From f25745bdadd0de3c4c792068cf564ef20aa41128 Mon Sep 17 00:00:00 2001 From: AWS <> Date: Wed, 3 Mar 2021 19:09:55 +0000 Subject: [PATCH] AWS Secrets Manager Update: Added support for multi-Region secrets APIs ReplicateSecretToRegions, RemoveRegionsFromReplication, and StopReplicationToReplica --- .../feature-AWSSecretsManager-fc9fe94.json | 6 + .../codegen-resources/service-2.json | 289 ++++++++++++++++-- 2 files changed, 265 insertions(+), 30 deletions(-) create mode 100644 .changes/next-release/feature-AWSSecretsManager-fc9fe94.json diff --git a/.changes/next-release/feature-AWSSecretsManager-fc9fe94.json b/.changes/next-release/feature-AWSSecretsManager-fc9fe94.json new file mode 100644 index 000000000000..97771540d574 --- /dev/null +++ b/.changes/next-release/feature-AWSSecretsManager-fc9fe94.json @@ -0,0 +1,6 @@ +{ + "type": "feature", + "category": "AWS Secrets Manager", + "contributor": "", + "description": "Added support for multi-Region secrets APIs ReplicateSecretToRegions, RemoveRegionsFromReplication, and StopReplicationToReplica" +} diff --git a/services/secretsmanager/src/main/resources/codegen-resources/service-2.json b/services/secretsmanager/src/main/resources/codegen-resources/service-2.json index 62311e41b522..5b572e32ad23 100644 --- a/services/secretsmanager/src/main/resources/codegen-resources/service-2.json +++ b/services/secretsmanager/src/main/resources/codegen-resources/service-2.json @@ -61,9 +61,10 @@ "errors":[ {"shape":"ResourceNotFoundException"}, {"shape":"InternalServiceError"}, - {"shape":"InvalidRequestException"} + {"shape":"InvalidRequestException"}, + {"shape":"InvalidParameterException"} ], - "documentation":"
Deletes the resource-based permission policy attached to the secret.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:DeleteResourcePolicy
Related operations
To attach a resource policy to a secret, use PutResourcePolicy.
To retrieve the current resource-based policy that's attached to a secret, use GetResourcePolicy.
To list all of the currently available secrets, use ListSecrets.
Deletes the resource-based permission policy attached to the secret.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:DeleteResourcePolicy
Related operations
To attach a resource policy to a secret, use PutResourcePolicy.
To retrieve the current resource-based policy attached to a secret, use GetResourcePolicy.
To list all of the currently available secrets, use ListSecrets.
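Review bot: `InvalidParameterException` is added to DeleteResourcePolicy's error list without any text saying which parameter can now be rejected; the description is only reworded (`that's attached` becomes `attached`) and the .changes entry mentions only the three multi-Region operations. Callers that branch on error shape get a new failure mode with no guidance, so either state the condition in the operation description or call the new error out in the changelog entry.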
Deletes an entire secret and all of its versions. You can optionally include a recovery window during which you can restore the secret. If you don't specify a recovery window value, the operation defaults to 30 days. Secrets Manager attaches a DeletionDate
stamp to the secret that specifies the end of the recovery window. At the end of the recovery window, Secrets Manager deletes the secret permanently.
At any time before recovery window ends, you can use RestoreSecret to remove the DeletionDate
and cancel the deletion of the secret.
You cannot access the encrypted secret information in any secret that is scheduled for deletion. If you need to access that information, you must cancel the deletion with RestoreSecret and then retrieve the information.
There is no explicit operation to delete a version of a secret. Instead, remove all staging labels from the VersionStage
field of a version. That marks the version as deprecated and allows Secrets Manager to delete it as needed. Versions that do not have any staging labels do not show up in ListSecretVersionIds unless you specify IncludeDeprecated
.
The permanent secret deletion at the end of the waiting period is performed as a background task with low priority. There is no guarantee of a specific time after the recovery window for the actual delete operation to occur.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:DeleteSecret
Related operations
To create a secret, use CreateSecret.
To cancel deletion of a version of a secret before the recovery window has expired, use RestoreSecret.
Deletes an entire secret and all of the versions. You can optionally include a recovery window during which you can restore the secret. If you don't specify a recovery window value, the operation defaults to 30 days. Secrets Manager attaches a DeletionDate
stamp to the secret that specifies the end of the recovery window. At the end of the recovery window, Secrets Manager deletes the secret permanently.
At any time before recovery window ends, you can use RestoreSecret to remove the DeletionDate
and cancel the deletion of the secret.
You cannot access the encrypted secret information in any secret scheduled for deletion. If you need to access that information, you must cancel the deletion with RestoreSecret and then retrieve the information.
There is no explicit operation to delete a version of a secret. Instead, remove all staging labels from the VersionStage
field of a version. That marks the version as deprecated and allows Secrets Manager to delete it as needed. Versions without any staging labels do not show up in ListSecretVersionIds unless you specify IncludeDeprecated
.
The permanent secret deletion at the end of the waiting period is performed as a background task with low priority. There is no guarantee of a specific time after the recovery window for the actual delete operation to occur.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:DeleteSecret
Related operations
To create a secret, use CreateSecret.
To cancel deletion of a version of a secret before the recovery window has expired, use RestoreSecret.
Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM identity-based policies that specify the secret's Amazon Resource Name (ARN) in the policy statement's Resources
element. You can also use a combination of both identity-based and resource-based policies. The affected users and roles receive the permissions that are permitted by all of the relevant policies. For more information, see Using Resource-Based Policies for AWS Secrets Manager. For the complete description of the AWS policy syntax and grammar, see IAM JSON Policy Reference in the IAM User Guide.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:PutResourcePolicy
Related operations
To retrieve the resource policy attached to a secret, use GetResourcePolicy.
To delete the resource-based policy that's attached to a secret, use DeleteResourcePolicy.
To list all of the currently available secrets, use ListSecrets.
Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM identity-based policies that specify the secret's Amazon Resource Name (ARN) in the policy statement's Resources
element. You can also use a combination of both identity-based and resource-based policies. The affected users and roles receive the permissions that are permitted by all of the relevant policies. For more information, see Using Resource-Based Policies for AWS Secrets Manager. For the complete description of the AWS policy syntax and grammar, see IAM JSON Policy Reference in the IAM User Guide.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:PutResourcePolicy
Related operations
To retrieve the resource policy attached to a secret, use GetResourcePolicy.
To delete the resource-based policy attached to a secret, use DeleteResourcePolicy.
To list all of the currently available secrets, use ListSecrets.
Stores a new encrypted secret value in the specified secret. To do this, the operation creates a new version and attaches it to the secret. The version can contain a new SecretString
value or a new SecretBinary
value. You can also specify the staging labels that are initially attached to the new version.
The Secrets Manager console uses only the SecretString
field. To add binary data to a secret with the SecretBinary
field you must use the AWS CLI or one of the AWS SDKs.
If this operation creates the first version for the secret then Secrets Manager automatically attaches the staging label AWSCURRENT
to the new version.
If another version of this secret already exists, then this operation does not automatically move any staging labels other than those that you explicitly specify in the VersionStages
parameter.
If this operation moves the staging label AWSCURRENT
from another version to this version (because you included it in the StagingLabels
parameter) then Secrets Manager also automatically moves the staging label AWSPREVIOUS
to the version that AWSCURRENT
was removed from.
This operation is idempotent. If a version with a VersionId
with the same value as the ClientRequestToken
parameter already exists and you specify the same secret data, the operation succeeds but does nothing. However, if the secret data is different, then the operation fails because you cannot modify an existing version; you can only create new ones.
If you call an operation to encrypt or decrypt the SecretString
or SecretBinary
for a secret in the same account as the calling user and that secret doesn't specify a AWS KMS encryption key, Secrets Manager uses the account's default AWS managed customer master key (CMK) with the alias aws/secretsmanager
. If this key doesn't already exist in your account then Secrets Manager creates it for you automatically. All users and roles in the same AWS account automatically have access to use the default CMK. Note that if an Secrets Manager API call results in AWS creating the account's AWS-managed CMK, it can result in a one-time significant delay in returning the result.
If the secret resides in a different AWS account from the credentials calling an API that requires encryption or decryption of the secret value then you must create and use a custom AWS KMS CMK because you can't access the default CMK for the account using credentials from a different AWS account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId
. If you call an API that must encrypt or decrypt SecretString
or SecretBinary
using credentials from a different account then the AWS KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:PutSecretValue
kms:GenerateDataKey - needed only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.
Related operations
To retrieve the encrypted value you store in the version of a secret, use GetSecretValue.
To create a secret, use CreateSecret.
To get the details for a secret, use DescribeSecret.
To list the versions attached to a secret, use ListSecretVersionIds.
Stores a new encrypted secret value in the specified secret. To do this, the operation creates a new version and attaches it to the secret. The version can contain a new SecretString
value or a new SecretBinary
value. You can also specify the staging labels that are initially attached to the new version.
The Secrets Manager console uses only the SecretString
field. To add binary data to a secret with the SecretBinary
field you must use the AWS CLI or one of the AWS SDKs.
If this operation creates the first version for the secret then Secrets Manager automatically attaches the staging label AWSCURRENT
to the new version.
If you do not specify a value for VersionStages then Secrets Manager automatically moves the staging label AWSCURRENT
to this new version.
If this operation moves the staging label AWSCURRENT
from another version to this version, then Secrets Manager also automatically moves the staging label AWSPREVIOUS
to the version that AWSCURRENT
was removed from.
This operation is idempotent. If a version with a VersionId
with the same value as the ClientRequestToken
parameter already exists and you specify the same secret data, the operation succeeds but does nothing. However, if the secret data is different, then the operation fails because you cannot modify an existing version; you can only create new ones.
If you call an operation to encrypt or decrypt the SecretString
or SecretBinary
for a secret in the same account as the calling user and that secret doesn't specify a AWS KMS encryption key, Secrets Manager uses the account's default AWS managed customer master key (CMK) with the alias aws/secretsmanager
. If this key doesn't already exist in your account then Secrets Manager creates it for you automatically. All users and roles in the same AWS account automatically have access to use the default CMK. Note that if an Secrets Manager API call results in AWS creating the account's AWS-managed CMK, it can result in a one-time significant delay in returning the result.
If the secret resides in a different AWS account from the credentials calling an API that requires encryption or decryption of the secret value then you must create and use a custom AWS KMS CMK because you can't access the default CMK for the account using credentials from a different AWS account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId
. If you call an API that must encrypt or decrypt SecretString
or SecretBinary
using credentials from a different account then the AWS KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:PutSecretValue
kms:GenerateDataKey - needed only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.
Related operations
To retrieve the encrypted value you store in the version of a secret, use GetSecretValue.
To create a secret, use CreateSecret.
To get the details for a secret, use DescribeSecret.
To list the versions attached to a secret, use ListSecretVersionIds.
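Review bot: the rewritten PutSecretValue description drops a case the old text covered. The removed sentence `If another version of this secret already exists, then this operation does not automatically move any staging labels other than those that you explicitly specify in the VersionStages parameter` told callers that passing `VersionStages` without `AWSCURRENT` stages a value without making it live; the new text only covers the first-version case and the no-`VersionStages` case (`Secrets Manager automatically moves the staging label AWSCURRENT to this new version`). Keep a sentence for the explicit-labels case, since whether a write becomes the live value is what an operator staging a value under a custom label needs to know. The fix of the bogus `StagingLabels` parameter name to `VersionStages` is correct.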
Remove regions from replication.
" + }, + "ReplicateSecretToRegions":{ + "name":"ReplicateSecretToRegions", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ReplicateSecretToRegionsRequest"}, + "output":{"shape":"ReplicateSecretToRegionsResponse"}, + "errors":[ + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidRequestException"}, + {"shape":"InvalidParameterException"}, + {"shape":"InternalServiceError"} + ], + "documentation":"Converts an existing secret to a multi-Region secret and begins replication the secret to a list of new regions.
" }, "RestoreSecret":{ "name":"RestoreSecret", @@ -241,6 +274,22 @@ ], "documentation":"Configures and starts the asynchronous process of rotating this secret. If you include the configuration parameters, the operation sets those values for the secret and then immediately starts a rotation. If you do not include the configuration parameters, the operation starts a rotation with the values already stored in the secret. After the rotation completes, the protected service and its clients all use the new version of the secret.
This required configuration information includes the ARN of an AWS Lambda function and the time between scheduled rotations. The Lambda rotation function creates a new version of the secret and creates or updates the credentials on the protected service to match. After testing the new credentials, the function marks the new secret with the staging label AWSCURRENT
so that your clients all immediately begin to use the new version. For more information about rotating secrets and how to configure a Lambda function to rotate the secrets for your protected service, see Rotating Secrets in AWS Secrets Manager in the AWS Secrets Manager User Guide.
Secrets Manager schedules the next rotation when the previous one completes. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour and influenced by a variety of factors that help distribute load.
The rotation function must end with the versions of the secret in one of two states:
The AWSPENDING
and AWSCURRENT
staging labels are attached to the same version of the secret, or
The AWSPENDING
staging label is not attached to any version of the secret.
If the AWSPENDING
staging label is present but not attached to the same version as AWSCURRENT
then any later invocation of RotateSecret
assumes that a previous rotation request is still in progress and returns an error.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:RotateSecret
lambda:InvokeFunction (on the function specified in the secret's metadata)
Related operations
To list the secrets in your account, use ListSecrets.
To get the details for a version of a secret, use DescribeSecret.
To create a new version of a secret, use CreateSecret.
To attach staging labels to or remove staging labels from a version of a secret, use UpdateSecretVersionStage.
Removes the secret from replication and promotes the secret to a regional secret in the replica Region.
" + }, "TagResource":{ "name":"TagResource", "http":{ @@ -324,10 +373,15 @@ {"shape":"InternalServiceError"}, {"shape":"InvalidRequestException"} ], - "documentation":"Validates the JSON text of the resource-based policy document attached to the specified secret. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string. A resource-based policy is optional.
" + "documentation":"Validates that the resource policy does not grant a wide range of IAM principals access to your secret. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string. A resource-based policy is optional for secrets.
The API performs three checks when validating the secret:
Sends a call to Zelkova, an automated reasoning engine, to ensure your Resource Policy does not allow broad access to your secret.
Checks for correct syntax in a policy.
Verifies the policy does not lock out a caller.
Minimum Permissions
You must have the permissions required to access the following APIs:
secretsmanager:PutResourcePolicy
secretsmanager:ValidateResourcePolicy
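Review bot: the two new operations in the RemoveRegionsFromReplication/ReplicateSecretToRegions hunk are documented far more thinly than every neighbouring operation. `Remove regions from replication.` is the entire RemoveRegionsFromReplication text; it does not say what happens to the replica secret in a removed Region (deleted, left as an orphan, or scheduled for deletion with a recovery window). Neither operation has the `Minimum permissions` and `Related operations` sections the rest of this file carries, so the IAM action names and any KMS permission needed to encrypt the replica are undocumented. In ReplicateSecretToRegions, `begins replication the secret to a list of new regions` should read `begins replicating the secret to the listed Regions`, and the text should state which Region the request must be sent to and that the result is asynchronous (the `ReplicationStatus` list added to CreateSecretResponse and DescribeSecretResponse in this patch reports `InProgress`, `Failed` or `InSync`, which suggests it is).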
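Review bot: StopReplicationToReplica's description (`Removes the secret from replication and promotes the secret to a regional secret in the replica Region.`) needs to say which Region the request must target and what the promoted secret keeps: the primary's resource policy, tags, KMS key and rotation configuration, and whether the primary's `ReplicationStatus` still lists that Region afterwards. It is also missing the `Minimum permissions` section. In the unchanged context of the same hunk, the RotateSecret line `To create a new version of a secret, use CreateSecret.` points at the wrong operation; this file describes CreateSecret as creating a secret and PutSecretValue as creating a new version.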
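Review bot: the new ValidateResourcePolicy text lists `secretsmanager:PutResourcePolicy` under `Minimum Permissions` for what is a read-only validation call. If that is genuinely required, a principal cannot check a policy without also being allowed to attach one, which defeats the point of validating before granting; confirm it or drop it. The three checks (Zelkova broad-access check, syntax, lock-out) should also be tied to the errors they raise: the patch rewrites MalformedPolicyDocumentException to `You provided a resource-based policy with syntax errors` and PublicPolicyException to `The BlockPublicPolicy parameter is set to true and the resource policy did not prevent broad access`, but `BlockPublicPolicy` is not shown as a ValidateResourcePolicy parameter in this diff, and no error is named for the lock-out check.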
(Optional) If you include SecretString
or SecretBinary
, then an initial version is created as part of the secret, and this parameter specifies a unique identifier for the new version.
If you use the AWS CLI or one of the AWS SDK to call this operation, then you can leave this parameter empty. The CLI or SDK generates a random UUID for you and includes it as the value for this parameter in the request. If you don't use the SDK and instead generate a raw HTTP request to the Secrets Manager service endpoint, then you must generate a ClientRequestToken
yourself for the new version and include the value in the request.
This value helps ensure idempotency. Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during a rotation. We recommend that you generate a UUID-type value to ensure uniqueness of your versions within the specified secret.
If the ClientRequestToken
value isn't already associated with a version of the secret then a new version of the secret is created.
If a version with this value already exists and the version SecretString
and SecretBinary
values are the same as those in the request, then the request is ignored.
If a version with this value already exists and that version's SecretString
and SecretBinary
values are different from those in the request then the request fails because you cannot modify an existing version. Instead, use PutSecretValue to create a new version.
This value becomes the VersionId
of the new version.
(Optional) If you include SecretString
or SecretBinary
, then an initial version is created as part of the secret, and this parameter specifies a unique identifier for the new version.
If you use the AWS CLI or one of the AWS SDK to call this operation, then you can leave this parameter empty. The CLI or SDK generates a random UUID for you and includes it as the value for this parameter in the request. If you don't use the SDK and instead generate a raw HTTP request to the Secrets Manager service endpoint, then you must generate a ClientRequestToken
yourself for the new version and include the value in the request.
This value helps ensure idempotency. Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during a rotation. We recommend that you generate a UUID-type value to ensure uniqueness of your versions within the specified secret.
If the ClientRequestToken
value isn't already associated with a version of the secret then a new version of the secret is created.
If a version with this value already exists and the version SecretString
and SecretBinary
values are the same as those in the request, then the request is ignored.
If a version with this value already exists and that version's SecretString
and SecretBinary
values are different from those in the request, then the request fails because you cannot modify an existing version. Instead, use PutSecretValue to create a new version.
This value becomes the VersionId
of the new version.
(Optional) Specifies a list of user-defined tags that are attached to the secret. Each tag is a \"Key\" and \"Value\" pair of strings. This operation only appends tags to the existing list of tags. To remove tags, you must use UntagResource.
Secrets Manager tag key names are case sensitive. A tag with the key \"ABC\" is a different tag from one with key \"abc\".
If you check tags in IAM policy Condition
elements as part of your security strategy, then adding or removing a tag can change permissions. If the successful completion of this operation would result in you losing your permissions for this secret, then this operation is blocked and returns an Access Denied
error.
This parameter requires a JSON text string argument. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the AWS CLI User Guide. For example:
[{\"Key\":\"CostCenter\",\"Value\":\"12345\"},{\"Key\":\"environment\",\"Value\":\"production\"}]
If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.
The following basic restrictions apply to tags:
Maximum number of tags per secret—50
Maximum key length—127 Unicode characters in UTF-8
Maximum value length—255 Unicode characters in UTF-8
Tag keys and values are case sensitive.
Do not use the aws:
prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.
If you use your tagging schema across multiple services and resources, remember other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
(Optional) Add a list of regions to replicate secrets. Secrets Manager replicates the KMSKeyID objects to the list of regions specified in the parameter.
" + }, + "ForceOverwriteReplicaSecret":{ + "shape":"BooleanType", + "documentation":"(Optional) If set, the replication overwrites a secret with the same name in the destination region.
" } } }, @@ -415,6 +477,10 @@ "VersionId":{ "shape":"SecretVersionIdType", "documentation":"The unique identifier associated with the version of the secret you just created.
" + }, + "ReplicationStatus":{ + "shape":"ReplicationStatusListType", + "documentation":"Describes a list of replication status objects as InProgress
, Failed
or InSync
.
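Review bot: `ForceOverwriteReplicaSecret` in the CreateSecretRequest hunk is a destructive flag and its one-line description (`If set, the replication overwrites a secret with the same name in the destination region.`) is not enough to use it safely. State the default, what happens when it is unset and a same-named secret already exists in a destination Region (whole call fails, or that Region is reported as `Failed` in the response's `ReplicationStatus`), and that when set it replaces the value of an existing, possibly unrelated, secret in that Region. The `AddReplicaRegions` sentence `Secrets Manager replicates the KMSKeyID objects to the list of regions specified in the parameter` is unclear, since a KMS key is Region-scoped and cannot be replicated by this call; say which key encrypts each replica, whether a per-Region key can be given, and what is used when none is.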
Specifies the secret that you want to delete. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
If you specify an ARN, we generally recommend that you specify a complete ARN. You can specify a partial ARN too—for example, if you don’t include the final hyphen and six random characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN match can work as long as it uniquely matches only one secret. However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results. To avoid this situation, we recommend that you don’t create secret names ending with a hyphen followed by six characters.
If you specify an incomplete ARN without the random suffix, and instead provide the 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.
Specifies the secret to delete. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
If you specify an ARN, we generally recommend that you specify a complete ARN. You can specify a partial ARN too—for example, if you don’t include the final hyphen and six random characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN match can work as long as it uniquely matches only one secret. However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results. To avoid this situation, we recommend that you don’t create secret names ending with a hyphen followed by six characters.
If you specify an incomplete ARN without the random suffix, and instead provide the 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.
(Optional) Specifies the number of days that Secrets Manager waits before it can delete the secret. You can't use both this parameter and the ForceDeleteWithoutRecovery
parameter in the same API call.
This value can range from 7 to 30 days. The default value is 30.
", + "documentation":"(Optional) Specifies the number of days that Secrets Manager waits before Secrets Manager can delete the secret. You can't use both this parameter and the ForceDeleteWithoutRecovery
parameter in the same API call.
This value can range from 7 to 30 days with a default value of 30.
", "box":true }, "ForceDeleteWithoutRecovery":{ "shape":"BooleanType", - "documentation":"(Optional) Specifies that the secret is to be deleted without any recovery window. You can't use both this parameter and the RecoveryWindowInDays
parameter in the same API call.
An asynchronous background process performs the actual deletion, so there can be a short delay before the operation completes. If you write code to delete and then immediately recreate a secret with the same name, ensure that your code includes appropriate back off and retry logic.
Use this parameter with caution. This parameter causes the operation to skip the normal waiting period before the permanent deletion that AWS would normally impose with the RecoveryWindowInDays
parameter. If you delete a secret with the ForceDeleteWithouRecovery
parameter, then you have no opportunity to recover the secret. It is permanently lost.
(Optional) Specifies that the secret is to be deleted without any recovery window. You can't use both this parameter and the RecoveryWindowInDays
parameter in the same API call.
An asynchronous background process performs the actual deletion, so there can be a short delay before the operation completes. If you write code to delete and then immediately recreate a secret with the same name, ensure that your code includes appropriate back off and retry logic.
Use this parameter with caution. This parameter causes the operation to skip the normal waiting period before the permanent deletion that AWS would normally impose with the RecoveryWindowInDays
parameter. If you delete a secret with the ForceDeleteWithouRecovery
parameter, then you have no opportunity to recover the secret. You lose the secret permanently.
If you use this parameter and include a previously deleted or nonexistent secret, the operation does not return the error ResourceNotFoundException
in order to correctly handle retries.
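Review bot: the rewritten ForceDeleteWithoutRecovery text carries the misspelling `ForceDeleteWithouRecovery` over from the old text (present in both the removed and the added lines). The newly added sentence `If you use this parameter and include a previously deleted or nonexistent secret, the operation does not return the error ResourceNotFoundException in order to correctly handle retries.` needs to say what is returned instead (a success response, and with which of `ARN`, `Name` and `DeletionDate` populated). Suppressing not-found on a force delete means a typo in the secret name is indistinguishable from a completed permanent deletion, which is worth stating next to the existing `Use this parameter with caution` warning.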
The friendly name of the secret that is now scheduled for deletion.
" + "documentation":"The friendly name of the secret currently scheduled for deletion.
" }, "DeletionDate":{ "shape":"DeletionDateType", @@ -530,11 +596,11 @@ }, "RotationRules":{ "shape":"RotationRulesType", - "documentation":"A structure that contains the rotation configuration for this secret.
" + "documentation":"A structure with the rotation configuration for this secret.
" }, "LastRotatedDate":{ "shape":"LastRotatedDateType", - "documentation":"The most recent date and time that the Secrets Manager rotation process was successfully completed. This value is null if the secret has never rotated.
", + "documentation":"The last date and time that the rotation process for this secret was invoked.
The most recent date and time that the Secrets Manager rotation process successfully completed. If the secret doesn't rotate, Secrets Manager returns a null value.
", "box":true }, "LastChangedDate":{ @@ -566,8 +632,16 @@ }, "CreatedDate":{ "shape":"TimestampType", - "documentation":"The date that the secret was created.
", + "documentation":"The date you created the secret.
", "box":true + }, + "PrimaryRegion":{ + "shape":"RegionType", + "documentation":"Specifies the primary region for secret replication.
" + }, + "ReplicationStatus":{ + "shape":"ReplicationStatusListType", + "documentation":"Describes a list of replication status objects as InProgress
, Failed
or InSync
.P
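Review bot: the new LastRotatedDate description contradicts itself. Its first sentence says the field is `The last date and time that the rotation process for this secret was invoked`, the second that it is when the rotation process `successfully completed`. Those differ exactly when rotation is failing, which is the case an operator reading this field cares about; keep one (the removed text said successfully completed) and delete the other.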
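Review bot: in the DescribeSecretResponse hunk the new `ReplicationStatus` text ends with a stray `.P`, and `Specifies the primary region for secret replication.` is written as if for a request parameter; for a response field say what it reports, for example `The Region in which the primary secret resides`. The text should also say whether `PrimaryRegion` and `ReplicationStatus` are populated when DescribeSecret is called against a replica, since a caller in the replica Region otherwise cannot tell it is not looking at the primary.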
Filters your list of secrets by a specific value.
" + "documentation":"Filters your list of secrets by a specific value.
You can prefix your search value with an exclamation mark (!
) in order to perform negation filters.
Allows you to filter your list of secrets.
" + "documentation":"Allows you to add filters when you use the search function in Secrets Manager.
" }, "FilterNameStringType":{ "type":"string", @@ -614,14 +688,14 @@ "name", "tag-key", "tag-value", + "primary-region", "all" ] }, "FilterValueStringType":{ "type":"string", "max":512, - "min":1, - "pattern":"[a-zA-Z0-9 :_@\\/\\+\\=\\.\\-]+" + "pattern":"^\\!?[a-zA-Z0-9 :_@\\/\\+\\=\\.\\-]*$" }, "FilterValuesStringList":{ "type":"list", @@ -724,11 +798,11 @@ }, "VersionId":{ "shape":"SecretVersionIdType", - "documentation":"Specifies the unique identifier of the version of the secret that you want to retrieve. If you specify this parameter then don't specify VersionStage
. If you don't specify either a VersionStage
or VersionId
then the default is to perform the operation on the version with the VersionStage
value of AWSCURRENT
.
This value is typically a UUID-type value with 32 hexadecimal digits.
" + "documentation":"Specifies the unique identifier of the version of the secret that you want to retrieve. If you specify both this parameter and VersionStage
, the two parameters must refer to the same secret version. If you don't specify either a VersionStage
or VersionId
then the default is to perform the operation on the version with the VersionStage
value of AWSCURRENT
.
This value is typically a UUID-type value with 32 hexadecimal digits.
" }, "VersionStage":{ "shape":"SecretVersionStageType", - "documentation":"Specifies the secret version that you want to retrieve by the staging label attached to the version.
Staging labels are used to keep track of different versions during the rotation process. If you use this parameter then don't specify VersionId
. If you don't specify either a VersionStage
or VersionId
, then the default is to perform the operation on the version with the VersionStage
value of AWSCURRENT
.
Specifies the secret version that you want to retrieve by the staging label attached to the version.
Staging labels are used to keep track of different versions during the rotation process. If you specify both this parameter and VersionId
, the two parameters must refer to the same secret version . If you don't specify either a VersionStage
or VersionId
, then the default is to perform the operation on the version with the VersionStage
value of AWSCURRENT
.
The policy document that you provided isn't valid.
", + "documentation":"You provided a resource-based policy with syntax errors.
", "exception":true }, "MaxResultsType":{ @@ -947,7 +1021,7 @@ "members":{ "Message":{"shape":"ErrorMessage"} }, - "documentation":"The resource policy did not prevent broad access to the secret.
", + "documentation":"The BlockPublicPolicy parameter is set to true and the resource policy did not prevent broad access to the secret.
", "exception":true }, "PutResourcePolicyRequest":{ @@ -959,15 +1033,15 @@ "members":{ "SecretId":{ "shape":"SecretIdType", - "documentation":"Specifies the secret that you want to attach the resource-based policy to. You can specify either the ARN or the friendly name of the secret.
If you specify an ARN, we generally recommend that you specify a complete ARN. You can specify a partial ARN too—for example, if you don’t include the final hyphen and six random characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN match can work as long as it uniquely matches only one secret. However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results. To avoid this situation, we recommend that you don’t create secret names ending with a hyphen followed by six characters.
If you specify an incomplete ARN without the random suffix, and instead provide the 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.
Specifies the secret that you want to attach the resource-based policy. You can specify either the ARN or the friendly name of the secret.
If you specify an ARN, we generally recommend that you specify a complete ARN. You can specify a partial ARN too—for example, if you don’t include the final hyphen and six random characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN match can work as long as it uniquely matches only one secret. However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results. To avoid this situation, we recommend that you don’t create secret names ending with a hyphen followed by six characters.
If you specify an incomplete ARN without the random suffix, and instead provide the 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.
A JSON-formatted string that's constructed according to the grammar and syntax for an AWS resource-based policy. The policy in the string identifies who can access or manage this secret and its versions. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the AWS CLI User Guide.
" + "documentation":"A JSON-formatted string constructed according to the grammar and syntax for an AWS resource-based policy. The policy in the string identifies who can access or manage this secret and its versions. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the AWS CLI User Guide.
" }, "BlockPublicPolicy":{ "shape":"BooleanType", - "documentation":"Makes an optional API call to Zelkova to validate the Resource Policy to prevent broad access to your secret.
", + "documentation":"(Optional) If you set the parameter, BlockPublicPolicy
to true, then you block resource-based policies that allow broad access to the secret.
The friendly name of the secret that the retrieved by the resource-based policy.
" + "documentation":"The friendly name of the secret retrieved by the resource-based policy.
" } } }, @@ -1040,6 +1114,125 @@ "sensitive":true }, "RecoveryWindowInDaysType":{"type":"long"}, + "RegionType":{ + "type":"string", + "max":128, + "min":1, + "pattern":"^([a-z]+-)+\\d+$" + }, + "RemoveRegionsFromReplicationRequest":{ + "type":"structure", + "required":[ + "SecretId", + "RemoveReplicaRegions" + ], + "members":{ + "SecretId":{ + "shape":"SecretIdType", + "documentation":"Remove a secret by SecretId
from replica Regions.
Remove replication from specific Regions.
" + } + } + }, + "RemoveRegionsFromReplicationResponse":{ + "type":"structure", + "members":{ + "ARN":{ + "shape":"SecretARNType", + "documentation":"The secret ARN
removed from replication regions.
Describes the remaining replication status after you remove regions from the replication list.
" + } + } + }, + "RemoveReplicaRegionListType":{ + "type":"list", + "member":{"shape":"RegionType"}, + "min":1 + }, + "ReplicaRegionType":{ + "type":"structure", + "members":{ + "Region":{ + "shape":"RegionType", + "documentation":"Describes a single instance of Region objects.
" + }, + "KmsKeyId":{ + "shape":"KmsKeyIdType", + "documentation":"Can be an ARN
, Key ID
, or Alias
.
(Optional) Custom type consisting of a Region
(required) and the KmsKeyId
which can be an ARN
, Key ID
, or Alias
.
Use the Secret Id
to replicate a secret to regions.
Add Regions to replicate the secret.
" + }, + "ForceOverwriteReplicaSecret":{ + "shape":"BooleanType", + "documentation":"(Optional) If set, Secrets Manager replication overwrites a secret with the same name in the destination region.
" + } + } + }, + "ReplicateSecretToRegionsResponse":{ + "type":"structure", + "members":{ + "ARN":{ + "shape":"SecretARNType", + "documentation":"Replicate a secret based on the ReplicaRegionType
> consisting of a Region(required) and a KMSKeyId (optional) which can be the ARN, KeyID, or Alias.
Describes the secret replication status as PENDING
, SUCCESS
or FAIL
.
The Region where replication occurs.
" + }, + "KmsKeyId":{ + "shape":"KmsKeyIdType", + "documentation":"Can be an ARN
, Key ID
, or Alias
.
The status can be InProgress
, Failed
, or InSync
.
Status message such as \"Secret with this name already exists in this region\".
" + }, + "LastAccessedDate":{ + "shape":"LastAccessedDateType", + "documentation":"The date that you last accessed the secret in the Region.
" + } + }, + "documentation":"A replication object consisting of a RegionReplicationStatus
object and includes a Region, KMSKeyId, status, and status message.
The last date and time that the rotation process for this secret was invoked.
", + "documentation":"The most recent date and time that the Secrets Manager rotation process was successfully completed. This value is null if the secret hasn't ever rotated.
", "box":true }, "LastChangedDate":{ @@ -1221,6 +1414,10 @@ "shape":"TimestampType", "documentation":"The date and time when a secret was created.
", "box":true + }, + "PrimaryRegion":{ + "shape":"RegionType", + "documentation":"The Region where Secrets Manager originated the secret.
" } }, "documentation":"A structure that contains the details about a secret. It does not include the encrypted SecretString
and SecretBinary
values. To get those values, use the GetSecretValue operation.
Response to StopReplicationToReplica
of a secret, based on the SecretId
.
Response StopReplicationToReplica
of a secret, based on the ARN,
.
The tags to attach to the secret. Each element in the list consists of a Key
and a Value
.
This parameter to the API requires a JSON text string argument. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the AWS CLI User Guide. For the AWS CLI, you can also use the syntax: --Tags Key=\"Key1\",Value=\"Value1\",Key=\"Key2\",Value=\"Value2\"[,…]
The tags to attach to the secret. Each element in the list consists of a Key
and a Value
.
This parameter to the API requires a JSON text string argument. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the AWS CLI User Guide. For the AWS CLI, you can also use the syntax: --Tags Key=\"Key1\",Value=\"Value1\" Key=\"Key2\",Value=\"Value2\"[,…]
The identifier for the secret that you want to validate a resource policy. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
If you specify an ARN, we generally recommend that you specify a complete ARN. You can specify a partial ARN too—for example, if you don’t include the final hyphen and six random characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN match can work as long as it uniquely matches only one secret. However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results. To avoid this situation, we recommend that you don’t create secret names ending with a hyphen followed by six characters.
If you specify an incomplete ARN without the random suffix, and instead provide the 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.
(Optional) The identifier of the secret with the resource-based policy you want to validate. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
If you specify an ARN, we generally recommend that you specify a complete ARN. You can specify a partial ARN too—for example, if you don’t include the final hyphen and six random characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN match can work as long as it uniquely matches only one secret. However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results. To avoid this situation, we recommend that you don’t create secret names ending with a hyphen followed by six characters.
If you specify an incomplete ARN without the random suffix, and instead provide the 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.
Identifies the Resource Policy attached to the secret.
" + "documentation":"A JSON-formatted string constructed according to the grammar and syntax for an AWS resource-based policy. The policy in the string identifies who can access or manage this secret and its versions. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the AWS CLI User Guide.publi
" } } },
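Review bot: the new LastRotatedDate documentation in the @@ -566,8 +632,16 @@ hunk contradicts itself: the added text says both "The last date and time that the rotation process for this secret was invoked." and "The most recent date and time that the Secrets Manager rotation process successfully completed." A rotation that was invoked but failed satisfies the first sentence and not the second, and anyone auditing rotation cadence from this field needs to know which event it records. Keep only the "successfully completed" sentence together with the null-value clause, which is what the removed line said. In the same hunk the new ReplicationStatus member lists the status values as InProgress, Failed or InSync, while the ReplicateSecretToRegionsResponse documentation added later in this patch lists them as PENDING, SUCCESS or FAIL; one of the two should be corrected so the docs agree with the enum the Status member actually uses.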
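Review bot: the FilterValueStringType change in the @@ -614,14 +688,14 @@ hunk drops "min":1 and replaces the + quantifier with *, so the new pattern ^\!?[a-zA-Z0-9 :_@\/\+\=\.\-]*$ now admits an empty string and a bare "!". Neither is a meaningful filter value (a negated empty match reads as "everything"), and the model constraint no longer excludes them the way the old pattern did. Suggest ^\!?[a-zA-Z0-9 :_@\/\+\=\.\-]+$ with "min":1 restored, so the optional negation prefix is the only relaxation. The primary-region entry added to FilterNameStringType in the same hunk matches the PrimaryRegion member added to DescribeSecretResponse and looks correct.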
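Review bot: the VersionId and VersionStage documentation in the @@ -724,11 +798,11 @@ hunk changes the GetSecretValue contract from "If you specify this parameter then don't specify VersionStage" to "If you specify both this parameter and VersionStage, the two parameters must refer to the same secret version." That is a change in accepted input, not a wording fix, and it should be called out in the release note alongside the new replication operations so callers that treated the two parameters as mutually exclusive know the combination is now valid. Also, the new VersionStage sentence has a stray space in "the same secret version ." before the period.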
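Review bot: the replacement BlockPublicPolicy documentation in the @@ -959,15 +1033,15 @@ hunk does not say what happens when the parameter is omitted. A caller may rely on this flag as the control that stops a policy granting broad access from being attached, so the text should state the default explicitly (whether the broad-access check is skipped unless the flag is set to true) and should name PublicPolicyException as the error returned when the check fails, matching the exception text updated in the @@ -947,7 +1021,7 @@ hunk. Two smaller points in the same hunk: the SecretId sentence lost its trailing preposition ("Specifies the secret that you want to attach the resource-based policy." should keep the "to" that the removed line had), and "(Optional) If you set the parameter, BlockPublicPolicy to true" has a misplaced comma.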
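Review bot: several new documentation strings in the @@ -1040,6 +1114,125 @@ hunk describe the wrong thing, and the one for a destructive option is too thin. ForceOverwriteReplicaSecret says only "If set, Secrets Manager replication overwrites a secret with the same name in the destination region."; it should state the default and make explicit that whatever secret already exists under that name in the destination Region is replaced, since the StatusMessage example "Secret with this name already exists in this region" shows that a name collision is otherwise reported as a failure and this flag turns that failure into a replacement. The ARN member of ReplicateSecretToRegionsResponse is documented as "Replicate a secret based on the ReplicaRegionType > consisting of a Region(required) and a KMSKeyId (optional)...", which describes the request and carries a stray ">"; it should describe the returned ARN of the primary secret. The status values are given as PENDING, SUCCESS or FAIL in that response and as InProgress, Failed, or InSync in the member documentation a few lines below; pick the set that matches the enum. The ReplicationStatusType summary refers to a "RegionReplicationStatus object", a name that does not appear among the shapes added here. Finally, RemoveRegionsFromReplicationRequest.SecretId reads "Remove a secret by SecretId from replica Regions."; the operation removes Regions from the secret's replication list and does not delete the secret, so the member should be documented as identifying the secret, with the removal itself described on RemoveReplicaRegions.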
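Review bot: in the region after the @@ -1221,6 +1414,10 @@ hunk, the StopReplicationToReplica request documentation is labelled as a response ("Response to StopReplicationToReplica of a secret, based on the SecretId.") and the response documentation reads "Response StopReplicationToReplica of a secret, based on the ARN, ." with a dangling comma; the request text should describe the SecretId input and the response text the ARN that is returned. The ResourcePolicy documentation for ValidateResourcePolicyRequest ends in a stray "publi" after "AWS CLI User Guide." that should be removed. The same request's SecretId is now marked "(Optional)"; if that is intended, confirm the shape's required list was updated to match. The Tags CLI shorthand fix in this region (space-separated Key="Key1",Value="Value1" Key="Key2",Value="Value2" pairs instead of one comma-separated run) is correct.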