@Generated(value="com.amazonaws:aws-java-sdk-code-generator") public interface AWSSecretsManagerAsync extends AWSSecretsManager
AsyncHandler can be used to receive
notification when an asynchronous operation completes.
Note: Do not directly implement this interface, new methods are added to it regularly. Extend from
AbstractAWSSecretsManagerAsync instead.
Amazon Web Services Secrets Manager provides a service to enable you to store, manage, and retrieve, secrets.
This guide provides descriptions of the Secrets Manager API. For more information about using this service, see the Amazon Web Services Secrets Manager User Guide.
API Version
This version of the Secrets Manager API Reference documents the Secrets Manager API version 2017-10-17.
As an alternative to using the API, you can use one of the Amazon Web Services SDKs, which consist of libraries and sample code for various programming languages and platforms such as Java, Ruby, .NET, iOS, and Android. The SDKs provide a convenient way to create programmatic access to Amazon Web Services Secrets Manager. For example, the SDKs provide cryptographically signing requests, managing errors, and retrying requests automatically. For more information about the Amazon Web Services SDKs, including downloading and installing them, see Tools for Amazon Web Services.
We recommend you use the Amazon Web Services SDKs to make programmatic API calls to Secrets Manager. However, you also can use the Secrets Manager HTTP Query API to make direct calls to the Secrets Manager web service. To learn more about the Secrets Manager HTTP Query API, see Making Query Requests in the Amazon Web Services Secrets Manager User Guide.
Secrets Manager API supports GET and POST requests for all actions, and doesn't require you to use GET for some actions and POST for others. However, GET requests are subject to the limitation size of a URL. Therefore, for operations that require larger sizes, use a POST request.
Support and Feedback for Amazon Web Services Secrets Manager
We welcome your feedback. Send your comments to [email protected], or post your feedback and questions in the Amazon Web Services Secrets Manager Discussion Forum. For more information about the Amazon Web Services Discussion Forums, see Forums Help.
How examples are presented
The JSON that Amazon Web Services Secrets Manager expects as your request parameters and the service returns as a response to HTTP query requests contain single, long strings without line breaks or white space formatting. The JSON shown in the examples displays the code formatted with both line breaks and white space to improve readability. When example input parameters can also cause long strings extending beyond the screen, you can insert line breaks to enhance readability. You should always submit the input as a single JSON text string.
Logging API Requests
Amazon Web Services Secrets Manager supports Amazon Web Services CloudTrail, a service that records Amazon Web Services API calls for your Amazon Web Services account and delivers log files to an Amazon S3 bucket. By using information that's collected by Amazon Web Services CloudTrail, you can determine the requests successfully made to Secrets Manager, who made the request, when it was made, and so on. For more about Amazon Web Services Secrets Manager and support for Amazon Web Services CloudTrail, see Logging Amazon Web Services Secrets Manager Events with Amazon Web Services CloudTrail in the Amazon Web Services Secrets Manager User Guide. To learn more about CloudTrail, including enabling it and find your log files, see the Amazon Web Services CloudTrail User Guide.
ENDPOINT_PREFIX| Modifier and Type | Method and Description |
|---|---|
Future<CancelRotateSecretResult> |
cancelRotateSecretAsync(CancelRotateSecretRequest cancelRotateSecretRequest)
Disables automatic scheduled rotation and cancels the rotation of a secret if currently in progress.
|
Future<CancelRotateSecretResult> |
cancelRotateSecretAsync(CancelRotateSecretRequest cancelRotateSecretRequest,
AsyncHandler<CancelRotateSecretRequest,CancelRotateSecretResult> asyncHandler)
Disables automatic scheduled rotation and cancels the rotation of a secret if currently in progress.
|
Future<CreateSecretResult> |
createSecretAsync(CreateSecretRequest createSecretRequest)
Creates a new secret.
|
Future<CreateSecretResult> |
createSecretAsync(CreateSecretRequest createSecretRequest,
AsyncHandler<CreateSecretRequest,CreateSecretResult> asyncHandler)
Creates a new secret.
|
Future<DeleteResourcePolicyResult> |
deleteResourcePolicyAsync(DeleteResourcePolicyRequest deleteResourcePolicyRequest)
Deletes the resource-based permission policy attached to the secret.
|
Future<DeleteResourcePolicyResult> |
deleteResourcePolicyAsync(DeleteResourcePolicyRequest deleteResourcePolicyRequest,
AsyncHandler<DeleteResourcePolicyRequest,DeleteResourcePolicyResult> asyncHandler)
Deletes the resource-based permission policy attached to the secret.
|
Future<DeleteSecretResult> |
deleteSecretAsync(DeleteSecretRequest deleteSecretRequest)
Deletes an entire secret and all of the versions.
|
Future<DeleteSecretResult> |
deleteSecretAsync(DeleteSecretRequest deleteSecretRequest,
AsyncHandler<DeleteSecretRequest,DeleteSecretResult> asyncHandler)
Deletes an entire secret and all of the versions.
|
Future<DescribeSecretResult> |
describeSecretAsync(DescribeSecretRequest describeSecretRequest)
Retrieves the details of a secret.
|
Future<DescribeSecretResult> |
describeSecretAsync(DescribeSecretRequest describeSecretRequest,
AsyncHandler<DescribeSecretRequest,DescribeSecretResult> asyncHandler)
Retrieves the details of a secret.
|
Future<GetRandomPasswordResult> |
getRandomPasswordAsync(GetRandomPasswordRequest getRandomPasswordRequest)
Generates a random password of the specified complexity.
|
Future<GetRandomPasswordResult> |
getRandomPasswordAsync(GetRandomPasswordRequest getRandomPasswordRequest,
AsyncHandler<GetRandomPasswordRequest,GetRandomPasswordResult> asyncHandler)
Generates a random password of the specified complexity.
|
Future<GetResourcePolicyResult> |
getResourcePolicyAsync(GetResourcePolicyRequest getResourcePolicyRequest)
Retrieves the JSON text of the resource-based policy document attached to the specified secret.
|
Future<GetResourcePolicyResult> |
getResourcePolicyAsync(GetResourcePolicyRequest getResourcePolicyRequest,
AsyncHandler<GetResourcePolicyRequest,GetResourcePolicyResult> asyncHandler)
Retrieves the JSON text of the resource-based policy document attached to the specified secret.
|
Future<GetSecretValueResult> |
getSecretValueAsync(GetSecretValueRequest getSecretValueRequest)
Retrieves the contents of the encrypted fields
SecretString or SecretBinary from the
specified version of a secret, whichever contains content. |
Future<GetSecretValueResult> |
getSecretValueAsync(GetSecretValueRequest getSecretValueRequest,
AsyncHandler<GetSecretValueRequest,GetSecretValueResult> asyncHandler)
Retrieves the contents of the encrypted fields
SecretString or SecretBinary from the
specified version of a secret, whichever contains content. |
Future<ListSecretsResult> |
listSecretsAsync(ListSecretsRequest listSecretsRequest)
Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account.
|
Future<ListSecretsResult> |
listSecretsAsync(ListSecretsRequest listSecretsRequest,
AsyncHandler<ListSecretsRequest,ListSecretsResult> asyncHandler)
Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account.
|
Future<ListSecretVersionIdsResult> |
listSecretVersionIdsAsync(ListSecretVersionIdsRequest listSecretVersionIdsRequest)
Lists all of the versions attached to the specified secret.
|
Future<ListSecretVersionIdsResult> |
listSecretVersionIdsAsync(ListSecretVersionIdsRequest listSecretVersionIdsRequest,
AsyncHandler<ListSecretVersionIdsRequest,ListSecretVersionIdsResult> asyncHandler)
Lists all of the versions attached to the specified secret.
|
Future<PutResourcePolicyResult> |
putResourcePolicyAsync(PutResourcePolicyRequest putResourcePolicyRequest)
Attaches the contents of the specified resource-based permission policy to a secret.
|
Future<PutResourcePolicyResult> |
putResourcePolicyAsync(PutResourcePolicyRequest putResourcePolicyRequest,
AsyncHandler<PutResourcePolicyRequest,PutResourcePolicyResult> asyncHandler)
Attaches the contents of the specified resource-based permission policy to a secret.
|
Future<PutSecretValueResult> |
putSecretValueAsync(PutSecretValueRequest putSecretValueRequest)
Stores a new encrypted secret value in the specified secret.
|
Future<PutSecretValueResult> |
putSecretValueAsync(PutSecretValueRequest putSecretValueRequest,
AsyncHandler<PutSecretValueRequest,PutSecretValueResult> asyncHandler)
Stores a new encrypted secret value in the specified secret.
|
Future<RemoveRegionsFromReplicationResult> |
removeRegionsFromReplicationAsync(RemoveRegionsFromReplicationRequest removeRegionsFromReplicationRequest)
Remove regions from replication.
|
Future<RemoveRegionsFromReplicationResult> |
removeRegionsFromReplicationAsync(RemoveRegionsFromReplicationRequest removeRegionsFromReplicationRequest,
AsyncHandler<RemoveRegionsFromReplicationRequest,RemoveRegionsFromReplicationResult> asyncHandler)
Remove regions from replication.
|
Future<ReplicateSecretToRegionsResult> |
replicateSecretToRegionsAsync(ReplicateSecretToRegionsRequest replicateSecretToRegionsRequest)
Converts an existing secret to a multi-Region secret and begins replication the secret to a list of new regions.
|
Future<ReplicateSecretToRegionsResult> |
replicateSecretToRegionsAsync(ReplicateSecretToRegionsRequest replicateSecretToRegionsRequest,
AsyncHandler<ReplicateSecretToRegionsRequest,ReplicateSecretToRegionsResult> asyncHandler)
Converts an existing secret to a multi-Region secret and begins replication the secret to a list of new regions.
|
Future<RestoreSecretResult> |
restoreSecretAsync(RestoreSecretRequest restoreSecretRequest)
Cancels the scheduled deletion of a secret by removing the
DeletedDate time stamp. |
Future<RestoreSecretResult> |
restoreSecretAsync(RestoreSecretRequest restoreSecretRequest,
AsyncHandler<RestoreSecretRequest,RestoreSecretResult> asyncHandler)
Cancels the scheduled deletion of a secret by removing the
DeletedDate time stamp. |
Future<RotateSecretResult> |
rotateSecretAsync(RotateSecretRequest rotateSecretRequest)
Configures and starts the asynchronous process of rotating this secret.
|
Future<RotateSecretResult> |
rotateSecretAsync(RotateSecretRequest rotateSecretRequest,
AsyncHandler<RotateSecretRequest,RotateSecretResult> asyncHandler)
Configures and starts the asynchronous process of rotating this secret.
|
Future<StopReplicationToReplicaResult> |
stopReplicationToReplicaAsync(StopReplicationToReplicaRequest stopReplicationToReplicaRequest)
Removes the secret from replication and promotes the secret to a regional secret in the replica Region.
|
Future<StopReplicationToReplicaResult> |
stopReplicationToReplicaAsync(StopReplicationToReplicaRequest stopReplicationToReplicaRequest,
AsyncHandler<StopReplicationToReplicaRequest,StopReplicationToReplicaResult> asyncHandler)
Removes the secret from replication and promotes the secret to a regional secret in the replica Region.
|
Future<TagResourceResult> |
tagResourceAsync(TagResourceRequest tagResourceRequest)
Attaches one or more tags, each consisting of a key name and a value, to the specified secret.
|
Future<TagResourceResult> |
tagResourceAsync(TagResourceRequest tagResourceRequest,
AsyncHandler<TagResourceRequest,TagResourceResult> asyncHandler)
Attaches one or more tags, each consisting of a key name and a value, to the specified secret.
|
Future<UntagResourceResult> |
untagResourceAsync(UntagResourceRequest untagResourceRequest)
Removes one or more tags from the specified secret.
|
Future<UntagResourceResult> |
untagResourceAsync(UntagResourceRequest untagResourceRequest,
AsyncHandler<UntagResourceRequest,UntagResourceResult> asyncHandler)
Removes one or more tags from the specified secret.
|
Future<UpdateSecretResult> |
updateSecretAsync(UpdateSecretRequest updateSecretRequest)
Modifies many of the details of the specified secret.
|
Future<UpdateSecretResult> |
updateSecretAsync(UpdateSecretRequest updateSecretRequest,
AsyncHandler<UpdateSecretRequest,UpdateSecretResult> asyncHandler)
Modifies many of the details of the specified secret.
|
Future<UpdateSecretVersionStageResult> |
updateSecretVersionStageAsync(UpdateSecretVersionStageRequest updateSecretVersionStageRequest)
Modifies the staging labels attached to a version of a secret.
|
Future<UpdateSecretVersionStageResult> |
updateSecretVersionStageAsync(UpdateSecretVersionStageRequest updateSecretVersionStageRequest,
AsyncHandler<UpdateSecretVersionStageRequest,UpdateSecretVersionStageResult> asyncHandler)
Modifies the staging labels attached to a version of a secret.
|
Future<ValidateResourcePolicyResult> |
validateResourcePolicyAsync(ValidateResourcePolicyRequest validateResourcePolicyRequest)
Validates that the resource policy does not grant a wide range of IAM principals access to your secret.
|
Future<ValidateResourcePolicyResult> |
validateResourcePolicyAsync(ValidateResourcePolicyRequest validateResourcePolicyRequest,
AsyncHandler<ValidateResourcePolicyRequest,ValidateResourcePolicyResult> asyncHandler)
Validates that the resource policy does not grant a wide range of IAM principals access to your secret.
|
cancelRotateSecret, createSecret, deleteResourcePolicy, deleteSecret, describeSecret, getCachedResponseMetadata, getRandomPassword, getResourcePolicy, getSecretValue, listSecrets, listSecretVersionIds, putResourcePolicy, putSecretValue, removeRegionsFromReplication, replicateSecretToRegions, restoreSecret, rotateSecret, shutdown, stopReplicationToReplica, tagResource, untagResource, updateSecret, updateSecretVersionStage, validateResourcePolicyFuture<CancelRotateSecretResult> cancelRotateSecretAsync(CancelRotateSecretRequest cancelRotateSecretRequest)
Disables automatic scheduled rotation and cancels the rotation of a secret if currently in progress.
To re-enable scheduled rotation, call RotateSecret with AutomaticallyRotateAfterDays set to a
value greater than 0. This immediately rotates your secret and then enables the automatic schedule.
If you cancel a rotation while in progress, it can leave the VersionStage labels in an unexpected
state. Depending on the step of the rotation in progress, you might need to remove the staging label
AWSPENDING from the partially created version, specified by the VersionId response
value. You should also evaluate the partially rotated new version to see if it should be deleted, which you can
do by removing all staging labels from the new version VersionStage field.
To successfully start a rotation, the staging label AWSPENDING must be in one of the following
states:
Not attached to any version at all
Attached to the same version as the staging label AWSCURRENT
If the staging label AWSPENDING attached to a different version than the version with
AWSCURRENT then the attempt to rotate fails.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:CancelRotateSecret
Related operations
To configure rotation for a secret or to manually trigger a rotation, use RotateSecret.
To get the rotation configuration details for a secret, use DescribeSecret.
To list all of the currently available secrets, use ListSecrets.
To list all of the versions currently associated with a secret, use ListSecretVersionIds.
cancelRotateSecretRequest - Future<CancelRotateSecretResult> cancelRotateSecretAsync(CancelRotateSecretRequest cancelRotateSecretRequest, AsyncHandler<CancelRotateSecretRequest,CancelRotateSecretResult> asyncHandler)
Disables automatic scheduled rotation and cancels the rotation of a secret if currently in progress.
To re-enable scheduled rotation, call RotateSecret with AutomaticallyRotateAfterDays set to a
value greater than 0. This immediately rotates your secret and then enables the automatic schedule.
If you cancel a rotation while in progress, it can leave the VersionStage labels in an unexpected
state. Depending on the step of the rotation in progress, you might need to remove the staging label
AWSPENDING from the partially created version, specified by the VersionId response
value. You should also evaluate the partially rotated new version to see if it should be deleted, which you can
do by removing all staging labels from the new version VersionStage field.
To successfully start a rotation, the staging label AWSPENDING must be in one of the following
states:
Not attached to any version at all
Attached to the same version as the staging label AWSCURRENT
If the staging label AWSPENDING attached to a different version than the version with
AWSCURRENT then the attempt to rotate fails.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:CancelRotateSecret
Related operations
To configure rotation for a secret or to manually trigger a rotation, use RotateSecret.
To get the rotation configuration details for a secret, use DescribeSecret.
To list all of the currently available secrets, use ListSecrets.
To list all of the versions currently associated with a secret, use ListSecretVersionIds.
cancelRotateSecretRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<CreateSecretResult> createSecretAsync(CreateSecretRequest createSecretRequest)
Creates a new secret. A secret in Secrets Manager consists of both the protected secret data and the important information needed to manage the secret.
Secrets Manager stores the encrypted secret data in one of a collection of "versions" associated with the secret.
Each version contains a copy of the encrypted secret data. Each version is associated with one or more
"staging labels" that identify where the version is in the rotation cycle. The
SecretVersionsToStages field of the secret contains the mapping of staging labels to the active
versions of the secret. Versions without a staging label are considered deprecated and not included in the list.
You provide the secret data to be encrypted by putting text in either the SecretString parameter or
binary data in the SecretBinary parameter, but not both. If you include SecretString or
SecretBinary then Secrets Manager also creates an initial secret version and automatically attaches
the staging label AWSCURRENT to the new version.
If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a
secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS
encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK)
with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets
Manager creates it for you automatically. All users and roles in the same Amazon Web Services account
automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web
Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in
returning the result.
If the secret resides in a different Amazon Web Services account from the credentials calling an API that
requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services
KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web
Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by
including it in the KMSKeyId. If you call an API that must encrypt or decrypt
SecretString or SecretBinary using credentials from a different account then the Amazon
Web Services KMS key policy must grant cross-account access to that other account's user or role for both the
kms:GenerateDataKey and kms:Decrypt operations.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:CreateSecret
kms:GenerateDataKey - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account default Amazon Web Services managed CMK for Secrets Manager.
kms:Decrypt - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account default Amazon Web Services managed CMK for Secrets Manager.
secretsmanager:TagResource - needed only if you include the Tags parameter.
Related operations
To delete a secret, use DeleteSecret.
To modify an existing secret, use UpdateSecret.
To create a new version of a secret, use PutSecretValue.
To retrieve the encrypted secure string and secure binary values, use GetSecretValue.
To retrieve all other details for a secret, use DescribeSecret. This does not include the encrypted secure string and secure binary values.
To retrieve the list of secret versions associated with the current secret, use DescribeSecret and examine
the SecretVersionsToStages response value.
createSecretRequest - Future<CreateSecretResult> createSecretAsync(CreateSecretRequest createSecretRequest, AsyncHandler<CreateSecretRequest,CreateSecretResult> asyncHandler)
Creates a new secret. A secret in Secrets Manager consists of both the protected secret data and the important information needed to manage the secret.
Secrets Manager stores the encrypted secret data in one of a collection of "versions" associated with the secret.
Each version contains a copy of the encrypted secret data. Each version is associated with one or more
"staging labels" that identify where the version is in the rotation cycle. The
SecretVersionsToStages field of the secret contains the mapping of staging labels to the active
versions of the secret. Versions without a staging label are considered deprecated and not included in the list.
You provide the secret data to be encrypted by putting text in either the SecretString parameter or
binary data in the SecretBinary parameter, but not both. If you include SecretString or
SecretBinary then Secrets Manager also creates an initial secret version and automatically attaches
the staging label AWSCURRENT to the new version.
If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a
secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS
encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK)
with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets
Manager creates it for you automatically. All users and roles in the same Amazon Web Services account
automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web
Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in
returning the result.
If the secret resides in a different Amazon Web Services account from the credentials calling an API that
requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services
KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web
Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by
including it in the KMSKeyId. If you call an API that must encrypt or decrypt
SecretString or SecretBinary using credentials from a different account then the Amazon
Web Services KMS key policy must grant cross-account access to that other account's user or role for both the
kms:GenerateDataKey and kms:Decrypt operations.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:CreateSecret
kms:GenerateDataKey - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account default Amazon Web Services managed CMK for Secrets Manager.
kms:Decrypt - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account default Amazon Web Services managed CMK for Secrets Manager.
secretsmanager:TagResource - needed only if you include the Tags parameter.
Related operations
To delete a secret, use DeleteSecret.
To modify an existing secret, use UpdateSecret.
To create a new version of a secret, use PutSecretValue.
To retrieve the encrypted secure string and secure binary values, use GetSecretValue.
To retrieve all other details for a secret, use DescribeSecret. This does not include the encrypted secure string and secure binary values.
To retrieve the list of secret versions associated with the current secret, use DescribeSecret and examine
the SecretVersionsToStages response value.
createSecretRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<DeleteResourcePolicyResult> deleteResourcePolicyAsync(DeleteResourcePolicyRequest deleteResourcePolicyRequest)
Deletes the resource-based permission policy attached to the secret.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:DeleteResourcePolicy
Related operations
To attach a resource policy to a secret, use PutResourcePolicy.
To retrieve the current resource-based policy attached to a secret, use GetResourcePolicy.
To list all of the currently available secrets, use ListSecrets.
deleteResourcePolicyRequest - Future<DeleteResourcePolicyResult> deleteResourcePolicyAsync(DeleteResourcePolicyRequest deleteResourcePolicyRequest, AsyncHandler<DeleteResourcePolicyRequest,DeleteResourcePolicyResult> asyncHandler)
Deletes the resource-based permission policy attached to the secret.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:DeleteResourcePolicy
Related operations
To attach a resource policy to a secret, use PutResourcePolicy.
To retrieve the current resource-based policy attached to a secret, use GetResourcePolicy.
To list all of the currently available secrets, use ListSecrets.
deleteResourcePolicyRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<DeleteSecretResult> deleteSecretAsync(DeleteSecretRequest deleteSecretRequest)
Deletes an entire secret and all of the versions. You can optionally include a recovery window during which you
can restore the secret. If you don't specify a recovery window value, the operation defaults to 30 days. Secrets
Manager attaches a DeletionDate stamp to the secret that specifies the end of the recovery window.
At the end of the recovery window, Secrets Manager deletes the secret permanently.
At any time before recovery window ends, you can use RestoreSecret to remove the DeletionDate
and cancel the deletion of the secret.
You cannot access the encrypted secret information in any secret scheduled for deletion. If you need to access that information, you must cancel the deletion with RestoreSecret and then retrieve the information.
There is no explicit operation to delete a version of a secret. Instead, remove all staging labels from the
VersionStage field of a version. That marks the version as deprecated and allows Secrets Manager to
delete it as needed. Versions without any staging labels do not show up in ListSecretVersionIds unless you
specify IncludeDeprecated.
The permanent secret deletion at the end of the waiting period is performed as a background task with low priority. There is no guarantee of a specific time after the recovery window for the actual delete operation to occur.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:DeleteSecret
Related operations
To create a secret, use CreateSecret.
To cancel deletion of a version of a secret before the recovery window has expired, use RestoreSecret.
deleteSecretRequest - Future<DeleteSecretResult> deleteSecretAsync(DeleteSecretRequest deleteSecretRequest, AsyncHandler<DeleteSecretRequest,DeleteSecretResult> asyncHandler)
Deletes an entire secret and all of the versions. You can optionally include a recovery window during which you
can restore the secret. If you don't specify a recovery window value, the operation defaults to 30 days. Secrets
Manager attaches a DeletionDate stamp to the secret that specifies the end of the recovery window.
At the end of the recovery window, Secrets Manager deletes the secret permanently.
At any time before recovery window ends, you can use RestoreSecret to remove the DeletionDate
and cancel the deletion of the secret.
You cannot access the encrypted secret information in any secret scheduled for deletion. If you need to access that information, you must cancel the deletion with RestoreSecret and then retrieve the information.
There is no explicit operation to delete a version of a secret. Instead, remove all staging labels from the
VersionStage field of a version. That marks the version as deprecated and allows Secrets Manager to
delete it as needed. Versions without any staging labels do not show up in ListSecretVersionIds unless you
specify IncludeDeprecated.
The permanent secret deletion at the end of the waiting period is performed as a background task with low priority. There is no guarantee of a specific time after the recovery window for the actual delete operation to occur.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:DeleteSecret
Related operations
To create a secret, use CreateSecret.
To cancel deletion of a version of a secret before the recovery window has expired, use RestoreSecret.
deleteSecretRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<DescribeSecretResult> describeSecretAsync(DescribeSecretRequest describeSecretRequest)
Retrieves the details of a secret. It does not include the encrypted fields. Secrets Manager only returns fields populated with a value in the response.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:DescribeSecret
Related operations
To create a secret, use CreateSecret.
To modify a secret, use UpdateSecret.
To retrieve the encrypted secret information in a version of the secret, use GetSecretValue.
To list all of the secrets in the Amazon Web Services account, use ListSecrets.
describeSecretRequest - Future<DescribeSecretResult> describeSecretAsync(DescribeSecretRequest describeSecretRequest, AsyncHandler<DescribeSecretRequest,DescribeSecretResult> asyncHandler)
Retrieves the details of a secret. It does not include the encrypted fields. Secrets Manager only returns fields populated with a value in the response.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:DescribeSecret
Related operations
To create a secret, use CreateSecret.
To modify a secret, use UpdateSecret.
To retrieve the encrypted secret information in a version of the secret, use GetSecretValue.
To list all of the secrets in the Amazon Web Services account, use ListSecrets.
describeSecretRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<GetRandomPasswordResult> getRandomPasswordAsync(GetRandomPasswordRequest getRandomPasswordRequest)
Generates a random password of the specified complexity. This operation is intended for use in the Lambda rotation function. Per best practice, we recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:GetRandomPassword
getRandomPasswordRequest - Future<GetRandomPasswordResult> getRandomPasswordAsync(GetRandomPasswordRequest getRandomPasswordRequest, AsyncHandler<GetRandomPasswordRequest,GetRandomPasswordResult> asyncHandler)
Generates a random password of the specified complexity. This operation is intended for use in the Lambda rotation function. Per best practice, we recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:GetRandomPassword
getRandomPasswordRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<GetResourcePolicyResult> getResourcePolicyAsync(GetResourcePolicyRequest getResourcePolicyRequest)
Retrieves the JSON text of the resource-based policy document attached to the specified secret. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:GetResourcePolicy
Related operations
To attach a resource policy to a secret, use PutResourcePolicy.
To delete the resource-based policy attached to a secret, use DeleteResourcePolicy.
To list all of the currently available secrets, use ListSecrets.
getResourcePolicyRequest - Future<GetResourcePolicyResult> getResourcePolicyAsync(GetResourcePolicyRequest getResourcePolicyRequest, AsyncHandler<GetResourcePolicyRequest,GetResourcePolicyResult> asyncHandler)
Retrieves the JSON text of the resource-based policy document attached to the specified secret. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:GetResourcePolicy
Related operations
To attach a resource policy to a secret, use PutResourcePolicy.
To delete the resource-based policy attached to a secret, use DeleteResourcePolicy.
To list all of the currently available secrets, use ListSecrets.
getResourcePolicyRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<GetSecretValueResult> getSecretValueAsync(GetSecretValueRequest getSecretValueRequest)
Retrieves the contents of the encrypted fields SecretString or SecretBinary from the
specified version of a secret, whichever contains content.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:GetSecretValue
kms:Decrypt - required only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's default Amazon Web Services managed CMK for Secrets Manager.
Related operations
To create a new version of the secret with different encrypted information, use PutSecretValue.
To retrieve the non-encrypted details for the secret, use DescribeSecret.
getSecretValueRequest - Future<GetSecretValueResult> getSecretValueAsync(GetSecretValueRequest getSecretValueRequest, AsyncHandler<GetSecretValueRequest,GetSecretValueResult> asyncHandler)
Retrieves the contents of the encrypted fields SecretString or SecretBinary from the
specified version of a secret, whichever contains content.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:GetSecretValue
kms:Decrypt - required only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's default Amazon Web Services managed CMK for Secrets Manager.
Related operations
To create a new version of the secret with different encrypted information, use PutSecretValue.
To retrieve the non-encrypted details for the secret, use DescribeSecret.
getSecretValueRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<ListSecretVersionIdsResult> listSecretVersionIdsAsync(ListSecretVersionIdsRequest listSecretVersionIdsRequest)
Lists all of the versions attached to the specified secret. The output does not include the
SecretString or SecretBinary fields. By default, the list includes only versions that
have at least one staging label in VersionStage attached.
Always check the NextToken response parameter when calling any of the List* operations.
These operations can occasionally return an empty or shorter than expected list of results even when there more
results become available. When this happens, the NextToken response parameter contains a value to
pass to the next call to the same API to request the next part of the list.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:ListSecretVersionIds
Related operations
To list the secrets in an account, use ListSecrets.
listSecretVersionIdsRequest - Future<ListSecretVersionIdsResult> listSecretVersionIdsAsync(ListSecretVersionIdsRequest listSecretVersionIdsRequest, AsyncHandler<ListSecretVersionIdsRequest,ListSecretVersionIdsResult> asyncHandler)
Lists all of the versions attached to the specified secret. The output does not include the
SecretString or SecretBinary fields. By default, the list includes only versions that
have at least one staging label in VersionStage attached.
Always check the NextToken response parameter when calling any of the List* operations.
These operations can occasionally return an empty or shorter than expected list of results even when there more
results become available. When this happens, the NextToken response parameter contains a value to
pass to the next call to the same API to request the next part of the list.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:ListSecretVersionIds
Related operations
To list the secrets in an account, use ListSecrets.
listSecretVersionIdsRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<ListSecretsResult> listSecretsAsync(ListSecretsRequest listSecretsRequest)
Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account. To list the
versions currently stored for a specific secret, use ListSecretVersionIds. The encrypted fields
SecretString and SecretBinary are not included in the output. To get that information,
call the GetSecretValue operation.
Always check the NextToken response parameter when calling any of the List* operations.
These operations can occasionally return an empty or shorter than expected list of results even when there more
results become available. When this happens, the NextToken response parameter contains a value to
pass to the next call to the same API to request the next part of the list.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:ListSecrets
Related operations
To list the versions attached to a secret, use ListSecretVersionIds.
listSecretsRequest - Future<ListSecretsResult> listSecretsAsync(ListSecretsRequest listSecretsRequest, AsyncHandler<ListSecretsRequest,ListSecretsResult> asyncHandler)
Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account. To list the
versions currently stored for a specific secret, use ListSecretVersionIds. The encrypted fields
SecretString and SecretBinary are not included in the output. To get that information,
call the GetSecretValue operation.
Always check the NextToken response parameter when calling any of the List* operations.
These operations can occasionally return an empty or shorter than expected list of results even when there more
results become available. When this happens, the NextToken response parameter contains a value to
pass to the next call to the same API to request the next part of the list.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:ListSecrets
Related operations
To list the versions attached to a secret, use ListSecretVersionIds.
listSecretsRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<PutResourcePolicyResult> putResourcePolicyAsync(PutResourcePolicyRequest putResourcePolicyRequest)
Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is
optional. Alternatively, you can use IAM identity-based policies that specify the secret's Amazon Resource Name
(ARN) in the policy statement's Resources element. You can also use a combination of both
identity-based and resource-based policies. The affected users and roles receive the permissions that are
permitted by all of the relevant policies. For more information, see Using Resource-Based Policies for Amazon Web Services Secrets Manager. For the complete description of the
Amazon Web Services policy syntax and grammar, see IAM JSON Policy Reference in
the IAM User Guide.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:PutResourcePolicy
Related operations
To retrieve the resource policy attached to a secret, use GetResourcePolicy.
To delete the resource-based policy attached to a secret, use DeleteResourcePolicy.
To list all of the currently available secrets, use ListSecrets.
putResourcePolicyRequest - Future<PutResourcePolicyResult> putResourcePolicyAsync(PutResourcePolicyRequest putResourcePolicyRequest, AsyncHandler<PutResourcePolicyRequest,PutResourcePolicyResult> asyncHandler)
Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is
optional. Alternatively, you can use IAM identity-based policies that specify the secret's Amazon Resource Name
(ARN) in the policy statement's Resources element. You can also use a combination of both
identity-based and resource-based policies. The affected users and roles receive the permissions that are
permitted by all of the relevant policies. For more information, see Using Resource-Based Policies for Amazon Web Services Secrets Manager. For the complete description of the
Amazon Web Services policy syntax and grammar, see IAM JSON Policy Reference in
the IAM User Guide.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:PutResourcePolicy
Related operations
To retrieve the resource policy attached to a secret, use GetResourcePolicy.
To delete the resource-based policy attached to a secret, use DeleteResourcePolicy.
To list all of the currently available secrets, use ListSecrets.
putResourcePolicyRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<PutSecretValueResult> putSecretValueAsync(PutSecretValueRequest putSecretValueRequest)
Stores a new encrypted secret value in the specified secret. To do this, the operation creates a new version and
attaches it to the secret. The version can contain a new SecretString value or a new
SecretBinary value. You can also specify the staging labels that are initially attached to the new
version.
We recommend you avoid calling PutSecretValue at a sustained rate of more than once every 10
minutes. When you update the secret value, Secrets Manager creates a new version of the secret. Secrets Manager
removes outdated versions when there are more than 100, but it does not remove versions created less than 24
hours ago. If you call PutSecretValue more than once every 10 minutes, you create more versions than
Secrets Manager removes, and you will reach the quota for secret versions.
If this operation creates the first version for the secret then Secrets Manager automatically attaches the
staging label AWSCURRENT to the new version.
If you do not specify a value for VersionStages then Secrets Manager automatically moves the staging label
AWSCURRENT to this new version.
If this operation moves the staging label AWSCURRENT from another version to this version, then
Secrets Manager also automatically moves the staging label AWSPREVIOUS to the version that
AWSCURRENT was removed from.
This operation is idempotent. If a version with a VersionId with the same value as the
ClientRequestToken parameter already exists and you specify the same secret data, the operation
succeeds but does nothing. However, if the secret data is different, then the operation fails because you cannot
modify an existing version; you can only create new ones.
If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a
secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS
encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK)
with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets
Manager creates it for you automatically. All users and roles in the same Amazon Web Services account
automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web
Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in
returning the result.
If the secret resides in a different Amazon Web Services account from the credentials calling an API that
requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services
KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web
Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by
including it in the KMSKeyId. If you call an API that must encrypt or decrypt
SecretString or SecretBinary using credentials from a different account then the Amazon
Web Services KMS key policy must grant cross-account access to that other account's user or role for both the
kms:GenerateDataKey and kms:Decrypt operations.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:PutSecretValue
kms:GenerateDataKey - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's default Amazon Web Services managed CMK for Secrets Manager.
Related operations
To retrieve the encrypted value you store in the version of a secret, use GetSecretValue.
To create a secret, use CreateSecret.
To get the details for a secret, use DescribeSecret.
To list the versions attached to a secret, use ListSecretVersionIds.
putSecretValueRequest - Future<PutSecretValueResult> putSecretValueAsync(PutSecretValueRequest putSecretValueRequest, AsyncHandler<PutSecretValueRequest,PutSecretValueResult> asyncHandler)
Stores a new encrypted secret value in the specified secret. To do this, the operation creates a new version and
attaches it to the secret. The version can contain a new SecretString value or a new
SecretBinary value. You can also specify the staging labels that are initially attached to the new
version.
We recommend you avoid calling PutSecretValue at a sustained rate of more than once every 10
minutes. When you update the secret value, Secrets Manager creates a new version of the secret. Secrets Manager
removes outdated versions when there are more than 100, but it does not remove versions created less than 24
hours ago. If you call PutSecretValue more than once every 10 minutes, you create more versions than
Secrets Manager removes, and you will reach the quota for secret versions.
If this operation creates the first version for the secret then Secrets Manager automatically attaches the
staging label AWSCURRENT to the new version.
If you do not specify a value for VersionStages then Secrets Manager automatically moves the staging label
AWSCURRENT to this new version.
If this operation moves the staging label AWSCURRENT from another version to this version, then
Secrets Manager also automatically moves the staging label AWSPREVIOUS to the version that
AWSCURRENT was removed from.
This operation is idempotent. If a version with a VersionId with the same value as the
ClientRequestToken parameter already exists and you specify the same secret data, the operation
succeeds but does nothing. However, if the secret data is different, then the operation fails because you cannot
modify an existing version; you can only create new ones.
If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a
secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS
encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK)
with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets
Manager creates it for you automatically. All users and roles in the same Amazon Web Services account
automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web
Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in
returning the result.
If the secret resides in a different Amazon Web Services account from the credentials calling an API that
requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services
KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web
Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by
including it in the KMSKeyId. If you call an API that must encrypt or decrypt
SecretString or SecretBinary using credentials from a different account then the Amazon
Web Services KMS key policy must grant cross-account access to that other account's user or role for both the
kms:GenerateDataKey and kms:Decrypt operations.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:PutSecretValue
kms:GenerateDataKey - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's default Amazon Web Services managed CMK for Secrets Manager.
Related operations
To retrieve the encrypted value you store in the version of a secret, use GetSecretValue.
To create a secret, use CreateSecret.
To get the details for a secret, use DescribeSecret.
To list the versions attached to a secret, use ListSecretVersionIds.
putSecretValueRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<RemoveRegionsFromReplicationResult> removeRegionsFromReplicationAsync(RemoveRegionsFromReplicationRequest removeRegionsFromReplicationRequest)
Remove regions from replication.
removeRegionsFromReplicationRequest - Future<RemoveRegionsFromReplicationResult> removeRegionsFromReplicationAsync(RemoveRegionsFromReplicationRequest removeRegionsFromReplicationRequest, AsyncHandler<RemoveRegionsFromReplicationRequest,RemoveRegionsFromReplicationResult> asyncHandler)
Remove regions from replication.
removeRegionsFromReplicationRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<ReplicateSecretToRegionsResult> replicateSecretToRegionsAsync(ReplicateSecretToRegionsRequest replicateSecretToRegionsRequest)
Converts an existing secret to a multi-Region secret and begins replication the secret to a list of new regions.
replicateSecretToRegionsRequest - Future<ReplicateSecretToRegionsResult> replicateSecretToRegionsAsync(ReplicateSecretToRegionsRequest replicateSecretToRegionsRequest, AsyncHandler<ReplicateSecretToRegionsRequest,ReplicateSecretToRegionsResult> asyncHandler)
Converts an existing secret to a multi-Region secret and begins replication the secret to a list of new regions.
replicateSecretToRegionsRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<RestoreSecretResult> restoreSecretAsync(RestoreSecretRequest restoreSecretRequest)
Cancels the scheduled deletion of a secret by removing the DeletedDate time stamp. This makes the
secret accessible to query once again.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:RestoreSecret
Related operations
To delete a secret, use DeleteSecret.
restoreSecretRequest - Future<RestoreSecretResult> restoreSecretAsync(RestoreSecretRequest restoreSecretRequest, AsyncHandler<RestoreSecretRequest,RestoreSecretResult> asyncHandler)
Cancels the scheduled deletion of a secret by removing the DeletedDate time stamp. This makes the
secret accessible to query once again.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:RestoreSecret
Related operations
To delete a secret, use DeleteSecret.
restoreSecretRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<RotateSecretResult> rotateSecretAsync(RotateSecretRequest rotateSecretRequest)
Configures and starts the asynchronous process of rotating this secret. If you include the configuration parameters, the operation sets those values for the secret and then immediately starts a rotation. If you do not include the configuration parameters, the operation starts a rotation with the values already stored in the secret. After the rotation completes, the protected service and its clients all use the new version of the secret.
This required configuration information includes the ARN of an Amazon Web Services Lambda function and
optionally, the time between scheduled rotations. The Lambda rotation function creates a new version of the
secret and creates or updates the credentials on the protected service to match. After testing the new
credentials, the function marks the new secret with the staging label AWSCURRENT so that your
clients all immediately begin to use the new version. For more information about rotating secrets and how to
configure a Lambda function to rotate the secrets for your protected service, see Rotating Secrets in
Amazon Web Services Secrets Manager in the Amazon Web Services Secrets Manager User Guide.
Secrets Manager schedules the next rotation when the previous one completes. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour and influenced by a variety of factors that help distribute load.
The rotation function must end with the versions of the secret in one of two states:
The AWSPENDING and AWSCURRENT staging labels are attached to the same version of the
secret, or
The AWSPENDING staging label is not attached to any version of the secret.
If the AWSPENDING staging label is present but not attached to the same version as
AWSCURRENT then any later invocation of RotateSecret assumes that a previous rotation
request is still in progress and returns an error.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:RotateSecret
lambda:InvokeFunction (on the function specified in the secret's metadata)
Related operations
To list the secrets in your account, use ListSecrets.
To get the details for a version of a secret, use DescribeSecret.
To create a new version of a secret, use CreateSecret.
To attach staging labels to or remove staging labels from a version of a secret, use UpdateSecretVersionStage.
rotateSecretRequest - Future<RotateSecretResult> rotateSecretAsync(RotateSecretRequest rotateSecretRequest, AsyncHandler<RotateSecretRequest,RotateSecretResult> asyncHandler)
Configures and starts the asynchronous process of rotating this secret. If you include the configuration parameters, the operation sets those values for the secret and then immediately starts a rotation. If you do not include the configuration parameters, the operation starts a rotation with the values already stored in the secret. After the rotation completes, the protected service and its clients all use the new version of the secret.
This required configuration information includes the ARN of an Amazon Web Services Lambda function and
optionally, the time between scheduled rotations. The Lambda rotation function creates a new version of the
secret and creates or updates the credentials on the protected service to match. After testing the new
credentials, the function marks the new secret with the staging label AWSCURRENT so that your
clients all immediately begin to use the new version. For more information about rotating secrets and how to
configure a Lambda function to rotate the secrets for your protected service, see Rotating Secrets in
Amazon Web Services Secrets Manager in the Amazon Web Services Secrets Manager User Guide.
Secrets Manager schedules the next rotation when the previous one completes. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour and influenced by a variety of factors that help distribute load.
The rotation function must end with the versions of the secret in one of two states:
The AWSPENDING and AWSCURRENT staging labels are attached to the same version of the
secret, or
The AWSPENDING staging label is not attached to any version of the secret.
If the AWSPENDING staging label is present but not attached to the same version as
AWSCURRENT then any later invocation of RotateSecret assumes that a previous rotation
request is still in progress and returns an error.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:RotateSecret
lambda:InvokeFunction (on the function specified in the secret's metadata)
Related operations
To list the secrets in your account, use ListSecrets.
To get the details for a version of a secret, use DescribeSecret.
To create a new version of a secret, use CreateSecret.
To attach staging labels to or remove staging labels from a version of a secret, use UpdateSecretVersionStage.
rotateSecretRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<StopReplicationToReplicaResult> stopReplicationToReplicaAsync(StopReplicationToReplicaRequest stopReplicationToReplicaRequest)
Removes the secret from replication and promotes the secret to a regional secret in the replica Region.
stopReplicationToReplicaRequest - Future<StopReplicationToReplicaResult> stopReplicationToReplicaAsync(StopReplicationToReplicaRequest stopReplicationToReplicaRequest, AsyncHandler<StopReplicationToReplicaRequest,StopReplicationToReplicaResult> asyncHandler)
Removes the secret from replication and promotes the secret to a regional secret in the replica Region.
stopReplicationToReplicaRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<TagResourceResult> tagResourceAsync(TagResourceRequest tagResourceRequest)
Attaches one or more tags, each consisting of a key name and a value, to the specified secret. Tags are part of the secret's overall metadata, and are not associated with any specific version of the secret. This operation only appends tags to the existing list of tags. To remove tags, you must use UntagResource.
The following basic restrictions apply to tags:
Maximum number of tags per secret—50
Maximum key length—127 Unicode characters in UTF-8
Maximum value length—255 Unicode characters in UTF-8
Tag keys and values are case sensitive.
Do not use the aws: prefix in your tag names or values because Amazon Web Services reserves it for
Amazon Web Services use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do
not count against your tags per secret limit.
If you use your tagging schema across multiple services and resources, remember other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
If you use tags as part of your security strategy, then adding or removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:TagResource
Related operations
To remove one or more tags from the collection attached to a secret, use UntagResource.
To view the list of tags attached to a secret, use DescribeSecret.
tagResourceRequest - Future<TagResourceResult> tagResourceAsync(TagResourceRequest tagResourceRequest, AsyncHandler<TagResourceRequest,TagResourceResult> asyncHandler)
Attaches one or more tags, each consisting of a key name and a value, to the specified secret. Tags are part of the secret's overall metadata, and are not associated with any specific version of the secret. This operation only appends tags to the existing list of tags. To remove tags, you must use UntagResource.
The following basic restrictions apply to tags:
Maximum number of tags per secret—50
Maximum key length—127 Unicode characters in UTF-8
Maximum value length—255 Unicode characters in UTF-8
Tag keys and values are case sensitive.
Do not use the aws: prefix in your tag names or values because Amazon Web Services reserves it for
Amazon Web Services use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do
not count against your tags per secret limit.
If you use your tagging schema across multiple services and resources, remember other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
If you use tags as part of your security strategy, then adding or removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:TagResource
Related operations
To remove one or more tags from the collection attached to a secret, use UntagResource.
To view the list of tags attached to a secret, use DescribeSecret.
tagResourceRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<UntagResourceResult> untagResourceAsync(UntagResourceRequest untagResourceRequest)
Removes one or more tags from the specified secret.
This operation is idempotent. If a requested tag is not attached to the secret, no error is returned and the secret metadata is unchanged.
If you use tags as part of your security strategy, then removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:UntagResource
Related operations
To add one or more tags to the collection attached to a secret, use TagResource.
To view the list of tags attached to a secret, use DescribeSecret.
untagResourceRequest - Future<UntagResourceResult> untagResourceAsync(UntagResourceRequest untagResourceRequest, AsyncHandler<UntagResourceRequest,UntagResourceResult> asyncHandler)
Removes one or more tags from the specified secret.
This operation is idempotent. If a requested tag is not attached to the secret, no error is returned and the secret metadata is unchanged.
If you use tags as part of your security strategy, then removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:UntagResource
Related operations
To add one or more tags to the collection attached to a secret, use TagResource.
To view the list of tags attached to a secret, use DescribeSecret.
untagResourceRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<UpdateSecretResult> updateSecretAsync(UpdateSecretRequest updateSecretRequest)
Modifies many of the details of the specified secret.
To change the secret value, you can also use PutSecretValue.
To change the rotation configuration of a secret, use RotateSecret instead.
We recommend you avoid calling UpdateSecret at a sustained rate of more than once every 10 minutes.
When you call UpdateSecret to update the secret value, Secrets Manager creates a new version of the
secret. Secrets Manager removes outdated versions when there are more than 100, but it does not remove versions
created less than 24 hours ago. If you update the secret value more than once every 10 minutes, you create more
versions than Secrets Manager removes, and you will reach the quota for secret versions.
The Secrets Manager console uses only the SecretString parameter and therefore limits you to
encrypting and storing only a text string. To encrypt and store binary data as part of the version of a secret,
you must use either the Amazon Web Services CLI or one of the Amazon Web Services SDKs.
If a version with a VersionId with the same value as the ClientRequestToken parameter
already exists, the operation results in an error. You cannot modify an existing version, you can only create a
new version.
If you include SecretString or SecretBinary to create a new secret version, Secrets
Manager automatically attaches the staging label AWSCURRENT to the new version.
If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a
secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS
encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK)
with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets
Manager creates it for you automatically. All users and roles in the same Amazon Web Services account
automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web
Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in
returning the result.
If the secret resides in a different Amazon Web Services account from the credentials calling an API that
requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services
KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web
Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by
including it in the KMSKeyId. If you call an API that must encrypt or decrypt
SecretString or SecretBinary using credentials from a different account then the Amazon
Web Services KMS key policy must grant cross-account access to that other account's user or role for both the
kms:GenerateDataKey and kms:Decrypt operations.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:UpdateSecret
kms:GenerateDataKey - needed only if you use a custom Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's Amazon Web Services managed CMK for Secrets Manager.
kms:Decrypt - needed only if you use a custom Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's Amazon Web Services managed CMK for Secrets Manager.
Related operations
To create a new secret, use CreateSecret.
To add only a new version to an existing secret, use PutSecretValue.
To get the details for a secret, use DescribeSecret.
To list the versions contained in a secret, use ListSecretVersionIds.
updateSecretRequest - Future<UpdateSecretResult> updateSecretAsync(UpdateSecretRequest updateSecretRequest, AsyncHandler<UpdateSecretRequest,UpdateSecretResult> asyncHandler)
Modifies many of the details of the specified secret.
To change the secret value, you can also use PutSecretValue.
To change the rotation configuration of a secret, use RotateSecret instead.
We recommend you avoid calling UpdateSecret at a sustained rate of more than once every 10 minutes.
When you call UpdateSecret to update the secret value, Secrets Manager creates a new version of the
secret. Secrets Manager removes outdated versions when there are more than 100, but it does not remove versions
created less than 24 hours ago. If you update the secret value more than once every 10 minutes, you create more
versions than Secrets Manager removes, and you will reach the quota for secret versions.
The Secrets Manager console uses only the SecretString parameter and therefore limits you to
encrypting and storing only a text string. To encrypt and store binary data as part of the version of a secret,
you must use either the Amazon Web Services CLI or one of the Amazon Web Services SDKs.
If a version with a VersionId with the same value as the ClientRequestToken parameter
already exists, the operation results in an error. You cannot modify an existing version, you can only create a
new version.
If you include SecretString or SecretBinary to create a new secret version, Secrets
Manager automatically attaches the staging label AWSCURRENT to the new version.
If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a
secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS
encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK)
with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets
Manager creates it for you automatically. All users and roles in the same Amazon Web Services account
automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web
Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in
returning the result.
If the secret resides in a different Amazon Web Services account from the credentials calling an API that
requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services
KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web
Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by
including it in the KMSKeyId. If you call an API that must encrypt or decrypt
SecretString or SecretBinary using credentials from a different account then the Amazon
Web Services KMS key policy must grant cross-account access to that other account's user or role for both the
kms:GenerateDataKey and kms:Decrypt operations.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:UpdateSecret
kms:GenerateDataKey - needed only if you use a custom Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's Amazon Web Services managed CMK for Secrets Manager.
kms:Decrypt - needed only if you use a custom Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's Amazon Web Services managed CMK for Secrets Manager.
Related operations
To create a new secret, use CreateSecret.
To add only a new version to an existing secret, use PutSecretValue.
To get the details for a secret, use DescribeSecret.
To list the versions contained in a secret, use ListSecretVersionIds.
updateSecretRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<UpdateSecretVersionStageResult> updateSecretVersionStageAsync(UpdateSecretVersionStageRequest updateSecretVersionStageRequest)
Modifies the staging labels attached to a version of a secret. Staging labels are used to track a version as it progresses through the secret rotation process. You can attach a staging label to only one version of a secret at a time. If a staging label to be added is already attached to another version, then it is moved--removed from the other version first and then attached to this one. For more information about staging labels, see Staging Labels in the Amazon Web Services Secrets Manager User Guide.
The staging labels that you specify in the VersionStage parameter are added to the existing list of
staging labels--they don't replace it.
You can move the AWSCURRENT staging label to this version by including it in this call.
Whenever you move AWSCURRENT, Secrets Manager automatically moves the label AWSPREVIOUS
to the version that AWSCURRENT was removed from.
If this action results in the last label being removed from a version, then the version is considered to be 'deprecated' and can be deleted by Secrets Manager.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:UpdateSecretVersionStage
Related operations
To get the list of staging labels that are currently associated with a version of a secret, use
DescribeSecret and examine the SecretVersionsToStages response value.
updateSecretVersionStageRequest - Future<UpdateSecretVersionStageResult> updateSecretVersionStageAsync(UpdateSecretVersionStageRequest updateSecretVersionStageRequest, AsyncHandler<UpdateSecretVersionStageRequest,UpdateSecretVersionStageResult> asyncHandler)
Modifies the staging labels attached to a version of a secret. Staging labels are used to track a version as it progresses through the secret rotation process. You can attach a staging label to only one version of a secret at a time. If a staging label to be added is already attached to another version, then it is moved--removed from the other version first and then attached to this one. For more information about staging labels, see Staging Labels in the Amazon Web Services Secrets Manager User Guide.
The staging labels that you specify in the VersionStage parameter are added to the existing list of
staging labels--they don't replace it.
You can move the AWSCURRENT staging label to this version by including it in this call.
Whenever you move AWSCURRENT, Secrets Manager automatically moves the label AWSPREVIOUS
to the version that AWSCURRENT was removed from.
If this action results in the last label being removed from a version, then the version is considered to be 'deprecated' and can be deleted by Secrets Manager.
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:UpdateSecretVersionStage
Related operations
To get the list of staging labels that are currently associated with a version of a secret, use
DescribeSecret and examine the SecretVersionsToStages response value.
updateSecretVersionStageRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.Future<ValidateResourcePolicyResult> validateResourcePolicyAsync(ValidateResourcePolicyRequest validateResourcePolicyRequest)
Validates that the resource policy does not grant a wide range of IAM principals access to your secret. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string. A resource-based policy is optional for secrets.
The API performs three checks when validating the secret:
Sends a call to Zelkova, an automated reasoning engine, to ensure your Resource Policy does not allow broad access to your secret.
Checks for correct syntax in a policy.
Verifies the policy does not lock out a caller.
Minimum Permissions
You must have the permissions required to access the following APIs:
secretsmanager:PutResourcePolicy
secretsmanager:ValidateResourcePolicy
validateResourcePolicyRequest - Future<ValidateResourcePolicyResult> validateResourcePolicyAsync(ValidateResourcePolicyRequest validateResourcePolicyRequest, AsyncHandler<ValidateResourcePolicyRequest,ValidateResourcePolicyResult> asyncHandler)
Validates that the resource policy does not grant a wide range of IAM principals access to your secret. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string. A resource-based policy is optional for secrets.
The API performs three checks when validating the secret:
Sends a call to Zelkova, an automated reasoning engine, to ensure your Resource Policy does not allow broad access to your secret.
Checks for correct syntax in a policy.
Verifies the policy does not lock out a caller.
Minimum Permissions
You must have the permissions required to access the following APIs:
secretsmanager:PutResourcePolicy
secretsmanager:ValidateResourcePolicy
validateResourcePolicyRequest - asyncHandler - Asynchronous callback handler for events in the lifecycle of the request. Users can provide an
implementation of the callback methods in this interface to receive notification of successful or
unsuccessful completion of the operation.