lib/aws-sdk-secretsmanager/client.rb in aws-sdk-secretsmanager-1.47.0 vs lib/aws-sdk-secretsmanager/client.rb in aws-sdk-secretsmanager-1.48.0

- old
+ new

@@ -477,29 +477,31 @@ # version and automatically attaches the staging label `AWSCURRENT` to # the new version. # # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or # `SecretBinary` for a secret in the same account as the calling user - # and that secret doesn't specify a AWS KMS encryption key, Secrets - # Manager uses the account's default AWS managed customer master key - # (CMK) with the alias `aws/secretsmanager`. If this key doesn't - # already exist in your account then Secrets Manager creates it for - # you automatically. All users and roles in the same AWS account + # and that secret doesn't specify a Amazon Web Services KMS + # encryption key, Secrets Manager uses the account's default Amazon + # Web Services managed customer master key (CMK) with the alias + # `aws/secretsmanager`. If this key doesn't already exist in your + # account then Secrets Manager creates it for you automatically. All + # users and roles in the same Amazon Web Services account # automatically have access to use the default CMK. Note that if an - # Secrets Manager API call results in AWS creating the account's - # AWS-managed CMK, it can result in a one-time significant delay in - # returning the result. + # Secrets Manager API call results in Amazon Web Services creating the + # account's Amazon Web Services-managed CMK, it can result in a + # one-time significant delay in returning the result. # - # * If the secret resides in a different AWS account from the - # credentials calling an API that requires encryption or decryption of - # the secret value then you must create and use a custom AWS KMS CMK - # because you can't access the default CMK for the account using - # credentials from a different AWS account. Store the ARN of the CMK - # in the secret when you create the secret or when you update it by - # including it in the `KMSKeyId`. 
If you call an API that must encrypt - # or decrypt `SecretString` or `SecretBinary` using credentials from a - # different account then the AWS KMS key policy must grant + # * If the secret resides in a different Amazon Web Services account + # from the credentials calling an API that requires encryption or + # decryption of the secret value then you must create and use a custom + # Amazon Web Services KMS CMK because you can't access the default + # CMK for the account using credentials from a different Amazon Web + # Services account. Store the ARN of the CMK in the secret when you + # create the secret or when you update it by including it in the + # `KMSKeyId`. If you call an API that must encrypt or decrypt + # `SecretString` or `SecretBinary` using credentials from a different + # account then the Amazon Web Services KMS key policy must grant # cross-account access to that other account's user or role for both # the kms:GenerateDataKey and kms:Decrypt operations. # # </note> # 
@@ -509,17 +511,19 @@ # # To run this command, you must have the following permissions: # # * secretsmanager:CreateSecret # - # * kms:GenerateDataKey - needed only if you use a customer-managed AWS - # KMS key to encrypt the secret. You do not need this permission to - # use the account default AWS managed CMK for Secrets Manager. + # * kms:GenerateDataKey - needed only if you use a customer-managed + # Amazon Web Services KMS key to encrypt the secret. You do not need + # this permission to use the account default Amazon Web Services + # managed CMK for Secrets Manager. # - # * kms:Decrypt - needed only if you use a customer-managed AWS KMS key - # to encrypt the secret. You do not need this permission to use the - # account default AWS managed CMK for Secrets Manager. + # * kms:Decrypt - needed only if you use a customer-managed Amazon Web + # Services KMS key to encrypt the secret. You do not need this + # permission to use the account default Amazon Web Services managed + # CMK for Secrets Manager. # # * secretsmanager:TagResource - needed only if you include the `Tags` # parameter. # # **Related operations** 
@@ -557,17 +561,17 @@ # @option params [String] :client_request_token # (Optional) If you include `SecretString` or `SecretBinary`, then an # initial version is created as part of the secret, and this parameter # specifies a unique identifier for the new version. # - # <note markdown="1"> If you use the AWS CLI or one of the AWS SDK to call this operation, - # then you can leave this parameter empty. The CLI or SDK generates a - # random UUID for you and includes it as the value for this parameter in - # the request. If you don't use the SDK and instead generate a raw HTTP - # request to the Secrets Manager service endpoint, then you must - # generate a `ClientRequestToken` yourself for the new version and - # include the value in the request. + # <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web + # Services SDK to call this operation, then you can leave this parameter + # empty. The CLI or SDK generates a random UUID for you and includes it + # as the value for this parameter in the request. If you don't use the + # SDK and instead generate a raw HTTP request to the Secrets Manager + # service endpoint, then you must generate a `ClientRequestToken` + # yourself for the new version and include the value in the request. # # </note> # # This value helps ensure idempotency. Secrets Manager uses this value # to prevent the accidental creation of duplicate versions if there are 
@@ -599,24 +603,25 @@ # # @option params [String] :description # (Optional) Specifies a user-provided description of the secret. # # @option params [String] :kms_key_id - # (Optional) Specifies the ARN, Key ID, or alias of the AWS KMS customer - # master key (CMK) to be used to encrypt the `SecretString` or - # `SecretBinary` values in the versions stored in this secret. + # (Optional) Specifies the ARN, Key ID, or alias of the Amazon Web + # Services KMS customer master key (CMK) to be used to encrypt the + # `SecretString` or `SecretBinary` values in the versions stored in this + # secret. # - # You can specify any of the supported ways to identify a AWS KMS key - # ID. If you need to reference a CMK in a different account, you can use - # only the key ARN or the alias ARN. + # You can specify any of the supported ways to identify a Amazon Web + # Services KMS key ID. If you need to reference a CMK in a different + # account, you can use only the key ARN or the alias ARN. # # If you don't specify this value, then Secrets Manager defaults to - # using the AWS account's default CMK (the one named - # `aws/secretsmanager`). If a AWS KMS CMK with that name doesn't yet - # exist, then Secrets Manager creates it for you automatically the first - # time it needs to encrypt a version's `SecretString` or `SecretBinary` - # fields. + # using the Amazon Web Services account's default CMK (the one named + # `aws/secretsmanager`). If a Amazon Web Services KMS CMK with that name + # doesn't yet exist, then Secrets Manager creates it for you + # automatically the first time it needs to encrypt a version's + # `SecretString` or `SecretBinary` fields. # # You can use the account default CMK to encrypt and decrypt only if you # call this operation using credentials from the same account that owns # the secret. If the secret resides in a different account, then you # must create a custom CMK and specify the ARN in this field. 
@@ -630,11 +635,12 @@ # # Either `SecretString` or `SecretBinary` must have a value, but not # both. They cannot both be empty. # # This parameter is not available using the Secrets Manager console. It - # can be accessed only by using the AWS CLI or one of the AWS SDKs. + # can be accessed only by using the Amazon Web Services CLI or one of + # the Amazon Web Services SDKs. # # @option params [String] :secret_string # (Optional) Specifies text data that you want to encrypt and store in # this new version of the secret. # @@ -648,11 +654,11 @@ # rotation function knows how to parse. # # For storing multiple values, we recommend that you use a JSON text # string argument and specify key/value pairs. For information on how to # format a JSON parameter for the various command line tool - # environments, see [Using JSON for Parameters][1] in the *AWS CLI User + # environments, see [Using JSON for Parameters][1] in the *CLI User # Guide*. For example: # # `\{"username":"bob","password":"abc123xyz456"\}` # # If your command-line tool or SDK requires quotation marks around the @@ -678,11 +684,11 @@ # result in you losing your permissions for this secret, then this # operation is blocked and returns an `Access Denied` error. # # This parameter requires a JSON text string argument. For information # on how to format a JSON parameter for the various command line tool - # environments, see [Using JSON for Parameters][1] in the *AWS CLI User + # environments, see [Using JSON for Parameters][1] in the *CLI User # Guide*. For example: # # `[\{"Key":"CostCenter","Value":"12345"\},\{"Key":"environment","Value":"production"\}]` # # If your command-line tool or SDK requires quotation marks around the 
@@ -697,14 +703,14 @@ # # * Maximum value length—255 Unicode characters in UTF-8 # # * Tag keys and values are case sensitive. # - # * Do not use the `aws:` prefix in your tag names or values because AWS - # reserves it for AWS use. You can't edit or delete tag names or - # values with this prefix. Tags with this prefix do not count against - # your tags per secret limit. + # * Do not use the `aws:` prefix in your tag names or values because + # Amazon Web Services reserves it for Amazon Web Services use. You + # can't edit or delete tag names or values with this prefix. Tags + # with this prefix do not count against your tags per secret limit. # # * If you use your tagging schema across multiple services and # resources, remember other services might have restrictions on # allowed characters. Generally allowed characters: letters, spaces, # and numbers representable in UTF-8, plus the following special @@ -968,14 +974,14 @@ # same name, ensure that your code includes appropriate back off and # retry logic. # # Use this parameter with caution. This parameter causes the operation # to skip the normal waiting period before the permanent deletion that - # AWS would normally impose with the `RecoveryWindowInDays` parameter. - # If you delete a secret with the `ForceDeleteWithouRecovery` parameter, - # then you have no opportunity to recover the secret. You lose the - # secret permanently. + # Amazon Web Services would normally impose with the + # `RecoveryWindowInDays` parameter. If you delete a secret with the + # `ForceDeleteWithouRecovery` parameter, then you have no opportunity to + # recover the secret. You lose the secret permanently. # # If you use this parameter and include a previously deleted or # nonexistent secret, the operation does not return the error # `ResourceNotFoundException` in order to correctly handle retries. # 
@@ -1046,11 +1052,12 @@ # * To modify a secret, use UpdateSecret. # # * To retrieve the encrypted secret information in a version of the # secret, use GetSecretValue. # - # * To list all of the secrets in the AWS account, use ListSecrets. + # * To list all of the secrets in the Amazon Web Services account, use + # ListSecrets. # # @option params [required, String] :secret_id # The identifier of the secret whose details you want to retrieve. You # can specify either the Amazon Resource Name (ARN) or the friendly name # of the secret. @@ -1390,13 +1397,14 @@ # # To run this command, you must have the following permissions: # # * secretsmanager:GetSecretValue # - # * kms:Decrypt - required only if you use a customer-managed AWS KMS - # key to encrypt the secret. You do not need this permission to use - # the account's default AWS managed CMK for Secrets Manager. + # * kms:Decrypt - required only if you use a customer-managed Amazon Web + # Services KMS key to encrypt the secret. You do not need this + # permission to use the account's default Amazon Web Services managed + # CMK for Secrets Manager. # # **Related operations** # # * To create a new version of the secret with different encrypted # information, use PutSecretValue. @@ -1658,10 +1666,12 @@ # resp.versions[0].version_id #=> String # resp.versions[0].version_stages #=> Array # resp.versions[0].version_stages[0] #=> String # resp.versions[0].last_accessed_date #=> Time # resp.versions[0].created_date #=> Time + # resp.versions[0].kms_key_ids #=> Array + # resp.versions[0].kms_key_ids[0] #=> String # resp.next_token #=> String # resp.arn #=> String # resp.name #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecretVersionIds AWS API Documentation 
@@ -1671,15 +1681,15 @@ def list_secret_version_ids(params = {}, options = {}) req = build_request(:list_secret_version_ids, params) req.send_request(options) end - # Lists all of the secrets that are stored by Secrets Manager in the AWS - # account. To list the versions currently stored for a specific secret, - # use ListSecretVersionIds. The encrypted fields `SecretString` and - # `SecretBinary` are not included in the output. To get that - # information, call the GetSecretValue operation. + # Lists all of the secrets that are stored by Secrets Manager in the + # Amazon Web Services account. To list the versions currently stored for + # a specific secret, use ListSecretVersionIds. The encrypted fields + # `SecretString` and `SecretBinary` are not included in the output. To + # get that information, call the GetSecretValue operation. # # <note markdown="1"> Always check the `NextToken` response parameter when calling any of # the `List*` operations. These operations can occasionally return an # empty or shorter than expected list of results even when there more # results become available. When this happens, the `NextToken` response @@ -1824,13 +1834,13 @@ # the secret's Amazon Resource Name (ARN) in the policy statement's # `Resources` element. You can also use a combination of both # identity-based and resource-based policies. The affected users and # roles receive the permissions that are permitted by all of the # relevant policies. For more information, see [Using Resource-Based - # Policies for AWS Secrets Manager][1]. For the complete description of - # the AWS policy syntax and grammar, see [IAM JSON Policy Reference][2] - # in the *IAM User Guide*. + # Policies for Amazon Web Services Secrets Manager][1]. For the complete + # description of the Amazon Web Services policy syntax and grammar, see + # [IAM JSON Policy Reference][2] in the *IAM User Guide*. # # **Minimum permissions** # # To run this command, you must have the following permissions: # 
@@ -1879,15 +1889,15 @@ # # </note> # # @option params [required, String] :resource_policy # A JSON-formatted string constructed according to the grammar and - # syntax for an AWS resource-based policy. The policy in the string - # identifies who can access or manage this secret and its versions. For - # information on how to format a JSON parameter for the various command - # line tool environments, see [Using JSON for Parameters][1] in the *AWS - # CLI User Guide*. + # syntax for an Amazon Web Services resource-based policy. The policy in + # the string identifies who can access or manage this secret and its + # versions. For information on how to format a JSON parameter for the + # various command line tool environments, see [Using JSON for + # Parameters][1] in the *CLI User Guide*. # # # # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json # @@ -1945,11 +1955,11 @@ # `SecretBinary` value. You can also specify the staging labels that are # initially attached to the new version. # # <note markdown="1"> The Secrets Manager console uses only the `SecretString` field. To add # binary data to a secret with the `SecretBinary` field you must use the - # AWS CLI or one of the AWS SDKs. + # Amazon Web Services CLI or one of the Amazon Web Services SDKs. # # </note> # # * If this operation creates the first version for the secret then # Secrets Manager automatically attaches the staging label 
@@ -1971,29 +1981,31 @@ # operation fails because you cannot modify an existing version; you # can only create new ones. # # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or # `SecretBinary` for a secret in the same account as the calling user - # and that secret doesn't specify a AWS KMS encryption key, Secrets - # Manager uses the account's default AWS managed customer master key - # (CMK) with the alias `aws/secretsmanager`. If this key doesn't - # already exist in your account then Secrets Manager creates it for - # you automatically. All users and roles in the same AWS account + # and that secret doesn't specify a Amazon Web Services KMS + # encryption key, Secrets Manager uses the account's default Amazon + # Web Services managed customer master key (CMK) with the alias + # `aws/secretsmanager`. If this key doesn't already exist in your + # account then Secrets Manager creates it for you automatically. All + # users and roles in the same Amazon Web Services account # automatically have access to use the default CMK. Note that if an - # Secrets Manager API call results in AWS creating the account's - # AWS-managed CMK, it can result in a one-time significant delay in - # returning the result. + # Secrets Manager API call results in Amazon Web Services creating the + # account's Amazon Web Services-managed CMK, it can result in a + # one-time significant delay in returning the result. # - # * If the secret resides in a different AWS account from the - # credentials calling an API that requires encryption or decryption of - # the secret value then you must create and use a custom AWS KMS CMK - # because you can't access the default CMK for the account using - # credentials from a different AWS account. Store the ARN of the CMK - # in the secret when you create the secret or when you update it by - # including it in the `KMSKeyId`. 
If you call an API that must encrypt - # or decrypt `SecretString` or `SecretBinary` using credentials from a - # different account then the AWS KMS key policy must grant + # * If the secret resides in a different Amazon Web Services account + # from the credentials calling an API that requires encryption or + # decryption of the secret value then you must create and use a custom + # Amazon Web Services KMS CMK because you can't access the default + # CMK for the account using credentials from a different Amazon Web + # Services account. Store the ARN of the CMK in the secret when you + # create the secret or when you update it by including it in the + # `KMSKeyId`. If you call an API that must encrypt or decrypt + # `SecretString` or `SecretBinary` using credentials from a different + # account then the Amazon Web Services KMS key policy must grant # cross-account access to that other account's user or role for both # the kms:GenerateDataKey and kms:Decrypt operations. # # </note> # @@ -2001,13 +2013,14 @@ # # To run this command, you must have the following permissions: # # * secretsmanager:PutSecretValue # - # * kms:GenerateDataKey - needed only if you use a customer-managed AWS - # KMS key to encrypt the secret. You do not need this permission to - # use the account's default AWS managed CMK for Secrets Manager. + # * kms:GenerateDataKey - needed only if you use a customer-managed + # Amazon Web Services KMS key to encrypt the secret. You do not need + # this permission to use the account's default Amazon Web Services + # managed CMK for Secrets Manager. # # **Related operations** # # * To retrieve the encrypted value you store in the version of a # secret, use GetSecretValue. 
@@ -2046,17 +2059,17 @@ # # @option params [String] :client_request_token # (Optional) Specifies a unique identifier for the new version of the # secret. # - # <note markdown="1"> If you use the AWS CLI or one of the AWS SDK to call this operation, - # then you can leave this parameter empty. The CLI or SDK generates a - # random UUID for you and includes that in the request. If you don't - # use the SDK and instead generate a raw HTTP request to the Secrets - # Manager service endpoint, then you must generate a - # `ClientRequestToken` yourself for new versions and include that value - # in the request. + # <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web + # Services SDK to call this operation, then you can leave this parameter + # empty. The CLI or SDK generates a random UUID for you and includes + # that in the request. If you don't use the SDK and instead generate a + # raw HTTP request to the Secrets Manager service endpoint, then you + # must generate a `ClientRequestToken` yourself for new versions and + # include that value in the request. # # </note> # # This value helps ensure idempotency. Secrets Manager uses this value # to prevent the accidental creation of duplicate versions if there are @@ -2111,11 +2124,11 @@ # Lambda rotation function knows how to parse. # # For storing multiple values, we recommend that you use a JSON text # string argument and specify key/value pairs. For information on how to # format a JSON parameter for the various command line tool - # environments, see [Using JSON for Parameters][1] in the *AWS CLI User + # environments, see [Using JSON for Parameters][1] in the *CLI User # Guide*. # # For example: # # `[\{"username":"bob"\},\{"password":"abc123xyz456"\}]` 
@@ -2378,20 +2391,21 @@ # rotation. If you do not include the configuration parameters, the # operation starts a rotation with the values already stored in the # secret. After the rotation completes, the protected service and its # clients all use the new version of the secret. # - # This required configuration information includes the ARN of an AWS - # Lambda function and the time between scheduled rotations. The Lambda - # rotation function creates a new version of the secret and creates or - # updates the credentials on the protected service to match. After - # testing the new credentials, the function marks the new secret with - # the staging label `AWSCURRENT` so that your clients all immediately - # begin to use the new version. For more information about rotating - # secrets and how to configure a Lambda function to rotate the secrets - # for your protected service, see [Rotating Secrets in AWS Secrets - # Manager][1] in the *AWS Secrets Manager User Guide*. + # This required configuration information includes the ARN of an Amazon + # Web Services Lambda function and optionally, the time between + # scheduled rotations. The Lambda rotation function creates a new + # version of the secret and creates or updates the credentials on the + # protected service to match. After testing the new credentials, the + # function marks the new secret with the staging label `AWSCURRENT` so + # that your clients all immediately begin to use the new version. For + # more information about rotating secrets and how to configure a Lambda + # function to rotate the secrets for your protected service, see + # [Rotating Secrets in Amazon Web Services Secrets Manager][1] in the + # *Amazon Web Services Secrets Manager User Guide*. # # Secrets Manager schedules the next rotation when the previous one # completes. Secrets Manager schedules the date by adding the rotation # interval (number of days) to the actual date of the last rotation. 
The # service chooses the hour within that 24-hour date window randomly. The @@ -2464,17 +2478,17 @@ # # @option params [String] :client_request_token # (Optional) Specifies a unique identifier for the new version of the # secret that helps ensure idempotency. # - # If you use the AWS CLI or one of the AWS SDK to call this operation, - # then you can leave this parameter empty. The CLI or SDK generates a - # random UUID for you and includes that in the request for this - # parameter. If you don't use the SDK and instead generate a raw HTTP - # request to the Secrets Manager service endpoint, then you must - # generate a `ClientRequestToken` yourself for new versions and include - # that value in the request. + # If you use the Amazon Web Services CLI or one of the Amazon Web + # Services SDK to call this operation, then you can leave this parameter + # empty. The CLI or SDK generates a random UUID for you and includes + # that in the request for this parameter. If you don't use the SDK and + # instead generate a raw HTTP request to the Secrets Manager service + # endpoint, then you must generate a `ClientRequestToken` yourself for + # new versions and include that value in the request. # # You only need to specify your own value if you implement your own # retry logic and want to ensure that a given secret is not created # twice. We recommend that you generate a [UUID-type][1] value to ensure # uniqueness within the specified secret. 
@@ -2574,14 +2588,14 @@ # # * Maximum value length—255 Unicode characters in UTF-8 # # * Tag keys and values are case sensitive. # - # * Do not use the `aws:` prefix in your tag names or values because AWS - # reserves it for AWS use. You can't edit or delete tag names or - # values with this prefix. Tags with this prefix do not count against - # your tags per secret limit. + # * Do not use the `aws:` prefix in your tag names or values because + # Amazon Web Services reserves it for Amazon Web Services use. You + # can't edit or delete tag names or values with this prefix. Tags + # with this prefix do not count against your tags per secret limit. # # * If you use your tagging schema across multiple services and # resources, remember other services might have restrictions on # allowed characters. Generally allowed characters: letters, spaces, # and numbers representable in UTF-8, plus the following special @@ -2637,12 +2651,12 @@ # The tags to attach to the secret. Each element in the list consists of # a `Key` and a `Value`. # # This parameter to the API requires a JSON text string argument. For # information on how to format a JSON parameter for the various command - # line tool environments, see [Using JSON for Parameters][1] in the *AWS - # CLI User Guide*. For the AWS CLI, you can also use the syntax: `--Tags + # line tool environments, see [Using JSON for Parameters][1] in the *CLI + # User Guide*. For the CLI, you can also use the syntax: `--Tags # Key="Key1",Value="Value1" Key="Key2",Value="Value2"[,…]` # # # # [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json 
@@ -2745,12 +2759,12 @@ # A list of tag key names to remove from the secret. You don't specify # the value. Both the key and its associated value are removed. # # This parameter to the API requires a JSON text string argument. For # information on how to format a JSON parameter for the various command - # line tool environments, see [Using JSON for Parameters][1] in the *AWS - # CLI User Guide*. + # line tool environments, see [Using JSON for Parameters][1] in the *CLI + # User Guide*. # # # # [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json # @@ -2794,11 +2808,12 @@ # instead. # # <note markdown="1"> The Secrets Manager console uses only the `SecretString` parameter and # therefore limits you to encrypting and storing only a text string. To # encrypt and store binary data as part of the version of a secret, you - # must use either the AWS CLI or one of the AWS SDKs. + # must use either the Amazon Web Services CLI or one of the Amazon Web + # Services SDKs. # # </note> # # * If a version with a `VersionId` with the same value as the # `ClientRequestToken` parameter already exists, the operation results 
@@ -2809,29 +2824,31 @@ # secret version, Secrets Manager automatically attaches the staging # label `AWSCURRENT` to the new version. # # <note markdown="1"> * If you call an operation to encrypt or decrypt the `SecretString` or # `SecretBinary` for a secret in the same account as the calling user - # and that secret doesn't specify a AWS KMS encryption key, Secrets - # Manager uses the account's default AWS managed customer master key - # (CMK) with the alias `aws/secretsmanager`. If this key doesn't - # already exist in your account then Secrets Manager creates it for - # you automatically. All users and roles in the same AWS account + # and that secret doesn't specify a Amazon Web Services KMS + # encryption key, Secrets Manager uses the account's default Amazon + # Web Services managed customer master key (CMK) with the alias + # `aws/secretsmanager`. If this key doesn't already exist in your + # account then Secrets Manager creates it for you automatically. All + # users and roles in the same Amazon Web Services account # automatically have access to use the default CMK. Note that if an - # Secrets Manager API call results in AWS creating the account's - # AWS-managed CMK, it can result in a one-time significant delay in - # returning the result. + # Secrets Manager API call results in Amazon Web Services creating the + # account's Amazon Web Services-managed CMK, it can result in a + # one-time significant delay in returning the result. # - # * If the secret resides in a different AWS account from the - # credentials calling an API that requires encryption or decryption of - # the secret value then you must create and use a custom AWS KMS CMK - # because you can't access the default CMK for the account using - # credentials from a different AWS account. Store the ARN of the CMK - # in the secret when you create the secret or when you update it by - # including it in the `KMSKeyId`. 
If you call an API that must encrypt - # or decrypt `SecretString` or `SecretBinary` using credentials from a - # different account then the AWS KMS key policy must grant + # * If the secret resides in a different Amazon Web Services account + # from the credentials calling an API that requires encryption or + # decryption of the secret value then you must create and use a custom + # Amazon Web Services KMS CMK because you can't access the default + # CMK for the account using credentials from a different Amazon Web + # Services account. Store the ARN of the CMK in the secret when you + # create the secret or when you update it by including it in the + # `KMSKeyId`. If you call an API that must encrypt or decrypt + # `SecretString` or `SecretBinary` using credentials from a different + # account then the Amazon Web Services KMS key policy must grant # cross-account access to that other account's user or role for both # the kms:GenerateDataKey and kms:Decrypt operations. # # </note> # 
@@ -2839,17 +2856,19 @@ # # To run this command, you must have the following permissions: # # * secretsmanager:UpdateSecret # - # * kms:GenerateDataKey - needed only if you use a custom AWS KMS key to - # encrypt the secret. You do not need this permission to use the - # account's AWS managed CMK for Secrets Manager. + # * kms:GenerateDataKey - needed only if you use a custom Amazon Web + # Services KMS key to encrypt the secret. You do not need this + # permission to use the account's Amazon Web Services managed CMK for + # Secrets Manager. # - # * kms:Decrypt - needed only if you use a custom AWS KMS key to encrypt - # the secret. You do not need this permission to use the account's - # AWS managed CMK for Secrets Manager. + # * kms:Decrypt - needed only if you use a custom Amazon Web Services + # KMS key to encrypt the secret. You do not need this permission to + # use the account's Amazon Web Services managed CMK for Secrets + # Manager. # # **Related operations** # # * To create a new secret, use CreateSecret. # 
@@ -2889,17 +2908,17 @@ # @option params [String] :client_request_token # (Optional) If you want to add a new version to the secret, this # parameter specifies a unique identifier for the new version that helps # ensure idempotency. # - # If you use the AWS CLI or one of the AWS SDK to call this operation, - # then you can leave this parameter empty. The CLI or SDK generates a - # random UUID for you and includes that in the request. If you don't - # use the SDK and instead generate a raw HTTP request to the Secrets - # Manager service endpoint, then you must generate a - # `ClientRequestToken` yourself for new versions and include that value - # in the request. + # If you use the Amazon Web Services CLI or one of the Amazon Web + # Services SDK to call this operation, then you can leave this parameter + # empty. The CLI or SDK generates a random UUID for you and includes + # that in the request. If you don't use the SDK and instead generate a + # raw HTTP request to the Secrets Manager service endpoint, then you + # must generate a `ClientRequestToken` yourself for new versions and + # include that value in the request. # # You typically only need to interact with this value if you implement # your own retry logic and want to ensure that a given secret is not # created twice. We recommend that you generate a [UUID-type][1] value # to ensure uniqueness within the specified secret. 
@@ -2933,13 +2952,13 @@ # @option params [String] :description # (Optional) Specifies an updated user-provided description of the # secret. # # @option params [String] :kms_key_id - # (Optional) Specifies an updated ARN or alias of the AWS KMS customer - # master key (CMK) to be used to encrypt the protected text in new - # versions of this secret. + # (Optional) Specifies an updated ARN or alias of the Amazon Web + # Services KMS customer master key (CMK) to be used to encrypt the + # protected text in new versions of this secret. # # You can only use the account's default CMK to encrypt and decrypt if # you call this operation using credentials from the same account that # owns the secret. If the secret is in a different account, then you # must create a custom CMK and provide the ARN of that CMK in this @@ -2970,11 +2989,11 @@ # Lambda rotation function knows how to parse. # # For storing multiple values, we recommend that you use a JSON text # string argument and specify key/value pairs. For information on how to # format a JSON parameter for the various command line tool - # environments, see [Using JSON for Parameters][1] in the *AWS CLI User + # environments, see [Using JSON for Parameters][1] in the *CLI User # Guide*. For example: # # `[\{"username":"bob"\},\{"password":"abc123xyz456"\}]` # # If your command-line tool or SDK requires quotation marks around the 
@@ -3076,12 +3095,12 @@ # labels are used to track a version as it progresses through the secret # rotation process. You can attach a staging label to only one version # of a secret at a time. If a staging label to be added is already # attached to another version, then it is moved--removed from the other # version first and then attached to this one. For more information - # about staging labels, see [Staging Labels][1] in the *AWS Secrets - # Manager User Guide*. + # about staging labels, see [Staging Labels][1] in the *Amazon Web + # Services Secrets Manager User Guide*. # # The staging labels that you specify in the `VersionStage` parameter # are added to the existing list of staging labels--they don't replace # it. # @@ -3302,15 +3321,15 @@ # # </note> # # @option params [required, String] :resource_policy # A JSON-formatted string constructed according to the grammar and - # syntax for an AWS resource-based policy. The policy in the string - # identifies who can access or manage this secret and its versions. For - # information on how to format a JSON parameter for the various command - # line tool environments, see [Using JSON for Parameters][1] in the *AWS - # CLI User Guide*.publi + # syntax for an Amazon Web Services resource-based policy. The policy in + # the string identifies who can access or manage this secret and its + # versions. For information on how to format a JSON parameter for the + # various command line tool environments, see [Using JSON for + # Parameters][1] in the *CLI User Guide*.publi # # # # [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json # @@ -3370,10 +3389,10 @@ operation: config.api.operation(operation_name), client: self, params: params, config: config) context[:gem_name] = 'aws-sdk-secretsmanager' - context[:gem_version] = '1.47.0' + context[:gem_version] = '1.48.0' Seahorse::Client::Request.new(handlers, context) end # @api private # @deprecated
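Review bot: In the @@ -2839 hunk, the rewritten bullets for kms:GenerateDataKey and kms:Decrypt still say only that the permissions are needed "if you use a custom Amazon Web Services KMS key", without tying that to the cross-account case. The :kms_key_id text in the @@ -2933 hunk says a secret in a different account requires a custom CMK, so for cross-account callers these two permissions are required, not optional. Since the bullets are being reflowed anyway, consider adding a short clause to each pointing at that condition, so a reader building a least-privilege policy from this list does not omit them.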
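Review bot: In the @@ -2889 hunk, the new :client_request_token text reads "one of the Amazon Web Services SDK", which carries over the singular from the old "one of the AWS SDK"; it should be "one of the Amazon Web Services SDKs". The paragraph is being rewrapped in this change, so this is the cheapest place to fix it. The following sentence ("If you don't use the SDK ...") can stay singular.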
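Review bot: In the @@ -2970 hunk, "*AWS CLI User Guide*" becomes "*CLI User Guide*", dropping the vendor name entirely, while the @@ -3076 hunk expands "*AWS Secrets Manager User Guide*" to "*Amazon Web Services Secrets Manager User Guide*". The two guide titles are now renamed by different rules in the same file, and a bare "CLI User Guide" no longer says whose CLI is meant. Suggest applying one convention to both titles; the same "*CLI User Guide*" wording also appears in the @@ -3302 hunk.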
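Review bot: In the @@ -3302 hunk, the added :resource_policy line ends with "in the *CLI User Guide*.publi"; the stray "publi" after the period was present on the removed line ("CLI User Guide*.publi") and has been carried into the new text. It looks like a truncated word and should be dropped, or completed if a sentence was cut off upstream. Separately, the reference link kept as context in this hunk uses http://docs.aws.amazon.com/...; consider switching it to https while this paragraph is being touched.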