From 3f9a4c4fd52828371d8b7d455cd6c2ffa8a6a14c Mon Sep 17 00:00:00 2001
From: awstools
To encrypt the secret with a KMS key other than aws/secretsmanager
, you need kms:GenerateDataKey
and kms:Decrypt
permission to the key.
When you enter commands in a command shell, there is a risk of the command history being accessed or utilities having access to your command parameters. This is a concern if the command includes the value of a secret. Learn how to Mitigate the risks of using command-line tools to store Secrets Manager secrets.
+ *When you enter commands in a command shell, there is a risk of the command history being accessed or utilities having access to your command parameters. This is a concern if the command includes the value of a secret. Learn how to Mitigate the risks of using command-line tools to store Secrets Manager secrets.
+ *kms:GenerateDataKey
, kms:Encrypt
, and
- * kms:Decrypt
permissions on the key. If you change the KMS key and you don't have kms:Encrypt
permission to the new key, Secrets Manager does not re-ecrypt existing secret versions with the new key. For more information, see
+ * kms:Decrypt
permissions on the key. If you change the KMS key and you don't have kms:Encrypt
permission to the new key, Secrets Manager does not re-encrypt existing secret versions with the new key. For more information, see
* Secret encryption and decryption.
+ * When you enter commands in a command shell, there is a risk of the command history being accessed or utilities having access to your command parameters. This is a concern if the command includes the value of a secret. Learn how to Mitigate the risks of using command-line tools to store Secrets Manager secrets.
+ *The ARN, key ID, or alias of the KMS key that Secrets Manager
* uses to encrypt new secret versions as well as any existing versions with the staging labels
- * AWSCURRENT
, AWSPENDING
, or AWSPREVIOUS
. If you don't have kms:Encrypt
permission to the new key, Secrets Manager does not re-ecrypt existing secret versions with the new key. For more information about versions and staging labels, see Concepts: Version.
AWSCURRENT
, AWSPENDING
, or AWSPREVIOUS
. If you don't have kms:Encrypt
permission to the new key, Secrets Manager does not re-encrypt existing secret versions with the new key. For more information about versions and staging labels, see Concepts: Version.
* A key alias is always prefixed by alias/
, for example alias/aws/secretsmanager
.
* For more information, see About aliases.
If you set this to an empty string, Secrets Manager uses the Amazon Web Services managed key diff --git a/codegen/sdk-codegen/aws-models/secrets-manager.json b/codegen/sdk-codegen/aws-models/secrets-manager.json index f4cba1801823..d280cad1906d 100644 --- a/codegen/sdk-codegen/aws-models/secrets-manager.json +++ b/codegen/sdk-codegen/aws-models/secrets-manager.json @@ -350,7 +350,7 @@ } ], "traits": { - "smithy.api#documentation": "
Creates a new secret. A secret can be a password, a set of \n credentials such as a user name and password, an OAuth token, or other secret information \n that you store in an encrypted form in Secrets Manager. The secret also \n includes the connection information to access a database or other service, which Secrets Manager \n doesn't encrypt. A secret in Secrets Manager consists of both the protected secret data and the\n important information needed to manage the secret.
\nFor secrets that use managed rotation, you need to create the secret through the managing service. For more information, see Secrets Manager secrets managed by other Amazon Web Services services.\n\n
\nFor information about creating a secret in the console, see Create a secret.
\nTo create a secret, you can provide the secret value to be encrypted in either the\n SecretString
parameter or the SecretBinary
parameter, but not both. \n If you include SecretString
or SecretBinary
\n then Secrets Manager creates an initial secret version and automatically attaches the staging\n label AWSCURRENT
to it.
For database credentials you want to rotate, for Secrets Manager to be able to rotate the secret,\n you must make sure the JSON you store in the SecretString
matches the JSON structure of\n a database secret.
If you don't specify an KMS encryption key, Secrets Manager uses the Amazon Web Services managed key \n aws/secretsmanager
. If this key \n doesn't already exist in your account, then Secrets Manager creates it for you automatically. All\n users and roles in the Amazon Web Services account automatically have access to use aws/secretsmanager
. \n Creating aws/secretsmanager
can result in a one-time significant delay in returning the \n result.
If the secret is in a different Amazon Web Services account from the credentials calling the API, then \n you can't use aws/secretsmanager
to encrypt the secret, and you must create \n and use a customer managed KMS key.
Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters except SecretBinary
or SecretString
because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.
\n Required permissions: \n secretsmanager:CreateSecret
. If you \n include tags in the secret, you also need secretsmanager:TagResource
. To add replica Regions, you must also have secretsmanager:ReplicateSecretToRegions
.\n For more information, see \n IAM policy actions for Secrets Manager and Authentication \n and access control in Secrets Manager.
To encrypt the secret with a KMS key other than aws/secretsmanager
, you need kms:GenerateDataKey
and kms:Decrypt
permission to the key.
Creates a new secret. A secret can be a password, a set of \n credentials such as a user name and password, an OAuth token, or other secret information \n that you store in an encrypted form in Secrets Manager. The secret also \n includes the connection information to access a database or other service, which Secrets Manager \n doesn't encrypt. A secret in Secrets Manager consists of both the protected secret data and the\n important information needed to manage the secret.
\nFor secrets that use managed rotation, you need to create the secret through the managing service. For more information, see Secrets Manager secrets managed by other Amazon Web Services services.\n\n
\nFor information about creating a secret in the console, see Create a secret.
\nTo create a secret, you can provide the secret value to be encrypted in either the\n SecretString
parameter or the SecretBinary
parameter, but not both. \n If you include SecretString
or SecretBinary
\n then Secrets Manager creates an initial secret version and automatically attaches the staging\n label AWSCURRENT
to it.
For database credentials you want to rotate, for Secrets Manager to be able to rotate the secret,\n you must make sure the JSON you store in the SecretString
matches the JSON structure of\n a database secret.
If you don't specify an KMS encryption key, Secrets Manager uses the Amazon Web Services managed key \n aws/secretsmanager
. If this key \n doesn't already exist in your account, then Secrets Manager creates it for you automatically. All\n users and roles in the Amazon Web Services account automatically have access to use aws/secretsmanager
. \n Creating aws/secretsmanager
can result in a one-time significant delay in returning the \n result.
If the secret is in a different Amazon Web Services account from the credentials calling the API, then \n you can't use aws/secretsmanager
to encrypt the secret, and you must create \n and use a customer managed KMS key.
Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters except SecretBinary
or SecretString
because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.
\n Required permissions: \n secretsmanager:CreateSecret
. If you \n include tags in the secret, you also need secretsmanager:TagResource
. To add replica Regions, you must also have secretsmanager:ReplicateSecretToRegions
.\n For more information, see \n IAM policy actions for Secrets Manager and Authentication \n and access control in Secrets Manager.
To encrypt the secret with a KMS key other than aws/secretsmanager
, you need kms:GenerateDataKey
and kms:Decrypt
permission to the key.
When you enter commands in a command shell, there is a risk of the command history being accessed or utilities having access to your command parameters. This is a concern if the command includes the value of a secret. Learn how to Mitigate the risks of using command-line tools to store Secrets Manager secrets.
\nCreates a new version with a new encrypted secret value and attaches it to the secret. The \n version can contain a new SecretString
value or a new SecretBinary
value.
We recommend you avoid calling PutSecretValue
at a sustained rate of more than \n once every 10 minutes. When you update the secret value, Secrets Manager creates a new version \n of the secret. Secrets Manager removes outdated versions when there are more than 100, but it does not \n remove versions created less than 24 hours ago. If you call PutSecretValue
more \n than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach \n the quota for secret versions.
You can specify the staging labels to attach to the new version in VersionStages
. \n If you don't include VersionStages
, then Secrets Manager automatically\n moves the staging label AWSCURRENT
to this version. If this operation creates \n the first version for the secret, then Secrets Manager\n automatically attaches the staging label AWSCURRENT
to it. \n If this operation moves the staging label AWSCURRENT
from another version to this\n version, then Secrets Manager also automatically moves the staging label AWSPREVIOUS
to\n the version that AWSCURRENT
was removed from.
This operation is idempotent. If you call this operation with a ClientRequestToken
\n that matches an existing version's VersionId, and you specify the\n same secret data, the operation succeeds but does nothing. However, if the secret data is\n different, then the operation fails because you can't modify an existing version; you can\n only create new ones.
Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters except SecretBinary
, SecretString
, or RotationToken
because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.
\n Required permissions: \n secretsmanager:PutSecretValue
. \n For more information, see \n IAM policy actions for Secrets Manager and Authentication \n and access control in Secrets Manager.
Creates a new version with a new encrypted secret value and attaches it to the secret. The \n version can contain a new SecretString
value or a new SecretBinary
value.
We recommend you avoid calling PutSecretValue
at a sustained rate of more than \n once every 10 minutes. When you update the secret value, Secrets Manager creates a new version \n of the secret. Secrets Manager removes outdated versions when there are more than 100, but it does not \n remove versions created less than 24 hours ago. If you call PutSecretValue
more \n than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach \n the quota for secret versions.
You can specify the staging labels to attach to the new version in VersionStages
. \n If you don't include VersionStages
, then Secrets Manager automatically\n moves the staging label AWSCURRENT
to this version. If this operation creates \n the first version for the secret, then Secrets Manager\n automatically attaches the staging label AWSCURRENT
to it. \n If this operation moves the staging label AWSCURRENT
from another version to this\n version, then Secrets Manager also automatically moves the staging label AWSPREVIOUS
to\n the version that AWSCURRENT
was removed from.
This operation is idempotent. If you call this operation with a ClientRequestToken
\n that matches an existing version's VersionId, and you specify the\n same secret data, the operation succeeds but does nothing. However, if the secret data is\n different, then the operation fails because you can't modify an existing version; you can\n only create new ones.
Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters except SecretBinary
, SecretString
, or RotationToken
because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.
\n Required permissions: \n secretsmanager:PutSecretValue
. \n For more information, see \n IAM policy actions for Secrets Manager and Authentication \n and access control in Secrets Manager.
When you enter commands in a command shell, there is a risk of the command history being accessed or utilities having access to your command parameters. This is a concern if the command includes the value of a secret. Learn how to Mitigate the risks of using command-line tools to store Secrets Manager secrets.
\nModifies the details of a secret, including metadata and the secret value. To change the secret value, you can also use PutSecretValue.
\nTo change the rotation configuration of a secret, use RotateSecret instead.
\nTo change a secret so that it is managed by another service, you need to recreate the secret in that service. See Secrets Manager secrets managed by other Amazon Web Services services.
\nWe recommend you avoid calling UpdateSecret
at a sustained rate of more than \n once every 10 minutes. When you call UpdateSecret
to update the secret value, Secrets Manager creates a new version \n of the secret. Secrets Manager removes outdated versions when there are more than 100, but it does not \n remove versions created less than 24 hours ago. If you update the secret value more \n than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach \n the quota for secret versions.
If you include SecretString
or SecretBinary
to create a new\n secret version, Secrets Manager automatically moves the staging label AWSCURRENT
to the new\n version. Then it attaches the label AWSPREVIOUS
\n to the version that AWSCURRENT
was removed from.
If you call this operation with a ClientRequestToken
that matches an existing version's \n VersionId
, the operation results in an error. You can't modify an existing \n version, you can only create a new version. To remove a version, remove all staging labels from it. See \n UpdateSecretVersionStage.
Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters except SecretBinary
or SecretString
because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.
\n Required permissions: \n secretsmanager:UpdateSecret
. \n For more information, see \n IAM policy actions for Secrets Manager and Authentication \n and access control in Secrets Manager. \n If you use a customer managed key, you must also have kms:GenerateDataKey
, kms:Encrypt
, and \n kms:Decrypt
permissions on the key. If you change the KMS key and you don't have kms:Encrypt
permission to the new key, Secrets Manager does not re-ecrypt existing secret versions with the new key. For more information, see \n Secret encryption and decryption.
Modifies the details of a secret, including metadata and the secret value. To change the secret value, you can also use PutSecretValue.
\nTo change the rotation configuration of a secret, use RotateSecret instead.
\nTo change a secret so that it is managed by another service, you need to recreate the secret in that service. See Secrets Manager secrets managed by other Amazon Web Services services.
\nWe recommend you avoid calling UpdateSecret
at a sustained rate of more than \n once every 10 minutes. When you call UpdateSecret
to update the secret value, Secrets Manager creates a new version \n of the secret. Secrets Manager removes outdated versions when there are more than 100, but it does not \n remove versions created less than 24 hours ago. If you update the secret value more \n than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach \n the quota for secret versions.
If you include SecretString
or SecretBinary
to create a new\n secret version, Secrets Manager automatically moves the staging label AWSCURRENT
to the new\n version. Then it attaches the label AWSPREVIOUS
\n to the version that AWSCURRENT
was removed from.
If you call this operation with a ClientRequestToken
that matches an existing version's \n VersionId
, the operation results in an error. You can't modify an existing \n version, you can only create a new version. To remove a version, remove all staging labels from it. See \n UpdateSecretVersionStage.
Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters except SecretBinary
or SecretString
because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.
\n Required permissions: \n secretsmanager:UpdateSecret
. \n For more information, see \n IAM policy actions for Secrets Manager and Authentication \n and access control in Secrets Manager. \n If you use a customer managed key, you must also have kms:GenerateDataKey
, kms:Encrypt
, and \n kms:Decrypt
permissions on the key. If you change the KMS key and you don't have kms:Encrypt
permission to the new key, Secrets Manager does not re-encrypt existing secret versions with the new key. For more information, see \n Secret encryption and decryption.
When you enter commands in a command shell, there is a risk of the command history being accessed or utilities having access to your command parameters. This is a concern if the command includes the value of a secret. Learn how to Mitigate the risks of using command-line tools to store Secrets Manager secrets.
\nThe ARN, key ID, or alias of the KMS key that Secrets Manager \n uses to encrypt new secret versions as well as any existing versions with the staging labels \n AWSCURRENT
, AWSPENDING
, or AWSPREVIOUS
. If you don't have kms:Encrypt
permission to the new key, Secrets Manager does not re-ecrypt existing secret versions with the new key. For more information about versions and staging labels, see Concepts: Version.
A key alias is always prefixed by alias/
, for example alias/aws/secretsmanager
.\n For more information, see About aliases.
If you set this to an empty string, Secrets Manager uses the Amazon Web Services managed key \n aws/secretsmanager
. If this key doesn't already exist in your account, then Secrets Manager \n creates it for you automatically. All users and roles in the Amazon Web Services account automatically have access \n to use aws/secretsmanager
. Creating aws/secretsmanager
can result in a one-time \n significant delay in returning the result.
You can only use the Amazon Web Services managed key aws/secretsmanager
if you call this\n operation using credentials from the same Amazon Web Services account that owns the secret. If the secret is in\n a different account, then you must use a customer managed key and provide the ARN of that KMS key in\n this field. The user making the call must have permissions to both the secret and the KMS key in\n their respective accounts.
The ARN, key ID, or alias of the KMS key that Secrets Manager \n uses to encrypt new secret versions as well as any existing versions with the staging labels \n AWSCURRENT
, AWSPENDING
, or AWSPREVIOUS
. If you don't have kms:Encrypt
permission to the new key, Secrets Manager does not re-encrypt existing secret versions with the new key. For more information about versions and staging labels, see Concepts: Version.
A key alias is always prefixed by alias/
, for example alias/aws/secretsmanager
.\n For more information, see About aliases.
If you set this to an empty string, Secrets Manager uses the Amazon Web Services managed key \n aws/secretsmanager
. If this key doesn't already exist in your account, then Secrets Manager \n creates it for you automatically. All users and roles in the Amazon Web Services account automatically have access \n to use aws/secretsmanager
. Creating aws/secretsmanager
can result in a one-time \n significant delay in returning the result.
You can only use the Amazon Web Services managed key aws/secretsmanager
if you call this\n operation using credentials from the same Amazon Web Services account that owns the secret. If the secret is in\n a different account, then you must use a customer managed key and provide the ARN of that KMS key in\n this field. The user making the call must have permissions to both the secret and the KMS key in\n their respective accounts.