#
|
1477
|
-
# previous call `NextToken` response to indicate where the output should
|
1478
|
-
# continue from.
|
1305
|
+
# A token that indicates where the output should continue from, if a
|
1306
|
+
# previous call did not show all results. To get the next results, call
|
1307
|
+
# `ListSecretVersionIds` again with this value.
|
1479
1308
|
#
|
1480
1309
|
# @option params [Boolean] :include_deprecated
|
1481
|
-
#
|
1482
|
-
#
|
1483
|
-
#
|
1484
|
-
# Manager as needed.
|
1310
|
+
# Specifies whether to include versions of secrets that don't have any
|
1311
|
+
# staging labels attached to them. Versions without staging labels are
|
1312
|
+
# considered deprecated and are subject to deletion by Secrets Manager.
|
1485
1313
|
#
|
1486
1314
|
# @return [Types::ListSecretVersionIdsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1487
1315
|
#
|
@@ -1561,56 +1389,41 @@ module Aws::SecretsManager
|
|
1561
1389
|
req.send_request(options)
|
1562
1390
|
end
|
1563
1391
|
|
1564
|
-
# Lists
|
1565
|
-
#
|
1566
|
-
# a specific secret, use ListSecretVersionIds. The encrypted fields
|
1567
|
-
# `SecretString` and `SecretBinary` are not included in the output. To
|
1568
|
-
# get that information, call the GetSecretValue operation.
|
1569
|
-
#
|
1570
|
-
# <note markdown="1"> Always check the `NextToken` response parameter when calling any of
|
1571
|
-
# the `List*` operations. These operations can occasionally return an
|
1572
|
-
# empty or shorter than expected list of results even when there more
|
1573
|
-
# results become available. When this happens, the `NextToken` response
|
1574
|
-
# parameter contains a value to pass to the next call to the same API to
|
1575
|
-
# request the next part of the list.
|
1576
|
-
#
|
1577
|
-
# </note>
|
1392
|
+
# Lists the secrets that are stored by Secrets Manager in the Amazon Web
|
1393
|
+
# Services account.
|
1578
1394
|
#
|
1579
|
-
#
|
1395
|
+
# To list the versions of a secret, use ListSecretVersionIds.
|
1580
1396
|
#
|
1581
|
-
# To
|
1397
|
+
# To get the secret value from `SecretString` or `SecretBinary`, call
|
1398
|
+
# GetSecretValue.
|
1582
1399
|
#
|
1583
|
-
#
|
1400
|
+
# For information about finding secrets in the console, see [Enhanced
|
1401
|
+
# search capabilities for secrets in Secrets Manager][1].
|
1584
1402
|
#
|
1585
|
-
#
|
1403
|
+
# <b>Required permissions: </b> `secretsmanager:ListSecrets`. For more
|
1404
|
+
# information, see [ IAM policy actions for Secrets Manager][2] and
|
1405
|
+
# [Authentication and access control in Secrets Manager][3].
|
1586
1406
|
#
|
1587
|
-
# **Related operations**
|
1588
1407
|
#
|
1589
|
-
# * To list the versions attached to a secret, use ListSecretVersionIds.
|
1590
1408
|
#
|
1591
|
-
#
|
1409
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_search-secret.html
|
1410
|
+
# [2]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
1411
|
+
# [3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
1592
1412
|
#
|
1593
1413
|
# @option params [Integer] :max_results
|
1594
|
-
#
|
1595
|
-
#
|
1596
|
-
#
|
1597
|
-
#
|
1598
|
-
#
|
1599
|
-
# request parameter in the next call to the operation to get the next
|
1600
|
-
# part of the results. Note that Secrets Manager might return fewer
|
1601
|
-
# results than the maximum even when there are more results available.
|
1602
|
-
# You should check `NextToken` after every operation to ensure that you
|
1603
|
-
# receive all of the results.
|
1414
|
+
# The number of results to include in the response.
|
1415
|
+
#
|
1416
|
+
# If there are more results available, in the response, Secrets Manager
|
1417
|
+
# includes `NextToken`. To get the next results, call `ListSecrets`
|
1418
|
+
# again with the value from `NextToken`.
|
1604
1419
|
#
|
1605
1420
|
# @option params [String] :next_token
|
1606
|
-
#
|
1607
|
-
#
|
1608
|
-
#
|
1609
|
-
# previous call `NextToken` response to indicate where the output should
|
1610
|
-
# continue from.
|
1421
|
+
# A token that indicates where the output should continue from, if a
|
1422
|
+
# previous call did not show all results. To get the next results, call
|
1423
|
+
# `ListSecrets` again with this value.
|
1611
1424
|
#
|
1612
1425
|
# @option params [Array<Types::Filter>] :filters
|
1613
|
-
#
|
1426
|
+
# The filters to apply to the list of secrets.
|
1614
1427
|
#
|
1615
1428
|
# @option params [String] :sort_order
|
1616
1429
|
# Lists secrets in the requested order.
|
@@ -1682,6 +1495,8 @@ module Aws::SecretsManager
|
|
1682
1495
|
# resp.secret_list[0].rotation_enabled #=> Boolean
|
1683
1496
|
# resp.secret_list[0].rotation_lambda_arn #=> String
|
1684
1497
|
# resp.secret_list[0].rotation_rules.automatically_after_days #=> Integer
|
1498
|
+
# resp.secret_list[0].rotation_rules.duration #=> String
|
1499
|
+
# resp.secret_list[0].rotation_rules.schedule_expression #=> String
|
1685
1500
|
# resp.secret_list[0].last_rotated_date #=> Time
|
1686
1501
|
# resp.secret_list[0].last_changed_date #=> Time
|
1687
1502
|
# resp.secret_list[0].last_accessed_date #=> Time
|
@@ -1706,65 +1521,42 @@ module Aws::SecretsManager
|
|
1706
1521
|
req.send_request(options)
|
1707
1522
|
end
|
1708
1523
|
|
1709
|
-
# Attaches
|
1710
|
-
#
|
1711
|
-
#
|
1712
|
-
# the secret's Amazon Resource Name (ARN) in the policy statement's
|
1713
|
-
# `Resources` element. You can also use a combination of both
|
1714
|
-
# identity-based and resource-based policies. The affected users and
|
1715
|
-
# roles receive the permissions that are permitted by all of the
|
1716
|
-
# relevant policies. For more information, see [Using Resource-Based
|
1717
|
-
# Policies for Amazon Web Services Secrets Manager][1]. For the complete
|
1718
|
-
# description of the Amazon Web Services policy syntax and grammar, see
|
1719
|
-
# [IAM JSON Policy Reference][2] in the *IAM User Guide*.
|
1720
|
-
#
|
1721
|
-
# **Minimum permissions**
|
1722
|
-
#
|
1723
|
-
# To run this command, you must have the following permissions:
|
1524
|
+
# Attaches a resource-based permission policy to a secret. A
|
1525
|
+
# resource-based policy is optional. For more information, see
|
1526
|
+
# [Authentication and access control for Secrets Manager][1]
|
1724
1527
|
#
|
1725
|
-
#
|
1528
|
+
# For information about attaching a policy in the console, see [Attach a
|
1529
|
+
# permissions policy to a secret][2].
|
1726
1530
|
#
|
1727
|
-
#
|
1531
|
+
# <b>Required permissions: </b> `secretsmanager:PutResourcePolicy`. For
|
1532
|
+
# more information, see [ IAM policy actions for Secrets Manager][3] and
|
1533
|
+
# [Authentication and access control in Secrets Manager][1].
|
1728
1534
|
#
|
1729
|
-
# **Related operations**
|
1730
1535
|
#
|
1731
|
-
# * To retrieve the resource policy attached to a secret, use
|
1732
|
-
# GetResourcePolicy.
|
1733
1536
|
#
|
1734
|
-
#
|
1735
|
-
#
|
1736
|
-
#
|
1737
|
-
# * To list all of the currently available secrets, use ListSecrets.
|
1738
|
-
#
|
1739
|
-
#
|
1740
|
-
#
|
1741
|
-
# [1]: http://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html
|
1742
|
-
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
|
1537
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
1538
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html
|
1539
|
+
# [3]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
1743
1540
|
#
|
1744
1541
|
# @option params [required, String] :secret_id
|
1745
|
-
#
|
1746
|
-
# policy. You can specify either the ARN or the friendly name of the
|
1747
|
-
# secret.
|
1542
|
+
# The ARN or name of the secret to attach the resource-based policy.
|
1748
1543
|
#
|
1749
1544
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1750
1545
|
# partial ARN.
|
1751
1546
|
#
|
1752
1547
|
# @option params [required, String] :resource_policy
|
1753
|
-
# A JSON-formatted string
|
1754
|
-
#
|
1755
|
-
# the string identifies who can access or manage this secret and its
|
1756
|
-
# versions. For information on how to format a JSON parameter for the
|
1757
|
-
# various command line tool environments, see [Using JSON for
|
1758
|
-
# Parameters][1] in the *CLI User Guide*.
|
1548
|
+
# A JSON-formatted string for an Amazon Web Services resource-based
|
1549
|
+
# policy. For example policies, see [Permissions policy examples][1].
|
1759
1550
|
#
|
1760
1551
|
#
|
1761
1552
|
#
|
1762
|
-
# [1]:
|
1553
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
|
1763
1554
|
#
|
1764
1555
|
# @option params [Boolean] :block_public_policy
|
1765
|
-
#
|
1766
|
-
#
|
1767
|
-
#
|
1556
|
+
# Specifies whether to block resource-based policies that allow broad
|
1557
|
+
# access to the secret. By default, Secrets Manager blocks policies that
|
1558
|
+
# allow broad access, for example those that use a wildcard for the
|
1559
|
+
# principal.
|
1768
1560
|
#
|
1769
1561
|
# @return [Types::PutResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1770
1562
|
#
|
@@ -1809,11 +1601,9 @@ module Aws::SecretsManager
|
|
1809
1601
|
req.send_request(options)
|
1810
1602
|
end
|
1811
1603
|
|
1812
|
-
#
|
1813
|
-
#
|
1814
|
-
#
|
1815
|
-
# `SecretBinary` value. You can also specify the staging labels that are
|
1816
|
-
# initially attached to the new version.
|
1604
|
+
# Creates a new version with a new encrypted secret value and attaches
|
1605
|
+
# it to the secret. The version can contain a new `SecretString` value
|
1606
|
+
# or a new `SecretBinary` value.
|
1817
1607
|
#
|
1818
1608
|
# We recommend you avoid calling `PutSecretValue` at a sustained rate of
|
1819
1609
|
# more than once every 10 minutes. When you update the secret value,
|
@@ -1824,116 +1614,73 @@ module Aws::SecretsManager
|
|
1824
1614
|
# versions than Secrets Manager removes, and you will reach the quota
|
1825
1615
|
# for secret versions.
|
1826
1616
|
#
|
1827
|
-
#
|
1828
|
-
#
|
1829
|
-
#
|
1830
|
-
#
|
1831
|
-
#
|
1832
|
-
#
|
1833
|
-
# version.
|
1834
|
-
#
|
1835
|
-
# * If this operation moves the staging label `AWSCURRENT` from another
|
1836
|
-
# version to this version, then Secrets Manager also automatically
|
1837
|
-
# moves the staging label `AWSPREVIOUS` to the version that
|
1838
|
-
# `AWSCURRENT` was removed from.
|
1839
|
-
#
|
1840
|
-
# * This operation is idempotent. If a version with a `VersionId` with
|
1841
|
-
# the same value as the `ClientRequestToken` parameter already exists
|
1842
|
-
# and you specify the same secret data, the operation succeeds but
|
1843
|
-
# does nothing. However, if the secret data is different, then the
|
1844
|
-
# operation fails because you cannot modify an existing version; you
|
1845
|
-
# can only create new ones.
|
1846
|
-
#
|
1847
|
-
# <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
|
1848
|
-
# `SecretBinary` for a secret in the same account as the calling user
|
1849
|
-
# and that secret doesn't specify a Amazon Web Services KMS
|
1850
|
-
# encryption key, Secrets Manager uses the account's default Amazon
|
1851
|
-
# Web Services managed customer master key (CMK) with the alias
|
1852
|
-
# `aws/secretsmanager`. If this key doesn't already exist in your
|
1853
|
-
# account then Secrets Manager creates it for you automatically. All
|
1854
|
-
# users and roles in the same Amazon Web Services account
|
1855
|
-
# automatically have access to use the default CMK. Note that if an
|
1856
|
-
# Secrets Manager API call results in Amazon Web Services creating the
|
1857
|
-
# account's Amazon Web Services-managed CMK, it can result in a
|
1858
|
-
# one-time significant delay in returning the result.
|
1859
|
-
#
|
1860
|
-
# * If the secret resides in a different Amazon Web Services account
|
1861
|
-
# from the credentials calling an API that requires encryption or
|
1862
|
-
# decryption of the secret value then you must create and use a custom
|
1863
|
-
# Amazon Web Services KMS CMK because you can't access the default
|
1864
|
-
# CMK for the account using credentials from a different Amazon Web
|
1865
|
-
# Services account. Store the ARN of the CMK in the secret when you
|
1866
|
-
# create the secret or when you update it by including it in the
|
1867
|
-
# `KMSKeyId`. If you call an API that must encrypt or decrypt
|
1868
|
-
# `SecretString` or `SecretBinary` using credentials from a different
|
1869
|
-
# account then the Amazon Web Services KMS key policy must grant
|
1870
|
-
# cross-account access to that other account's user or role for both
|
1871
|
-
# the kms:GenerateDataKey and kms:Decrypt operations.
|
1872
|
-
#
|
1873
|
-
# </note>
|
1874
|
-
#
|
1875
|
-
# **Minimum permissions**
|
1876
|
-
#
|
1877
|
-
# To run this command, you must have the following permissions:
|
1617
|
+
# You can specify the staging labels to attach to the new version in
|
1618
|
+
# `VersionStages`. If you don't include `VersionStages`, then Secrets
|
1619
|
+
# Manager automatically moves the staging label `AWSCURRENT` to this
|
1620
|
+
# version. If this operation creates the first version for the secret,
|
1621
|
+
# then Secrets Manager automatically attaches the staging label
|
1622
|
+
# `AWSCURRENT` to it .
|
1878
1623
|
#
|
1879
|
-
#
|
1624
|
+
# If this operation moves the staging label `AWSCURRENT` from another
|
1625
|
+
# version to this version, then Secrets Manager also automatically moves
|
1626
|
+
# the staging label `AWSPREVIOUS` to the version that `AWSCURRENT` was
|
1627
|
+
# removed from.
|
1880
1628
|
#
|
1881
|
-
#
|
1882
|
-
#
|
1883
|
-
#
|
1884
|
-
#
|
1629
|
+
# This operation is idempotent. If a version with a `VersionId` with the
|
1630
|
+
# same value as the `ClientRequestToken` parameter already exists, and
|
1631
|
+
# you specify the same secret data, the operation succeeds but does
|
1632
|
+
# nothing. However, if the secret data is different, then the operation
|
1633
|
+
# fails because you can't modify an existing version; you can only
|
1634
|
+
# create new ones.
|
1885
1635
|
#
|
1886
|
-
#
|
1636
|
+
# <b>Required permissions: </b> `secretsmanager:PutSecretValue`. For
|
1637
|
+
# more information, see [ IAM policy actions for Secrets Manager][1] and
|
1638
|
+
# [Authentication and access control in Secrets Manager][2].
|
1887
1639
|
#
|
1888
|
-
# * To retrieve the encrypted value you store in the version of a
|
1889
|
-
# secret, use GetSecretValue.
|
1890
1640
|
#
|
1891
|
-
# * To create a secret, use CreateSecret.
|
1892
1641
|
#
|
1893
|
-
#
|
1894
|
-
#
|
1895
|
-
# * To list the versions attached to a secret, use ListSecretVersionIds.
|
1642
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
1643
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
1896
1644
|
#
|
1897
1645
|
# @option params [required, String] :secret_id
|
1898
|
-
#
|
1899
|
-
# specify either the Amazon Resource Name (ARN) or the friendly name of
|
1900
|
-
# the secret. The secret must already exist.
|
1646
|
+
# The ARN or name of the secret to add a new version to.
|
1901
1647
|
#
|
1902
1648
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
1903
1649
|
# partial ARN.
|
1904
1650
|
#
|
1651
|
+
# If the secret doesn't already exist, use `CreateSecret` instead.
|
1652
|
+
#
|
1905
1653
|
# @option params [String] :client_request_token
|
1906
|
-
#
|
1907
|
-
# secret.
|
1654
|
+
# A unique identifier for the new version of the secret.
|
1908
1655
|
#
|
1909
1656
|
# <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
|
1910
|
-
# Services
|
1911
|
-
# empty
|
1912
|
-
#
|
1913
|
-
#
|
1914
|
-
#
|
1915
|
-
#
|
1657
|
+
# Services SDKs to call this operation, then you can leave this
|
1658
|
+
# parameter empty because they generate a random UUID for you. If you
|
1659
|
+
# don't use the SDK and instead generate a raw HTTP request to the
|
1660
|
+
# Secrets Manager service endpoint, then you must generate a
|
1661
|
+
# `ClientRequestToken` yourself for new versions and include that value
|
1662
|
+
# in the request.
|
1916
1663
|
#
|
1917
1664
|
# </note>
|
1918
1665
|
#
|
1919
1666
|
# This value helps ensure idempotency. Secrets Manager uses this value
|
1920
1667
|
# to prevent the accidental creation of duplicate versions if there are
|
1921
|
-
# failures and retries during the Lambda rotation function
|
1922
|
-
#
|
1923
|
-
#
|
1668
|
+
# failures and retries during the Lambda rotation function processing.
|
1669
|
+
# We recommend that you generate a [UUID-type][1] value to ensure
|
1670
|
+
# uniqueness within the specified secret.
|
1924
1671
|
#
|
1925
1672
|
# * If the `ClientRequestToken` value isn't already associated with a
|
1926
1673
|
# version of the secret then a new version of the secret is created.
|
1927
1674
|
#
|
1928
1675
|
# * If a version with this value already exists and that version's
|
1929
1676
|
# `SecretString` or `SecretBinary` values are the same as those in the
|
1930
|
-
# request then the request is ignored
|
1677
|
+
# request then the request is ignored. The operation is idempotent.
|
1931
1678
|
#
|
1932
1679
|
# * If a version with this value already exists and the version of the
|
1933
1680
|
# `SecretString` and `SecretBinary` values are different from those in
|
1934
|
-
# the request then the request fails because you
|
1935
|
-
#
|
1936
|
-
#
|
1681
|
+
# the request, then the request fails because you can't modify a
|
1682
|
+
# secret version. You can only create new versions to store new secret
|
1683
|
+
# values.
|
1937
1684
|
#
|
1938
1685
|
# This value becomes the `VersionId` of the new version.
|
1939
1686
|
#
|
@@ -1945,52 +1692,37 @@ module Aws::SecretsManager
|
|
1945
1692
|
# [1]: https://wikipedia.org/wiki/Universally_unique_identifier
|
1946
1693
|
#
|
1947
1694
|
# @option params [String, StringIO, File] :secret_binary
|
1948
|
-
#
|
1949
|
-
#
|
1950
|
-
#
|
1951
|
-
# file
|
1952
|
-
# contents of the file as a parameter. Either `SecretBinary` or
|
1953
|
-
# `SecretString` must have a value, but not both. They cannot both be
|
1954
|
-
# empty.
|
1695
|
+
# The binary data to encrypt and store in the new version of the secret.
|
1696
|
+
# To use this parameter in the command-line tools, we recommend that you
|
1697
|
+
# store your binary data in a file and then pass the contents of the
|
1698
|
+
# file as a parameter.
|
1955
1699
|
#
|
1956
|
-
#
|
1957
|
-
# Manager console.
|
1700
|
+
# You must include `SecretBinary` or `SecretString`, but not both.
|
1958
1701
|
#
|
1959
|
-
#
|
1960
|
-
# (Optional) Specifies text data that you want to encrypt and store in
|
1961
|
-
# this new version of the secret. Either `SecretString` or
|
1962
|
-
# `SecretBinary` must have a value, but not both. They cannot both be
|
1963
|
-
# empty.
|
1964
|
-
#
|
1965
|
-
# If you create this secret by using the Secrets Manager console then
|
1966
|
-
# Secrets Manager puts the protected secret text in only the
|
1967
|
-
# `SecretString` parameter. The Secrets Manager console stores the
|
1968
|
-
# information as a JSON structure of key/value pairs that the default
|
1969
|
-
# Lambda rotation function knows how to parse.
|
1970
|
-
#
|
1971
|
-
# For storing multiple values, we recommend that you use a JSON text
|
1972
|
-
# string argument and specify key/value pairs. For more information, see
|
1973
|
-
# [Specifying parameter values for the Amazon Web Services CLI][1] in
|
1974
|
-
# the Amazon Web Services CLI User Guide.
|
1702
|
+
# You can't access this value from the Secrets Manager console.
|
1975
1703
|
#
|
1704
|
+
# @option params [String] :secret_string
|
1705
|
+
# The text to encrypt and store in the new version of the secret.
|
1976
1706
|
#
|
1707
|
+
# You must include `SecretBinary` or `SecretString`, but not both.
|
1977
1708
|
#
|
1978
|
-
#
|
1709
|
+
# We recommend you create the secret string as JSON key/value pairs, as
|
1710
|
+
# shown in the example.
|
1979
1711
|
#
|
1980
1712
|
# @option params [Array<String>] :version_stages
|
1981
|
-
#
|
1982
|
-
#
|
1983
|
-
#
|
1984
|
-
#
|
1985
|
-
# A staging label must be unique to a single version of the secret. If
|
1986
|
-
# you specify a staging label that's already associated with a
|
1987
|
-
# different version of the same secret then that staging label is
|
1988
|
-
# automatically removed from the other version and attached to this
|
1989
|
-
# version.
|
1713
|
+
# A list of staging labels to attach to this version of the secret.
|
1714
|
+
# Secrets Manager uses staging labels to track versions of a secret
|
1715
|
+
# through the rotation process.
|
1990
1716
|
#
|
1991
|
-
# If you
|
1992
|
-
#
|
1993
|
-
# version.
|
1717
|
+
# If you specify a staging label that's already associated with a
|
1718
|
+
# different version of the same secret, then Secrets Manager removes the
|
1719
|
+
# label from the other version and attaches it to this version. If you
|
1720
|
+
# specify `AWSCURRENT`, and it is already attached to another version,
|
1721
|
+
# then Secrets Manager also moves the staging label `AWSPREVIOUS` to the
|
1722
|
+
# version that `AWSCURRENT` was removed from.
|
1723
|
+
#
|
1724
|
+
# If you don't include `VersionStages`, then Secrets Manager
|
1725
|
+
# automatically moves the staging label `AWSCURRENT` to this version.
|
1994
1726
|
#
|
1995
1727
|
# @return [Types::PutSecretValueResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1996
1728
|
#
|
@@ -2048,13 +1780,24 @@ module Aws::SecretsManager
|
|
2048
1780
|
req.send_request(options)
|
2049
1781
|
end
|
2050
1782
|
|
2051
|
-
#
|
1783
|
+
# For a secret that is replicated to other Regions, deletes the secret
|
1784
|
+
# replicas from the Regions you specify.
|
1785
|
+
#
|
1786
|
+
# <b>Required permissions: </b>
|
1787
|
+
# `secretsmanager:RemoveRegionsFromReplication`. For more information,
|
1788
|
+
# see [ IAM policy actions for Secrets Manager][1] and [Authentication
|
1789
|
+
# and access control in Secrets Manager][2].
|
1790
|
+
#
|
1791
|
+
#
|
1792
|
+
#
|
1793
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
1794
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
2052
1795
|
#
|
2053
1796
|
# @option params [required, String] :secret_id
|
2054
|
-
#
|
1797
|
+
# The ARN or name of the secret.
|
2055
1798
|
#
|
2056
1799
|
# @option params [required, Array<String>] :remove_replica_regions
|
2057
|
-
#
|
1800
|
+
# The Regions of the replicas to remove.
|
2058
1801
|
#
|
2059
1802
|
# @return [Types::RemoveRegionsFromReplicationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2060
1803
|
#
|
@@ -2087,18 +1830,28 @@ module Aws::SecretsManager
|
|
2087
1830
|
req.send_request(options)
|
2088
1831
|
end
|
2089
1832
|
|
2090
|
-
#
|
2091
|
-
#
|
1833
|
+
# Replicates the secret to a new Regions. See [Multi-Region secrets][1].
|
1834
|
+
#
|
1835
|
+
# <b>Required permissions: </b>
|
1836
|
+
# `secretsmanager:ReplicateSecretToRegions`. For more information, see [
|
1837
|
+
# IAM policy actions for Secrets Manager][2] and [Authentication and
|
1838
|
+
# access control in Secrets Manager][3].
|
1839
|
+
#
|
1840
|
+
#
|
1841
|
+
#
|
1842
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/create-manage-multi-region-secrets.html
|
1843
|
+
# [2]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
1844
|
+
# [3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
2092
1845
|
#
|
2093
1846
|
# @option params [required, String] :secret_id
|
2094
|
-
#
|
1847
|
+
# The ARN or name of the secret to replicate.
|
2095
1848
|
#
|
2096
1849
|
# @option params [required, Array<Types::ReplicaRegionType>] :add_replica_regions
|
2097
|
-
#
|
1850
|
+
# A list of Regions in which to replicate the secret.
|
2098
1851
|
#
|
2099
1852
|
# @option params [Boolean] :force_overwrite_replica_secret
|
2100
|
-
#
|
2101
|
-
#
|
1853
|
+
# Specifies whether to overwrite a secret with the same name in the
|
1854
|
+
# destination Region.
|
2102
1855
|
#
|
2103
1856
|
# @return [Types::ReplicateSecretToRegionsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2104
1857
|
#
|
@@ -2138,27 +1891,20 @@ module Aws::SecretsManager
|
|
2138
1891
|
end
|
2139
1892
|
|
2140
1893
|
# Cancels the scheduled deletion of a secret by removing the
|
2141
|
-
# `DeletedDate` time stamp.
|
2142
|
-
#
|
2143
|
-
#
|
2144
|
-
# **Minimum permissions**
|
2145
|
-
#
|
2146
|
-
# To run this command, you must have the following permissions:
|
1894
|
+
# `DeletedDate` time stamp. You can access a secret again after it has
|
1895
|
+
# been restored.
|
2147
1896
|
#
|
2148
|
-
#
|
1897
|
+
# <b>Required permissions: </b> `secretsmanager:RestoreSecret`. For more
|
1898
|
+
# information, see [ IAM policy actions for Secrets Manager][1] and
|
1899
|
+
# [Authentication and access control in Secrets Manager][2].
|
2149
1900
|
#
|
2150
|
-
# ^
|
2151
1901
|
#
|
2152
|
-
# **Related operations**
|
2153
1902
|
#
|
2154
|
-
#
|
2155
|
-
#
|
2156
|
-
# ^
|
1903
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
1904
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
2157
1905
|
#
|
2158
1906
|
# @option params [required, String] :secret_id
|
2159
|
-
#
|
2160
|
-
# scheduled deletion. You can specify either the Amazon Resource Name
|
2161
|
-
# (ARN) or the friendly name of the secret.
|
1907
|
+
# The ARN or name of the secret to restore.
|
2162
1908
|
#
|
2163
1909
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2164
1910
|
# partial ARN.
|
@@ -2203,82 +1949,57 @@ module Aws::SecretsManager
|
|
2203
1949
|
req.send_request(options)
|
2204
1950
|
end
|
2205
1951
|
|
2206
|
-
# Configures and starts the asynchronous process of rotating
|
2207
|
-
#
|
2208
|
-
#
|
2209
|
-
#
|
2210
|
-
#
|
2211
|
-
#
|
2212
|
-
#
|
2213
|
-
#
|
2214
|
-
#
|
2215
|
-
#
|
2216
|
-
#
|
2217
|
-
#
|
2218
|
-
#
|
2219
|
-
#
|
2220
|
-
#
|
2221
|
-
#
|
2222
|
-
#
|
2223
|
-
#
|
2224
|
-
#
|
2225
|
-
#
|
2226
|
-
# Secrets Manager schedules the next rotation when the previous one
|
2227
|
-
# completes. Secrets Manager schedules the date by adding the rotation
|
2228
|
-
# interval (number of days) to the actual date of the last rotation. The
|
2229
|
-
# service chooses the hour within that 24-hour date window randomly. The
|
2230
|
-
# minute is also chosen somewhat randomly, but weighted towards the top
|
2231
|
-
# of the hour and influenced by a variety of factors that help
|
2232
|
-
# distribute load.
|
2233
|
-
#
|
2234
|
-
# The rotation function must end with the versions of the secret in one
|
2235
|
-
# of two states:
|
2236
|
-
#
|
2237
|
-
# * The `AWSPENDING` and `AWSCURRENT` staging labels are attached to the
|
2238
|
-
# same version of the secret, or
|
2239
|
-
#
|
2240
|
-
# * The `AWSPENDING` staging label is not attached to any version of the
|
2241
|
-
# secret.
|
1952
|
+
# Configures and starts the asynchronous process of rotating the secret.
|
1953
|
+
#
|
1954
|
+
# If you include the configuration parameters, the operation sets the
|
1955
|
+
# values for the secret and then immediately starts a rotation. If you
|
1956
|
+
# don't include the configuration parameters, the operation starts a
|
1957
|
+
# rotation with the values already stored in the secret. For more
|
1958
|
+
# information about rotation, see [Rotate secrets][1].
|
1959
|
+
#
|
1960
|
+
# To configure rotation, you include the ARN of an Amazon Web Services
|
1961
|
+
# Lambda function and the schedule for the rotation. The Lambda rotation
|
1962
|
+
# function creates a new version of the secret and creates or updates
|
1963
|
+
# the credentials on the database or service to match. After testing the
|
1964
|
+
# new credentials, the function marks the new secret version with the
|
1965
|
+
# staging label `AWSCURRENT`. Then anyone who retrieves the secret gets
|
1966
|
+
# the new version. For more information, see [How rotation works][2].
|
1967
|
+
#
|
1968
|
+
# When rotation is successful, the `AWSPENDING` staging label might be
|
1969
|
+
# attached to the same version as the `AWSCURRENT` version, or it might
|
1970
|
+
# not be attached to any version.
|
2242
1971
|
#
|
2243
1972
|
# If the `AWSPENDING` staging label is present but not attached to the
|
2244
|
-
# same version as `AWSCURRENT
|
1973
|
+
# same version as `AWSCURRENT`, then any later invocation of
|
2245
1974
|
# `RotateSecret` assumes that a previous rotation request is still in
|
2246
1975
|
# progress and returns an error.
|
2247
1976
|
#
|
2248
|
-
#
|
2249
|
-
#
|
2250
|
-
#
|
2251
|
-
#
|
2252
|
-
#
|
2253
|
-
#
|
2254
|
-
# * lambda:InvokeFunction (on the function specified in the secret's
|
2255
|
-
# metadata)
|
2256
|
-
#
|
2257
|
-
# **Related operations**
|
2258
|
-
#
|
2259
|
-
# * To list the secrets in your account, use ListSecrets.
|
2260
|
-
#
|
2261
|
-
# * To get the details for a version of a secret, use DescribeSecret.
|
2262
|
-
#
|
2263
|
-
# * To create a new version of a secret, use CreateSecret.
|
2264
|
-
#
|
2265
|
-
# * To attach staging labels to or remove staging labels from a version
|
2266
|
-
# of a secret, use UpdateSecretVersionStage.
|
1977
|
+
# <b>Required permissions: </b> `secretsmanager:RotateSecret`. For more
|
1978
|
+
# information, see [ IAM policy actions for Secrets Manager][3] and
|
1979
|
+
# [Authentication and access control in Secrets Manager][4]. You also
|
1980
|
+
# need `lambda:InvokeFunction` permissions on the rotation function. For
|
1981
|
+
# more information, see [ Permissions for rotation][5].
|
2267
1982
|
#
|
2268
1983
|
#
|
2269
1984
|
#
|
2270
1985
|
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
|
1986
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html
|
1987
|
+
# [3]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
1988
|
+
# [4]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
1989
|
+
# [5]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html
|
2271
1990
|
#
|
2272
1991
|
# @option params [required, String] :secret_id
|
2273
|
-
#
|
2274
|
-
# the Amazon Resource Name (ARN) or the friendly name of the secret.
|
1992
|
+
# The ARN or name of the secret to rotate.
|
2275
1993
|
#
|
2276
1994
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2277
1995
|
# partial ARN.
|
2278
1996
|
#
|
2279
1997
|
# @option params [String] :client_request_token
|
2280
|
-
#
|
2281
|
-
#
|
1998
|
+
# A unique identifier for the new version of the secret that helps
|
1999
|
+
# ensure idempotency. Secrets Manager uses this value to prevent the
|
2000
|
+
# accidental creation of duplicate versions if there are failures and
|
2001
|
+
# retries during rotation. This value becomes the `VersionId` of the new
|
2002
|
+
# version.
|
2282
2003
|
#
|
2283
2004
|
# If you use the Amazon Web Services CLI or one of the Amazon Web
|
2284
2005
|
# Services SDK to call this operation, then you can leave this parameter
|
@@ -2288,15 +2009,10 @@ module Aws::SecretsManager
|
|
2288
2009
|
# endpoint, then you must generate a `ClientRequestToken` yourself for
|
2289
2010
|
# new versions and include that value in the request.
|
2290
2011
|
#
|
2291
|
-
# You only need to specify
|
2292
|
-
#
|
2293
|
-
# twice. We recommend that you generate a
|
2294
|
-
# uniqueness within the specified secret.
|
2295
|
-
#
|
2296
|
-
# Secrets Manager uses this value to prevent the accidental creation of
|
2297
|
-
# duplicate versions if there are failures and retries during the
|
2298
|
-
# function's processing. This value becomes the `VersionId` of the new
|
2299
|
-
# version.
|
2012
|
+
# You only need to specify this value if you implement your own retry
|
2013
|
+
# logic and you want to ensure that Secrets Manager doesn't attempt to
|
2014
|
+
# create a secret version twice. We recommend that you generate a
|
2015
|
+
# [UUID-type][1] value to ensure uniqueness within the specified secret.
|
2300
2016
|
#
|
2301
2017
|
# **A suitable default value is auto-generated.** You should normally
|
2302
2018
|
# not need to pass this option.**
|
@@ -2306,12 +2022,28 @@ module Aws::SecretsManager
|
|
2306
2022
|
# [1]: https://wikipedia.org/wiki/Universally_unique_identifier
|
2307
2023
|
#
|
2308
2024
|
# @option params [String] :rotation_lambda_arn
|
2309
|
-
#
|
2310
|
-
# the secret.
|
2025
|
+
# The ARN of the Lambda rotation function that can rotate the secret.
|
2311
2026
|
#
|
2312
2027
|
# @option params [Types::RotationRulesType] :rotation_rules
|
2313
2028
|
# A structure that defines the rotation configuration for this secret.
|
2314
2029
|
#
|
2030
|
+
# @option params [Boolean] :rotate_immediately
|
2031
|
+
# Specifies whether to rotate the secret immediately or wait until the
|
2032
|
+
# next scheduled rotation window. The rotation schedule is defined in
|
2033
|
+
# RotateSecretRequest$RotationRules.
|
2034
|
+
#
|
2035
|
+
# If you don't immediately rotate the secret, Secrets Manager tests the
|
2036
|
+
# rotation configuration by running the [ `testSecret` step][1] of the
|
2037
|
+
# Lambda rotation function. The test creates an `AWSPENDING` version of
|
2038
|
+
# the secret and then removes it.
|
2039
|
+
#
|
2040
|
+
# If you don't specify this value, then by default, Secrets Manager
|
2041
|
+
# rotates the secret immediately.
|
2042
|
+
#
|
2043
|
+
#
|
2044
|
+
#
|
2045
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html
|
2046
|
+
#
|
2315
2047
|
# @return [Types::RotateSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2316
2048
|
#
|
2317
2049
|
# * {Types::RotateSecretResponse#arn #arn} => String
|
@@ -2326,7 +2058,10 @@ module Aws::SecretsManager
|
|
2326
2058
|
# rotation_lambda_arn: "RotationLambdaARNType",
|
2327
2059
|
# rotation_rules: {
|
2328
2060
|
# automatically_after_days: 1,
|
2061
|
+
# duration: "DurationType",
|
2062
|
+
# schedule_expression: "ScheduleExpressionType",
|
2329
2063
|
# },
|
2064
|
+
# rotate_immediately: false,
|
2330
2065
|
# })
|
2331
2066
|
#
|
2332
2067
|
# @example Response structure
|
@@ -2344,12 +2079,24 @@ module Aws::SecretsManager
|
|
2344
2079
|
req.send_request(options)
|
2345
2080
|
end
|
2346
2081
|
|
2347
|
-
# Removes the
|
2348
|
-
#
|
2082
|
+
# Removes the link between the replica secret and the primary secret and
|
2083
|
+
# promotes the replica to a primary secret in the replica Region.
|
2084
|
+
#
|
2085
|
+
# You must call this operation from the Region in which you want to
|
2086
|
+
# promote the replica to a primary secret.
|
2087
|
+
#
|
2088
|
+
# <b>Required permissions: </b>
|
2089
|
+
# `secretsmanager:StopReplicationToReplica`. For more information, see [
|
2090
|
+
# IAM policy actions for Secrets Manager][1] and [Authentication and
|
2091
|
+
# access control in Secrets Manager][2].
|
2092
|
+
#
|
2093
|
+
#
|
2094
|
+
#
|
2095
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
2096
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
2349
2097
|
#
|
2350
2098
|
# @option params [required, String] :secret_id
|
2351
|
-
#
|
2352
|
-
# `SecretId`.
|
2099
|
+
# The ARN of the primary secret.
|
2353
2100
|
#
|
2354
2101
|
# @return [Types::StopReplicationToReplicaResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2355
2102
|
#
|
@@ -2374,19 +2121,18 @@ module Aws::SecretsManager
|
|
2374
2121
|
req.send_request(options)
|
2375
2122
|
end
|
2376
2123
|
|
2377
|
-
# Attaches
|
2378
|
-
#
|
2379
|
-
#
|
2380
|
-
#
|
2381
|
-
# To remove tags, you must use UntagResource.
|
2124
|
+
# Attaches tags to a secret. Tags consist of a key name and a value.
|
2125
|
+
# Tags are part of the secret's metadata. They are not associated with
|
2126
|
+
# specific versions of the secret. This operation appends tags to the
|
2127
|
+
# existing list of tags.
|
2382
2128
|
#
|
2383
|
-
# The following
|
2129
|
+
# The following restrictions apply to tags:
|
2384
2130
|
#
|
2385
|
-
# * Maximum number of tags per secret
|
2131
|
+
# * Maximum number of tags per secret: 50
|
2386
2132
|
#
|
2387
|
-
# * Maximum key length
|
2133
|
+
# * Maximum key length: 127 Unicode characters in UTF-8
|
2388
2134
|
#
|
2389
|
-
# * Maximum value length
|
2135
|
+
# * Maximum value length: 255 Unicode characters in UTF-8
|
2390
2136
|
#
|
2391
2137
|
# * Tag keys and values are case sensitive.
|
2392
2138
|
#
|
@@ -2396,9 +2142,9 @@ module Aws::SecretsManager
|
|
2396
2142
|
# with this prefix do not count against your tags per secret limit.
|
2397
2143
|
#
|
2398
2144
|
# * If you use your tagging schema across multiple services and
|
2399
|
-
# resources,
|
2400
|
-
#
|
2401
|
-
#
|
2145
|
+
# resources, other services might have restrictions on allowed
|
2146
|
+
# characters. Generally allowed characters: letters, spaces, and
|
2147
|
+
# numbers representable in UTF-8, plus the following special
|
2402
2148
|
# characters: + - = . \_ : / @.
|
2403
2149
|
#
|
2404
2150
|
# If you use tags as part of your security strategy, then adding or
|
@@ -2406,34 +2152,26 @@ module Aws::SecretsManager
|
|
2406
2152
|
# operation would result in you losing your permissions for this secret,
|
2407
2153
|
# then the operation is blocked and returns an Access Denied error.
|
2408
2154
|
#
|
2409
|
-
#
|
2410
|
-
#
|
2411
|
-
#
|
2155
|
+
# <b>Required permissions: </b> `secretsmanager:TagResource`. For more
|
2156
|
+
# information, see [ IAM policy actions for Secrets Manager][1] and
|
2157
|
+
# [Authentication and access control in Secrets Manager][2].
|
2412
2158
|
#
|
2413
|
-
# * secretsmanager:TagResource
|
2414
2159
|
#
|
2415
|
-
# ^
|
2416
2160
|
#
|
2417
|
-
#
|
2418
|
-
#
|
2419
|
-
# * To remove one or more tags from the collection attached to a secret,
|
2420
|
-
# use UntagResource.
|
2421
|
-
#
|
2422
|
-
# * To view the list of tags attached to a secret, use DescribeSecret.
|
2161
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
2162
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
2423
2163
|
#
|
2424
2164
|
# @option params [required, String] :secret_id
|
2425
|
-
# The identifier for the secret
|
2426
|
-
#
|
2427
|
-
#
|
2165
|
+
# The identifier for the secret to attach tags to. You can specify
|
2166
|
+
# either the Amazon Resource Name (ARN) or the friendly name of the
|
2167
|
+
# secret.
|
2428
2168
|
#
|
2429
2169
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2430
2170
|
# partial ARN.
|
2431
2171
|
#
|
2432
2172
|
# @option params [required, Array<Types::Tag>] :tags
|
2433
|
-
# The tags to attach to the secret
|
2434
|
-
# a `Key` and a `Value`.
|
2435
|
-
#
|
2436
|
-
# This parameter to the API requires a JSON text string argument.
|
2173
|
+
# The tags to attach to the secret as a JSON text string argument. Each
|
2174
|
+
# element in the list consists of a `Key` and a `Value`.
|
2437
2175
|
#
|
2438
2176
|
# For storing multiple values, we recommend that you use a JSON text
|
2439
2177
|
# string argument and specify key/value pairs. For more information, see
|
@@ -2487,7 +2225,7 @@ module Aws::SecretsManager
|
|
2487
2225
|
req.send_request(options)
|
2488
2226
|
end
|
2489
2227
|
|
2490
|
-
# Removes
|
2228
|
+
# Removes specific tags from a secret.
|
2491
2229
|
#
|
2492
2230
|
# This operation is idempotent. If a requested tag is not attached to
|
2493
2231
|
# the secret, no error is returned and the secret metadata is unchanged.
|
@@ -2497,25 +2235,17 @@ module Aws::SecretsManager
|
|
2497
2235
|
# would result in you losing your permissions for this secret, then the
|
2498
2236
|
# operation is blocked and returns an Access Denied error.
|
2499
2237
|
#
|
2500
|
-
#
|
2501
|
-
#
|
2502
|
-
#
|
2238
|
+
# <b>Required permissions: </b> `secretsmanager:UntagResource`. For more
|
2239
|
+
# information, see [ IAM policy actions for Secrets Manager][1] and
|
2240
|
+
# [Authentication and access control in Secrets Manager][2].
|
2503
2241
|
#
|
2504
|
-
# * secretsmanager:UntagResource
|
2505
2242
|
#
|
2506
|
-
# ^
|
2507
2243
|
#
|
2508
|
-
#
|
2509
|
-
#
|
2510
|
-
# * To add one or more tags to the collection attached to a secret, use
|
2511
|
-
# TagResource.
|
2512
|
-
#
|
2513
|
-
# * To view the list of tags attached to a secret, use DescribeSecret.
|
2244
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
2245
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
2514
2246
|
#
|
2515
2247
|
# @option params [required, String] :secret_id
|
2516
|
-
# The
|
2517
|
-
# can specify either the Amazon Resource Name (ARN) or the friendly name
|
2518
|
-
# of the secret.
|
2248
|
+
# The ARN or name of the secret.
|
2519
2249
|
#
|
2520
2250
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2521
2251
|
# partial ARN.
|
@@ -2524,7 +2254,7 @@ module Aws::SecretsManager
|
|
2524
2254
|
# A list of tag key names to remove from the secret. You don't specify
|
2525
2255
|
# the value. Both the key and its associated value are removed.
|
2526
2256
|
#
|
2527
|
-
# This parameter
|
2257
|
+
# This parameter requires a JSON text string argument.
|
2528
2258
|
#
|
2529
2259
|
# For storing multiple values, we recommend that you use a JSON text
|
2530
2260
|
# string argument and specify key/value pairs. For more information, see
|
@@ -2567,9 +2297,8 @@ module Aws::SecretsManager
|
|
2567
2297
|
req.send_request(options)
|
2568
2298
|
end
|
2569
2299
|
|
2570
|
-
# Modifies
|
2571
|
-
#
|
2572
|
-
# To change the secret value, you can also use PutSecretValue.
|
2300
|
+
# Modifies the details of a secret, including metadata and the secret
|
2301
|
+
# value. To change the secret value, you can also use PutSecretValue.
|
2573
2302
|
#
|
2574
2303
|
# To change the rotation configuration of a secret, use RotateSecret
|
2575
2304
|
# instead.
|
@@ -2583,185 +2312,108 @@ module Aws::SecretsManager
|
|
2583
2312
|
# you create more versions than Secrets Manager removes, and you will
|
2584
2313
|
# reach the quota for secret versions.
|
2585
2314
|
#
|
2586
|
-
#
|
2587
|
-
#
|
2588
|
-
#
|
2589
|
-
# must use either the Amazon Web Services CLI or one of the Amazon Web
|
2590
|
-
# Services SDKs.
|
2315
|
+
# If you include `SecretString` or `SecretBinary` to create a new secret
|
2316
|
+
# version, Secrets Manager automatically attaches the staging label
|
2317
|
+
# `AWSCURRENT` to the new version.
|
2591
2318
|
#
|
2592
|
-
#
|
2593
|
-
#
|
2594
|
-
#
|
2595
|
-
#
|
2596
|
-
#
|
2597
|
-
# create a new version.
|
2598
|
-
#
|
2599
|
-
# * If you include `SecretString` or `SecretBinary` to create a new
|
2600
|
-
# secret version, Secrets Manager automatically attaches the staging
|
2601
|
-
# label `AWSCURRENT` to the new version.
|
2602
|
-
#
|
2603
|
-
# <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
|
2604
|
-
# `SecretBinary` for a secret in the same account as the calling user
|
2605
|
-
# and that secret doesn't specify a Amazon Web Services KMS
|
2606
|
-
# encryption key, Secrets Manager uses the account's default Amazon
|
2607
|
-
# Web Services managed customer master key (CMK) with the alias
|
2608
|
-
# `aws/secretsmanager`. If this key doesn't already exist in your
|
2609
|
-
# account then Secrets Manager creates it for you automatically. All
|
2610
|
-
# users and roles in the same Amazon Web Services account
|
2611
|
-
# automatically have access to use the default CMK. Note that if an
|
2612
|
-
# Secrets Manager API call results in Amazon Web Services creating the
|
2613
|
-
# account's Amazon Web Services-managed CMK, it can result in a
|
2614
|
-
# one-time significant delay in returning the result.
|
2615
|
-
#
|
2616
|
-
# * If the secret resides in a different Amazon Web Services account
|
2617
|
-
# from the credentials calling an API that requires encryption or
|
2618
|
-
# decryption of the secret value then you must create and use a custom
|
2619
|
-
# Amazon Web Services KMS CMK because you can't access the default
|
2620
|
-
# CMK for the account using credentials from a different Amazon Web
|
2621
|
-
# Services account. Store the ARN of the CMK in the secret when you
|
2622
|
-
# create the secret or when you update it by including it in the
|
2623
|
-
# `KMSKeyId`. If you call an API that must encrypt or decrypt
|
2624
|
-
# `SecretString` or `SecretBinary` using credentials from a different
|
2625
|
-
# account then the Amazon Web Services KMS key policy must grant
|
2626
|
-
# cross-account access to that other account's user or role for both
|
2627
|
-
# the kms:GenerateDataKey and kms:Decrypt operations.
|
2628
|
-
#
|
2629
|
-
# </note>
|
2630
|
-
#
|
2631
|
-
# **Minimum permissions**
|
2632
|
-
#
|
2633
|
-
# To run this command, you must have the following permissions:
|
2634
|
-
#
|
2635
|
-
# * secretsmanager:UpdateSecret
|
2319
|
+
# If you call this operation with a `VersionId` that matches an existing
|
2320
|
+
# version's `ClientRequestToken`, the operation results in an error.
|
2321
|
+
# You can't modify an existing version, you can only create a new
|
2322
|
+
# version. To remove a version, remove all staging labels from it. See
|
2323
|
+
# UpdateSecretVersionStage.
|
2636
2324
|
#
|
2637
|
-
#
|
2638
|
-
#
|
2639
|
-
#
|
2640
|
-
#
|
2325
|
+
# If you don't specify an KMS encryption key, Secrets Manager uses the
|
2326
|
+
# Amazon Web Services managed key `aws/secretsmanager`. If this key
|
2327
|
+
# doesn't already exist in your account, then Secrets Manager creates
|
2328
|
+
# it for you automatically. All users and roles in the Amazon Web
|
2329
|
+
# Services account automatically have access to use
|
2330
|
+
# `aws/secretsmanager`. Creating `aws/secretsmanager` can result in a
|
2331
|
+
# one-time significant delay in returning the result.
|
2641
2332
|
#
|
2642
|
-
#
|
2643
|
-
#
|
2644
|
-
#
|
2645
|
-
#
|
2333
|
+
# If the secret is in a different Amazon Web Services account from the
|
2334
|
+
# credentials calling the API, then you can't use `aws/secretsmanager`
|
2335
|
+
# to encrypt the secret, and you must create and use a customer managed
|
2336
|
+
# key.
|
2646
2337
|
#
|
2647
|
-
#
|
2338
|
+
# <b>Required permissions: </b> `secretsmanager:UpdateSecret`. For more
|
2339
|
+
# information, see [ IAM policy actions for Secrets Manager][1] and
|
2340
|
+
# [Authentication and access control in Secrets Manager][2]. If you use
|
2341
|
+
# a customer managed key, you must also have `kms:GenerateDataKey` and
|
2342
|
+
# `kms:Decrypt` permissions on the key. For more information, see [
|
2343
|
+
# Secret encryption and decryption][3].
|
2648
2344
|
#
|
2649
|
-
# * To create a new secret, use CreateSecret.
|
2650
2345
|
#
|
2651
|
-
# * To add only a new version to an existing secret, use PutSecretValue.
|
2652
2346
|
#
|
2653
|
-
#
|
2654
|
-
#
|
2655
|
-
#
|
2656
|
-
# ListSecretVersionIds.
|
2347
|
+
# [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
2348
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
2349
|
+
# [3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html
|
2657
2350
|
#
|
2658
2351
|
# @option params [required, String] :secret_id
|
2659
|
-
#
|
2660
|
-
# add a new version. You can specify either the Amazon Resource Name
|
2661
|
-
# (ARN) or the friendly name of the secret.
|
2352
|
+
# The ARN or name of the secret.
|
2662
2353
|
#
|
2663
2354
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2664
2355
|
# partial ARN.
|
2665
2356
|
#
|
2666
2357
|
# @option params [String] :client_request_token
|
2667
|
-
#
|
2668
|
-
#
|
2669
|
-
#
|
2670
|
-
#
|
2671
|
-
# If you use the Amazon Web Services CLI or one of the Amazon Web
|
2672
|
-
# Services SDK to call this operation, then you can leave this parameter
|
2673
|
-
# empty. The CLI or SDK generates a random UUID for you and includes
|
2674
|
-
# that in the request. If you don't use the SDK and instead generate a
|
2675
|
-
# raw HTTP request to the Secrets Manager service endpoint, then you
|
2676
|
-
# must generate a `ClientRequestToken` yourself for new versions and
|
2677
|
-
# include that value in the request.
|
2678
|
-
#
|
2679
|
-
# You typically only need to interact with this value if you implement
|
2680
|
-
# your own retry logic and want to ensure that a given secret is not
|
2681
|
-
# created twice. We recommend that you generate a [UUID-type][1] value
|
2682
|
-
# to ensure uniqueness within the specified secret.
|
2358
|
+
# If you include `SecretString` or `SecretBinary`, then Secrets Manager
|
2359
|
+
# creates a new version for the secret, and this parameter specifies the
|
2360
|
+
# unique identifier for the new version.
|
2683
2361
|
#
|
2684
|
-
#
|
2685
|
-
#
|
2686
|
-
#
|
2687
|
-
#
|
2688
|
-
#
|
2689
|
-
#
|
2690
|
-
#
|
2691
|
-
#
|
2692
|
-
# `SecretString` and `SecretBinary` values are the same as those in
|
2693
|
-
# the request then the request is ignored (the operation is
|
2694
|
-
# idempotent).
|
2362
|
+
# <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
|
2363
|
+
# Services SDKs to call this operation, then you can leave this
|
2364
|
+
# parameter empty. The CLI or SDK generates a random UUID for you and
|
2365
|
+
# includes it as the value for this parameter in the request. If you
|
2366
|
+
# don't use the SDK and instead generate a raw HTTP request to the
|
2367
|
+
# Secrets Manager service endpoint, then you must generate a
|
2368
|
+
# `ClientRequestToken` yourself for the new version and include the
|
2369
|
+
# value in the request.
|
2695
2370
|
#
|
2696
|
-
#
|
2697
|
-
# `SecretString` and `SecretBinary` values are different from the
|
2698
|
-
# request then an error occurs because you cannot modify an existing
|
2699
|
-
# secret value.
|
2371
|
+
# </note>
|
2700
2372
|
#
|
2701
2373
|
# This value becomes the `VersionId` of the new version.
|
2702
2374
|
#
|
2703
2375
|
# **A suitable default value is auto-generated.** You should normally
|
2704
2376
|
# not need to pass this option.**
|
2705
2377
|
#
|
2706
|
-
#
|
2707
|
-
#
|
2708
|
-
# [1]: https://wikipedia.org/wiki/Universally_unique_identifier
|
2709
|
-
#
|
2710
2378
|
# @option params [String] :description
|
2711
|
-
#
|
2712
|
-
# secret.
|
2379
|
+
# The description of the secret.
|
2713
2380
|
#
|
2714
2381
|
# @option params [String] :kms_key_id
|
2715
|
-
#
|
2716
|
-
#
|
2717
|
-
#
|
2718
|
-
#
|
2719
|
-
#
|
2720
|
-
# staging labels, see [Staging Labels][1] in the *Amazon Web Services
|
2721
|
-
# Secrets Manager User Guide*.
|
2382
|
+
# The ARN, key ID, or alias of the KMS key that Secrets Manager uses to
|
2383
|
+
# encrypt new secret versions as well as any existing versions the
|
2384
|
+
# staging labels `AWSCURRENT`, `AWSPENDING`, or `AWSPREVIOUS`. For more
|
2385
|
+
# information about versions and staging labels, see [Concepts:
|
2386
|
+
# Version][1].
|
2722
2387
|
#
|
2723
|
-
# You can only use the
|
2724
|
-
# you call this operation using credentials from
|
2725
|
-
#
|
2726
|
-
#
|
2727
|
-
#
|
2728
|
-
# secret and the
|
2388
|
+
# You can only use the Amazon Web Services managed key
|
2389
|
+
# `aws/secretsmanager` if you call this operation using credentials from
|
2390
|
+
# the same Amazon Web Services account that owns the secret. If the
|
2391
|
+
# secret is in a different account, then you must use a customer managed
|
2392
|
+
# key and provide the ARN of that KMS key in this field. The user making
|
2393
|
+
# the call must have permissions to both the secret and the KMS key in
|
2394
|
+
# their respective accounts.
|
2729
2395
|
#
|
2730
2396
|
#
|
2731
2397
|
#
|
2732
|
-
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/
|
2398
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html#term_version
|
2733
2399
|
#
|
2734
2400
|
# @option params [String, StringIO, File] :secret_binary
|
2735
|
-
#
|
2736
|
-
#
|
2737
|
-
#
|
2738
|
-
# file and then use the appropriate technique for your tool to pass the
|
2739
|
-
# contents of the file as a parameter. Either `SecretBinary` or
|
2740
|
-
# `SecretString` must have a value, but not both. They cannot both be
|
2741
|
-
# empty.
|
2401
|
+
# The binary data to encrypt and store in the new version of the secret.
|
2402
|
+
# We recommend that you store your binary data in a file and then pass
|
2403
|
+
# the contents of the file as a parameter.
|
2742
2404
|
#
|
2743
|
-
#
|
2744
|
-
#
|
2745
|
-
# @option params [String] :secret_string
|
2746
|
-
# (Optional) Specifies updated text data that you want to encrypt and
|
2747
|
-
# store in this new version of the secret. Either `SecretBinary` or
|
2748
|
-
# `SecretString` must have a value, but not both. They cannot both be
|
2749
|
-
# empty.
|
2750
|
-
#
|
2751
|
-
# If you create this secret by using the Secrets Manager console then
|
2752
|
-
# Secrets Manager puts the protected secret text in only the
|
2753
|
-
# `SecretString` parameter. The Secrets Manager console stores the
|
2754
|
-
# information as a JSON structure of key/value pairs that the default
|
2755
|
-
# Lambda rotation function knows how to parse.
|
2756
|
-
#
|
2757
|
-
# For storing multiple values, we recommend that you use a JSON text
|
2758
|
-
# string argument and specify key/value pairs. For more information, see
|
2759
|
-
# [Specifying parameter values for the Amazon Web Services CLI][1] in
|
2760
|
-
# the Amazon Web Services CLI User Guide.
|
2405
|
+
# Either `SecretBinary` or `SecretString` must have a value, but not
|
2406
|
+
# both.
|
2761
2407
|
#
|
2408
|
+
# You can't access this parameter in the Secrets Manager console.
|
2762
2409
|
#
|
2410
|
+
# @option params [String] :secret_string
|
2411
|
+
# The text data to encrypt and store in the new version of the secret.
|
2412
|
+
# We recommend you use a JSON structure of key/value pairs for your
|
2413
|
+
# secret value.
|
2763
2414
|
#
|
2764
|
-
#
|
2415
|
+
# Either `SecretBinary` or `SecretString` must have a value, but not
|
2416
|
+
# both.
|
2765
2417
|
#
|
2766
2418
|
# @return [Types::UpdateSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2767
2419
|
#
|
@@ -2845,18 +2497,17 @@ module Aws::SecretsManager
|
|
2845
2497
|
req.send_request(options)
|
2846
2498
|
end
|
2847
2499
|
|
2848
|
-
# Modifies the staging labels attached to a version of a secret.
|
2849
|
-
#
|
2850
|
-
# rotation process.
|
2851
|
-
#
|
2852
|
-
#
|
2853
|
-
#
|
2854
|
-
#
|
2855
|
-
#
|
2500
|
+
# Modifies the staging labels attached to a version of a secret. Secrets
|
2501
|
+
# Manager uses staging labels to track a version as it progresses
|
2502
|
+
# through the secret rotation process. Each staging label can be
|
2503
|
+
# attached to only one version at a time. To add a staging label to a
|
2504
|
+
# version when it is already attached to another version, Secrets
|
2505
|
+
# Manager first removes it from the other version first and then
|
2506
|
+
# attaches it to this one. For more information about versions and
|
2507
|
+
# staging labels, see [Concepts: Version][1].
|
2856
2508
|
#
|
2857
2509
|
# The staging labels that you specify in the `VersionStage` parameter
|
2858
|
-
# are added to the existing list of staging labels
|
2859
|
-
# it.
|
2510
|
+
# are added to the existing list of staging labels for the version.
|
2860
2511
|
#
|
2861
2512
|
# You can move the `AWSCURRENT` staging label to this version by
|
2862
2513
|
# including it in this call.
|
@@ -2871,30 +2522,20 @@ module Aws::SecretsManager
|
|
2871
2522
|
# then the version is considered to be 'deprecated' and can be deleted
|
2872
2523
|
# by Secrets Manager.
|
2873
2524
|
#
|
2874
|
-
#
|
2525
|
+
# <b>Required permissions: </b>
|
2526
|
+
# `secretsmanager:UpdateSecretVersionStage`. For more information, see [
|
2527
|
+
# IAM policy actions for Secrets Manager][2] and [Authentication and
|
2528
|
+
# access control in Secrets Manager][3].
|
2875
2529
|
#
|
2876
|
-
# To run this command, you must have the following permissions:
|
2877
2530
|
#
|
2878
|
-
# * secretsmanager:UpdateSecretVersionStage
|
2879
2531
|
#
|
2880
|
-
#
|
2881
|
-
#
|
2882
|
-
#
|
2883
|
-
#
|
2884
|
-
# * To get the list of staging labels that are currently associated with
|
2885
|
-
# a version of a secret, use ` DescribeSecret ` and examine the
|
2886
|
-
# `SecretVersionsToStages` response value.
|
2887
|
-
#
|
2888
|
-
# ^
|
2889
|
-
#
|
2890
|
-
#
|
2891
|
-
#
|
2892
|
-
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/terms-concepts.html#term_staging-label
|
2532
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html#term_version
|
2533
|
+
# [2]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
2534
|
+
# [3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
2893
2535
|
#
|
2894
2536
|
# @option params [required, String] :secret_id
|
2895
|
-
#
|
2896
|
-
#
|
2897
|
-
# (ARN) or the friendly name of the secret.
|
2537
|
+
# The ARN or the name of the secret with the version and staging
|
2538
|
+
# labelsto modify.
|
2898
2539
|
#
|
2899
2540
|
# For an ARN, we recommend that you specify a complete ARN rather than a
|
2900
2541
|
# partial ARN.
|
@@ -2903,18 +2544,16 @@ module Aws::SecretsManager
|
|
2903
2544
|
# The staging label to add to this version.
|
2904
2545
|
#
|
2905
2546
|
# @option params [String] :remove_from_version_id
|
2906
|
-
#
|
2907
|
-
#
|
2908
|
-
#
|
2909
|
-
#
|
2910
|
-
#
|
2911
|
-
#
|
2912
|
-
# operation fails.
|
2547
|
+
# The ID of the version that the staging label is to be removed from. If
|
2548
|
+
# the staging label you are trying to attach to one version is already
|
2549
|
+
# attached to a different version, then you must include this parameter
|
2550
|
+
# and specify the version that the label is to be removed from. If the
|
2551
|
+
# label is attached and you either do not specify this parameter, or the
|
2552
|
+
# version ID does not match, then the operation fails.
|
2913
2553
|
#
|
2914
2554
|
# @option params [String] :move_to_version_id
|
2915
|
-
#
|
2916
|
-
#
|
2917
|
-
# specify this parameter.
|
2555
|
+
# The ID of the version to add the staging label to. To remove a label
|
2556
|
+
# from a version, then do not specify this parameter.
|
2918
2557
|
#
|
2919
2558
|
# If the staging label is already attached to a different version of the
|
2920
2559
|
# secret, then you must also specify the `RemoveFromVersionId`
|
@@ -3003,53 +2642,42 @@ module Aws::SecretsManager
|
|
3003
2642
|
req.send_request(options)
|
3004
2643
|
end
|
3005
2644
|
|
3006
|
-
# Validates that
|
3007
|
-
# principals access to your secret.
|
3008
|
-
#
|
3009
|
-
# breaks for better readability. Submit your input as a single line JSON
|
3010
|
-
# string. A resource-based policy is optional for secrets.
|
2645
|
+
# Validates that a resource policy does not grant a wide range of
|
2646
|
+
# principals access to your secret. A resource-based policy is optional
|
2647
|
+
# for secrets.
|
3011
2648
|
#
|
3012
|
-
# The API performs three checks when validating the
|
2649
|
+
# The API performs three checks when validating the policy:
|
3013
2650
|
#
|
3014
2651
|
# * Sends a call to [Zelkova][1], an automated reasoning engine, to
|
3015
|
-
# ensure your
|
3016
|
-
# secret.
|
2652
|
+
# ensure your resource policy does not allow broad access to your
|
2653
|
+
# secret, for example policies that use a wildcard for the principal.
|
3017
2654
|
#
|
3018
2655
|
# * Checks for correct syntax in a policy.
|
3019
2656
|
#
|
3020
2657
|
# * Verifies the policy does not lock out a caller.
|
3021
2658
|
#
|
3022
|
-
#
|
3023
|
-
#
|
3024
|
-
#
|
3025
|
-
#
|
3026
|
-
# * `secretsmanager:PutResourcePolicy`
|
3027
|
-
#
|
3028
|
-
# * `secretsmanager:ValidateResourcePolicy`
|
2659
|
+
# <b>Required permissions: </b> `secretsmanager:ValidateResourcePolicy`.
|
2660
|
+
# For more information, see [ IAM policy actions for Secrets Manager][2]
|
2661
|
+
# and [Authentication and access control in Secrets Manager][3].
|
3029
2662
|
#
|
3030
2663
|
#
|
3031
2664
|
#
|
3032
2665
|
# [1]: https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/
|
2666
|
+
# [2]: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions
|
2667
|
+
# [3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
|
3033
2668
|
#
|
3034
2669
|
# @option params [String] :secret_id
|
3035
|
-
#
|
3036
|
-
# you want to validate. You can specify either the Amazon Resource Name
|
3037
|
-
# (ARN) or the friendly name of the secret.
|
3038
|
-
#
|
3039
|
-
# For an ARN, we recommend that you specify a complete ARN rather than a
|
3040
|
-
# partial ARN.
|
2670
|
+
# This field is reserved for internal use.
|
3041
2671
|
#
|
3042
2672
|
# @option params [required, String] :resource_policy
|
3043
|
-
# A JSON-formatted string
|
3044
|
-
#
|
3045
|
-
#
|
3046
|
-
#
|
3047
|
-
# various command line tool environments, see [Using JSON for
|
3048
|
-
# Parameters][1] in the *CLI User Guide*.publi
|
2673
|
+
# A JSON-formatted string that contains an Amazon Web Services
|
2674
|
+
# resource-based policy. The policy in the string identifies who can
|
2675
|
+
# access or manage this secret and its versions. For example policies,
|
2676
|
+
# see [Permissions policy examples][1].
|
3049
2677
|
#
|
3050
2678
|
#
|
3051
2679
|
#
|
3052
|
-
# [1]:
|
2680
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
|
3053
2681
|
#
|
3054
2682
|
# @return [Types::ValidateResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
3055
2683
|
#
|
@@ -3109,7 +2737,7 @@ module Aws::SecretsManager
|
|
3109
2737
|
params: params,
|
3110
2738
|
config: config)
|
3111
2739
|
context[:gem_name] = 'aws-sdk-secretsmanager'
|
3112
|
-
context[:gem_version] = '1.
|
2740
|
+
context[:gem_version] = '1.57.0'
|
3113
2741
|
Seahorse::Client::Request.new(handlers, context)
|
3114
2742
|
end
|
3115
2743
|
|