@aws-sdk/client-secrets-manager 3.40.0 → 3.45.0

package/dist-types/commands/PutResourcePolicyCommand.d.ts

@@ -7,38 +7,11 @@ export interface PutResourcePolicyCommandInput extends PutResourcePolicyRequest
 export interface PutResourcePolicyCommandOutput extends PutResourcePolicyResponse, __MetadataBearer {
 }
 /**
- * <p>Attaches the contents of the specified resource-based permission policy to a secret. A
- *       resource-based policy is optional. Alternatively, you can use IAM identity-based policies
- *       that specify the secret's Amazon Resource Name (ARN) in the policy statement's
- *         <code>Resources</code> element. You can also use a combination of both identity-based and
- *       resource-based policies. The affected users and roles receive the permissions that are
- *       permitted by all of the relevant policies. For more information, see <a href="http://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html">Using Resource-Based
- *         Policies for Amazon Web Services Secrets Manager</a>. For the complete description of the Amazon Web Services policy syntax and
- *       grammar, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html">IAM JSON
- *         Policy Reference</a> in the <i>IAM User Guide</i>.</p>
- *          <p>
- *             <b>Minimum permissions</b>
+ * <p>Attaches a resource-based permission policy to a secret. A resource-based policy is
+ *       optional. For more information, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html">Authentication and access control for Secrets Manager</a>
  *          </p>
- *          <p>To run this command, you must have the following permissions:</p>
- *          <ul>
- *             <li>
- *                <p>secretsmanager:PutResourcePolicy</p>
- *             </li>
- *          </ul>
- *          <p>
- *             <b>Related operations</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>To retrieve the resource policy attached to a secret, use <a>GetResourcePolicy</a>.</p>
- *             </li>
- *             <li>
- *                <p>To delete the resource-based policy attached to a secret, use <a>DeleteResourcePolicy</a>.</p>
- *             </li>
- *             <li>
- *                <p>To list all of the currently available secrets, use <a>ListSecrets</a>.</p>
- *             </li>
- *          </ul>
+ *          <p>For information about attaching a policy in the console, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html">Attach a
+ *       permissions policy to a secret</a>.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -51,7 +24,7 @@ export interface PutResourcePolicyCommandOutput extends PutResourcePolicyRespons
  *
  * @see {@link PutResourcePolicyCommandInput} for command's `input` shape.
  * @see {@link PutResourcePolicyCommandOutput} for command's `response` shape.
- * @see {@link SecretsManagerClientResolvedConfig | config} for command's `input` shape.
+ * @see {@link SecretsManagerClientResolvedConfig | config} for SecretsManagerClient's `config` shape.
  *
  */
 export declare class PutResourcePolicyCommand extends $Command<PutResourcePolicyCommandInput, PutResourcePolicyCommandOutput, SecretsManagerClientResolvedConfig> {

package/dist-types/commands/PutSecretValueCommand.d.ts

@@ -7,95 +7,27 @@ export interface PutSecretValueCommandInput extends PutSecretValueRequest {
 export interface PutSecretValueCommandOutput extends PutSecretValueResponse, __MetadataBearer {
 }
 /**
- * <p>Stores a new encrypted secret value in the specified secret. To do this, the operation
- *       creates a new version and attaches it to the secret. The version can contain a new
- *         <code>SecretString</code> value or a new <code>SecretBinary</code> value. You can also
- *       specify the staging labels that are initially attached to the new version.</p>
+ * <p>Creates a new version with a new encrypted secret value and attaches it to the secret. The
+ *       version can contain a new <code>SecretString</code> value or a new <code>SecretBinary</code> value. </p>
  *          <p>We recommend you avoid calling <code>PutSecretValue</code> at a sustained rate of more than
  *       once every 10 minutes. When you update the secret value, Secrets Manager creates a new version
  *       of the secret. Secrets Manager removes outdated versions when there are more than 100, but it does not
  *       remove versions created less than 24 hours ago. If you call <code>PutSecretValue</code> more
  *       than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach
  *       the quota for secret versions.</p>
- *          <ul>
- *             <li>
- *                <p>If this operation creates the first version for the secret then Secrets Manager
- *           automatically attaches the staging label <code>AWSCURRENT</code> to the new version.</p>
- *             </li>
- *             <li>
- *                <p>If you do not specify a value for VersionStages then Secrets Manager automatically
- *           moves the staging label <code>AWSCURRENT</code> to this new version.</p>
- *             </li>
- *             <li>
- *                <p>If this operation moves the staging label <code>AWSCURRENT</code> from another version to this
- *           version, then Secrets Manager also automatically moves the staging label <code>AWSPREVIOUS</code> to
- *           the version that <code>AWSCURRENT</code> was removed from.</p>
- *             </li>
- *             <li>
- *                <p>This operation is idempotent. If a version with a <code>VersionId</code> with the same
- *           value as the <code>ClientRequestToken</code> parameter already exists and you specify the
- *           same secret data, the operation succeeds but does nothing. However, if the secret data is
- *           different, then the operation fails because you cannot modify an existing version; you can
- *           only create new ones.</p>
- *             </li>
- *          </ul>
- *          <note>
- *             <ul>
- *                <li>
- *                   <p>If you call an operation to encrypt or decrypt the <code>SecretString</code>
- *           or <code>SecretBinary</code> for a secret in the same account as the calling user and that
- *           secret doesn't specify a Amazon Web Services KMS encryption key, Secrets Manager uses the account's default
- *           Amazon Web Services managed customer master key (CMK) with the alias <code>aws/secretsmanager</code>. If this key
- *           doesn't already exist in your account then Secrets Manager creates it for you automatically. All
- *           users and roles in the same Amazon Web Services account automatically have access to use the default CMK.
- *           Note that if an Secrets Manager API call results in Amazon Web Services creating the account's
- *           Amazon Web Services-managed CMK, it can result in a one-time significant delay in returning the
- *           result.</p>
- *                </li>
- *                <li>
- *                   <p>If the secret resides in a different Amazon Web Services account from the credentials calling an API that
- *           requires encryption or decryption of the secret value then you must create and use a custom
- *           Amazon Web Services KMS CMK because you can't access the default CMK for the account using credentials
- *           from a different Amazon Web Services account. Store the ARN of the CMK in the secret when you create the
- *           secret or when you update it by including it in the <code>KMSKeyId</code>. If you call an
- *           API that must encrypt or decrypt <code>SecretString</code> or <code>SecretBinary</code>
- *           using credentials from a different account then the Amazon Web Services KMS key policy must grant cross-account
- *           access to that other account's user or role for both the kms:GenerateDataKey and
- *           kms:Decrypt operations.</p>
- *                </li>
- *             </ul>
- *          </note>
- *          <p>
- *             <b>Minimum permissions</b>
- *          </p>
- *          <p>To run this command, you must have the following permissions:</p>
- *          <ul>
- *             <li>
- *                <p>secretsmanager:PutSecretValue</p>
- *             </li>
- *             <li>
- *                <p>kms:GenerateDataKey - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt
- *           the secret. You do not need this permission to use the account's default Amazon Web Services managed CMK
- *           for Secrets Manager.</p>
- *             </li>
- *          </ul>
- *          <p>
- *             <b>Related operations</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>To retrieve the encrypted value you store in the version of a secret, use <a>GetSecretValue</a>.</p>
- *             </li>
- *             <li>
- *                <p>To create a secret, use <a>CreateSecret</a>.</p>
- *             </li>
- *             <li>
- *                <p>To get the details for a secret, use <a>DescribeSecret</a>.</p>
- *             </li>
- *             <li>
- *                <p>To list the versions attached to a secret, use <a>ListSecretVersionIds</a>.</p>
- *             </li>
- *          </ul>
+ *          <p>You can specify the staging labels to attach to the new version in <code>VersionStages</code>.
+ *       If you don't include <code>VersionStages</code>, then Secrets Manager automatically
+ *       moves the staging label <code>AWSCURRENT</code> to this version. If this operation creates
+ *       the first version for the secret, then Secrets Manager
+ *         automatically attaches the staging label <code>AWSCURRENT</code> to it .</p>
+ *          <p>If this operation moves the staging label <code>AWSCURRENT</code> from another version to this
+ *       version, then Secrets Manager also automatically moves the staging label <code>AWSPREVIOUS</code> to
+ *       the version that <code>AWSCURRENT</code> was removed from.</p>
+ *          <p>This operation is idempotent. If a version with a <code>VersionId</code> with the same
+ *       value as the <code>ClientRequestToken</code> parameter already exists, and you specify the
+ *       same secret data, the operation succeeds but does nothing. However, if the secret data is
+ *       different, then the operation fails because you can't modify an existing version; you can
+ *       only create new ones.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -108,7 +40,7 @@ export interface PutSecretValueCommandOutput extends PutSecretValueResponse, __M
  *
  * @see {@link PutSecretValueCommandInput} for command's `input` shape.
  * @see {@link PutSecretValueCommandOutput} for command's `response` shape.
- * @see {@link SecretsManagerClientResolvedConfig | config} for command's `input` shape.
+ * @see {@link SecretsManagerClientResolvedConfig | config} for SecretsManagerClient's `config` shape.
  *
  */
 export declare class PutSecretValueCommand extends $Command<PutSecretValueCommandInput, PutSecretValueCommandOutput, SecretsManagerClientResolvedConfig> {

package/dist-types/commands/RemoveRegionsFromReplicationCommand.d.ts

@@ -7,7 +7,7 @@ export interface RemoveRegionsFromReplicationCommandInput extends RemoveRegionsF
 export interface RemoveRegionsFromReplicationCommandOutput extends RemoveRegionsFromReplicationResponse, __MetadataBearer {
 }
 /**
- * <p>Remove regions from replication.</p>
+ * <p>For a secret that is replicated to other Regions, deletes the secret replicas from the Regions you specify.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -20,7 +20,7 @@ export interface RemoveRegionsFromReplicationCommandOutput extends RemoveRegions
  *
  * @see {@link RemoveRegionsFromReplicationCommandInput} for command's `input` shape.
  * @see {@link RemoveRegionsFromReplicationCommandOutput} for command's `response` shape.
- * @see {@link SecretsManagerClientResolvedConfig | config} for command's `input` shape.
+ * @see {@link SecretsManagerClientResolvedConfig | config} for SecretsManagerClient's `config` shape.
  *
  */
 export declare class RemoveRegionsFromReplicationCommand extends $Command<RemoveRegionsFromReplicationCommandInput, RemoveRegionsFromReplicationCommandOutput, SecretsManagerClientResolvedConfig> {

package/dist-types/commands/ReplicateSecretToRegionsCommand.d.ts

@@ -7,8 +7,7 @@ export interface ReplicateSecretToRegionsCommandInput extends ReplicateSecretToR
 export interface ReplicateSecretToRegionsCommandOutput extends ReplicateSecretToRegionsResponse, __MetadataBearer {
 }
 /**
- * <p>Converts an existing secret to a multi-Region secret and begins replication the secret to a
- *       list of new regions. </p>
+ * <p>Replicates the secret to a new Regions. See <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/create-manage-multi-region-secrets.html">Multi-Region secrets</a>.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -21,7 +20,7 @@ export interface ReplicateSecretToRegionsCommandOutput extends ReplicateSecretTo
  *
  * @see {@link ReplicateSecretToRegionsCommandInput} for command's `input` shape.
  * @see {@link ReplicateSecretToRegionsCommandOutput} for command's `response` shape.
- * @see {@link SecretsManagerClientResolvedConfig | config} for command's `input` shape.
+ * @see {@link SecretsManagerClientResolvedConfig | config} for SecretsManagerClient's `config` shape.
  *
  */
 export declare class ReplicateSecretToRegionsCommand extends $Command<ReplicateSecretToRegionsCommandInput, ReplicateSecretToRegionsCommandOutput, SecretsManagerClientResolvedConfig> {

package/dist-types/commands/RestoreSecretCommand.d.ts

@@ -8,24 +8,7 @@ export interface RestoreSecretCommandOutput extends RestoreSecretResponse, __Met
 }
 /**
  * <p>Cancels the scheduled deletion of a secret by removing the <code>DeletedDate</code> time
- *       stamp. This makes the secret accessible to query once again.</p>
- *          <p>
- *             <b>Minimum permissions</b>
- *          </p>
- *          <p>To run this command, you must have the following permissions:</p>
- *          <ul>
- *             <li>
- *                <p>secretsmanager:RestoreSecret</p>
- *             </li>
- *          </ul>
- *          <p>
- *             <b>Related operations</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>To delete a secret, use <a>DeleteSecret</a>.</p>
- *             </li>
- *          </ul>
+ *       stamp. You can access a secret again after it has been restored.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -38,7 +21,7 @@ export interface RestoreSecretCommandOutput extends RestoreSecretResponse, __Met
  *
  * @see {@link RestoreSecretCommandInput} for command's `input` shape.
  * @see {@link RestoreSecretCommandOutput} for command's `response` shape.
- * @see {@link SecretsManagerClientResolvedConfig | config} for command's `input` shape.
+ * @see {@link SecretsManagerClientResolvedConfig | config} for SecretsManagerClient's `config` shape.
  *
  */
 export declare class RestoreSecretCommand extends $Command<RestoreSecretCommandInput, RestoreSecretCommandOutput, SecretsManagerClientResolvedConfig> {

package/dist-types/commands/RotateSecretCommand.d.ts

@@ -7,68 +7,25 @@ export interface RotateSecretCommandInput extends RotateSecretRequest {
 export interface RotateSecretCommandOutput extends RotateSecretResponse, __MetadataBearer {
 }
 /**
- * <p>Configures and starts the asynchronous process of rotating this secret. If you include the
- *       configuration parameters, the operation sets those values for the secret and then immediately
- *       starts a rotation. If you do not include the configuration parameters, the operation starts a
- *       rotation with the values already stored in the secret. After the rotation completes, the
- *       protected service and its clients all use the new version of the secret. </p>
- *          <p>This required configuration information includes the ARN of an Amazon Web Services Lambda function and
- *       optionally, the time between scheduled rotations. The Lambda rotation function creates a new
- *       version of the secret and creates or updates the credentials on the protected service to
- *       match. After testing the new credentials, the function marks the new secret with the staging
- *       label <code>AWSCURRENT</code> so that your clients all immediately begin to use the new version. For more
- *       information about rotating secrets and how to configure a Lambda function to rotate the
- *       secrets for your protected service, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html">Rotating Secrets in Amazon Web Services Secrets Manager</a> in the
- *         <i>Amazon Web Services Secrets Manager User Guide</i>.</p>
- *          <p>Secrets Manager schedules the next rotation when the previous
- *     one completes. Secrets Manager schedules the date by adding the rotation interval (number of days) to the
- *     actual date of the last rotation. The service chooses the hour within that 24-hour date window
- *     randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour
- *     and influenced by a variety of factors that help distribute load.</p>
- *          <p>The
- *       rotation function must end with the versions of the secret in one of two states:</p>
- *          <ul>
- *             <li>
- *                <p>The <code>AWSPENDING</code> and <code>AWSCURRENT</code> staging labels are attached to the same version of
- *           the secret, or</p>
- *             </li>
- *             <li>
- *                <p>The <code>AWSPENDING</code> staging label is not attached to any version of the secret.</p>
- *             </li>
- *          </ul>
+ * <p>Configures and starts the asynchronous process of rotating the secret.</p>
+ *          <p>If you include the
+ *       configuration parameters, the operation sets the values for the secret and then immediately
+ *       starts a rotation. If you don't include the configuration parameters, the operation starts a
+ *       rotation with the values already stored in the secret. For more information about rotation,
+ *       see <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html">Rotate secrets</a>.</p>
+ *          <p>To configure rotation, you include the ARN of an Amazon Web Services Lambda function and the schedule
+ *       for the rotation. The Lambda rotation function creates a new
+ *       version of the secret and creates or updates the credentials on the database or service to
+ *       match. After testing the new credentials, the function marks the new secret version with the staging
+ *       label <code>AWSCURRENT</code>. Then anyone who retrieves the secret gets the new version. For more
+ *       information, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html">How rotation works</a>.</p>
+ *          <p>When rotation is successful, the <code>AWSPENDING</code> staging label might be attached to the same
+ *       version as the <code>AWSCURRENT</code> version, or it might not be attached to any version.</p>
  *          <p>If the <code>AWSPENDING</code> staging label is present but not attached to the same version as
- *       <code>AWSCURRENT</code> then any later invocation of <code>RotateSecret</code> assumes that a previous
+ *       <code>AWSCURRENT</code>, then any later invocation of <code>RotateSecret</code> assumes that a previous
  *       rotation request is still in progress and returns an error.</p>
- *          <p>
- *             <b>Minimum permissions</b>
- *          </p>
- *          <p>To run this command, you must have the following permissions:</p>
- *          <ul>
- *             <li>
- *                <p>secretsmanager:RotateSecret</p>
- *             </li>
- *             <li>
- *                <p>lambda:InvokeFunction (on the function specified in the secret's metadata)</p>
- *             </li>
- *          </ul>
- *          <p>
- *             <b>Related operations</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>To list the secrets in your account, use <a>ListSecrets</a>.</p>
- *             </li>
- *             <li>
- *                <p>To get the details for a version of a secret, use <a>DescribeSecret</a>.</p>
- *             </li>
- *             <li>
- *                <p>To create a new version of a secret, use <a>CreateSecret</a>.</p>
- *             </li>
- *             <li>
- *                <p>To attach staging labels to or remove staging labels from a version of a secret, use
- *             <a>UpdateSecretVersionStage</a>.</p>
- *             </li>
- *          </ul>
+ *          <p>To run this command, you must have <code>secretsmanager:RotateSecret</code> permissions and
+ *       <code>lambda:InvokeFunction</code> permissions on the function specified in the secret's metadata.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -81,7 +38,7 @@ export interface RotateSecretCommandOutput extends RotateSecretResponse, __Metad
  *
  * @see {@link RotateSecretCommandInput} for command's `input` shape.
  * @see {@link RotateSecretCommandOutput} for command's `response` shape.
- * @see {@link SecretsManagerClientResolvedConfig | config} for command's `input` shape.
+ * @see {@link SecretsManagerClientResolvedConfig | config} for SecretsManagerClient's `config` shape.
  *
  */
 export declare class RotateSecretCommand extends $Command<RotateSecretCommandInput, RotateSecretCommandOutput, SecretsManagerClientResolvedConfig> {

package/dist-types/commands/StopReplicationToReplicaCommand.d.ts

@@ -7,7 +7,8 @@ export interface StopReplicationToReplicaCommandInput extends StopReplicationToR
 export interface StopReplicationToReplicaCommandOutput extends StopReplicationToReplicaResponse, __MetadataBearer {
 }
 /**
- * <p>Removes the secret from replication and promotes the secret to a regional secret in the replica Region.</p>
+ * <p>Removes the link between the replica secret and the primary secret and promotes the replica to a primary secret in the replica Region.</p>
+ *          <p>You must call this operation from the Region in which you want to promote the replica to a primary secret.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -20,7 +21,7 @@ export interface StopReplicationToReplicaCommandOutput extends StopReplicationTo
  *
  * @see {@link StopReplicationToReplicaCommandInput} for command's `input` shape.
  * @see {@link StopReplicationToReplicaCommandOutput} for command's `response` shape.
- * @see {@link SecretsManagerClientResolvedConfig | config} for command's `input` shape.
+ * @see {@link SecretsManagerClientResolvedConfig | config} for SecretsManagerClient's `config` shape.
  *
  */
 export declare class StopReplicationToReplicaCommand extends $Command<StopReplicationToReplicaCommandInput, StopReplicationToReplicaCommandOutput, SecretsManagerClientResolvedConfig> {

package/dist-types/commands/TagResourceCommand.d.ts

@@ -7,20 +7,18 @@ export interface TagResourceCommandInput extends TagResourceRequest {
 export interface TagResourceCommandOutput extends __MetadataBearer {
 }
 /**
- * <p>Attaches one or more tags, each consisting of a key name and a value, to the specified
- *       secret. Tags are part of the secret's overall metadata, and are not associated with any
- *       specific version of the secret. This operation only appends tags to the existing list of tags.
- *       To remove tags, you must use <a>UntagResource</a>.</p>
- *          <p>The following basic restrictions apply to tags:</p>
+ * <p>Attaches tags to a secret. Tags consist of a key name and a value. Tags are part of the
+ *       secret's metadata. They are not associated with specific versions of the secret. This operation appends tags to the existing list of tags.</p>
+ *             <p>The following restrictions apply to tags:</p>
  *         <ul>
  *             <li>
- *                <p>Maximum number of tags per secret—50</p>
+ *                <p>Maximum number of tags per secret: 50</p>
  *             </li>
  *             <li>
- *                <p>Maximum key length—127 Unicode characters in UTF-8</p>
+ *                <p>Maximum key length: 127 Unicode characters in UTF-8</p>
  *             </li>
  *             <li>
- *                <p>Maximum value length—255 Unicode characters in UTF-8</p>
+ *                <p>Maximum value length: 255 Unicode characters in UTF-8</p>
  *             </li>
  *             <li>
  *                <p>Tag keys and values are case sensitive.</p>
@@ -32,37 +30,18 @@ export interface TagResourceCommandOutput extends __MetadataBearer {
  *             </li>
  *             <li>
  *                <p>If you use your tagging schema across multiple services and resources,
- *               remember other services might have restrictions on allowed characters. Generally
+ *               other services might have restrictions on allowed characters. Generally
  *               allowed characters: letters, spaces, and numbers representable in UTF-8, plus the
  *               following special characters: + - = . _ : / @.</p>
  *             </li>
  *          </ul>
+ *
  *          <important>
  *             <p>If you use tags as part of your security strategy, then adding or removing a tag can
  *         change permissions. If successfully completing this operation would result in you losing
  *         your permissions for this secret, then the operation is blocked and returns an Access Denied
  *         error.</p>
  *          </important>
- *          <p>
- *             <b>Minimum permissions</b>
- *          </p>
- *          <p>To run this command, you must have the following permissions:</p>
- *          <ul>
- *             <li>
- *                <p>secretsmanager:TagResource</p>
- *             </li>
- *          </ul>
- *          <p>
- *             <b>Related operations</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>To remove one or more tags from the collection attached to a secret, use <a>UntagResource</a>.</p>
- *             </li>
- *             <li>
- *                <p>To view the list of tags attached to a secret, use <a>DescribeSecret</a>.</p>
- *             </li>
- *          </ul>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -75,7 +54,7 @@ export interface TagResourceCommandOutput extends __MetadataBearer {
  *
  * @see {@link TagResourceCommandInput} for command's `input` shape.
  * @see {@link TagResourceCommandOutput} for command's `response` shape.
- * @see {@link SecretsManagerClientResolvedConfig | config} for command's `input` shape.
+ * @see {@link SecretsManagerClientResolvedConfig | config} for SecretsManagerClient's `config` shape.
  *
  */
 export declare class TagResourceCommand extends $Command<TagResourceCommandInput, TagResourceCommandOutput, SecretsManagerClientResolvedConfig> {

package/dist-types/commands/UntagResourceCommand.d.ts

@@ -7,7 +7,7 @@ export interface UntagResourceCommandInput extends UntagResourceRequest {
 export interface UntagResourceCommandOutput extends __MetadataBearer {
 }
 /**
- * <p>Removes one or more tags from the specified secret.</p>
+ * <p>Removes specific tags from a secret.</p>
  *          <p>This operation is idempotent. If a requested tag is not attached to the secret, no error
  *       is returned and the secret metadata is unchanged.</p>
  *          <important>
@@ -16,26 +16,6 @@ export interface UntagResourceCommandOutput extends __MetadataBearer {
  *         permissions for this secret, then the operation is blocked and returns an Access Denied
  *         error.</p>
  *          </important>
- *          <p>
- *             <b>Minimum permissions</b>
- *          </p>
- *          <p>To run this command, you must have the following permissions:</p>
- *          <ul>
- *             <li>
- *                <p>secretsmanager:UntagResource</p>
- *             </li>
- *          </ul>
- *          <p>
- *             <b>Related operations</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>To add one or more tags to the collection attached to a secret, use <a>TagResource</a>.</p>
- *             </li>
- *             <li>
- *                <p>To view the list of tags attached to a secret, use <a>DescribeSecret</a>.</p>
- *             </li>
- *          </ul>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -48,7 +28,7 @@ export interface UntagResourceCommandOutput extends __MetadataBearer {
  *
  * @see {@link UntagResourceCommandInput} for command's `input` shape.
  * @see {@link UntagResourceCommandOutput} for command's `response` shape.
- * @see {@link SecretsManagerClientResolvedConfig | config} for command's `input` shape.
+ * @see {@link SecretsManagerClientResolvedConfig | config} for SecretsManagerClient's `config` shape.
  *
  */
 export declare class UntagResourceCommand extends $Command<UntagResourceCommandInput, UntagResourceCommandOutput, SecretsManagerClientResolvedConfig> {

package/dist-types/commands/UpdateSecretCommand.d.ts

@@ -7,10 +7,8 @@ export interface UpdateSecretCommandInput extends UpdateSecretRequest {
 export interface UpdateSecretCommandOutput extends UpdateSecretResponse, __MetadataBearer {
 }
 /**
- * <p>Modifies many of the details of the specified secret. </p>
- *          <p>To change the secret value, you can also use <a>PutSecretValue</a>.</p>
- *          <p>To change the rotation configuration of a secret, use <a>RotateSecret</a>
- *       instead.</p>
+ * <p>Modifies the details of a secret, including metadata and the secret value. To change the secret value, you can also use <a>PutSecretValue</a>.</p>
+ *          <p>To change the rotation configuration of a secret, use <a>RotateSecret</a> instead.</p>
  *
  *          <p>We recommend you avoid calling <code>UpdateSecret</code> at a sustained rate of more than
  *       once every 10 minutes. When you call <code>UpdateSecret</code> to update the secret value, Secrets Manager creates a new version
@@ -18,85 +16,23 @@ export interface UpdateSecretCommandOutput extends UpdateSecretResponse, __Metad
  *       remove versions created less than 24 hours ago. If you update the secret value more
  *       than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach
  *       the quota for secret versions.</p>
- *          <note>
- *             <p>The Secrets Manager console uses only the <code>SecretString</code> parameter and therefore limits
- *         you to encrypting and storing only a text string. To encrypt and store binary data as part
- *         of the version of a secret, you must use either the Amazon Web Services CLI or one of the Amazon Web Services
- *         SDKs.</p>
- *          </note>
- *          <ul>
- *             <li>
- *                <p>If a version with a <code>VersionId</code> with the same value as the
- *             <code>ClientRequestToken</code> parameter already exists, the operation results in an
- *           error. You cannot modify an existing version, you can only create a new version.</p>
- *             </li>
- *             <li>
- *                <p>If you include <code>SecretString</code> or <code>SecretBinary</code> to create a new
- *           secret version, Secrets Manager automatically attaches the staging label <code>AWSCURRENT</code> to the new
- *           version. </p>
- *             </li>
- *          </ul>
- *          <note>
- *             <ul>
- *                <li>
- *                   <p>If you call an operation to encrypt or decrypt the <code>SecretString</code>
- *           or <code>SecretBinary</code> for a secret in the same account as the calling user and that
- *           secret doesn't specify a Amazon Web Services KMS encryption key, Secrets Manager uses the account's default
- *           Amazon Web Services managed customer master key (CMK) with the alias <code>aws/secretsmanager</code>. If this key
- *           doesn't already exist in your account then Secrets Manager creates it for you automatically. All
- *           users and roles in the same Amazon Web Services account automatically have access to use the default CMK.
- *           Note that if an Secrets Manager API call results in Amazon Web Services creating the account's
- *           Amazon Web Services-managed CMK, it can result in a one-time significant delay in returning the
- *           result.</p>
- *                </li>
- *                <li>
- *                   <p>If the secret resides in a different Amazon Web Services account from the credentials calling an API that
- *           requires encryption or decryption of the secret value then you must create and use a custom
- *           Amazon Web Services KMS CMK because you can't access the default CMK for the account using credentials
- *           from a different Amazon Web Services account. Store the ARN of the CMK in the secret when you create the
- *           secret or when you update it by including it in the <code>KMSKeyId</code>. If you call an
- *           API that must encrypt or decrypt <code>SecretString</code> or <code>SecretBinary</code>
- *           using credentials from a different account then the Amazon Web Services KMS key policy must grant cross-account
- *           access to that other account's user or role for both the kms:GenerateDataKey and
- *           kms:Decrypt operations.</p>
- *                </li>
- *             </ul>
- *          </note>
- *          <p>
- *             <b>Minimum permissions</b>
- *          </p>
- *          <p>To run this command, you must have the following permissions:</p>
- *          <ul>
- *             <li>
- *                <p>secretsmanager:UpdateSecret</p>
- *             </li>
- *             <li>
- *                <p>kms:GenerateDataKey - needed only if you use a custom Amazon Web Services KMS key to encrypt the secret.
- *           You do not need this permission to use the account's Amazon Web Services managed CMK for
- *           Secrets Manager.</p>
- *             </li>
- *             <li>
- *                <p>kms:Decrypt - needed only if you use a custom Amazon Web Services KMS key to encrypt the secret. You do
- *           not need this permission to use the account's Amazon Web Services managed CMK for Secrets Manager.</p>
- *             </li>
- *          </ul>
- *          <p>
- *             <b>Related operations</b>
- *          </p>
- *          <ul>
- *             <li>
- *                <p>To create a new secret, use <a>CreateSecret</a>.</p>
- *             </li>
- *             <li>
- *                <p>To add only a new version to an existing secret, use <a>PutSecretValue</a>.</p>
- *             </li>
- *             <li>
- *                <p>To get the details for a secret, use <a>DescribeSecret</a>.</p>
- *             </li>
- *             <li>
- *                <p>To list the versions contained in a secret, use <a>ListSecretVersionIds</a>.</p>
- *             </li>
- *          </ul>
+ *          <p>If you include <code>SecretString</code> or <code>SecretBinary</code> to create a new
+ *       secret version, Secrets Manager automatically attaches the staging label <code>AWSCURRENT</code> to the new
+ *       version. </p>
+ *          <p>If you call this operation with a <code>VersionId</code> that matches an existing version's
+ *       <code>ClientRequestToken</code>, the operation results in an error. You can't modify an existing
+ *       version, you can only create a new version. To remove a version, remove all staging labels from it. See
+ *     <a>UpdateSecretVersionStage</a>.</p>
+ *          <p>If you don't specify an KMS encryption key, Secrets Manager uses the Amazon Web Services managed key
+ *       <code>aws/secretsmanager</code>. If this key doesn't already exist in your account, then Secrets Manager
+ *       creates it for you automatically. All users and roles in the Amazon Web Services account automatically have access
+ *       to use <code>aws/secretsmanager</code>. Creating <code>aws/secretsmanager</code> can result in a one-time
+ *       significant delay in returning the result.  </p>
+ *          <p>If the secret is in a different Amazon Web Services account from the credentials calling the API, then you can't
+ *       use <code>aws/secretsmanager</code> to encrypt the secret, and you must create and use a customer managed key. </p>
+ *
+ *          <p>To run this command, you must have <code>secretsmanager:UpdateSecret</code> permissions. If you use a
+ *       customer managed key, you must also have <code>kms:GenerateDataKey</code> and <code>kms:Decrypt</code> permissions .</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -109,7 +45,7 @@ export interface UpdateSecretCommandOutput extends UpdateSecretResponse, __Metad
  *
  * @see {@link UpdateSecretCommandInput} for command's `input` shape.
  * @see {@link UpdateSecretCommandOutput} for command's `response` shape.
- * @see {@link SecretsManagerClientResolvedConfig | config} for command's `input` shape.
+ * @see {@link SecretsManagerClientResolvedConfig | config} for SecretsManagerClient's `config` shape.
  *
  */
 export declare class UpdateSecretCommand extends $Command<UpdateSecretCommandInput, UpdateSecretCommandOutput, SecretsManagerClientResolvedConfig> {