lib/aws-sdk-secretsmanager/client.rb in aws-sdk-secretsmanager-1.2.0 vs lib/aws-sdk-secretsmanager/client.rb in aws-sdk-secretsmanager-1.3.0

@@ -293,11 +293,12 @@
     #   a different AWS account. Store the ARN of the CMK in the secret when
     #   you create the secret or when you update it by including it in the
     #   `KMSKeyId`. If you call an API that must encrypt or decrypt
     #   `SecretString` or `SecretBinary` using credentials from a different
     #   account then the KMS key policy must grant cross-account access to
-    #   that other account's user or role.
+    #   that other account's user or role for both the kms:GenerateDataKey
+    #   and kms:Decrypt operations.
     #
     #  </note>
     #
     #
     #
@@ -309,11 +310,11 @@
     #
     # * kms:GenerateDataKey - needed only if you use a customer-created KMS
     #   key to encrypt the secret. You do not need this permission to use
     #   the account's default AWS managed CMK for Secrets Manager.
     #
-    # * kms:Encrypt - needed only if you use a customer-created KMS key to
+    # * kms:Decrypt - needed only if you use a customer-created KMS key to
     #   encrypt the secret. You do not need this permission to use the
     #   account's default AWS managed CMK for Secrets Manager.
     #
     # **Related operations**
     #
@@ -1298,11 +1299,12 @@
     #   a different AWS account. Store the ARN of the CMK in the secret when
     #   you create the secret or when you update it by including it in the
     #   `KMSKeyId`. If you call an API that must encrypt or decrypt
     #   `SecretString` or `SecretBinary` using credentials from a different
     #   account then the KMS key policy must grant cross-account access to
-    #   that other account's user or role.
+    #   that other account's user or role for both the kms:GenerateDataKey
+    #   and kms:Decrypt operations.
     #
     #  </note>
     #
     # **Minimum permissions**
     #
@@ -1915,11 +1917,12 @@
     #   a different AWS account. Store the ARN of the CMK in the secret when
     #   you create the secret or when you update it by including it in the
     #   `KMSKeyId`. If you call an API that must encrypt or decrypt
     #   `SecretString` or `SecretBinary` using credentials from a different
     #   account then the KMS key policy must grant cross-account access to
-    #   that other account's user or role.
+    #   that other account's user or role for both the kms:GenerateDataKey
+    #   and kms:Decrypt operations.
     #
     #  </note>
     #
     # **Minimum permissions**
     #
@@ -2299,10 +2302,10 @@
         operation: config.api.operation(operation_name),
         client: self,
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-secretsmanager'
-      context[:gem_version] = '1.2.0'
+      context[:gem_version] = '1.3.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 
     # @api private
     # @deprecated