lib/aws-sdk-secretsmanager/client.rb in aws-sdk-secretsmanager-1.44.0 vs lib/aws-sdk-secretsmanager/client.rb in aws-sdk-secretsmanager-1.45.0

- old
+ new

@@ -582,11 +582,11 @@ # `SecretString` and `SecretBinary` values are the same as those in # the request, then the request is ignored. # # * If a version with this value already exists and that version's # `SecretString` and `SecretBinary` values are different from those in - # the request then the request fails because you cannot modify an + # the request, then the request fails because you cannot modify an # existing version. Instead, use PutSecretValue to create a new # version. # # This value becomes the `VersionId` of the new version. # @@ -712,15 +712,25 @@ # # # # [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json # + # @option params [Array<Types::ReplicaRegionType>] :add_replica_regions + # (Optional) Add a list of regions to replicate secrets. Secrets Manager + # replicates the KMSKeyID objects to the list of regions specified in + # the parameter. + # + # @option params [Boolean] :force_overwrite_replica_secret + # (Optional) If set, the replication overwrites a secret with the same + # name in the destination region. + # # @return [Types::CreateSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::CreateSecretResponse#arn #arn} => String # * {Types::CreateSecretResponse#name #name} => String # * {Types::CreateSecretResponse#version_id #version_id} => String + # * {Types::CreateSecretResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt; # # # @example Example: To create a basic secret # # # The following example shows how to create a secret. The credentials stored in the encrypted secret value are retrieved 
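Review bot: The new `:force_overwrite_replica_secret` option on create_secret documents a destructive outcome (replacing an existing secret of the same name in the destination Region) without saying what happens when the option is omitted, which is the case most callers will hit; if, as the placeholder `force_overwrite_replica_secret: false` in the request example suggests, the default is false, the @option text should say so, e.g. `# Defaults to false, in which case an existing secret of the same name in a destination Region is left untouched.` (confirm against the service model before adding). The `:add_replica_regions` wording "replicates the KMSKeyID objects to the list of regions" reads as if the key were copied, whereas each entry in the example carries a `region` and a `kms_key_id`, so something like `# Replicates the secret to each listed Region, presumably encrypting the replica with that entry's kms_key_id` is closer to what the request shape shows. The same `:force_overwrite_replica_secret` text reappears on the new replicate_secret_to_regions method in the @@ -2156 hunk and should change together with this one. Since this client is generated from the service model, the fix belongs in the model's documentation rather than a hand edit of client.rb.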
@@ -753,17 +763,30 @@ # { # key: "TagKeyType", # value: "TagValueType", # }, # ], + # add_replica_regions: [ + # { + # region: "RegionType", + # kms_key_id: "KmsKeyIdType", + # }, + # ], + # force_overwrite_replica_secret: false, # }) # # @example Response structure # # resp.arn #=> String # resp.name #=> String # resp.version_id #=> String + # resp.replication_status #=> Array + # resp.replication_status[0].region #=> String + # resp.replication_status[0].kms_key_id #=> String + # resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress" + # resp.replication_status[0].status_message #=> String + # resp.replication_status[0].last_accessed_date #=> Time # # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/CreateSecret AWS API Documentation # # @overload create_secret(params = {}) # @param [Hash] params ({}) @@ -784,12 +807,12 @@ # # **Related operations** # # * To attach a resource policy to a secret, use PutResourcePolicy. # - # * To retrieve the current resource-based policy that's attached to a - # secret, use GetResourcePolicy. + # * To retrieve the current resource-based policy attached to a secret, + # use GetResourcePolicy. # # * To list all of the currently available secrets, use ListSecrets. # # @option params [required, String] :secret_id # Specifies the secret that you want to delete the attached 
@@ -855,31 +878,31 @@ def delete_resource_policy(params = {}, options = {}) req = build_request(:delete_resource_policy, params) req.send_request(options) end - # Deletes an entire secret and all of its versions. You can optionally + # Deletes an entire secret and all of the versions. You can optionally # include a recovery window during which you can restore the secret. If # you don't specify a recovery window value, the operation defaults to # 30 days. Secrets Manager attaches a `DeletionDate` stamp to the secret # that specifies the end of the recovery window. At the end of the # recovery window, Secrets Manager deletes the secret permanently. # # At any time before recovery window ends, you can use RestoreSecret to # remove the `DeletionDate` and cancel the deletion of the secret. # - # You cannot access the encrypted secret information in any secret that - # is scheduled for deletion. If you need to access that information, you + # You cannot access the encrypted secret information in any secret + # scheduled for deletion. If you need to access that information, you # must cancel the deletion with RestoreSecret and then retrieve the # information. # # <note markdown="1"> * There is no explicit operation to delete a version of a secret. # Instead, remove all staging labels from the `VersionStage` field of # a version. That marks the version as deprecated and allows Secrets - # Manager to delete it as needed. Versions that do not have any - # staging labels do not show up in ListSecretVersionIds unless you - # specify `IncludeDeprecated`. + # Manager to delete it as needed. Versions without any staging labels + # do not show up in ListSecretVersionIds unless you specify + # `IncludeDeprecated`. # # * The permanent secret deletion at the end of the waiting period is # performed as a background task with low priority. There is no # guarantee of a specific time after the recovery window for the # actual delete operation to occur. 
@@ -900,12 +923,12 @@ # # * To cancel deletion of a version of a secret before the recovery # window has expired, use RestoreSecret. # # @option params [required, String] :secret_id - # Specifies the secret that you want to delete. You can specify either - # the Amazon Resource Name (ARN) or the friendly name of the secret. + # Specifies the secret to delete. You can specify either the Amazon + # Resource Name (ARN) or the friendly name of the secret. # # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a # complete ARN. You can specify a partial ARN too—for example, if you # don’t include the final hyphen and six random characters that Secrets # Manager adds at the end of the ARN when you created the secret. A @@ -926,14 +949,15 @@ # # </note> # # @option params [Integer] :recovery_window_in_days # (Optional) Specifies the number of days that Secrets Manager waits - # before it can delete the secret. You can't use both this parameter - # and the `ForceDeleteWithoutRecovery` parameter in the same API call. + # before Secrets Manager can delete the secret. You can't use both this + # parameter and the `ForceDeleteWithoutRecovery` parameter in the same + # API call. # - # This value can range from 7 to 30 days. The default value is 30. + # This value can range from 7 to 30 days with a default value of 30. # # @option params [Boolean] :force_delete_without_recovery # (Optional) Specifies that the secret is to be deleted without any # recovery window. You can't use both this parameter and the # `RecoveryWindowInDays` parameter in the same API call. 
@@ -946,13 +970,17 @@ # # Use this parameter with caution. This parameter causes the operation # to skip the normal waiting period before the permanent deletion that # AWS would normally impose with the `RecoveryWindowInDays` parameter. # If you delete a secret with the `ForceDeleteWithouRecovery` parameter, - # then you have no opportunity to recover the secret. It is permanently - # lost. + # then you have no opportunity to recover the secret. You lose the + # secret permanently. # + # If you use this parameter and include a previously deleted or + # nonexistent secret, the operation does not return the error + # `ResourceNotFoundException` in order to correctly handle retries. + # # @return [Types::DeleteSecretResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DeleteSecretResponse#arn #arn} => String # * {Types::DeleteSecretResponse#name #name} => String # * {Types::DeleteSecretResponse#deletion_date #deletion_date} => Time @@ -1063,10 +1091,12 @@ # * {Types::DescribeSecretResponse#deleted_date #deleted_date} => Time # * {Types::DescribeSecretResponse#tags #tags} => Array&lt;Types::Tag&gt; # * {Types::DescribeSecretResponse#version_ids_to_stages #version_ids_to_stages} => Hash&lt;String,Array&lt;String&gt;&gt; # * {Types::DescribeSecretResponse#owning_service #owning_service} => String # * {Types::DescribeSecretResponse#created_date #created_date} => Time + # * {Types::DescribeSecretResponse#primary_region #primary_region} => String + # * {Types::DescribeSecretResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt; # # # @example Example: To retrieve the details of a secret # # # The following example shows how to get the details about a secret. 
@@ -1134,10 +1164,17 @@ # resp.version_ids_to_stages #=> Hash # resp.version_ids_to_stages["SecretVersionIdType"] #=> Array # resp.version_ids_to_stages["SecretVersionIdType"][0] #=> String # resp.owning_service #=> String # resp.created_date #=> Time + # resp.primary_region #=> String + # resp.replication_status #=> Array + # resp.replication_status[0].region #=> String + # resp.replication_status[0].kms_key_id #=> String + # resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress" + # resp.replication_status[0].status_message #=> String + # resp.replication_status[0].last_accessed_date #=> Time # # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DescribeSecret AWS API Documentation # # @overload describe_secret(params = {}) # @param [Hash] params ({}) @@ -1393,14 +1430,15 @@ # # </note> # # @option params [String] :version_id # Specifies the unique identifier of the version of the secret that you - # want to retrieve. If you specify this parameter then don't specify - # `VersionStage`. If you don't specify either a `VersionStage` or - # `VersionId` then the default is to perform the operation on the - # version with the `VersionStage` value of `AWSCURRENT`. + # want to retrieve. If you specify both this parameter and + # `VersionStage`, the two parameters must refer to the same secret + # version. If you don't specify either a `VersionStage` or `VersionId` + # then the default is to perform the operation on the version with the + # `VersionStage` value of `AWSCURRENT`. # # This value is typically a [UUID-type][1] value with 32 hexadecimal # digits. # # 
@@ -1410,14 +1448,15 @@ # @option params [String] :version_stage # Specifies the secret version that you want to retrieve by the staging # label attached to the version. # # Staging labels are used to keep track of different versions during the - # rotation process. If you use this parameter then don't specify - # `VersionId`. If you don't specify either a `VersionStage` or - # `VersionId`, then the default is to perform the operation on the - # version with the `VersionStage` value of `AWSCURRENT`. + # rotation process. If you specify both this parameter and `VersionId`, + # the two parameters must refer to the same secret version . If you + # don't specify either a `VersionStage` or `VersionId`, then the + # default is to perform the operation on the version with the + # `VersionStage` value of `AWSCURRENT`. # # @return [Types::GetSecretValueResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::GetSecretValueResponse#arn #arn} => String # * {Types::GetSecretValueResponse#name #name} => String @@ -1736,11 +1775,11 @@ # resp = client.list_secrets({ # max_results: 1, # next_token: "NextTokenType", # filters: [ # { - # key: "description", # accepts description, name, tag-key, tag-value, all + # key: "description", # accepts description, name, tag-key, tag-value, primary-region, all # values: ["FilterValueStringType"], # }, # ], # sort_order: "asc", # accepts asc, desc # }) 
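Review bot: The rewritten `:version_stage` text for get_secret_value has a stray space before the period in `the two parameters must refer to the same secret version .`; the line should read `# the two parameters must refer to the same secret version . If you` with the space removed, i.e. `# the two parameters must refer to the same secret version. If you`. The parallel `:version_id` paragraph in the preceding hunk is punctuated correctly, so only this line needs the change, most likely in the service model docs this file is generated from.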
@@ -1765,10 +1804,11 @@ # resp.secret_list[0].secret_versions_to_stages #=> Hash # resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"] #=> Array # resp.secret_list[0].secret_versions_to_stages["SecretVersionIdType"][0] #=> String # resp.secret_list[0].owning_service #=> String # resp.secret_list[0].created_date #=> Time + # resp.secret_list[0].primary_region #=> String # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecrets AWS API Documentation # # @overload list_secrets(params = {}) @@ -1801,23 +1841,24 @@ # **Related operations** # # * To retrieve the resource policy attached to a secret, use # GetResourcePolicy. # - # * To delete the resource-based policy that's attached to a secret, - # use DeleteResourcePolicy. + # * To delete the resource-based policy attached to a secret, use + # DeleteResourcePolicy. # # * To list all of the currently available secrets, use ListSecrets. # # # # [1]: http://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html # # @option params [required, String] :secret_id - # Specifies the secret that you want to attach the resource-based policy - # to. You can specify either the ARN or the friendly name of the secret. + # Specifies the secret that you want to attach the resource-based + # policy. You can specify either the ARN or the friendly name of the + # secret. # # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a # complete ARN. You can specify a partial ARN too—for example, if you # don’t include the final hyphen and six random characters that Secrets # Manager adds at the end of the ARN when you created the secret. A 
@@ -1837,24 +1878,25 @@ # *AccessDeniedException* error, depending on your permissions. # # </note> # # @option params [required, String] :resource_policy - # A JSON-formatted string that's constructed according to the grammar - # and syntax for an AWS resource-based policy. The policy in the string + # A JSON-formatted string constructed according to the grammar and + # syntax for an AWS resource-based policy. The policy in the string # identifies who can access or manage this secret and its versions. For # information on how to format a JSON parameter for the various command # line tool environments, see [Using JSON for Parameters][1] in the *AWS # CLI User Guide*. # # # # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json # # @option params [Boolean] :block_public_policy - # Makes an optional API call to Zelkova to validate the Resource Policy - # to prevent broad access to your secret. + # (Optional) If you set the parameter, `BlockPublicPolicy` to true, then + # you block resource-based policies that allow broad access to the + # secret. # # @return [Types::PutResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::PutResourcePolicyResponse#arn #arn} => String # * {Types::PutResourcePolicyResponse#name #name} => String 
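Review bot: The rewritten `:block_public_policy` doc for put_resource_policy says what setting the option to true does but not what happens when it is omitted, and that default is the security-relevant detail for anyone attaching a resource policy. The hunk does not show the default, so it should be taken from the service model and stated explicitly, for example `# If you omit this parameter the policy is attached without the broad-access check.` if that is indeed the behaviour. The `:resource_policy` rewording in the same hunk is fine as is.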
@@ -1911,17 +1953,16 @@ # # * If this operation creates the first version for the secret then # Secrets Manager automatically attaches the staging label # `AWSCURRENT` to the new version. # - # * If another version of this secret already exists, then this - # operation does not automatically move any staging labels other than - # those that you explicitly specify in the `VersionStages` parameter. + # * If you do not specify a value for VersionStages then Secrets Manager + # automatically moves the staging label `AWSCURRENT` to this new + # version. # # * If this operation moves the staging label `AWSCURRENT` from another - # version to this version (because you included it in the - # `StagingLabels` parameter) then Secrets Manager also automatically + # version to this version, then Secrets Manager also automatically # moves the staging label `AWSPREVIOUS` to the version that # `AWSCURRENT` was removed from. # # * This operation is idempotent. If a version with a `VersionId` with # the same value as the `ClientRequestToken` parameter already exists 
@@ -2156,10 +2197,99 @@ def put_secret_value(params = {}, options = {}) req = build_request(:put_secret_value, params) req.send_request(options) end + # Remove regions from replication. + # + # @option params [required, String] :secret_id + # Remove a secret by `SecretId` from replica Regions. + # + # @option params [required, Array<String>] :remove_replica_regions + # Remove replication from specific Regions. + # + # @return [Types::RemoveRegionsFromReplicationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::RemoveRegionsFromReplicationResponse#arn #arn} => String + # * {Types::RemoveRegionsFromReplicationResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt; + # + # @example Request syntax with placeholder values + # + # resp = client.remove_regions_from_replication({ + # secret_id: "SecretIdType", # required + # remove_replica_regions: ["RegionType"], # required + # }) + # + # @example Response structure + # + # resp.arn #=> String + # resp.replication_status #=> Array + # resp.replication_status[0].region #=> String + # resp.replication_status[0].kms_key_id #=> String + # resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress" + # resp.replication_status[0].status_message #=> String + # resp.replication_status[0].last_accessed_date #=> Time + # + # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RemoveRegionsFromReplication AWS API Documentation + # + # @overload remove_regions_from_replication(params = {}) + # @param [Hash] params ({}) + def remove_regions_from_replication(params = {}, options = {}) + req = build_request(:remove_regions_from_replication, params) + req.send_request(options) + end + + # Converts an existing secret to a multi-Region secret and begins + # replication the secret to a list of new regions. 
+ # + # @option params [required, String] :secret_id + # Use the `Secret Id` to replicate a secret to regions. + # + # @option params [required, Array<Types::ReplicaRegionType>] :add_replica_regions + # Add Regions to replicate the secret. + # + # @option params [Boolean] :force_overwrite_replica_secret + # (Optional) If set, Secrets Manager replication overwrites a secret + # with the same name in the destination region. + # + # @return [Types::ReplicateSecretToRegionsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::ReplicateSecretToRegionsResponse#arn #arn} => String + # * {Types::ReplicateSecretToRegionsResponse#replication_status #replication_status} => Array&lt;Types::ReplicationStatusType&gt; + # + # @example Request syntax with placeholder values + # + # resp = client.replicate_secret_to_regions({ + # secret_id: "SecretIdType", # required + # add_replica_regions: [ # required + # { + # region: "RegionType", + # kms_key_id: "KmsKeyIdType", + # }, + # ], + # force_overwrite_replica_secret: false, + # }) + # + # @example Response structure + # + # resp.arn #=> String + # resp.replication_status #=> Array + # resp.replication_status[0].region #=> String + # resp.replication_status[0].kms_key_id #=> String + # resp.replication_status[0].status #=> String, one of "InSync", "Failed", "InProgress" + # resp.replication_status[0].status_message #=> String + # resp.replication_status[0].last_accessed_date #=> Time + # + # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ReplicateSecretToRegions AWS API Documentation + # + # @overload replicate_secret_to_regions(params = {}) + # @param [Hash] params ({}) + def replicate_secret_to_regions(params = {}, options = {}) + req = build_request(:replicate_secret_to_regions, params) + req.send_request(options) + end + # Cancels the scheduled deletion of a secret by removing the # `DeletedDate` time stamp. 
This makes the secret accessible to query # once again. # # **Minimum permissions** @@ -2398,10 +2528,40 @@ def rotate_secret(params = {}, options = {}) req = build_request(:rotate_secret, params) req.send_request(options) end + # Removes the secret from replication and promotes the secret to a + # regional secret in the replica Region. + # + # @option params [required, String] :secret_id + # Response to `StopReplicationToReplica` of a secret, based on the + # `SecretId`. + # + # @return [Types::StopReplicationToReplicaResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::StopReplicationToReplicaResponse#arn #arn} => String + # + # @example Request syntax with placeholder values + # + # resp = client.stop_replication_to_replica({ + # secret_id: "SecretIdType", # required + # }) + # + # @example Response structure + # + # resp.arn #=> String + # + # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/StopReplicationToReplica AWS API Documentation + # + # @overload stop_replication_to_replica(params = {}) + # @param [Hash] params ({}) + def stop_replication_to_replica(params = {}, options = {}) + req = build_request(:stop_replication_to_replica, params) + req.send_request(options) + end + # Attaches one or more tags, each consisting of a key name and a value, # to the specified secret. Tags are part of the secret's overall # metadata, and are not associated with any specific version of the # secret. This operation only appends tags to the existing list of tags. # To remove tags, you must use UntagResource. 
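Review bot: The `:secret_id` doc on the new stop_replication_to_replica method describes a response (`Response to StopReplicationToReplica of a secret, based on the SecretId.`) rather than the argument the caller passes; following the wording used for `:secret_id` elsewhere in this file it should read along the lines of `# The Amazon Resource Name (ARN) or friendly name of the replica secret to promote to a standalone regional secret.`. In the same way, replicate_secret_to_regions documents `:secret_id` as `Use the Secret Id to replicate a secret to regions.`, spelling `Secret Id` with a space unlike `SecretId` everywhere else, and its summary says `begins replication the secret` where `begins replicating the secret` is meant. Both new methods only forward to build_request, so the code is fine; the text is generated from the service model and should be corrected there.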
@@ -2479,11 +2639,11 @@ # # This parameter to the API requires a JSON text string argument. For # information on how to format a JSON parameter for the various command # line tool environments, see [Using JSON for Parameters][1] in the *AWS # CLI User Guide*. For the AWS CLI, you can also use the syntax: `--Tags - # Key="Key1",Value="Value1",Key="Key2",Value="Value2"[,…]` + # Key="Key1",Value="Value1" Key="Key2",Value="Value2"[,…]` # # # # [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json # 
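Review bot: The rewritten CLI example `--Tags Key="Key1",Value="Value1" Key="Key2",Value="Value2"[,…]` changes the separator between tag entries from a comma to a space but keeps the trailing `[,…]`, so the two halves of the line now disagree about how further entries are appended. If a space is the intended separator the suffix should become `[ …]`; confirm against the CLI shorthand syntax before changing it.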
@@ -3086,20 +3246,42 @@ def update_secret_version_stage(params = {}, options = {}) req = build_request(:update_secret_version_stage, params) req.send_request(options) end - # Validates the JSON text of the resource-based policy document attached - # to the specified secret. The JSON request string input and response - # output displays formatted code with white space and line breaks for - # better readability. Submit your input as a single line JSON string. A - # resource-based policy is optional. + # Validates that the resource policy does not grant a wide range of IAM + # principals access to your secret. The JSON request string input and + # response output displays formatted code with white space and line + # breaks for better readability. Submit your input as a single line JSON + # string. A resource-based policy is optional for secrets. # + # The API performs three checks when validating the secret: + # + # * Sends a call to [Zelkova][1], an automated reasoning engine, to + # ensure your Resource Policy does not allow broad access to your + # secret. + # + # * Checks for correct syntax in a policy. + # + # * Verifies the policy does not lock out a caller. + # + # **Minimum Permissions** + # + # You must have the permissions required to access the following APIs: + # + # * `secretsmanager:PutResourcePolicy` + # + # * `secretsmanager:ValidateResourcePolicy` + # + # + # + # [1]: https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/ + # # @option params [String] :secret_id - # The identifier for the secret that you want to validate a resource - # policy. You can specify either the Amazon Resource Name (ARN) or the - # friendly name of the secret. + # (Optional) The identifier of the secret with the resource-based policy + # you want to validate. You can specify either the Amazon Resource Name + # (ARN) or the friendly name of the secret. 
# # <note markdown="1"> If you specify an ARN, we generally recommend that you specify a # complete ARN. You can specify a partial ARN too—for example, if you # don’t include the final hyphen and six random characters that Secrets # Manager adds at the end of the ARN when you created the secret. A @@ -3119,12 +3301,21 @@ # *AccessDeniedException* error, depending on your permissions. # # </note> # # @option params [required, String] :resource_policy - # Identifies the Resource Policy attached to the secret. + # A JSON-formatted string constructed according to the grammar and + # syntax for an AWS resource-based policy. The policy in the string + # identifies who can access or manage this secret and its versions. For + # information on how to format a JSON parameter for the various command + # line tool environments, see [Using JSON for Parameters][1] in the *AWS + # CLI User Guide*.publi # + # + # + # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json + # # @return [Types::ValidateResourcePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ValidateResourcePolicyResponse#policy_validation_passed #policy_validation_passed} => Boolean # * {Types::ValidateResourcePolicyResponse#validation_errors #validation_errors} => Array&lt;Types::ValidationErrorsEntry&gt; # @@ -3179,10 +3370,10 @@ operation: config.api.operation(operation_name), client: self, params: params, config: config) context[:gem_name] = 'aws-sdk-secretsmanager' - context[:gem_version] = '1.44.0' + context[:gem_version] = '1.45.0' Seahorse::Client::Request.new(handlers, context) end # @api private # @deprecated
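Review bot: The new `:resource_policy` description for validate_resource_policy ends in a stray fragment, `# CLI User Guide*.publi`, which looks like an editing slip and would render as "CLI User Guide.publi" in the generated docs; the line should end at `# CLI User Guide*.`, matching the identical paragraph on put_resource_policy earlier in the file. The `def validate_resource_policy` this comment documents lies outside the hunk. The gem-version bump in the final hunk needs no change.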