aws-sdk-secretsmanager 1.39.0 → 1.40.0

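--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 44bb4b64972ae334b89344496c8cc19f8461f48430c247c81e58ee5284cd893e
- data.tar.gz: 370c660e0f424b226387f19977cb059f69cf7d0ae30e61ab68fa04f869a44970
+ metadata.gz: 61ef4c50b000fe9d14348c4d5fd862da00afa0d5f34b7ff0c446c042e7c72bff
+ data.tar.gz: 0ecaa3135f14b021f022c78b49b00e0564027420becab1f5e15833f220234db1
  SHA512:
- metadata.gz: 4cfb45a25f1344a5574fdbc56f9c3c2755911b5a46cd8971272b2f81949c9a62cef807bb3ee14b3cffdb4ee4a05199fc791f992ca63664f7e7cf658edfe1efab
- data.tar.gz: 6fb8eced24d860e5f2e38ab2101d10652d825cb8d97e2f511184fe507ce464065b37af8a787787cf8c5b3d153871520b4106b513c053415341763b2c40147efc
+ metadata.gz: f85dc1d338e74aaed0e878188b1ac85748ca2435734e765bfd678f06c1f87a420aece7b1b47f8c4daf57822df2ecf29ab807b6d84e3c7b4b5fbbfd9eb907251a
+ data.tar.gz: 1028a196ae320a94a84ef4c9db1d14c9fd0ac65533bb4f5961595da8439a593e68742640c82802bb0d27fc6b5136ec2aff8f1f4ad4cac62ac66b1d430a050302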
@@ -47,6 +47,6 @@ require_relative 'aws-sdk-secretsmanager/customizations'
47
47
  # @service
48
48
  module Aws::SecretsManager
49
49
 
50
- GEM_VERSION = '1.39.0'
50
+ GEM_VERSION = '1.40.0'
51
51
 
52
52
  end
@@ -323,20 +323,20 @@ module Aws::SecretsManager
323
323
  # @!group API Operations
324
324
 
325
325
  # Disables automatic scheduled rotation and cancels the rotation of a
326
- # secret if one is currently in progress.
326
+ # secret if currently in progress.
327
327
  #
328
328
  # To re-enable scheduled rotation, call RotateSecret with
329
329
  # `AutomaticallyRotateAfterDays` set to a value greater than 0. This
330
- # will immediately rotate your secret and then enable the automatic
330
+ # immediately rotates your secret and then enables the automatic
331
331
  # schedule.
332
332
  #
333
- # <note markdown="1"> If you cancel a rotation that is in progress, it can leave the
334
- # `VersionStage` labels in an unexpected state. Depending on what step
335
- # of the rotation was in progress, you might need to remove the staging
336
- # label `AWSPENDING` from the partially created version, specified by
337
- # the `VersionId` response value. You should also evaluate the partially
333
+ # <note markdown="1"> If you cancel a rotation while in progress, it can leave the
334
+ # `VersionStage` labels in an unexpected state. Depending on the step of
335
+ # the rotation in progress, you might need to remove the staging label
336
+ # `AWSPENDING` from the partially created version, specified by the
337
+ # `VersionId` response value. You should also evaluate the partially
338
338
  # rotated new version to see if it should be deleted, which you can do
339
- # by removing all staging labels from the new version's `VersionStage`
339
+ # by removing all staging labels from the new version `VersionStage`
340
340
  # field.
341
341
  #
342
342
  # </note>
@@ -344,12 +344,12 @@ module Aws::SecretsManager
344
344
  # To successfully start a rotation, the staging label `AWSPENDING` must
345
345
  # be in one of the following states:
346
346
  #
347
- # * Not be attached to any version at all
347
+ # * Not attached to any version at all
348
348
  #
349
349
  # * Attached to the same version as the staging label `AWSCURRENT`
350
350
  #
351
- # If the staging label `AWSPENDING` is attached to a different version
352
- # than the version with `AWSCURRENT` then the attempt to rotate fails.
351
+ # If the staging label `AWSPENDING` attached to a different version than
352
+ # the version with `AWSCURRENT` then the attempt to rotate fails.
353
353
  #
354
354
  # **Minimum permissions**
355
355
  #
@@ -373,9 +373,9 @@ module Aws::SecretsManager
373
373
  # ListSecretVersionIds.
374
374
  #
375
375
  # @option params [required, String] :secret_id
376
- # Specifies the secret for which you want to cancel a rotation request.
377
- # You can specify either the Amazon Resource Name (ARN) or the friendly
378
- # name of the secret.
376
+ # Specifies the secret to cancel a rotation request. You can specify
377
+ # either the Amazon Resource Name (ARN) or the friendly name of the
378
+ # secret.
379
379
  #
380
380
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
381
381
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -388,7 +388,13 @@ module Aws::SecretsManager
388
388
  # then those characters cause Secrets Manager to assume that you’re
389
389
  # specifying a complete ARN. This confusion can cause unexpected
390
390
  # results. To avoid this situation, we recommend that you don’t create
391
- # secret names that end with a hyphen followed by six characters.
391
+ # secret names ending with a hyphen followed by six characters.
392
+ #
393
+ # If you specify an incomplete ARN without the random suffix, and
394
+ # instead provide the 'friendly name', you *must* not include the
395
+ # random suffix. If you do include the random suffix added by Secrets
396
+ # Manager, you receive either a *ResourceNotFoundException* or an
397
+ # *AccessDeniedException* error, depending on your permissions.
392
398
  #
393
399
  # </note>
394
400
  #
@@ -447,7 +453,7 @@ module Aws::SecretsManager
447
453
  # version is in the rotation cycle. The `SecretVersionsToStages` field
448
454
  # of the secret contains the mapping of staging labels to the active
449
455
  # versions of the secret. Versions without a staging label are
450
- # considered deprecated and are not included in the list.
456
+ # considered deprecated and not included in the list.
451
457
  #
452
458
  # You provide the secret data to be encrypted by putting text in either
453
459
  # the `SecretString` parameter or binary data in the `SecretBinary`
@@ -456,29 +462,29 @@ module Aws::SecretsManager
456
462
  # version and automatically attaches the staging label `AWSCURRENT` to
457
463
  # the new version.
458
464
  #
459
- # <note markdown="1"> * If you call an operation that needs to encrypt or decrypt the
460
- # `SecretString` or `SecretBinary` for a secret in the same account as
461
- # the calling user and that secret doesn't specify a AWS KMS
462
- # encryption key, Secrets Manager uses the account's default AWS
463
- # managed customer master key (CMK) with the alias
464
- # `aws/secretsmanager`. If this key doesn't already exist in your
465
- # account then Secrets Manager creates it for you automatically. All
466
- # users and roles in the same AWS account automatically have access to
467
- # use the default CMK. Note that if an Secrets Manager API call
468
- # results in AWS having to create the account's AWS-managed CMK, it
469
- # can result in a one-time significant delay in returning the result.
470
- #
471
- # * If the secret is in a different AWS account from the credentials
472
- # calling an API that requires encryption or decryption of the secret
473
- # value then you must create and use a custom AWS KMS CMK because you
474
- # can't access the default CMK for the account using credentials from
475
- # a different AWS account. Store the ARN of the CMK in the secret when
476
- # you create the secret or when you update it by including it in the
477
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
478
- # `SecretString` or `SecretBinary` using credentials from a different
479
- # account then the AWS KMS key policy must grant cross-account access
480
- # to that other account's user or role for both the
481
- # kms:GenerateDataKey and kms:Decrypt operations.
465
+ # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
466
+ # `SecretBinary` for a secret in the same account as the calling user
467
+ # and that secret doesn't specify a AWS KMS encryption key, Secrets
468
+ # Manager uses the account's default AWS managed customer master key
469
+ # (CMK) with the alias `aws/secretsmanager`. If this key doesn't
470
+ # already exist in your account then Secrets Manager creates it for
471
+ # you automatically. All users and roles in the same AWS account
472
+ # automatically have access to use the default CMK. Note that if an
473
+ # Secrets Manager API call results in AWS creating the account's
474
+ # AWS-managed CMK, it can result in a one-time significant delay in
475
+ # returning the result.
476
+ #
477
+ # * If the secret resides in a different AWS account from the
478
+ # credentials calling an API that requires encryption or decryption of
479
+ # the secret value then you must create and use a custom AWS KMS CMK
480
+ # because you can't access the default CMK for the account using
481
+ # credentials from a different AWS account. Store the ARN of the CMK
482
+ # in the secret when you create the secret or when you update it by
483
+ # including it in the `KMSKeyId`. If you call an API that must encrypt
484
+ # or decrypt `SecretString` or `SecretBinary` using credentials from a
485
+ # different account then the AWS KMS key policy must grant
486
+ # cross-account access to that other account's user or role for both
487
+ # the kms:GenerateDataKey and kms:Decrypt operations.
482
488
  #
483
489
  # </note>
484
490
  #
@@ -492,11 +498,11 @@ module Aws::SecretsManager
492
498
  #
493
499
  # * kms:GenerateDataKey - needed only if you use a customer-managed AWS
494
500
  # KMS key to encrypt the secret. You do not need this permission to
495
- # use the account's default AWS managed CMK for Secrets Manager.
501
+ # use the account default AWS managed CMK for Secrets Manager.
496
502
  #
497
503
  # * kms:Decrypt - needed only if you use a customer-managed AWS KMS key
498
504
  # to encrypt the secret. You do not need this permission to use the
499
- # account's default AWS managed CMK for Secrets Manager.
505
+ # account default AWS managed CMK for Secrets Manager.
500
506
  #
501
507
  # * secretsmanager:TagResource - needed only if you include the `Tags`
502
508
  # parameter.
@@ -526,11 +532,10 @@ module Aws::SecretsManager
526
532
  # The secret name must be ASCII letters, digits, or the following
527
533
  # characters : /\_+=.@-
528
534
  #
529
- # <note markdown="1"> Don't end your secret name with a hyphen followed by six characters.
535
+ # <note markdown="1"> Do not end your secret name with a hyphen followed by six characters.
530
536
  # If you do so, you risk confusion and unexpected results when searching
531
- # for a secret by partial ARN. This is because Secrets Manager
532
- # automatically adds a hyphen and six random characters at the end of
533
- # the ARN.
537
+ # for a secret by partial ARN. Secrets Manager automatically adds a
538
+ # hyphen and six random characters at the end of the ARN.
534
539
  #
535
540
  # </note>
536
541
  #
@@ -545,7 +550,7 @@ module Aws::SecretsManager
545
550
  # the request. If you don't use the SDK and instead generate a raw HTTP
546
551
  # request to the Secrets Manager service endpoint, then you must
547
552
  # generate a `ClientRequestToken` yourself for the new version and
548
- # include that value in the request.
553
+ # include the value in the request.
549
554
  #
550
555
  # </note>
551
556
  #
@@ -558,10 +563,9 @@ module Aws::SecretsManager
558
563
  # * If the `ClientRequestToken` value isn't already associated with a
559
564
  # version of the secret then a new version of the secret is created.
560
565
  #
561
- # * If a version with this value already exists and that version's
566
+ # * If a version with this value already exists and the version
562
567
  # `SecretString` and `SecretBinary` values are the same as those in
563
- # the request, then the request is ignored (the operation is
564
- # idempotent).
568
+ # the request, then the request is ignored.
565
569
  #
566
570
  # * If a version with this value already exists and that version's
567
571
  # `SecretString` and `SecretBinary` values are different from those in
@@ -597,9 +601,9 @@ module Aws::SecretsManager
597
601
  # time it needs to encrypt a version's `SecretString` or `SecretBinary`
598
602
  # fields.
599
603
  #
600
- # You can use the account's default CMK to encrypt and decrypt only if
601
- # you call this operation using credentials from the same account that
602
- # owns the secret. If the secret is in a different account, then you
604
+ # You can use the account default CMK to encrypt and decrypt only if you
605
+ # call this operation using credentials from the same account that owns
606
+ # the secret. If the secret resides in a different account, then you
603
607
  # must create a custom CMK and specify the ARN in this field.
604
608
  #
605
609
  # @option params [String, IO] :secret_binary
@@ -634,7 +638,7 @@ module Aws::SecretsManager
634
638
  # environments, see [Using JSON for Parameters][1] in the *AWS CLI User
635
639
  # Guide*. For example:
636
640
  #
637
- # `[\{"username":"bob"\},\{"password":"abc123xyz456"\}]`
641
+ # `\{"username":"bob","password":"abc123xyz456"\}`
638
642
  #
639
643
  # If your command-line tool or SDK requires quotation marks around the
640
644
  # parameter, you should use single quotes to avoid confusion with the
@@ -680,16 +684,16 @@ module Aws::SecretsManager
680
684
  #
681
685
  # * Tag keys and values are case sensitive.
682
686
  #
683
- # * Do not use the `aws:` prefix in your tag names or values because it
684
- # is reserved for AWS use. You can't edit or delete tag names or
687
+ # * Do not use the `aws:` prefix in your tag names or values because AWS
688
+ # reserves it for AWS use. You can't edit or delete tag names or
685
689
  # values with this prefix. Tags with this prefix do not count against
686
690
  # your tags per secret limit.
687
691
  #
688
- # * If your tagging schema will be used across multiple services and
689
- # resources, remember that other services might have restrictions on
690
- # allowed characters. Generally allowed characters are: letters,
691
- # spaces, and numbers representable in UTF-8, plus the following
692
- # special characters: + - = . \_ : / @.
692
+ # * If you use your tagging schema across multiple services and
693
+ # resources, remember other services might have restrictions on
694
+ # allowed characters. Generally allowed characters: letters, spaces,
695
+ # and numbers representable in UTF-8, plus the following special
696
+ # characters: + - = . \_ : / @.
693
697
  #
694
698
  #
695
699
  #
@@ -753,8 +757,7 @@ module Aws::SecretsManager
753
757
  req.send_request(options)
754
758
  end
755
759
 
756
- # Deletes the resource-based permission policy that's attached to the
757
- # secret.
760
+ # Deletes the resource-based permission policy attached to the secret.
758
761
  #
759
762
  # **Minimum permissions**
760
763
  #
@@ -789,7 +792,13 @@ module Aws::SecretsManager
789
792
  # then those characters cause Secrets Manager to assume that you’re
790
793
  # specifying a complete ARN. This confusion can cause unexpected
791
794
  # results. To avoid this situation, we recommend that you don’t create
792
- # secret names that end with a hyphen followed by six characters.
795
+ # secret names ending with a hyphen followed by six characters.
796
+ #
797
+ # If you specify an incomplete ARN without the random suffix, and
798
+ # instead provide the 'friendly name', you *must* not include the
799
+ # random suffix. If you do include the random suffix added by Secrets
800
+ # Manager, you receive either a *ResourceNotFoundException* or an
801
+ # *AccessDeniedException* error, depending on your permissions.
793
802
  #
794
803
  # </note>
795
804
  #
@@ -892,7 +901,13 @@ module Aws::SecretsManager
892
901
  # then those characters cause Secrets Manager to assume that you’re
893
902
  # specifying a complete ARN. This confusion can cause unexpected
894
903
  # results. To avoid this situation, we recommend that you don’t create
895
- # secret names that end with a hyphen followed by six characters.
904
+ # secret names ending with a hyphen followed by six characters.
905
+ #
906
+ # If you specify an incomplete ARN without the random suffix, and
907
+ # instead provide the 'friendly name', you *must* not include the
908
+ # random suffix. If you do include the random suffix added by Secrets
909
+ # Manager, you receive either a *ResourceNotFoundException* or an
910
+ # *AccessDeniedException* error, depending on your permissions.
896
911
  #
897
912
  # </note>
898
913
  #
@@ -970,8 +985,8 @@ module Aws::SecretsManager
970
985
  end
971
986
 
972
987
  # Retrieves the details of a secret. It does not include the encrypted
973
- # fields. Only those fields that are populated with a value are returned
974
- # in the response.
988
+ # fields. Secrets Manager only returns fields populated with a value in
989
+ # the response.
975
990
  #
976
991
  # **Minimum permissions**
977
992
  #
@@ -1008,7 +1023,13 @@ module Aws::SecretsManager
1008
1023
  # then those characters cause Secrets Manager to assume that you’re
1009
1024
  # specifying a complete ARN. This confusion can cause unexpected
1010
1025
  # results. To avoid this situation, we recommend that you don’t create
1011
- # secret names that end with a hyphen followed by six characters.
1026
+ # secret names ending with a hyphen followed by six characters.
1027
+ #
1028
+ # If you specify an incomplete ARN without the random suffix, and
1029
+ # instead provide the 'friendly name', you *must* not include the
1030
+ # random suffix. If you do include the random suffix added by Secrets
1031
+ # Manager, you receive either a *ResourceNotFoundException* or an
1032
+ # *AccessDeniedException* error, depending on your permissions.
1012
1033
  #
1013
1034
  # </note>
1014
1035
  #
@@ -1028,6 +1049,7 @@ module Aws::SecretsManager
1028
1049
  # * {Types::DescribeSecretResponse#tags #tags} => Array&lt;Types::Tag&gt;
1029
1050
  # * {Types::DescribeSecretResponse#version_ids_to_stages #version_ids_to_stages} => Hash&lt;String,Array&lt;String&gt;&gt;
1030
1051
  # * {Types::DescribeSecretResponse#owning_service #owning_service} => String
1052
+ # * {Types::DescribeSecretResponse#created_date #created_date} => Time
1031
1053
  #
1032
1054
  #
1033
1055
  # @example Example: To retrieve the details of a secret
@@ -1098,6 +1120,7 @@ module Aws::SecretsManager
1098
1120
  # resp.version_ids_to_stages["SecretVersionIdType"] #=> Array
1099
1121
  # resp.version_ids_to_stages["SecretVersionIdType"][0] #=> String
1100
1122
  # resp.owning_service #=> String
1123
+ # resp.created_date #=> Time
1101
1124
  #
1102
1125
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DescribeSecret AWS API Documentation
1103
1126
  #
@@ -1216,11 +1239,10 @@ module Aws::SecretsManager
1216
1239
  req.send_request(options)
1217
1240
  end
1218
1241
 
1219
- # Retrieves the JSON text of the resource-based policy document that's
1220
- # attached to the specified secret. The JSON request string input and
1221
- # response output are shown formatted with white space and line breaks
1222
- # for better readability. Submit your input as a single line JSON
1223
- # string.
1242
+ # Retrieves the JSON text of the resource-based policy document attached
1243
+ # to the specified secret. The JSON request string input and response
1244
+ # output displays formatted code with white space and line breaks for
1245
+ # better readability. Submit your input as a single line JSON string.
1224
1246
  #
1225
1247
  # **Minimum permissions**
1226
1248
  #
@@ -1234,8 +1256,8 @@ module Aws::SecretsManager
1234
1256
  #
1235
1257
  # * To attach a resource policy to a secret, use PutResourcePolicy.
1236
1258
  #
1237
- # * To delete the resource-based policy that's attached to a secret,
1238
- # use DeleteResourcePolicy.
1259
+ # * To delete the resource-based policy attached to a secret, use
1260
+ # DeleteResourcePolicy.
1239
1261
  #
1240
1262
  # * To list all of the currently available secrets, use ListSecrets.
1241
1263
  #
@@ -1255,7 +1277,13 @@ module Aws::SecretsManager
1255
1277
  # then those characters cause Secrets Manager to assume that you’re
1256
1278
  # specifying a complete ARN. This confusion can cause unexpected
1257
1279
  # results. To avoid this situation, we recommend that you don’t create
1258
- # secret names that end with a hyphen followed by six characters.
1280
+ # secret names ending with a hyphen followed by six characters.
1281
+ #
1282
+ # If you specify an incomplete ARN without the random suffix, and
1283
+ # instead provide the 'friendly name', you *must* not include the
1284
+ # random suffix. If you do include the random suffix added by Secrets
1285
+ # Manager, you receive either a *ResourceNotFoundException* or an
1286
+ # *AccessDeniedException* error, depending on your permissions.
1259
1287
  #
1260
1288
  # </note>
1261
1289
  #
@@ -1340,7 +1368,13 @@ module Aws::SecretsManager
1340
1368
  # then those characters cause Secrets Manager to assume that you’re
1341
1369
  # specifying a complete ARN. This confusion can cause unexpected
1342
1370
  # results. To avoid this situation, we recommend that you don’t create
1343
- # secret names that end with a hyphen followed by six characters.
1371
+ # secret names ending with a hyphen followed by six characters.
1372
+ #
1373
+ # If you specify an incomplete ARN without the random suffix, and
1374
+ # instead provide the 'friendly name', you *must* not include the
1375
+ # random suffix. If you do include the random suffix added by Secrets
1376
+ # Manager, you receive either a *ResourceNotFoundException* or an
1377
+ # *AccessDeniedException* error, depending on your permissions.
1344
1378
  #
1345
1379
  # </note>
1346
1380
  #
@@ -1437,8 +1471,8 @@ module Aws::SecretsManager
1437
1471
  #
1438
1472
  # <note markdown="1"> Always check the `NextToken` response parameter when calling any of
1439
1473
  # the `List*` operations. These operations can occasionally return an
1440
- # empty or shorter than expected list of results even when there are
1441
- # more results available. When this happens, the `NextToken` response
1474
+ # empty or shorter than expected list of results even when there more
1475
+ # results become available. When this happens, the `NextToken` response
1442
1476
  # parameter contains a value to pass to the next call to the same API to
1443
1477
  # request the next part of the list.
1444
1478
  #
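Review bot: The reworded pagination note now reads `even when there more results become available`, which drops the verb and shifts the meaning from "more results already exist" towards "results may arrive later". Code that enumerates secrets or versions for inventory or audit relies on this sentence to know that a short or empty page is not the end of the list, so the earlier wording should be kept: `even when there are more results available`. The same regression appears in the hunk at -1587,8 +1627,8. The comment block this hunk edits starts and ends outside the hunk.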
@@ -1474,28 +1508,34 @@ module Aws::SecretsManager
1474
1508
  # then those characters cause Secrets Manager to assume that you’re
1475
1509
  # specifying a complete ARN. This confusion can cause unexpected
1476
1510
  # results. To avoid this situation, we recommend that you don’t create
1477
- # secret names that end with a hyphen followed by six characters.
1511
+ # secret names ending with a hyphen followed by six characters.
1512
+ #
1513
+ # If you specify an incomplete ARN without the random suffix, and
1514
+ # instead provide the 'friendly name', you *must* not include the
1515
+ # random suffix. If you do include the random suffix added by Secrets
1516
+ # Manager, you receive either a *ResourceNotFoundException* or an
1517
+ # *AccessDeniedException* error, depending on your permissions.
1478
1518
  #
1479
1519
  # </note>
1480
1520
  #
1481
1521
  # @option params [Integer] :max_results
1482
- # (Optional) Limits the number of results that you want to include in
1483
- # the response. If you don't include this parameter, it defaults to a
1484
- # value that's specific to the operation. If additional items exist
1485
- # beyond the maximum you specify, the `NextToken` response element is
1486
- # present and has a value (isn't null). Include that value as the
1487
- # `NextToken` request parameter in the next call to the operation to get
1488
- # the next part of the results. Note that Secrets Manager might return
1489
- # fewer results than the maximum even when there are more results
1490
- # available. You should check `NextToken` after every operation to
1491
- # ensure that you receive all of the results.
1522
+ # (Optional) Limits the number of results you want to include in the
1523
+ # response. If you don't include this parameter, it defaults to a value
1524
+ # that's specific to the operation. If additional items exist beyond
1525
+ # the maximum you specify, the `NextToken` response element is present
1526
+ # and has a value (isn't null). Include that value as the `NextToken`
1527
+ # request parameter in the next call to the operation to get the next
1528
+ # part of the results. Note that Secrets Manager might return fewer
1529
+ # results than the maximum even when there are more results available.
1530
+ # You should check `NextToken` after every operation to ensure that you
1531
+ # receive all of the results.
1492
1532
  #
1493
1533
  # @option params [String] :next_token
1494
1534
  # (Optional) Use this parameter in a request if you receive a
1495
- # `NextToken` response in a previous request that indicates that
1496
- # there's more output available. In a subsequent call, set it to the
1497
- # value of the previous call's `NextToken` response to indicate where
1498
- # the output should continue from.
1535
+ # `NextToken` response in a previous request indicating there's more
1536
+ # output available. In a subsequent call, set it to the value of the
1537
+ # previous call `NextToken` response to indicate where the output should
1538
+ # continue from.
1499
1539
  #
1500
1540
  # @option params [Boolean] :include_deprecated
1501
1541
  # (Optional) Specifies that you want the results to include versions
@@ -1587,8 +1627,8 @@ module Aws::SecretsManager
1587
1627
  #
1588
1628
  # <note markdown="1"> Always check the `NextToken` response parameter when calling any of
1589
1629
  # the `List*` operations. These operations can occasionally return an
1590
- # empty or shorter than expected list of results even when there are
1591
- # more results available. When this happens, the `NextToken` response
1630
+ # empty or shorter than expected list of results even when there more
1631
+ # results become available. When this happens, the `NextToken` response
1592
1632
  # parameter contains a value to pass to the next call to the same API to
1593
1633
  # request the next part of the list.
1594
1634
  #
@@ -1609,23 +1649,29 @@ module Aws::SecretsManager
1609
1649
  # ^
1610
1650
  #
1611
1651
  # @option params [Integer] :max_results
1612
- # (Optional) Limits the number of results that you want to include in
1613
- # the response. If you don't include this parameter, it defaults to a
1614
- # value that's specific to the operation. If additional items exist
1615
- # beyond the maximum you specify, the `NextToken` response element is
1616
- # present and has a value (isn't null). Include that value as the
1617
- # `NextToken` request parameter in the next call to the operation to get
1618
- # the next part of the results. Note that Secrets Manager might return
1619
- # fewer results than the maximum even when there are more results
1620
- # available. You should check `NextToken` after every operation to
1621
- # ensure that you receive all of the results.
1652
+ # (Optional) Limits the number of results you want to include in the
1653
+ # response. If you don't include this parameter, it defaults to a value
1654
+ # that's specific to the operation. If additional items exist beyond
1655
+ # the maximum you specify, the `NextToken` response element is present
1656
+ # and has a value (isn't null). Include that value as the `NextToken`
1657
+ # request parameter in the next call to the operation to get the next
1658
+ # part of the results. Note that Secrets Manager might return fewer
1659
+ # results than the maximum even when there are more results available.
1660
+ # You should check `NextToken` after every operation to ensure that you
1661
+ # receive all of the results.
1622
1662
  #
1623
1663
  # @option params [String] :next_token
1624
1664
  # (Optional) Use this parameter in a request if you receive a
1625
- # `NextToken` response in a previous request that indicates that
1626
- # there's more output available. In a subsequent call, set it to the
1627
- # value of the previous call's `NextToken` response to indicate where
1628
- # the output should continue from.
1665
+ # `NextToken` response in a previous request indicating there's more
1666
+ # output available. In a subsequent call, set it to the value of the
1667
+ # previous call `NextToken` response to indicate where the output should
1668
+ # continue from.
1669
+ #
1670
+ # @option params [Array<Types::Filter>] :filters
1671
+ # Lists the secret request filters.
1672
+ #
1673
+ # @option params [String] :sort_order
1674
+ # Lists secrets in the requested order.
1629
1675
  #
1630
1676
  # @return [Types::ListSecretsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1631
1677
  #
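Review bot: The new `:filters` and `:sort_order` entries are documented only as `Lists the secret request filters.` and `Lists secrets in the requested order.`, which gives a caller neither the accepted values nor the order used when the option is omitted. The request-syntax example added in the next hunk does list them (`description, name, tag-key, tag-value, all` and `asc, desc`), so the option text could carry them, for example `# Restricts the result to secrets matching each filter's key (description, name, tag-key, tag-value, all) and values.` How several filters combine is not stated anywhere in the visible lines and should be documented rather than left to be inferred, since a filter that matches less than expected silently hides secrets from a listing.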
@@ -1675,6 +1721,13 @@ module Aws::SecretsManager
1675
1721
  # resp = client.list_secrets({
1676
1722
  # max_results: 1,
1677
1723
  # next_token: "NextTokenType",
1724
+ # filters: [
1725
+ # {
1726
+ # key: "description", # accepts description, name, tag-key, tag-value, all
1727
+ # values: ["FilterValueStringType"],
1728
+ # },
1729
+ # ],
1730
+ # sort_order: "asc", # accepts asc, desc
1678
1731
  # })
1679
1732
  #
1680
1733
  # @example Response structure
@@ -1698,6 +1751,7 @@ module Aws::SecretsManager
1698
1751
  # resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"] #=> Array
1699
1752
  # resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"][0] #=> String
1700
1753
  # resp.secret_list[0].owning_service #=> String
1754
+ # resp.secret_list[0].created_date #=> Time
1701
1755
  # resp.next_token #=> String
1702
1756
  #
1703
1757
  # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecrets AWS API Documentation
@@ -1731,7 +1785,7 @@ module Aws::SecretsManager
1731
1785
  #
1732
1786
  # **Related operations**
1733
1787
  #
1734
- # * To retrieve the resource policy that's attached to a secret, use
1788
+ # * To retrieve the resource policy attached to a secret, use
1735
1789
  # GetResourcePolicy.
1736
1790
  #
1737
1791
  # * To delete the resource-based policy that's attached to a secret,
@@ -1759,7 +1813,13 @@ module Aws::SecretsManager
1759
1813
  # then those characters cause Secrets Manager to assume that you’re
1760
1814
  # specifying a complete ARN. This confusion can cause unexpected
1761
1815
  # results. To avoid this situation, we recommend that you don’t create
1762
- # secret names that end with a hyphen followed by six characters.
1816
+ # secret names ending with a hyphen followed by six characters.
1817
+ #
1818
+ # If you specify an incomplete ARN without the random suffix, and
1819
+ # instead provide the 'friendly name', you *must* not include the
1820
+ # random suffix. If you do include the random suffix added by Secrets
1821
+ # Manager, you receive either a *ResourceNotFoundException* or an
1822
+ # *AccessDeniedException* error, depending on your permissions.
1763
1823
  #
1764
1824
  # </note>
1765
1825
  #
@@ -1775,6 +1835,10 @@ module Aws::SecretsManager
1775
1835
  #
1776
1836
  # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
1777
1837
  #
1838
+ # @option params [Boolean] :block_public_policy
1839
+ # Makes an optional API call to Zelkova to validate the Resource Policy
1840
+ # to prevent broad access to your secret.
1841
+ #
1778
1842
  # @return [Types::PutResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1779
1843
  #
1780
1844
  # * {Types::PutResourcePolicyResponse#arn #arn} => String
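Review bot: The `:block_public_policy` description names the validation backend (`Zelkova`) but does not say what a caller observes: the default when the option is omitted, and whether a policy judged too broad makes the request fail or is merely reported. The request-syntax example added in the following hunk shows `block_public_policy: false`, which suggests (but does not establish) that the check is opt-in, so anyone relying on it as a guardrail would presumably have to pass `true` on every `put_resource_policy` call. I would extend the comment along the lines of `# When true, Secrets Manager validates the policy before attaching it; see the API reference for the default and for the error returned when validation fails.`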
@@ -1801,6 +1865,7 @@ module Aws::SecretsManager
1801
1865
  # resp = client.put_resource_policy({
1802
1866
  # secret_id: "SecretIdType", # required
1803
1867
  # resource_policy: "NonEmptyResourcePolicyType", # required
1868
+ # block_public_policy: false,
1804
1869
  # })
1805
1870
  #
1806
1871
  # @example Response structure
@@ -1850,29 +1915,29 @@ module Aws::SecretsManager
1850
1915
  # operation fails because you cannot modify an existing version; you
1851
1916
  # can only create new ones.
1852
1917
  #
1853
- # <note markdown="1"> * If you call an operation that needs to encrypt or decrypt the
1854
- # `SecretString` or `SecretBinary` for a secret in the same account as
1855
- # the calling user and that secret doesn't specify a AWS KMS
1856
- # encryption key, Secrets Manager uses the account's default AWS
1857
- # managed customer master key (CMK) with the alias
1858
- # `aws/secretsmanager`. If this key doesn't already exist in your
1859
- # account then Secrets Manager creates it for you automatically. All
1860
- # users and roles in the same AWS account automatically have access to
1861
- # use the default CMK. Note that if an Secrets Manager API call
1862
- # results in AWS having to create the account's AWS-managed CMK, it
1863
- # can result in a one-time significant delay in returning the result.
1864
- #
1865
- # * If the secret is in a different AWS account from the credentials
1866
- # calling an API that requires encryption or decryption of the secret
1867
- # value then you must create and use a custom AWS KMS CMK because you
1868
- # can't access the default CMK for the account using credentials from
1869
- # a different AWS account. Store the ARN of the CMK in the secret when
1870
- # you create the secret or when you update it by including it in the
1871
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
1872
- # `SecretString` or `SecretBinary` using credentials from a different
1873
- # account then the AWS KMS key policy must grant cross-account access
1874
- # to that other account's user or role for both the
1875
- # kms:GenerateDataKey and kms:Decrypt operations.
1918
+ # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
1919
+ # `SecretBinary` for a secret in the same account as the calling user
1920
+ # and that secret doesn't specify a AWS KMS encryption key, Secrets
1921
+ # Manager uses the account's default AWS managed customer master key
1922
+ # (CMK) with the alias `aws/secretsmanager`. If this key doesn't
1923
+ # already exist in your account then Secrets Manager creates it for
1924
+ # you automatically. All users and roles in the same AWS account
1925
+ # automatically have access to use the default CMK. Note that if an
1926
+ # Secrets Manager API call results in AWS creating the account's
1927
+ # AWS-managed CMK, it can result in a one-time significant delay in
1928
+ # returning the result.
1929
+ #
1930
+ # * If the secret resides in a different AWS account from the
1931
+ # credentials calling an API that requires encryption or decryption of
1932
+ # the secret value then you must create and use a custom AWS KMS CMK
1933
+ # because you can't access the default CMK for the account using
1934
+ # credentials from a different AWS account. Store the ARN of the CMK
1935
+ # in the secret when you create the secret or when you update it by
1936
+ # including it in the `KMSKeyId`. If you call an API that must encrypt
1937
+ # or decrypt `SecretString` or `SecretBinary` using credentials from a
1938
+ # different account then the AWS KMS key policy must grant
1939
+ # cross-account access to that other account's user or role for both
1940
+ # the kms:GenerateDataKey and kms:Decrypt operations.
1876
1941
  #
1877
1942
  # </note>
1878
1943
  #
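Review bot: Two grammar slips survive the rewrap on the new side of this note. `doesn't specify a AWS KMS encryption key` (new line 1920) should read `an AWS KMS encryption key`, and `if an Secrets Manager API call` (new lines 1925-1926) should read `if a Secrets Manager API call`. The identical text in the hunk at -2539 (new lines 2639 and 2644-2645) needs the same correction. The comment block continues outside the hunk.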
@@ -1913,7 +1978,13 @@ module Aws::SecretsManager
1913
1978
  # then those characters cause Secrets Manager to assume that you’re
1914
1979
  # specifying a complete ARN. This confusion can cause unexpected
1915
1980
  # results. To avoid this situation, we recommend that you don’t create
1916
- # secret names that end with a hyphen followed by six characters.
1981
+ # secret names ending with a hyphen followed by six characters.
1982
+ #
1983
+ # If you specify an incomplete ARN without the random suffix, and
1984
+ # instead provide the 'friendly name', you *must* not include the
1985
+ # random suffix. If you do include the random suffix added by Secrets
1986
+ # Manager, you receive either a *ResourceNotFoundException* or an
1987
+ # *AccessDeniedException* error, depending on your permissions.
1917
1988
  #
1918
1989
  # </note>
1919
1990
  #
@@ -1944,7 +2015,7 @@ module Aws::SecretsManager
1944
2015
  # `SecretString` or `SecretBinary` values are the same as those in the
1945
2016
  # request then the request is ignored (the operation is idempotent).
1946
2017
  #
1947
- # * If a version with this value already exists and that version's
2018
+ # * If a version with this value already exists and the version of the
1948
2019
  # `SecretString` and `SecretBinary` values are different from those in
1949
2020
  # the request then the request fails because you cannot modify an
1950
2021
  # existing secret version. You can only create new versions to store
@@ -2106,7 +2177,13 @@ module Aws::SecretsManager
2106
2177
  # then those characters cause Secrets Manager to assume that you’re
2107
2178
  # specifying a complete ARN. This confusion can cause unexpected
2108
2179
  # results. To avoid this situation, we recommend that you don’t create
2109
- # secret names that end with a hyphen followed by six characters.
2180
+ # secret names ending with a hyphen followed by six characters.
2181
+ #
2182
+ # If you specify an incomplete ARN without the random suffix, and
2183
+ # instead provide the 'friendly name', you *must* not include the
2184
+ # random suffix. If you do include the random suffix added by Secrets
2185
+ # Manager, you receive either a *ResourceNotFoundException* or an
2186
+ # *AccessDeniedException* error, depending on your permissions.
2110
2187
  #
2111
2188
  # </note>
2112
2189
  #
@@ -2169,8 +2246,8 @@ module Aws::SecretsManager
2169
2246
  # for your protected service, see [Rotating Secrets in AWS Secrets
2170
2247
  # Manager][1] in the *AWS Secrets Manager User Guide*.
2171
2248
  #
2172
- # Secrets Manager schedules the next rotation when the previous one is
2173
- # complete. Secrets Manager schedules the date by adding the rotation
2249
+ # Secrets Manager schedules the next rotation when the previous one
2250
+ # completes. Secrets Manager schedules the date by adding the rotation
2174
2251
  # interval (number of days) to the actual date of the last rotation. The
2175
2252
  # service chooses the hour within that 24-hour date window randomly. The
2176
2253
  # minute is also chosen somewhat randomly, but weighted towards the top
@@ -2186,9 +2263,9 @@ module Aws::SecretsManager
2186
2263
  # * The `AWSPENDING` staging label is not attached to any version of the
2187
2264
  # secret.
2188
2265
  #
2189
- # If instead the `AWSPENDING` staging label is present but is not
2190
- # attached to the same version as `AWSCURRENT` then any later invocation
2191
- # of `RotateSecret` assumes that a previous rotation request is still in
2266
+ # If the `AWSPENDING` staging label is present but not attached to the
2267
+ # same version as `AWSCURRENT` then any later invocation of
2268
+ # `RotateSecret` assumes that a previous rotation request is still in
2192
2269
  # progress and returns an error.
2193
2270
  #
2194
2271
  # **Minimum permissions**
@@ -2230,7 +2307,13 @@ module Aws::SecretsManager
2230
2307
  # then those characters cause Secrets Manager to assume that you’re
2231
2308
  # specifying a complete ARN. This confusion can cause unexpected
2232
2309
  # results. To avoid this situation, we recommend that you don’t create
2233
- # secret names that end with a hyphen followed by six characters.
2310
+ # secret names ending with a hyphen followed by six characters.
2311
+ #
2312
+ # If you specify an incomplete ARN without the random suffix, and
2313
+ # instead provide the 'friendly name', you *must* not include the
2314
+ # random suffix. If you do include the random suffix added by Secrets
2315
+ # Manager, you receive either a *ResourceNotFoundException* or an
2316
+ # *AccessDeniedException* error, depending on your permissions.
2234
2317
  #
2235
2318
  # </note>
2236
2319
  #
@@ -2246,8 +2329,8 @@ module Aws::SecretsManager
2246
2329
  # generate a `ClientRequestToken` yourself for new versions and include
2247
2330
  # that value in the request.
2248
2331
  #
2249
- # You only need to specify your own value if you are implementing your
2250
- # own retry logic and want to ensure that a given secret is not created
2332
+ # You only need to specify your own value if you implement your own
2333
+ # retry logic and want to ensure that a given secret is not created
2251
2334
  # twice. We recommend that you generate a [UUID-type][1] value to ensure
2252
2335
  # uniqueness within the specified secret.
2253
2336
  #
@@ -2318,16 +2401,16 @@ module Aws::SecretsManager
2318
2401
  #
2319
2402
  # * Tag keys and values are case sensitive.
2320
2403
  #
2321
- # * Do not use the `aws:` prefix in your tag names or values because it
2322
- # is reserved for AWS use. You can't edit or delete tag names or
2404
+ # * Do not use the `aws:` prefix in your tag names or values because AWS
2405
+ # reserves it for AWS use. You can't edit or delete tag names or
2323
2406
  # values with this prefix. Tags with this prefix do not count against
2324
2407
  # your tags per secret limit.
2325
2408
  #
2326
- # * If your tagging schema will be used across multiple services and
2327
- # resources, remember that other services might have restrictions on
2328
- # allowed characters. Generally allowed characters are: letters,
2329
- # spaces, and numbers representable in UTF-8, plus the following
2330
- # special characters: + - = . \_ : / @.
2409
+ # * If you use your tagging schema across multiple services and
2410
+ # resources, remember other services might have restrictions on
2411
+ # allowed characters. Generally allowed characters: letters, spaces,
2412
+ # and numbers representable in UTF-8, plus the following special
2413
+ # characters: + - = . \_ : / @.
2331
2414
  #
2332
2415
  # If you use tags as part of your security strategy, then adding or
2333
2416
  # removing a tag can change permissions. If successfully completing this
@@ -2365,7 +2448,13 @@ module Aws::SecretsManager
2365
2448
  # then those characters cause Secrets Manager to assume that you’re
2366
2449
  # specifying a complete ARN. This confusion can cause unexpected
2367
2450
  # results. To avoid this situation, we recommend that you don’t create
2368
- # secret names that end with a hyphen followed by six characters.
2451
+ # secret names ending with a hyphen followed by six characters.
2452
+ #
2453
+ # If you specify an incomplete ARN without the random suffix, and
2454
+ # instead provide the 'friendly name', you *must* not include the
2455
+ # random suffix. If you do include the random suffix added by Secrets
2456
+ # Manager, you receive either a *ResourceNotFoundException* or an
2457
+ # *AccessDeniedException* error, depending on your permissions.
2369
2458
  #
2370
2459
  # </note>
2371
2460
  #
@@ -2467,7 +2556,13 @@ module Aws::SecretsManager
2467
2556
  # then those characters cause Secrets Manager to assume that you’re
2468
2557
  # specifying a complete ARN. This confusion can cause unexpected
2469
2558
  # results. To avoid this situation, we recommend that you don’t create
2470
- # secret names that end with a hyphen followed by six characters.
2559
+ # secret names ending with a hyphen followed by six characters.
2560
+ #
2561
+ # If you specify an incomplete ARN without the random suffix, and
2562
+ # instead provide the 'friendly name', you *must* not include the
2563
+ # random suffix. If you do include the random suffix added by Secrets
2564
+ # Manager, you receive either a *ResourceNotFoundException* or an
2565
+ # *AccessDeniedException* error, depending on your permissions.
2471
2566
  #
2472
2567
  # </note>
2473
2568
  #
@@ -2539,29 +2634,29 @@ module Aws::SecretsManager
2539
2634
  # secret version, Secrets Manager automatically attaches the staging
2540
2635
  # label `AWSCURRENT` to the new version.
2541
2636
  #
2542
- # <note markdown="1"> * If you call an operation that needs to encrypt or decrypt the
2543
- # `SecretString` or `SecretBinary` for a secret in the same account as
2544
- # the calling user and that secret doesn't specify a AWS KMS
2545
- # encryption key, Secrets Manager uses the account's default AWS
2546
- # managed customer master key (CMK) with the alias
2547
- # `aws/secretsmanager`. If this key doesn't already exist in your
2548
- # account then Secrets Manager creates it for you automatically. All
2549
- # users and roles in the same AWS account automatically have access to
2550
- # use the default CMK. Note that if an Secrets Manager API call
2551
- # results in AWS having to create the account's AWS-managed CMK, it
2552
- # can result in a one-time significant delay in returning the result.
2553
- #
2554
- # * If the secret is in a different AWS account from the credentials
2555
- # calling an API that requires encryption or decryption of the secret
2556
- # value then you must create and use a custom AWS KMS CMK because you
2557
- # can't access the default CMK for the account using credentials from
2558
- # a different AWS account. Store the ARN of the CMK in the secret when
2559
- # you create the secret or when you update it by including it in the
2560
- # `KMSKeyId`. If you call an API that must encrypt or decrypt
2561
- # `SecretString` or `SecretBinary` using credentials from a different
2562
- # account then the AWS KMS key policy must grant cross-account access
2563
- # to that other account's user or role for both the
2564
- # kms:GenerateDataKey and kms:Decrypt operations.
2637
+ # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or
2638
+ # `SecretBinary` for a secret in the same account as the calling user
2639
+ # and that secret doesn't specify a AWS KMS encryption key, Secrets
2640
+ # Manager uses the account's default AWS managed customer master key
2641
+ # (CMK) with the alias `aws/secretsmanager`. If this key doesn't
2642
+ # already exist in your account then Secrets Manager creates it for
2643
+ # you automatically. All users and roles in the same AWS account
2644
+ # automatically have access to use the default CMK. Note that if an
2645
+ # Secrets Manager API call results in AWS creating the account's
2646
+ # AWS-managed CMK, it can result in a one-time significant delay in
2647
+ # returning the result.
2648
+ #
2649
+ # * If the secret resides in a different AWS account from the
2650
+ # credentials calling an API that requires encryption or decryption of
2651
+ # the secret value then you must create and use a custom AWS KMS CMK
2652
+ # because you can't access the default CMK for the account using
2653
+ # credentials from a different AWS account. Store the ARN of the CMK
2654
+ # in the secret when you create the secret or when you update it by
2655
+ # including it in the `KMSKeyId`. If you call an API that must encrypt
2656
+ # or decrypt `SecretString` or `SecretBinary` using credentials from a
2657
+ # different account then the AWS KMS key policy must grant
2658
+ # cross-account access to that other account's user or role for both
2659
+ # the kms:GenerateDataKey and kms:Decrypt operations.
2565
2660
  #
2566
2661
  # </note>
2567
2662
  #
@@ -2606,7 +2701,13 @@ module Aws::SecretsManager
2606
2701
  # then those characters cause Secrets Manager to assume that you’re
2607
2702
  # specifying a complete ARN. This confusion can cause unexpected
2608
2703
  # results. To avoid this situation, we recommend that you don’t create
2609
- # secret names that end with a hyphen followed by six characters.
2704
+ # secret names ending with a hyphen followed by six characters.
2705
+ #
2706
+ # If you specify an incomplete ARN without the random suffix, and
2707
+ # instead provide the 'friendly name', you *must* not include the
2708
+ # random suffix. If you do include the random suffix added by Secrets
2709
+ # Manager, you receive either a *ResourceNotFoundException* or an
2710
+ # *AccessDeniedException* error, depending on your permissions.
2610
2711
  #
2611
2712
  # </note>
2612
2713
  #
@@ -2843,9 +2944,9 @@ module Aws::SecretsManager
2843
2944
  # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/terms-concepts.html#term_staging-label
2844
2945
  #
2845
2946
  # @option params [required, String] :secret_id
2846
- # Specifies the secret with the version whose list of staging labels you
2847
- # want to modify. You can specify either the Amazon Resource Name (ARN)
2848
- # or the friendly name of the secret.
2947
+ # Specifies the secret with the version with the list of staging labels
2948
+ # you want to modify. You can specify either the Amazon Resource Name
2949
+ # (ARN) or the friendly name of the secret.
2849
2950
  #
2850
2951
  # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
2851
2952
  # complete ARN. You can specify a partial ARN too—for example, if you
@@ -2858,7 +2959,13 @@ module Aws::SecretsManager
2858
2959
  # then those characters cause Secrets Manager to assume that you’re
2859
2960
  # specifying a complete ARN. This confusion can cause unexpected
2860
2961
  # results. To avoid this situation, we recommend that you don’t create
2861
- # secret names that end with a hyphen followed by six characters.
2962
+ # secret names ending with a hyphen followed by six characters.
2963
+ #
2964
+ # If you specify an incomplete ARN without the random suffix, and
2965
+ # instead provide the 'friendly name', you *must* not include the
2966
+ # random suffix. If you do include the random suffix added by Secrets
2967
+ # Manager, you receive either a *ResourceNotFoundException* or an
2968
+ # *AccessDeniedException* error, depending on your permissions.
2862
2969
  #
2863
2970
  # </note>
2864
2971
  #
@@ -2876,7 +2983,7 @@ module Aws::SecretsManager
2876
2983
  #
2877
2984
  # @option params [String] :move_to_version_id
2878
2985
  # (Optional) The secret version ID that you want to add the staging
2879
- # label to. If you want to remove a label from a version, then do not
2986
+ # label. If you want to remove a label from a version, then do not
2880
2987
  # specify this parameter.
2881
2988
  #
2882
2989
  # If the staging label is already attached to a different version of the
@@ -2966,6 +3073,86 @@ module Aws::SecretsManager
2966
3073
  req.send_request(options)
2967
3074
  end
2968
3075
 
3076
+ # Validates the JSON text of the resource-based policy document attached
3077
+ # to the specified secret. The JSON request string input and response
3078
+ # output displays formatted code with white space and line breaks for
3079
+ # better readability. Submit your input as a single line JSON string. A
3080
+ # resource-based policy is optional.
3081
+ #
3082
+ # @option params [String] :secret_id
3083
+ # The identifier for the secret that you want to validate a resource
3084
+ # policy. You can specify either the Amazon Resource Name (ARN) or the
3085
+ # friendly name of the secret.
3086
+ #
3087
+ # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
3088
+ # complete ARN. You can specify a partial ARN too—for example, if you
3089
+ # don’t include the final hyphen and six random characters that Secrets
3090
+ # Manager adds at the end of the ARN when you created the secret. A
3091
+ # partial ARN match can work as long as it uniquely matches only one
3092
+ # secret. However, if your secret has a name that ends in a hyphen
3093
+ # followed by six characters (before Secrets Manager adds the hyphen and
3094
+ # six characters to the ARN) and you try to use that as a partial ARN,
3095
+ # then those characters cause Secrets Manager to assume that you’re
3096
+ # specifying a complete ARN. This confusion can cause unexpected
3097
+ # results. To avoid this situation, we recommend that you don’t create
3098
+ # secret names ending with a hyphen followed by six characters.
3099
+ #
3100
+ # If you specify an incomplete ARN without the random suffix, and
3101
+ # instead provide the 'friendly name', you *must* not include the
3102
+ # random suffix. If you do include the random suffix added by Secrets
3103
+ # Manager, you receive either a *ResourceNotFoundException* or an
3104
+ # *AccessDeniedException* error, depending on your permissions.
3105
+ #
3106
+ # </note>
3107
+ #
3108
+ # @option params [required, String] :resource_policy
3109
+ # Identifies the Resource Policy attached to the secret.
3110
+ #
3111
+ # @return [Types::ValidateResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3112
+ #
3113
+ # * {Types::ValidateResourcePolicyResponse#policy_validation_passed #policy_validation_passed} => Boolean
3114
+ # * {Types::ValidateResourcePolicyResponse#validation_errors #validation_errors} => Array&lt;Types::ValidationErrorsEntry&gt;
3115
+ #
3116
+ #
3117
+ # @example Example: To validate a resource-based policy to a secret
3118
+ #
3119
+ # # The following example shows how to validate a resource-based policy to a secret.
3120
+ #
3121
+ # resp = client.validate_resource_policy({
3122
+ # resource_policy: "{\n\"Version\":\"2012-10-17\",\n\"Statement\":[{\n\"Effect\":\"Allow\",\n\"Principal\":{\n\"AWS\":\"arn:aws:iam::123456789012:root\"\n},\n\"Action\":\"secretsmanager:GetSecretValue\",\n\"Resource\":\"*\"\n}]\n}",
3123
+ # secret_id: "MyTestDatabaseSecret",
3124
+ # })
3125
+ #
3126
+ # resp.to_h outputs the following:
3127
+ # {
3128
+ # policy_validation_passed: true,
3129
+ # validation_errors: [
3130
+ # ],
3131
+ # }
3132
+ #
3133
+ # @example Request syntax with placeholder values
3134
+ #
3135
+ # resp = client.validate_resource_policy({
3136
+ # secret_id: "SecretIdType",
3137
+ # resource_policy: "NonEmptyResourcePolicyType", # required
3138
+ # })
3139
+ #
3140
+ # @example Response structure
3141
+ #
3142
+ # resp.policy_validation_passed #=> Boolean
3143
+ # resp.validation_errors #=> Array
3144
+ # resp.validation_errors[0].check_name #=> String
3145
+ # resp.validation_errors[0].error_message #=> String
3146
+ #
3147
+ # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ValidateResourcePolicy AWS API Documentation
3148
+ #
3149
+ # @overload validate_resource_policy(params = {})
3150
+ # @param [Hash] params ({})
3151
+ def validate_resource_policy(params = {}, options = {})
3152
+ req = build_request(:validate_resource_policy, params)
3153
+ req.send_request(options)
3154
+ end
3155
+
2969
3156
  # @!endgroup
2970
3157
 
2971
3158
  # @param params ({})
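Review bot: The docs for the new `validate_resource_policy` do not tell callers how a failed validation is reported. The response structure lists `policy_validation_passed` and `validation_errors`, which suggests (not confirmed from this hunk) that a rejected policy comes back as an ordinary response rather than an exception. A line such as `# Check resp.policy_validation_passed; a policy that fails validation is described in resp.validation_errors.` would stop callers from treating any returned response as approval. The summary also says the policy is "attached to the specified secret" and `:resource_policy` "Identifies the Resource Policy", while the example passes the policy JSON itself, so both descriptions should say that the supplied document is what gets validated.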
@@ -2979,7 +3166,7 @@ module Aws::SecretsManager
2979
3166
  params: params,
2980
3167
  config: config)
2981
3168
  context[:gem_name] = 'aws-sdk-secretsmanager'
2982
- context[:gem_version] = '1.39.0'
3169
+ context[:gem_version] = '1.40.0'
2983
3170
  Seahorse::Client::Request.new(handlers, context)
2984
3171
  end
2985
3172