software.amazon.awssdk.services.secretsmanager

Interface SecretsManagerClient

All Superinterfaces:

AutoCloseable, SdkAutoCloseable, SdkClient

@Generated(value="software.amazon.awssdk:codegen")
 @ThreadSafe
public interface SecretsManagerClient
extends SdkClient

Service client for accessing AWS Secrets Manager. This can be created using the static builder() method. Amazon Web Services Secrets Manager

Amazon Web Services Secrets Manager provides a service to enable you to store, manage, and retrieve, secrets.

This guide provides descriptions of the Secrets Manager API. For more information about using this service, see the Amazon Web Services Secrets Manager User Guide.

API Version

This version of the Secrets Manager API Reference documents the Secrets Manager API version 2017-10-17.

As an alternative to using the API, you can use one of the Amazon Web Services SDKs, which consist of libraries and sample code for various programming languages and platforms such as Java, Ruby, .NET, iOS, and Android. The SDKs provide a convenient way to create programmatic access to Amazon Web Services Secrets Manager. For example, the SDKs provide cryptographically signing requests, managing errors, and retrying requests automatically. For more information about the Amazon Web Services SDKs, including downloading and installing them, see Tools for Amazon Web Services.

We recommend you use the Amazon Web Services SDKs to make programmatic API calls to Secrets Manager. However, you also can use the Secrets Manager HTTP Query API to make direct calls to the Secrets Manager web service. To learn more about the Secrets Manager HTTP Query API, see Making Query Requests in the Amazon Web Services Secrets Manager User Guide.

Secrets Manager API supports GET and POST requests for all actions, and doesn't require you to use GET for some actions and POST for others. However, GET requests are subject to the limitation size of a URL. Therefore, for operations that require larger sizes, use a POST request.

Support and Feedback for Amazon Web Services Secrets Manager

We welcome your feedback. Send your comments to awssecretsmanager-feedback@amazon.com, or post your feedback and questions in the Amazon Web Services Secrets Manager Discussion Forum. For more information about the Amazon Web Services Discussion Forums, see Forums Help.

How examples are presented

The JSON that Amazon Web Services Secrets Manager expects as your request parameters and the service returns as a response to HTTP query requests contain single, long strings without line breaks or white space formatting. The JSON shown in the examples displays the code formatted with both line breaks and white space to improve readability. When example input parameters can also cause long strings extending beyond the screen, you can insert line breaks to enhance readability. You should always submit the input as a single JSON text string.

Logging API Requests

Amazon Web Services Secrets Manager supports Amazon Web Services CloudTrail, a service that records Amazon Web Services API calls for your Amazon Web Services account and delivers log files to an Amazon S3 bucket. By using information that's collected by Amazon Web Services CloudTrail, you can determine the requests successfully made to Secrets Manager, who made the request, when it was made, and so on. For more about Amazon Web Services Secrets Manager and support for Amazon Web Services CloudTrail, see Logging Amazon Web Services Secrets Manager Events with Amazon Web Services CloudTrail in the Amazon Web Services Secrets Manager User Guide. To learn more about CloudTrail, including enabling it and find your log files, see the Amazon Web Services CloudTrail User Guide.

Field Summary

Fields

Modifier and Type	Field and Description
static String	SERVICE_METADATA_ID Value for looking up the service's metadata from the ServiceMetadataProvider.
static String	SERVICE_NAME

Method Summary

Modifier and Type	Method and Description
static SecretsManagerClientBuilder	builder() Create a builder that can be used to configure and create a SecretsManagerClient.
default CancelRotateSecretResponse	cancelRotateSecret(CancelRotateSecretRequest cancelRotateSecretRequest) Disables automatic scheduled rotation and cancels the rotation of a secret if currently in progress.
default CancelRotateSecretResponse	cancelRotateSecret(Consumer<CancelRotateSecretRequest.Builder> cancelRotateSecretRequest) Disables automatic scheduled rotation and cancels the rotation of a secret if currently in progress.
static SecretsManagerClient	create() Create a SecretsManagerClient with the region loaded from the DefaultAwsRegionProviderChain and credentials loaded from the DefaultCredentialsProvider.
default CreateSecretResponse	createSecret(Consumer<CreateSecretRequest.Builder> createSecretRequest) Creates a new secret.
default CreateSecretResponse	createSecret(CreateSecretRequest createSecretRequest) Creates a new secret.
default DeleteResourcePolicyResponse	deleteResourcePolicy(Consumer<DeleteResourcePolicyRequest.Builder> deleteResourcePolicyRequest) Deletes the resource-based permission policy attached to the secret.
default DeleteResourcePolicyResponse	deleteResourcePolicy(DeleteResourcePolicyRequest deleteResourcePolicyRequest) Deletes the resource-based permission policy attached to the secret.
default DeleteSecretResponse	deleteSecret(Consumer<DeleteSecretRequest.Builder> deleteSecretRequest) Deletes an entire secret and all of the versions.
default DeleteSecretResponse	deleteSecret(DeleteSecretRequest deleteSecretRequest) Deletes an entire secret and all of the versions.
default DescribeSecretResponse	describeSecret(Consumer<DescribeSecretRequest.Builder> describeSecretRequest) Retrieves the details of a secret.
default DescribeSecretResponse	describeSecret(DescribeSecretRequest describeSecretRequest) Retrieves the details of a secret.
default GetRandomPasswordResponse	getRandomPassword() Generates a random password of the specified complexity.
default GetRandomPasswordResponse	getRandomPassword(Consumer<GetRandomPasswordRequest.Builder> getRandomPasswordRequest) Generates a random password of the specified complexity.
default GetRandomPasswordResponse	getRandomPassword(GetRandomPasswordRequest getRandomPasswordRequest) Generates a random password of the specified complexity.
default GetResourcePolicyResponse	getResourcePolicy(Consumer<GetResourcePolicyRequest.Builder> getResourcePolicyRequest) Retrieves the JSON text of the resource-based policy document attached to the specified secret.
default GetResourcePolicyResponse	getResourcePolicy(GetResourcePolicyRequest getResourcePolicyRequest) Retrieves the JSON text of the resource-based policy document attached to the specified secret.
default GetSecretValueResponse	getSecretValue(Consumer<GetSecretValueRequest.Builder> getSecretValueRequest) Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.
default GetSecretValueResponse	getSecretValue(GetSecretValueRequest getSecretValueRequest) Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.
default ListSecretsResponse	listSecrets() Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account.
default ListSecretsResponse	listSecrets(Consumer<ListSecretsRequest.Builder> listSecretsRequest) Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account.
default ListSecretsResponse	listSecrets(ListSecretsRequest listSecretsRequest) Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account.
default ListSecretsIterable	listSecretsPaginator() Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account.
default ListSecretsIterable	listSecretsPaginator(Consumer<ListSecretsRequest.Builder> listSecretsRequest) Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account.
default ListSecretsIterable	listSecretsPaginator(ListSecretsRequest listSecretsRequest) Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account.
default ListSecretVersionIdsResponse	listSecretVersionIds(Consumer<ListSecretVersionIdsRequest.Builder> listSecretVersionIdsRequest) Lists all of the versions attached to the specified secret.
default ListSecretVersionIdsResponse	listSecretVersionIds(ListSecretVersionIdsRequest listSecretVersionIdsRequest) Lists all of the versions attached to the specified secret.
default ListSecretVersionIdsIterable	listSecretVersionIdsPaginator(Consumer<ListSecretVersionIdsRequest.Builder> listSecretVersionIdsRequest) Lists all of the versions attached to the specified secret.
default ListSecretVersionIdsIterable	listSecretVersionIdsPaginator(ListSecretVersionIdsRequest listSecretVersionIdsRequest) Lists all of the versions attached to the specified secret.
default PutResourcePolicyResponse	putResourcePolicy(Consumer<PutResourcePolicyRequest.Builder> putResourcePolicyRequest) Attaches the contents of the specified resource-based permission policy to a secret.
default PutResourcePolicyResponse	putResourcePolicy(PutResourcePolicyRequest putResourcePolicyRequest) Attaches the contents of the specified resource-based permission policy to a secret.
default PutSecretValueResponse	putSecretValue(Consumer<PutSecretValueRequest.Builder> putSecretValueRequest) Stores a new encrypted secret value in the specified secret.
default PutSecretValueResponse	putSecretValue(PutSecretValueRequest putSecretValueRequest) Stores a new encrypted secret value in the specified secret.
default RemoveRegionsFromReplicationResponse	removeRegionsFromReplication(Consumer<RemoveRegionsFromReplicationRequest.Builder> removeRegionsFromReplicationRequest) Remove regions from replication.
default RemoveRegionsFromReplicationResponse	removeRegionsFromReplication(RemoveRegionsFromReplicationRequest removeRegionsFromReplicationRequest) Remove regions from replication.
default ReplicateSecretToRegionsResponse	replicateSecretToRegions(Consumer<ReplicateSecretToRegionsRequest.Builder> replicateSecretToRegionsRequest) Converts an existing secret to a multi-Region secret and begins replication the secret to a list of new regions.
default ReplicateSecretToRegionsResponse	replicateSecretToRegions(ReplicateSecretToRegionsRequest replicateSecretToRegionsRequest) Converts an existing secret to a multi-Region secret and begins replication the secret to a list of new regions.
default RestoreSecretResponse	restoreSecret(Consumer<RestoreSecretRequest.Builder> restoreSecretRequest) Cancels the scheduled deletion of a secret by removing the DeletedDate time stamp.
default RestoreSecretResponse	restoreSecret(RestoreSecretRequest restoreSecretRequest) Cancels the scheduled deletion of a secret by removing the DeletedDate time stamp.
default RotateSecretResponse	rotateSecret(Consumer<RotateSecretRequest.Builder> rotateSecretRequest) Configures and starts the asynchronous process of rotating this secret.
default RotateSecretResponse	rotateSecret(RotateSecretRequest rotateSecretRequest) Configures and starts the asynchronous process of rotating this secret.
static ServiceMetadata	serviceMetadata()
default StopReplicationToReplicaResponse	stopReplicationToReplica(Consumer<StopReplicationToReplicaRequest.Builder> stopReplicationToReplicaRequest) Removes the secret from replication and promotes the secret to a regional secret in the replica Region.
default StopReplicationToReplicaResponse	stopReplicationToReplica(StopReplicationToReplicaRequest stopReplicationToReplicaRequest) Removes the secret from replication and promotes the secret to a regional secret in the replica Region.
default TagResourceResponse	tagResource(Consumer<TagResourceRequest.Builder> tagResourceRequest) Attaches one or more tags, each consisting of a key name and a value, to the specified secret.
default TagResourceResponse	tagResource(TagResourceRequest tagResourceRequest) Attaches one or more tags, each consisting of a key name and a value, to the specified secret.
default UntagResourceResponse	untagResource(Consumer<UntagResourceRequest.Builder> untagResourceRequest) Removes one or more tags from the specified secret.
default UntagResourceResponse	untagResource(UntagResourceRequest untagResourceRequest) Removes one or more tags from the specified secret.
default UpdateSecretResponse	updateSecret(Consumer<UpdateSecretRequest.Builder> updateSecretRequest) Modifies many of the details of the specified secret.
default UpdateSecretResponse	updateSecret(UpdateSecretRequest updateSecretRequest) Modifies many of the details of the specified secret.
default UpdateSecretVersionStageResponse	updateSecretVersionStage(Consumer<UpdateSecretVersionStageRequest.Builder> updateSecretVersionStageRequest) Modifies the staging labels attached to a version of a secret.
default UpdateSecretVersionStageResponse	updateSecretVersionStage(UpdateSecretVersionStageRequest updateSecretVersionStageRequest) Modifies the staging labels attached to a version of a secret.
default ValidateResourcePolicyResponse	validateResourcePolicy(Consumer<ValidateResourcePolicyRequest.Builder> validateResourcePolicyRequest) Validates that the resource policy does not grant a wide range of IAM principals access to your secret.
default ValidateResourcePolicyResponse	validateResourcePolicy(ValidateResourcePolicyRequest validateResourcePolicyRequest) Validates that the resource policy does not grant a wide range of IAM principals access to your secret.

Methods inherited from interface software.amazon.awssdk.core.SdkClient

serviceName

Methods inherited from interface software.amazon.awssdk.utils.SdkAutoCloseable

close

Field Detail

SERVICE_NAME

static final String SERVICE_NAME

See Also:

Constant Field Values

SERVICE_METADATA_ID

static final String SERVICE_METADATA_ID

Value for looking up the service's metadata from the ServiceMetadataProvider.

See Also:

Constant Field Values

Method Detail

create

static SecretsManagerClient create()

Create a SecretsManagerClient with the region loaded from the DefaultAwsRegionProviderChain and credentials loaded from the DefaultCredentialsProvider.

builder

static SecretsManagerClientBuilder builder()

Create a builder that can be used to configure and create a SecretsManagerClient.

cancelRotateSecret

default CancelRotateSecretResponse cancelRotateSecret(CancelRotateSecretRequest cancelRotateSecretRequest)
                                               throws ResourceNotFoundException,
                                                      InvalidParameterException,
                                                      InternalServiceErrorException,
                                                      InvalidRequestException,
                                                      AwsServiceException,
                                                      SdkClientException,
                                                      SecretsManagerException

Disables automatic scheduled rotation and cancels the rotation of a secret if currently in progress.

To re-enable scheduled rotation, call RotateSecret with AutomaticallyRotateAfterDays set to a value greater than 0. This immediately rotates your secret and then enables the automatic schedule.

If you cancel a rotation while in progress, it can leave the VersionStage labels in an unexpected state. Depending on the step of the rotation in progress, you might need to remove the staging label AWSPENDING from the partially created version, specified by the VersionId response value. You should also evaluate the partially rotated new version to see if it should be deleted, which you can do by removing all staging labels from the new version VersionStage field.

To successfully start a rotation, the staging label AWSPENDING must be in one of the following states:

• Not attached to any version at all

• Attached to the same version as the staging label AWSCURRENT

If the staging label AWSPENDING attached to a different version than the version with AWSCURRENT then the attempt to rotate fails.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:CancelRotateSecret

Related operations

• To configure rotation for a secret or to manually trigger a rotation, use RotateSecret.

• To get the rotation configuration details for a secret, use DescribeSecret.

• To list all of the currently available secrets, use ListSecrets.

• To list all of the versions currently associated with a secret, use ListSecretVersionIds.

Parameters:

cancelRotateSecretRequest -

Returns:

Result of the CancelRotateSecret operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

cancelRotateSecret

default CancelRotateSecretResponse cancelRotateSecret(Consumer<CancelRotateSecretRequest.Builder> cancelRotateSecretRequest)
                                               throws ResourceNotFoundException,
                                                      InvalidParameterException,
                                                      InternalServiceErrorException,
                                                      InvalidRequestException,
                                                      AwsServiceException,
                                                      SdkClientException,
                                                      SecretsManagerException

Disables automatic scheduled rotation and cancels the rotation of a secret if currently in progress.

To re-enable scheduled rotation, call RotateSecret with AutomaticallyRotateAfterDays set to a value greater than 0. This immediately rotates your secret and then enables the automatic schedule.

If you cancel a rotation while in progress, it can leave the VersionStage labels in an unexpected state. Depending on the step of the rotation in progress, you might need to remove the staging label AWSPENDING from the partially created version, specified by the VersionId response value. You should also evaluate the partially rotated new version to see if it should be deleted, which you can do by removing all staging labels from the new version VersionStage field.

To successfully start a rotation, the staging label AWSPENDING must be in one of the following states:

• Not attached to any version at all

• Attached to the same version as the staging label AWSCURRENT

If the staging label AWSPENDING attached to a different version than the version with AWSCURRENT then the attempt to rotate fails.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:CancelRotateSecret

Related operations

• To configure rotation for a secret or to manually trigger a rotation, use RotateSecret.

• To get the rotation configuration details for a secret, use DescribeSecret.

• To list all of the currently available secrets, use ListSecrets.

• To list all of the versions currently associated with a secret, use ListSecretVersionIds.

This is a convenience which creates an instance of the CancelRotateSecretRequest.Builder avoiding the need to create one manually via CancelRotateSecretRequest.builder()

Parameters:

cancelRotateSecretRequest - A Consumer that will call methods on CancelRotateSecretRequest.Builder to create a request.

Returns:

Result of the CancelRotateSecret operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

createSecret

default CreateSecretResponse createSecret(CreateSecretRequest createSecretRequest)
                                   throws InvalidParameterException,
                                          InvalidRequestException,
                                          LimitExceededException,
                                          EncryptionFailureException,
                                          ResourceExistsException,
                                          ResourceNotFoundException,
                                          MalformedPolicyDocumentException,
                                          InternalServiceErrorException,
                                          PreconditionNotMetException,
                                          AwsServiceException,
                                          SdkClientException,
                                          SecretsManagerException

Creates a new secret. A secret in Secrets Manager consists of both the protected secret data and the important information needed to manage the secret.

Secrets Manager stores the encrypted secret data in one of a collection of "versions" associated with the secret. Each version contains a copy of the encrypted secret data. Each version is associated with one or more "staging labels" that identify where the version is in the rotation cycle. The SecretVersionsToStages field of the secret contains the mapping of staging labels to the active versions of the secret. Versions without a staging label are considered deprecated and not included in the list.

You provide the secret data to be encrypted by putting text in either the SecretString parameter or binary data in the SecretBinary parameter, but not both. If you include SecretString or SecretBinary then Secrets Manager also creates an initial secret version and automatically attaches the staging label AWSCURRENT to the new version.

• If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK) with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets Manager creates it for you automatically. All users and roles in the same Amazon Web Services account automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in returning the result.

• If the secret resides in a different Amazon Web Services account from the credentials calling an API that requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId. If you call an API that must encrypt or decrypt SecretString or SecretBinary using credentials from a different account then the Amazon Web Services KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:CreateSecret

• kms:GenerateDataKey - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account default Amazon Web Services managed CMK for Secrets Manager.

• kms:Decrypt - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account default Amazon Web Services managed CMK for Secrets Manager.

• secretsmanager:TagResource - needed only if you include the Tags parameter.

Related operations

• To delete a secret, use DeleteSecret.

• To modify an existing secret, use UpdateSecret.

• To create a new version of a secret, use PutSecretValue.

• To retrieve the encrypted secure string and secure binary values, use GetSecretValue.

• To retrieve all other details for a secret, use DescribeSecret. This does not include the encrypted secure string and secure binary values.

• To retrieve the list of secret versions associated with the current secret, use DescribeSecret and examine the SecretVersionsToStages response value.

Parameters:

createSecretRequest -

Returns:

Result of the CreateSecret operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

LimitExceededException - The request failed because it would exceed one of the Secrets Manager internal limits.

EncryptionFailureException - Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the customer master key (CMK) is available, enabled, and not in an invalid state. For more information, see How Key State Affects Use of a Customer Master Key.

ResourceExistsException - A resource with the ID you requested already exists.

ResourceNotFoundException - We can't find the resource that you asked for.

MalformedPolicyDocumentException - You provided a resource-based policy with syntax errors.

InternalServiceErrorException - An error occurred on the server side.

PreconditionNotMetException - The request failed because you did not complete all the prerequisite steps.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

createSecret

default CreateSecretResponse createSecret(Consumer<CreateSecretRequest.Builder> createSecretRequest)
                                   throws InvalidParameterException,
                                          InvalidRequestException,
                                          LimitExceededException,
                                          EncryptionFailureException,
                                          ResourceExistsException,
                                          ResourceNotFoundException,
                                          MalformedPolicyDocumentException,
                                          InternalServiceErrorException,
                                          PreconditionNotMetException,
                                          AwsServiceException,
                                          SdkClientException,
                                          SecretsManagerException

Creates a new secret. A secret in Secrets Manager consists of both the protected secret data and the important information needed to manage the secret.

Secrets Manager stores the encrypted secret data in one of a collection of "versions" associated with the secret. Each version contains a copy of the encrypted secret data. Each version is associated with one or more "staging labels" that identify where the version is in the rotation cycle. The SecretVersionsToStages field of the secret contains the mapping of staging labels to the active versions of the secret. Versions without a staging label are considered deprecated and not included in the list.

You provide the secret data to be encrypted by putting text in either the SecretString parameter or binary data in the SecretBinary parameter, but not both. If you include SecretString or SecretBinary then Secrets Manager also creates an initial secret version and automatically attaches the staging label AWSCURRENT to the new version.

• If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK) with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets Manager creates it for you automatically. All users and roles in the same Amazon Web Services account automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in returning the result.

• If the secret resides in a different Amazon Web Services account from the credentials calling an API that requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId. If you call an API that must encrypt or decrypt SecretString or SecretBinary using credentials from a different account then the Amazon Web Services KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:CreateSecret

• kms:GenerateDataKey - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account default Amazon Web Services managed CMK for Secrets Manager.

• kms:Decrypt - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account default Amazon Web Services managed CMK for Secrets Manager.

• secretsmanager:TagResource - needed only if you include the Tags parameter.

Related operations

• To delete a secret, use DeleteSecret.

• To modify an existing secret, use UpdateSecret.

• To create a new version of a secret, use PutSecretValue.

• To retrieve the encrypted secure string and secure binary values, use GetSecretValue.

• To retrieve all other details for a secret, use DescribeSecret. This does not include the encrypted secure string and secure binary values.

• To retrieve the list of secret versions associated with the current secret, use DescribeSecret and examine the SecretVersionsToStages response value.

This is a convenience which creates an instance of the CreateSecretRequest.Builder avoiding the need to create one manually via CreateSecretRequest.builder()

Parameters:

createSecretRequest - A Consumer that will call methods on CreateSecretRequest.Builder to create a request.

Returns:

Result of the CreateSecret operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

LimitExceededException - The request failed because it would exceed one of the Secrets Manager internal limits.

EncryptionFailureException - Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the customer master key (CMK) is available, enabled, and not in an invalid state. For more information, see How Key State Affects Use of a Customer Master Key.

ResourceExistsException - A resource with the ID you requested already exists.

ResourceNotFoundException - We can't find the resource that you asked for.

MalformedPolicyDocumentException - You provided a resource-based policy with syntax errors.

InternalServiceErrorException - An error occurred on the server side.

PreconditionNotMetException - The request failed because you did not complete all the prerequisite steps.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

deleteResourcePolicy

default DeleteResourcePolicyResponse deleteResourcePolicy(DeleteResourcePolicyRequest deleteResourcePolicyRequest)
                                                   throws ResourceNotFoundException,
                                                          InternalServiceErrorException,
                                                          InvalidRequestException,
                                                          InvalidParameterException,
                                                          AwsServiceException,
                                                          SdkClientException,
                                                          SecretsManagerException

Deletes the resource-based permission policy attached to the secret.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:DeleteResourcePolicy

Related operations

• To attach a resource policy to a secret, use PutResourcePolicy.

• To retrieve the current resource-based policy attached to a secret, use GetResourcePolicy.

• To list all of the currently available secrets, use ListSecrets.

Parameters:

deleteResourcePolicyRequest -

Returns:

Result of the DeleteResourcePolicy operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

deleteResourcePolicy

default DeleteResourcePolicyResponse deleteResourcePolicy(Consumer<DeleteResourcePolicyRequest.Builder> deleteResourcePolicyRequest)
                                                   throws ResourceNotFoundException,
                                                          InternalServiceErrorException,
                                                          InvalidRequestException,
                                                          InvalidParameterException,
                                                          AwsServiceException,
                                                          SdkClientException,
                                                          SecretsManagerException

Deletes the resource-based permission policy attached to the secret.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:DeleteResourcePolicy

Related operations

• To attach a resource policy to a secret, use PutResourcePolicy.

• To retrieve the current resource-based policy attached to a secret, use GetResourcePolicy.

• To list all of the currently available secrets, use ListSecrets.

This is a convenience which creates an instance of the DeleteResourcePolicyRequest.Builder avoiding the need to create one manually via DeleteResourcePolicyRequest.builder()

Parameters:

deleteResourcePolicyRequest - A Consumer that will call methods on DeleteResourcePolicyRequest.Builder to create a request.

Returns:

Result of the DeleteResourcePolicy operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

deleteSecret

default DeleteSecretResponse deleteSecret(DeleteSecretRequest deleteSecretRequest)
                                   throws ResourceNotFoundException,
                                          InvalidParameterException,
                                          InvalidRequestException,
                                          InternalServiceErrorException,
                                          AwsServiceException,
                                          SdkClientException,
                                          SecretsManagerException

Deletes an entire secret and all of the versions. You can optionally include a recovery window during which you can restore the secret. If you don't specify a recovery window value, the operation defaults to 30 days. Secrets Manager attaches a DeletionDate stamp to the secret that specifies the end of the recovery window. At the end of the recovery window, Secrets Manager deletes the secret permanently.

At any time before recovery window ends, you can use RestoreSecret to remove the DeletionDate and cancel the deletion of the secret.

You cannot access the encrypted secret information in any secret scheduled for deletion. If you need to access that information, you must cancel the deletion with RestoreSecret and then retrieve the information.

• There is no explicit operation to delete a version of a secret. Instead, remove all staging labels from the VersionStage field of a version. That marks the version as deprecated and allows Secrets Manager to delete it as needed. Versions without any staging labels do not show up in ListSecretVersionIds unless you specify IncludeDeprecated.

• The permanent secret deletion at the end of the waiting period is performed as a background task with low priority. There is no guarantee of a specific time after the recovery window for the actual delete operation to occur.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:DeleteSecret

Related operations

• To create a secret, use CreateSecret.

• To cancel deletion of a version of a secret before the recovery window has expired, use RestoreSecret.

Parameters:

deleteSecretRequest -

Returns:

Result of the DeleteSecret operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

deleteSecret

default DeleteSecretResponse deleteSecret(Consumer<DeleteSecretRequest.Builder> deleteSecretRequest)
                                   throws ResourceNotFoundException,
                                          InvalidParameterException,
                                          InvalidRequestException,
                                          InternalServiceErrorException,
                                          AwsServiceException,
                                          SdkClientException,
                                          SecretsManagerException

Deletes an entire secret and all of the versions. You can optionally include a recovery window during which you can restore the secret. If you don't specify a recovery window value, the operation defaults to 30 days. Secrets Manager attaches a DeletionDate stamp to the secret that specifies the end of the recovery window. At the end of the recovery window, Secrets Manager deletes the secret permanently.

At any time before recovery window ends, you can use RestoreSecret to remove the DeletionDate and cancel the deletion of the secret.

You cannot access the encrypted secret information in any secret scheduled for deletion. If you need to access that information, you must cancel the deletion with RestoreSecret and then retrieve the information.

• There is no explicit operation to delete a version of a secret. Instead, remove all staging labels from the VersionStage field of a version. That marks the version as deprecated and allows Secrets Manager to delete it as needed. Versions without any staging labels do not show up in ListSecretVersionIds unless you specify IncludeDeprecated.

• The permanent secret deletion at the end of the waiting period is performed as a background task with low priority. There is no guarantee of a specific time after the recovery window for the actual delete operation to occur.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:DeleteSecret

Related operations

• To create a secret, use CreateSecret.

• To cancel deletion of a version of a secret before the recovery window has expired, use RestoreSecret.

This is a convenience which creates an instance of the DeleteSecretRequest.Builder avoiding the need to create one manually via DeleteSecretRequest.builder()

Parameters:

deleteSecretRequest - A Consumer that will call methods on DeleteSecretRequest.Builder to create a request.

Returns:

Result of the DeleteSecret operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

describeSecret

default DescribeSecretResponse describeSecret(DescribeSecretRequest describeSecretRequest)
                                       throws ResourceNotFoundException,
                                              InternalServiceErrorException,
                                              InvalidParameterException,
                                              AwsServiceException,
                                              SdkClientException,
                                              SecretsManagerException

Retrieves the details of a secret. It does not include the encrypted fields. Secrets Manager only returns fields populated with a value in the response.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:DescribeSecret

Related operations

• To create a secret, use CreateSecret.

• To modify a secret, use UpdateSecret.

• To retrieve the encrypted secret information in a version of the secret, use GetSecretValue.

• To list all of the secrets in the Amazon Web Services account, use ListSecrets.

Parameters:

describeSecretRequest -

Returns:

Result of the DescribeSecret operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

InvalidParameterException - You provided an invalid value for a parameter.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

describeSecret

default DescribeSecretResponse describeSecret(Consumer<DescribeSecretRequest.Builder> describeSecretRequest)
                                       throws ResourceNotFoundException,
                                              InternalServiceErrorException,
                                              InvalidParameterException,
                                              AwsServiceException,
                                              SdkClientException,
                                              SecretsManagerException

Retrieves the details of a secret. It does not include the encrypted fields. Secrets Manager only returns fields populated with a value in the response.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:DescribeSecret

Related operations

• To create a secret, use CreateSecret.

• To modify a secret, use UpdateSecret.

• To retrieve the encrypted secret information in a version of the secret, use GetSecretValue.

• To list all of the secrets in the Amazon Web Services account, use ListSecrets.

This is a convenience which creates an instance of the DescribeSecretRequest.Builder avoiding the need to create one manually via DescribeSecretRequest.builder()

Parameters:

describeSecretRequest - A Consumer that will call methods on DescribeSecretRequest.Builder to create a request.

Returns:

Result of the DescribeSecret operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

InvalidParameterException - You provided an invalid value for a parameter.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

getRandomPassword

default GetRandomPasswordResponse getRandomPassword()
                                             throws InvalidParameterException,
                                                    InvalidRequestException,
                                                    InternalServiceErrorException,
                                                    AwsServiceException,
                                                    SdkClientException,
                                                    SecretsManagerException

Generates a random password of the specified complexity. This operation is intended for use in the Lambda rotation function. Per best practice, we recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:GetRandomPassword

Returns:

Result of the GetRandomPassword operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

getRandomPassword(GetRandomPasswordRequest), AWS API Documentation

getRandomPassword

default GetRandomPasswordResponse getRandomPassword(GetRandomPasswordRequest getRandomPasswordRequest)
                                             throws InvalidParameterException,
                                                    InvalidRequestException,
                                                    InternalServiceErrorException,
                                                    AwsServiceException,
                                                    SdkClientException,
                                                    SecretsManagerException

Generates a random password of the specified complexity. This operation is intended for use in the Lambda rotation function. Per best practice, we recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:GetRandomPassword

Parameters:

getRandomPasswordRequest -

Returns:

Result of the GetRandomPassword operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

getRandomPassword

default GetRandomPasswordResponse getRandomPassword(Consumer<GetRandomPasswordRequest.Builder> getRandomPasswordRequest)
                                             throws InvalidParameterException,
                                                    InvalidRequestException,
                                                    InternalServiceErrorException,
                                                    AwsServiceException,
                                                    SdkClientException,
                                                    SecretsManagerException

Generates a random password of the specified complexity. This operation is intended for use in the Lambda rotation function. Per best practice, we recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:GetRandomPassword

This is a convenience which creates an instance of the GetRandomPasswordRequest.Builder avoiding the need to create one manually via GetRandomPasswordRequest.builder()

Parameters:

getRandomPasswordRequest - A Consumer that will call methods on GetRandomPasswordRequest.Builder to create a request.

Returns:

Result of the GetRandomPassword operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

getResourcePolicy

default GetResourcePolicyResponse getResourcePolicy(GetResourcePolicyRequest getResourcePolicyRequest)
                                             throws ResourceNotFoundException,
                                                    InternalServiceErrorException,
                                                    InvalidRequestException,
                                                    InvalidParameterException,
                                                    AwsServiceException,
                                                    SdkClientException,
                                                    SecretsManagerException

Retrieves the JSON text of the resource-based policy document attached to the specified secret. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:GetResourcePolicy

Related operations

• To attach a resource policy to a secret, use PutResourcePolicy.

• To delete the resource-based policy attached to a secret, use DeleteResourcePolicy.

• To list all of the currently available secrets, use ListSecrets.

Parameters:

getResourcePolicyRequest -

Returns:

Result of the GetResourcePolicy operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

getResourcePolicy

default GetResourcePolicyResponse getResourcePolicy(Consumer<GetResourcePolicyRequest.Builder> getResourcePolicyRequest)
                                             throws ResourceNotFoundException,
                                                    InternalServiceErrorException,
                                                    InvalidRequestException,
                                                    InvalidParameterException,
                                                    AwsServiceException,
                                                    SdkClientException,
                                                    SecretsManagerException

Retrieves the JSON text of the resource-based policy document attached to the specified secret. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:GetResourcePolicy

Related operations

• To attach a resource policy to a secret, use PutResourcePolicy.

• To delete the resource-based policy attached to a secret, use DeleteResourcePolicy.

• To list all of the currently available secrets, use ListSecrets.

This is a convenience which creates an instance of the GetResourcePolicyRequest.Builder avoiding the need to create one manually via GetResourcePolicyRequest.builder()

Parameters:

getResourcePolicyRequest - A Consumer that will call methods on GetResourcePolicyRequest.Builder to create a request.

Returns:

Result of the GetResourcePolicy operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

getSecretValue

default GetSecretValueResponse getSecretValue(GetSecretValueRequest getSecretValueRequest)
                                       throws ResourceNotFoundException,
                                              InvalidParameterException,
                                              InvalidRequestException,
                                              DecryptionFailureException,
                                              InternalServiceErrorException,
                                              AwsServiceException,
                                              SdkClientException,
                                              SecretsManagerException

Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:GetSecretValue

• kms:Decrypt - required only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's default Amazon Web Services managed CMK for Secrets Manager.

Related operations

• To create a new version of the secret with different encrypted information, use PutSecretValue.

• To retrieve the non-encrypted details for the secret, use DescribeSecret.

Parameters:

getSecretValueRequest -

Returns:

Result of the GetSecretValue operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

DecryptionFailureException - Secrets Manager can't decrypt the protected secret text using the provided KMS key.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

getSecretValue

default GetSecretValueResponse getSecretValue(Consumer<GetSecretValueRequest.Builder> getSecretValueRequest)
                                       throws ResourceNotFoundException,
                                              InvalidParameterException,
                                              InvalidRequestException,
                                              DecryptionFailureException,
                                              InternalServiceErrorException,
                                              AwsServiceException,
                                              SdkClientException,
                                              SecretsManagerException

Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:GetSecretValue

• kms:Decrypt - required only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's default Amazon Web Services managed CMK for Secrets Manager.

Related operations

• To create a new version of the secret with different encrypted information, use PutSecretValue.

• To retrieve the non-encrypted details for the secret, use DescribeSecret.

This is a convenience which creates an instance of the GetSecretValueRequest.Builder avoiding the need to create one manually via GetSecretValueRequest.builder()

Parameters:

getSecretValueRequest - A Consumer that will call methods on GetSecretValueRequest.Builder to create a request.

Returns:

Result of the GetSecretValue operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

DecryptionFailureException - Secrets Manager can't decrypt the protected secret text using the provided KMS key.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

listSecretVersionIds

default ListSecretVersionIdsResponse listSecretVersionIds(ListSecretVersionIdsRequest listSecretVersionIdsRequest)
                                                   throws InvalidNextTokenException,
                                                          ResourceNotFoundException,
                                                          InternalServiceErrorException,
                                                          InvalidParameterException,
                                                          AwsServiceException,
                                                          SdkClientException,
                                                          SecretsManagerException

Lists all of the versions attached to the specified secret. The output does not include the SecretString or SecretBinary fields. By default, the list includes only versions that have at least one staging label in VersionStage attached.

Always check the NextToken response parameter when calling any of the List* operations. These operations can occasionally return an empty or shorter than expected list of results even when there more results become available. When this happens, the NextToken response parameter contains a value to pass to the next call to the same API to request the next part of the list.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:ListSecretVersionIds

Related operations

• To list the secrets in an account, use ListSecrets.

Parameters:

listSecretVersionIdsRequest -

Returns:

Result of the ListSecretVersionIds operation returned by the service.

Throws:

InvalidNextTokenException - You provided an invalid NextToken value.

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

InvalidParameterException - You provided an invalid value for a parameter.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

listSecretVersionIds

default ListSecretVersionIdsResponse listSecretVersionIds(Consumer<ListSecretVersionIdsRequest.Builder> listSecretVersionIdsRequest)
                                                   throws InvalidNextTokenException,
                                                          ResourceNotFoundException,
                                                          InternalServiceErrorException,
                                                          InvalidParameterException,
                                                          AwsServiceException,
                                                          SdkClientException,
                                                          SecretsManagerException

Lists all of the versions attached to the specified secret. The output does not include the SecretString or SecretBinary fields. By default, the list includes only versions that have at least one staging label in VersionStage attached.

Always check the NextToken response parameter when calling any of the List* operations. These operations can occasionally return an empty or shorter than expected list of results even when there more results become available. When this happens, the NextToken response parameter contains a value to pass to the next call to the same API to request the next part of the list.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:ListSecretVersionIds

Related operations

• To list the secrets in an account, use ListSecrets.

This is a convenience which creates an instance of the ListSecretVersionIdsRequest.Builder avoiding the need to create one manually via ListSecretVersionIdsRequest.builder()

Parameters:

listSecretVersionIdsRequest - A Consumer that will call methods on ListSecretVersionIdsRequest.Builder to create a request.

Returns:

Result of the ListSecretVersionIds operation returned by the service.

Throws:

InvalidNextTokenException - You provided an invalid NextToken value.

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

InvalidParameterException - You provided an invalid value for a parameter.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

listSecretVersionIdsPaginator

default ListSecretVersionIdsIterable listSecretVersionIdsPaginator(ListSecretVersionIdsRequest listSecretVersionIdsRequest)
                                                            throws InvalidNextTokenException,
                                                                   ResourceNotFoundException,
                                                                   InternalServiceErrorException,
                                                                   InvalidParameterException,
                                                                   AwsServiceException,
                                                                   SdkClientException,
                                                                   SecretsManagerException

Lists all of the versions attached to the specified secret. The output does not include the SecretString or SecretBinary fields. By default, the list includes only versions that have at least one staging label in VersionStage attached.

Always check the NextToken response parameter when calling any of the List* operations. These operations can occasionally return an empty or shorter than expected list of results even when there more results become available. When this happens, the NextToken response parameter contains a value to pass to the next call to the same API to request the next part of the list.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:ListSecretVersionIds

Related operations

• To list the secrets in an account, use ListSecrets.

This is a variant of listSecretVersionIds(software.amazon.awssdk.services.secretsmanager.model.ListSecretVersionIdsRequest) operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle making service calls for you.

When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response pages by making service calls until there are no pages left or your iteration stops. If there are errors in your request, you will see the failures only after you start iterating through the iterable.

The following are few ways to iterate through the response pages:

1) Using a Stream

 
 software.amazon.awssdk.services.secretsmanager.paginators.ListSecretVersionIdsIterable responses = client.listSecretVersionIdsPaginator(request);
 responses.stream().forEach(....);
 
 

2) Using For loop

 {
     @code
     software.amazon.awssdk.services.secretsmanager.paginators.ListSecretVersionIdsIterable responses = client
             .listSecretVersionIdsPaginator(request);
     for (software.amazon.awssdk.services.secretsmanager.model.ListSecretVersionIdsResponse response : responses) {
         // do something;
     }
 }
 

3) Use iterator directly

 
 software.amazon.awssdk.services.secretsmanager.paginators.ListSecretVersionIdsIterable responses = client.listSecretVersionIdsPaginator(request);
 responses.iterator().forEachRemaining(....);
 
 

Please notice that the configuration of MaxResults won't limit the number of results you get with the paginator. It only limits the number of results in each page.

Note: If you prefer to have control on service calls, use the listSecretVersionIds(software.amazon.awssdk.services.secretsmanager.model.ListSecretVersionIdsRequest) operation.

Parameters:

listSecretVersionIdsRequest -

Returns:

A custom iterable that can be used to iterate through all the response pages.

Throws:

InvalidNextTokenException - You provided an invalid NextToken value.

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

InvalidParameterException - You provided an invalid value for a parameter.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

listSecretVersionIdsPaginator

default ListSecretVersionIdsIterable listSecretVersionIdsPaginator(Consumer<ListSecretVersionIdsRequest.Builder> listSecretVersionIdsRequest)
                                                            throws InvalidNextTokenException,
                                                                   ResourceNotFoundException,
                                                                   InternalServiceErrorException,
                                                                   InvalidParameterException,
                                                                   AwsServiceException,
                                                                   SdkClientException,
                                                                   SecretsManagerException

Lists all of the versions attached to the specified secret. The output does not include the SecretString or SecretBinary fields. By default, the list includes only versions that have at least one staging label in VersionStage attached.

Always check the NextToken response parameter when calling any of the List* operations. These operations can occasionally return an empty or shorter than expected list of results even when there more results become available. When this happens, the NextToken response parameter contains a value to pass to the next call to the same API to request the next part of the list.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:ListSecretVersionIds

Related operations

• To list the secrets in an account, use ListSecrets.

This is a variant of listSecretVersionIds(software.amazon.awssdk.services.secretsmanager.model.ListSecretVersionIdsRequest) operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle making service calls for you.

When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response pages by making service calls until there are no pages left or your iteration stops. If there are errors in your request, you will see the failures only after you start iterating through the iterable.

The following are few ways to iterate through the response pages:

1) Using a Stream

 
 software.amazon.awssdk.services.secretsmanager.paginators.ListSecretVersionIdsIterable responses = client.listSecretVersionIdsPaginator(request);
 responses.stream().forEach(....);
 
 

2) Using For loop

 {
     @code
     software.amazon.awssdk.services.secretsmanager.paginators.ListSecretVersionIdsIterable responses = client
             .listSecretVersionIdsPaginator(request);
     for (software.amazon.awssdk.services.secretsmanager.model.ListSecretVersionIdsResponse response : responses) {
         // do something;
     }
 }
 

3) Use iterator directly

 
 software.amazon.awssdk.services.secretsmanager.paginators.ListSecretVersionIdsIterable responses = client.listSecretVersionIdsPaginator(request);
 responses.iterator().forEachRemaining(....);
 
 

Please notice that the configuration of MaxResults won't limit the number of results you get with the paginator. It only limits the number of results in each page.

Note: If you prefer to have control on service calls, use the listSecretVersionIds(software.amazon.awssdk.services.secretsmanager.model.ListSecretVersionIdsRequest) operation.

This is a convenience which creates an instance of the ListSecretVersionIdsRequest.Builder avoiding the need to create one manually via ListSecretVersionIdsRequest.builder()

Parameters:

listSecretVersionIdsRequest - A Consumer that will call methods on ListSecretVersionIdsRequest.Builder to create a request.

Returns:

A custom iterable that can be used to iterate through all the response pages.

Throws:

InvalidNextTokenException - You provided an invalid NextToken value.

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

InvalidParameterException - You provided an invalid value for a parameter.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

listSecrets

default ListSecretsResponse listSecrets()
                                 throws InvalidParameterException,
                                        InvalidNextTokenException,
                                        InternalServiceErrorException,
                                        AwsServiceException,
                                        SdkClientException,
                                        SecretsManagerException

Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account. To list the versions currently stored for a specific secret, use ListSecretVersionIds. The encrypted fields SecretString and SecretBinary are not included in the output. To get that information, call the GetSecretValue operation.

Always check the NextToken response parameter when calling any of the List* operations. These operations can occasionally return an empty or shorter than expected list of results even when there more results become available. When this happens, the NextToken response parameter contains a value to pass to the next call to the same API to request the next part of the list.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:ListSecrets

Related operations

• To list the versions attached to a secret, use ListSecretVersionIds.

Returns:

Result of the ListSecrets operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidNextTokenException - You provided an invalid NextToken value.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

listSecrets(ListSecretsRequest), AWS API Documentation

listSecrets

default ListSecretsResponse listSecrets(ListSecretsRequest listSecretsRequest)
                                 throws InvalidParameterException,
                                        InvalidNextTokenException,
                                        InternalServiceErrorException,
                                        AwsServiceException,
                                        SdkClientException,
                                        SecretsManagerException

Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account. To list the versions currently stored for a specific secret, use ListSecretVersionIds. The encrypted fields SecretString and SecretBinary are not included in the output. To get that information, call the GetSecretValue operation.

Always check the NextToken response parameter when calling any of the List* operations. These operations can occasionally return an empty or shorter than expected list of results even when there more results become available. When this happens, the NextToken response parameter contains a value to pass to the next call to the same API to request the next part of the list.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:ListSecrets

Related operations

• To list the versions attached to a secret, use ListSecretVersionIds.

Parameters:

listSecretsRequest -

Returns:

Result of the ListSecrets operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidNextTokenException - You provided an invalid NextToken value.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

listSecrets

default ListSecretsResponse listSecrets(Consumer<ListSecretsRequest.Builder> listSecretsRequest)
                                 throws InvalidParameterException,
                                        InvalidNextTokenException,
                                        InternalServiceErrorException,
                                        AwsServiceException,
                                        SdkClientException,
                                        SecretsManagerException

Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account. To list the versions currently stored for a specific secret, use ListSecretVersionIds. The encrypted fields SecretString and SecretBinary are not included in the output. To get that information, call the GetSecretValue operation.

Always check the NextToken response parameter when calling any of the List* operations. These operations can occasionally return an empty or shorter than expected list of results even when there more results become available. When this happens, the NextToken response parameter contains a value to pass to the next call to the same API to request the next part of the list.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:ListSecrets

Related operations

• To list the versions attached to a secret, use ListSecretVersionIds.

This is a convenience which creates an instance of the ListSecretsRequest.Builder avoiding the need to create one manually via ListSecretsRequest.builder()

Parameters:

listSecretsRequest - A Consumer that will call methods on ListSecretsRequest.Builder to create a request.

Returns:

Result of the ListSecrets operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidNextTokenException - You provided an invalid NextToken value.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

listSecretsPaginator

default ListSecretsIterable listSecretsPaginator()
                                          throws InvalidParameterException,
                                                 InvalidNextTokenException,
                                                 InternalServiceErrorException,
                                                 AwsServiceException,
                                                 SdkClientException,
                                                 SecretsManagerException

Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account. To list the versions currently stored for a specific secret, use ListSecretVersionIds. The encrypted fields SecretString and SecretBinary are not included in the output. To get that information, call the GetSecretValue operation.

Always check the NextToken response parameter when calling any of the List* operations. These operations can occasionally return an empty or shorter than expected list of results even when there more results become available. When this happens, the NextToken response parameter contains a value to pass to the next call to the same API to request the next part of the list.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:ListSecrets

Related operations

• To list the versions attached to a secret, use ListSecretVersionIds.

This is a variant of listSecrets(software.amazon.awssdk.services.secretsmanager.model.ListSecretsRequest) operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle making service calls for you.

When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response pages by making service calls until there are no pages left or your iteration stops. If there are errors in your request, you will see the failures only after you start iterating through the iterable.

The following are few ways to iterate through the response pages:

1) Using a Stream

 
 software.amazon.awssdk.services.secretsmanager.paginators.ListSecretsIterable responses = client.listSecretsPaginator(request);
 responses.stream().forEach(....);
 
 

2) Using For loop

 {
     @code
     software.amazon.awssdk.services.secretsmanager.paginators.ListSecretsIterable responses = client
             .listSecretsPaginator(request);
     for (software.amazon.awssdk.services.secretsmanager.model.ListSecretsResponse response : responses) {
         // do something;
     }
 }
 

3) Use iterator directly

 
 software.amazon.awssdk.services.secretsmanager.paginators.ListSecretsIterable responses = client.listSecretsPaginator(request);
 responses.iterator().forEachRemaining(....);
 
 

Please notice that the configuration of MaxResults won't limit the number of results you get with the paginator. It only limits the number of results in each page.

Note: If you prefer to have control on service calls, use the listSecrets(software.amazon.awssdk.services.secretsmanager.model.ListSecretsRequest) operation.

Returns:

A custom iterable that can be used to iterate through all the response pages.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidNextTokenException - You provided an invalid NextToken value.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

listSecretsPaginator(ListSecretsRequest), AWS API Documentation

listSecretsPaginator

default ListSecretsIterable listSecretsPaginator(ListSecretsRequest listSecretsRequest)
                                          throws InvalidParameterException,
                                                 InvalidNextTokenException,
                                                 InternalServiceErrorException,
                                                 AwsServiceException,
                                                 SdkClientException,
                                                 SecretsManagerException

Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account. To list the versions currently stored for a specific secret, use ListSecretVersionIds. The encrypted fields SecretString and SecretBinary are not included in the output. To get that information, call the GetSecretValue operation.

Always check the NextToken response parameter when calling any of the List* operations. These operations can occasionally return an empty or shorter than expected list of results even when there more results become available. When this happens, the NextToken response parameter contains a value to pass to the next call to the same API to request the next part of the list.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:ListSecrets

Related operations

• To list the versions attached to a secret, use ListSecretVersionIds.

This is a variant of listSecrets(software.amazon.awssdk.services.secretsmanager.model.ListSecretsRequest) operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle making service calls for you.

When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response pages by making service calls until there are no pages left or your iteration stops. If there are errors in your request, you will see the failures only after you start iterating through the iterable.

The following are few ways to iterate through the response pages:

1) Using a Stream

 
 software.amazon.awssdk.services.secretsmanager.paginators.ListSecretsIterable responses = client.listSecretsPaginator(request);
 responses.stream().forEach(....);
 
 

2) Using For loop

 {
     @code
     software.amazon.awssdk.services.secretsmanager.paginators.ListSecretsIterable responses = client
             .listSecretsPaginator(request);
     for (software.amazon.awssdk.services.secretsmanager.model.ListSecretsResponse response : responses) {
         // do something;
     }
 }
 

3) Use iterator directly

 
 software.amazon.awssdk.services.secretsmanager.paginators.ListSecretsIterable responses = client.listSecretsPaginator(request);
 responses.iterator().forEachRemaining(....);
 
 

Please notice that the configuration of MaxResults won't limit the number of results you get with the paginator. It only limits the number of results in each page.

Note: If you prefer to have control on service calls, use the listSecrets(software.amazon.awssdk.services.secretsmanager.model.ListSecretsRequest) operation.

Parameters:

listSecretsRequest -

Returns:

A custom iterable that can be used to iterate through all the response pages.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidNextTokenException - You provided an invalid NextToken value.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

listSecretsPaginator

default ListSecretsIterable listSecretsPaginator(Consumer<ListSecretsRequest.Builder> listSecretsRequest)
                                          throws InvalidParameterException,
                                                 InvalidNextTokenException,
                                                 InternalServiceErrorException,
                                                 AwsServiceException,
                                                 SdkClientException,
                                                 SecretsManagerException

Lists all of the secrets that are stored by Secrets Manager in the Amazon Web Services account. To list the versions currently stored for a specific secret, use ListSecretVersionIds. The encrypted fields SecretString and SecretBinary are not included in the output. To get that information, call the GetSecretValue operation.

Always check the NextToken response parameter when calling any of the List* operations. These operations can occasionally return an empty or shorter than expected list of results even when there more results become available. When this happens, the NextToken response parameter contains a value to pass to the next call to the same API to request the next part of the list.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:ListSecrets

Related operations

• To list the versions attached to a secret, use ListSecretVersionIds.

This is a variant of listSecrets(software.amazon.awssdk.services.secretsmanager.model.ListSecretsRequest) operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle making service calls for you.

When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response pages by making service calls until there are no pages left or your iteration stops. If there are errors in your request, you will see the failures only after you start iterating through the iterable.

The following are few ways to iterate through the response pages:

1) Using a Stream

 
 software.amazon.awssdk.services.secretsmanager.paginators.ListSecretsIterable responses = client.listSecretsPaginator(request);
 responses.stream().forEach(....);
 
 

2) Using For loop

 {
     @code
     software.amazon.awssdk.services.secretsmanager.paginators.ListSecretsIterable responses = client
             .listSecretsPaginator(request);
     for (software.amazon.awssdk.services.secretsmanager.model.ListSecretsResponse response : responses) {
         // do something;
     }
 }
 

3) Use iterator directly

 
 software.amazon.awssdk.services.secretsmanager.paginators.ListSecretsIterable responses = client.listSecretsPaginator(request);
 responses.iterator().forEachRemaining(....);
 
 

Please notice that the configuration of MaxResults won't limit the number of results you get with the paginator. It only limits the number of results in each page.

Note: If you prefer to have control on service calls, use the listSecrets(software.amazon.awssdk.services.secretsmanager.model.ListSecretsRequest) operation.

This is a convenience which creates an instance of the ListSecretsRequest.Builder avoiding the need to create one manually via ListSecretsRequest.builder()

Parameters:

listSecretsRequest - A Consumer that will call methods on ListSecretsRequest.Builder to create a request.

Returns:

A custom iterable that can be used to iterate through all the response pages.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidNextTokenException - You provided an invalid NextToken value.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

putResourcePolicy

default PutResourcePolicyResponse putResourcePolicy(PutResourcePolicyRequest putResourcePolicyRequest)
                                             throws MalformedPolicyDocumentException,
                                                    ResourceNotFoundException,
                                                    InvalidParameterException,
                                                    InternalServiceErrorException,
                                                    InvalidRequestException,
                                                    PublicPolicyException,
                                                    AwsServiceException,
                                                    SdkClientException,
                                                    SecretsManagerException

Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM identity-based policies that specify the secret's Amazon Resource Name (ARN) in the policy statement's Resources element. You can also use a combination of both identity-based and resource-based policies. The affected users and roles receive the permissions that are permitted by all of the relevant policies. For more information, see Using Resource-Based Policies for Amazon Web Services Secrets Manager. For the complete description of the Amazon Web Services policy syntax and grammar, see IAM JSON Policy Reference in the IAM User Guide.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:PutResourcePolicy

Related operations

• To retrieve the resource policy attached to a secret, use GetResourcePolicy.

• To delete the resource-based policy attached to a secret, use DeleteResourcePolicy.

• To list all of the currently available secrets, use ListSecrets.

Parameters:

putResourcePolicyRequest -

Returns:

Result of the PutResourcePolicy operation returned by the service.

Throws:

MalformedPolicyDocumentException - You provided a resource-based policy with syntax errors.

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

PublicPolicyException - The BlockPublicPolicy parameter is set to true and the resource policy did not prevent broad access to the secret.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

putResourcePolicy

default PutResourcePolicyResponse putResourcePolicy(Consumer<PutResourcePolicyRequest.Builder> putResourcePolicyRequest)
                                             throws MalformedPolicyDocumentException,
                                                    ResourceNotFoundException,
                                                    InvalidParameterException,
                                                    InternalServiceErrorException,
                                                    InvalidRequestException,
                                                    PublicPolicyException,
                                                    AwsServiceException,
                                                    SdkClientException,
                                                    SecretsManagerException

Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM identity-based policies that specify the secret's Amazon Resource Name (ARN) in the policy statement's Resources element. You can also use a combination of both identity-based and resource-based policies. The affected users and roles receive the permissions that are permitted by all of the relevant policies. For more information, see Using Resource-Based Policies for Amazon Web Services Secrets Manager. For the complete description of the Amazon Web Services policy syntax and grammar, see IAM JSON Policy Reference in the IAM User Guide.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:PutResourcePolicy

Related operations

• To retrieve the resource policy attached to a secret, use GetResourcePolicy.

• To delete the resource-based policy attached to a secret, use DeleteResourcePolicy.

• To list all of the currently available secrets, use ListSecrets.

This is a convenience which creates an instance of the PutResourcePolicyRequest.Builder avoiding the need to create one manually via PutResourcePolicyRequest.builder()

Parameters:

putResourcePolicyRequest - A Consumer that will call methods on PutResourcePolicyRequest.Builder to create a request.

Returns:

Result of the PutResourcePolicy operation returned by the service.

Throws:

MalformedPolicyDocumentException - You provided a resource-based policy with syntax errors.

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

PublicPolicyException - The BlockPublicPolicy parameter is set to true and the resource policy did not prevent broad access to the secret.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

putSecretValue

default PutSecretValueResponse putSecretValue(PutSecretValueRequest putSecretValueRequest)
                                       throws InvalidParameterException,
                                              InvalidRequestException,
                                              LimitExceededException,
                                              EncryptionFailureException,
                                              ResourceExistsException,
                                              ResourceNotFoundException,
                                              InternalServiceErrorException,
                                              AwsServiceException,
                                              SdkClientException,
                                              SecretsManagerException

Stores a new encrypted secret value in the specified secret. To do this, the operation creates a new version and attaches it to the secret. The version can contain a new SecretString value or a new SecretBinary value. You can also specify the staging labels that are initially attached to the new version.

We recommend you avoid calling PutSecretValue at a sustained rate of more than once every 10 minutes. When you update the secret value, Secrets Manager creates a new version of the secret. Secrets Manager removes outdated versions when there are more than 100, but it does not remove versions created less than 24 hours ago. If you call PutSecretValue more than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach the quota for secret versions.

• If this operation creates the first version for the secret then Secrets Manager automatically attaches the staging label AWSCURRENT to the new version.

• If you do not specify a value for VersionStages then Secrets Manager automatically moves the staging label AWSCURRENT to this new version.

• If this operation moves the staging label AWSCURRENT from another version to this version, then Secrets Manager also automatically moves the staging label AWSPREVIOUS to the version that AWSCURRENT was removed from.

• This operation is idempotent. If a version with a VersionId with the same value as the ClientRequestToken parameter already exists and you specify the same secret data, the operation succeeds but does nothing. However, if the secret data is different, then the operation fails because you cannot modify an existing version; you can only create new ones.

• If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK) with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets Manager creates it for you automatically. All users and roles in the same Amazon Web Services account automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in returning the result.

• If the secret resides in a different Amazon Web Services account from the credentials calling an API that requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId. If you call an API that must encrypt or decrypt SecretString or SecretBinary using credentials from a different account then the Amazon Web Services KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:PutSecretValue

• kms:GenerateDataKey - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's default Amazon Web Services managed CMK for Secrets Manager.

Related operations

• To retrieve the encrypted value you store in the version of a secret, use GetSecretValue.

• To create a secret, use CreateSecret.

• To get the details for a secret, use DescribeSecret.

• To list the versions attached to a secret, use ListSecretVersionIds.

Parameters:

putSecretValueRequest -

Returns:

Result of the PutSecretValue operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

LimitExceededException - The request failed because it would exceed one of the Secrets Manager internal limits.

EncryptionFailureException - Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the customer master key (CMK) is available, enabled, and not in an invalid state. For more information, see How Key State Affects Use of a Customer Master Key.

ResourceExistsException - A resource with the ID you requested already exists.

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

putSecretValue

default PutSecretValueResponse putSecretValue(Consumer<PutSecretValueRequest.Builder> putSecretValueRequest)
                                       throws InvalidParameterException,
                                              InvalidRequestException,
                                              LimitExceededException,
                                              EncryptionFailureException,
                                              ResourceExistsException,
                                              ResourceNotFoundException,
                                              InternalServiceErrorException,
                                              AwsServiceException,
                                              SdkClientException,
                                              SecretsManagerException

Stores a new encrypted secret value in the specified secret. To do this, the operation creates a new version and attaches it to the secret. The version can contain a new SecretString value or a new SecretBinary value. You can also specify the staging labels that are initially attached to the new version.

We recommend you avoid calling PutSecretValue at a sustained rate of more than once every 10 minutes. When you update the secret value, Secrets Manager creates a new version of the secret. Secrets Manager removes outdated versions when there are more than 100, but it does not remove versions created less than 24 hours ago. If you call PutSecretValue more than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach the quota for secret versions.

• If this operation creates the first version for the secret then Secrets Manager automatically attaches the staging label AWSCURRENT to the new version.

• If you do not specify a value for VersionStages then Secrets Manager automatically moves the staging label AWSCURRENT to this new version.

• If this operation moves the staging label AWSCURRENT from another version to this version, then Secrets Manager also automatically moves the staging label AWSPREVIOUS to the version that AWSCURRENT was removed from.

• This operation is idempotent. If a version with a VersionId with the same value as the ClientRequestToken parameter already exists and you specify the same secret data, the operation succeeds but does nothing. However, if the secret data is different, then the operation fails because you cannot modify an existing version; you can only create new ones.

• If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK) with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets Manager creates it for you automatically. All users and roles in the same Amazon Web Services account automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in returning the result.

• If the secret resides in a different Amazon Web Services account from the credentials calling an API that requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId. If you call an API that must encrypt or decrypt SecretString or SecretBinary using credentials from a different account then the Amazon Web Services KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:PutSecretValue

• kms:GenerateDataKey - needed only if you use a customer-managed Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's default Amazon Web Services managed CMK for Secrets Manager.

Related operations

• To retrieve the encrypted value you store in the version of a secret, use GetSecretValue.

• To create a secret, use CreateSecret.

• To get the details for a secret, use DescribeSecret.

• To list the versions attached to a secret, use ListSecretVersionIds.

This is a convenience which creates an instance of the PutSecretValueRequest.Builder avoiding the need to create one manually via PutSecretValueRequest.builder()

Parameters:

putSecretValueRequest - A Consumer that will call methods on PutSecretValueRequest.Builder to create a request.

Returns:

Result of the PutSecretValue operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

LimitExceededException - The request failed because it would exceed one of the Secrets Manager internal limits.

EncryptionFailureException - Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the customer master key (CMK) is available, enabled, and not in an invalid state. For more information, see How Key State Affects Use of a Customer Master Key.

ResourceExistsException - A resource with the ID you requested already exists.

ResourceNotFoundException - We can't find the resource that you asked for.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

removeRegionsFromReplication

default RemoveRegionsFromReplicationResponse removeRegionsFromReplication(RemoveRegionsFromReplicationRequest removeRegionsFromReplicationRequest)
                                                                   throws ResourceNotFoundException,
                                                                          InvalidRequestException,
                                                                          InvalidParameterException,
                                                                          InternalServiceErrorException,
                                                                          AwsServiceException,
                                                                          SdkClientException,
                                                                          SecretsManagerException

Remove regions from replication.

Parameters:

removeRegionsFromReplicationRequest -

Returns:

Result of the RemoveRegionsFromReplication operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

removeRegionsFromReplication

default RemoveRegionsFromReplicationResponse removeRegionsFromReplication(Consumer<RemoveRegionsFromReplicationRequest.Builder> removeRegionsFromReplicationRequest)
                                                                   throws ResourceNotFoundException,
                                                                          InvalidRequestException,
                                                                          InvalidParameterException,
                                                                          InternalServiceErrorException,
                                                                          AwsServiceException,
                                                                          SdkClientException,
                                                                          SecretsManagerException

Remove regions from replication.

This is a convenience which creates an instance of the RemoveRegionsFromReplicationRequest.Builder avoiding the need to create one manually via RemoveRegionsFromReplicationRequest.builder()

Parameters:

removeRegionsFromReplicationRequest - A Consumer that will call methods on RemoveRegionsFromReplicationRequest.Builder to create a request.

Returns:

Result of the RemoveRegionsFromReplication operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

replicateSecretToRegions

default ReplicateSecretToRegionsResponse replicateSecretToRegions(ReplicateSecretToRegionsRequest replicateSecretToRegionsRequest)
                                                           throws ResourceNotFoundException,
                                                                  InvalidRequestException,
                                                                  InvalidParameterException,
                                                                  InternalServiceErrorException,
                                                                  AwsServiceException,
                                                                  SdkClientException,
                                                                  SecretsManagerException

Converts an existing secret to a multi-Region secret and begins replication the secret to a list of new regions.

Parameters:

replicateSecretToRegionsRequest -

Returns:

Result of the ReplicateSecretToRegions operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

replicateSecretToRegions

default ReplicateSecretToRegionsResponse replicateSecretToRegions(Consumer<ReplicateSecretToRegionsRequest.Builder> replicateSecretToRegionsRequest)
                                                           throws ResourceNotFoundException,
                                                                  InvalidRequestException,
                                                                  InvalidParameterException,
                                                                  InternalServiceErrorException,
                                                                  AwsServiceException,
                                                                  SdkClientException,
                                                                  SecretsManagerException

Converts an existing secret to a multi-Region secret and begins replication the secret to a list of new regions.

This is a convenience which creates an instance of the ReplicateSecretToRegionsRequest.Builder avoiding the need to create one manually via ReplicateSecretToRegionsRequest.builder()

Parameters:

replicateSecretToRegionsRequest - A Consumer that will call methods on ReplicateSecretToRegionsRequest.Builder to create a request.

Returns:

Result of the ReplicateSecretToRegions operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

restoreSecret

default RestoreSecretResponse restoreSecret(RestoreSecretRequest restoreSecretRequest)
                                     throws ResourceNotFoundException,
                                            InvalidParameterException,
                                            InvalidRequestException,
                                            InternalServiceErrorException,
                                            AwsServiceException,
                                            SdkClientException,
                                            SecretsManagerException

Cancels the scheduled deletion of a secret by removing the DeletedDate time stamp. This makes the secret accessible to query once again.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:RestoreSecret

Related operations

• To delete a secret, use DeleteSecret.

Parameters:

restoreSecretRequest -

Returns:

Result of the RestoreSecret operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

restoreSecret

default RestoreSecretResponse restoreSecret(Consumer<RestoreSecretRequest.Builder> restoreSecretRequest)
                                     throws ResourceNotFoundException,
                                            InvalidParameterException,
                                            InvalidRequestException,
                                            InternalServiceErrorException,
                                            AwsServiceException,
                                            SdkClientException,
                                            SecretsManagerException

Cancels the scheduled deletion of a secret by removing the DeletedDate time stamp. This makes the secret accessible to query once again.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:RestoreSecret

Related operations

• To delete a secret, use DeleteSecret.

This is a convenience which creates an instance of the RestoreSecretRequest.Builder avoiding the need to create one manually via RestoreSecretRequest.builder()

Parameters:

restoreSecretRequest - A Consumer that will call methods on RestoreSecretRequest.Builder to create a request.

Returns:

Result of the RestoreSecret operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

rotateSecret

default RotateSecretResponse rotateSecret(RotateSecretRequest rotateSecretRequest)
                                   throws ResourceNotFoundException,
                                          InvalidParameterException,
                                          InternalServiceErrorException,
                                          InvalidRequestException,
                                          AwsServiceException,
                                          SdkClientException,
                                          SecretsManagerException

Configures and starts the asynchronous process of rotating this secret. If you include the configuration parameters, the operation sets those values for the secret and then immediately starts a rotation. If you do not include the configuration parameters, the operation starts a rotation with the values already stored in the secret. After the rotation completes, the protected service and its clients all use the new version of the secret.

This required configuration information includes the ARN of an Amazon Web Services Lambda function and optionally, the time between scheduled rotations. The Lambda rotation function creates a new version of the secret and creates or updates the credentials on the protected service to match. After testing the new credentials, the function marks the new secret with the staging label AWSCURRENT so that your clients all immediately begin to use the new version. For more information about rotating secrets and how to configure a Lambda function to rotate the secrets for your protected service, see Rotating Secrets in Amazon Web Services Secrets Manager in the Amazon Web Services Secrets Manager User Guide.

Secrets Manager schedules the next rotation when the previous one completes. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour and influenced by a variety of factors that help distribute load.

The rotation function must end with the versions of the secret in one of two states:

• The AWSPENDING and AWSCURRENT staging labels are attached to the same version of the secret, or

• The AWSPENDING staging label is not attached to any version of the secret.

If the AWSPENDING staging label is present but not attached to the same version as AWSCURRENT then any later invocation of RotateSecret assumes that a previous rotation request is still in progress and returns an error.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:RotateSecret

• lambda:InvokeFunction (on the function specified in the secret's metadata)

Related operations

• To list the secrets in your account, use ListSecrets.

• To get the details for a version of a secret, use DescribeSecret.

• To create a new version of a secret, use CreateSecret.

• To attach staging labels to or remove staging labels from a version of a secret, use UpdateSecretVersionStage.

Parameters:

rotateSecretRequest -

Returns:

Result of the RotateSecret operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

rotateSecret

default RotateSecretResponse rotateSecret(Consumer<RotateSecretRequest.Builder> rotateSecretRequest)
                                   throws ResourceNotFoundException,
                                          InvalidParameterException,
                                          InternalServiceErrorException,
                                          InvalidRequestException,
                                          AwsServiceException,
                                          SdkClientException,
                                          SecretsManagerException

Configures and starts the asynchronous process of rotating this secret. If you include the configuration parameters, the operation sets those values for the secret and then immediately starts a rotation. If you do not include the configuration parameters, the operation starts a rotation with the values already stored in the secret. After the rotation completes, the protected service and its clients all use the new version of the secret.

This required configuration information includes the ARN of an Amazon Web Services Lambda function and optionally, the time between scheduled rotations. The Lambda rotation function creates a new version of the secret and creates or updates the credentials on the protected service to match. After testing the new credentials, the function marks the new secret with the staging label AWSCURRENT so that your clients all immediately begin to use the new version. For more information about rotating secrets and how to configure a Lambda function to rotate the secrets for your protected service, see Rotating Secrets in Amazon Web Services Secrets Manager in the Amazon Web Services Secrets Manager User Guide.

Secrets Manager schedules the next rotation when the previous one completes. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour and influenced by a variety of factors that help distribute load.

The rotation function must end with the versions of the secret in one of two states:

• The AWSPENDING and AWSCURRENT staging labels are attached to the same version of the secret, or

• The AWSPENDING staging label is not attached to any version of the secret.

If the AWSPENDING staging label is present but not attached to the same version as AWSCURRENT then any later invocation of RotateSecret assumes that a previous rotation request is still in progress and returns an error.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:RotateSecret

• lambda:InvokeFunction (on the function specified in the secret's metadata)

Related operations

• To list the secrets in your account, use ListSecrets.

• To get the details for a version of a secret, use DescribeSecret.

• To create a new version of a secret, use CreateSecret.

• To attach staging labels to or remove staging labels from a version of a secret, use UpdateSecretVersionStage.

This is a convenience which creates an instance of the RotateSecretRequest.Builder avoiding the need to create one manually via RotateSecretRequest.builder()

Parameters:

rotateSecretRequest - A Consumer that will call methods on RotateSecretRequest.Builder to create a request.

Returns:

Result of the RotateSecret operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

stopReplicationToReplica

default StopReplicationToReplicaResponse stopReplicationToReplica(StopReplicationToReplicaRequest stopReplicationToReplicaRequest)
                                                           throws ResourceNotFoundException,
                                                                  InvalidRequestException,
                                                                  InvalidParameterException,
                                                                  InternalServiceErrorException,
                                                                  AwsServiceException,
                                                                  SdkClientException,
                                                                  SecretsManagerException

Removes the secret from replication and promotes the secret to a regional secret in the replica Region.

Parameters:

stopReplicationToReplicaRequest -

Returns:

Result of the StopReplicationToReplica operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

stopReplicationToReplica

default StopReplicationToReplicaResponse stopReplicationToReplica(Consumer<StopReplicationToReplicaRequest.Builder> stopReplicationToReplicaRequest)
                                                           throws ResourceNotFoundException,
                                                                  InvalidRequestException,
                                                                  InvalidParameterException,
                                                                  InternalServiceErrorException,
                                                                  AwsServiceException,
                                                                  SdkClientException,
                                                                  SecretsManagerException

Removes the secret from replication and promotes the secret to a regional secret in the replica Region.

This is a convenience which creates an instance of the StopReplicationToReplicaRequest.Builder avoiding the need to create one manually via StopReplicationToReplicaRequest.builder()

Parameters:

stopReplicationToReplicaRequest - A Consumer that will call methods on StopReplicationToReplicaRequest.Builder to create a request.

Returns:

Result of the StopReplicationToReplica operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

tagResource

default TagResourceResponse tagResource(TagResourceRequest tagResourceRequest)
                                 throws ResourceNotFoundException,
                                        InvalidRequestException,
                                        InvalidParameterException,
                                        InternalServiceErrorException,
                                        AwsServiceException,
                                        SdkClientException,
                                        SecretsManagerException

Attaches one or more tags, each consisting of a key name and a value, to the specified secret. Tags are part of the secret's overall metadata, and are not associated with any specific version of the secret. This operation only appends tags to the existing list of tags. To remove tags, you must use UntagResource.

The following basic restrictions apply to tags:

• Maximum number of tags per secret—50

• Maximum key length—127 Unicode characters in UTF-8

• Maximum value length—255 Unicode characters in UTF-8

• Tag keys and values are case sensitive.

• Do not use the aws: prefix in your tag names or values because Amazon Web Services reserves it for Amazon Web Services use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.

• If you use your tagging schema across multiple services and resources, remember other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.

If you use tags as part of your security strategy, then adding or removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:TagResource

Related operations

• To remove one or more tags from the collection attached to a secret, use UntagResource.

• To view the list of tags attached to a secret, use DescribeSecret.

Parameters:

tagResourceRequest -

Returns:

Result of the TagResource operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

tagResource

default TagResourceResponse tagResource(Consumer<TagResourceRequest.Builder> tagResourceRequest)
                                 throws ResourceNotFoundException,
                                        InvalidRequestException,
                                        InvalidParameterException,
                                        InternalServiceErrorException,
                                        AwsServiceException,
                                        SdkClientException,
                                        SecretsManagerException

Attaches one or more tags, each consisting of a key name and a value, to the specified secret. Tags are part of the secret's overall metadata, and are not associated with any specific version of the secret. This operation only appends tags to the existing list of tags. To remove tags, you must use UntagResource.

The following basic restrictions apply to tags:

• Maximum number of tags per secret—50

• Maximum key length—127 Unicode characters in UTF-8

• Maximum value length—255 Unicode characters in UTF-8

• Tag keys and values are case sensitive.

• Do not use the aws: prefix in your tag names or values because Amazon Web Services reserves it for Amazon Web Services use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.

• If you use your tagging schema across multiple services and resources, remember other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.

If you use tags as part of your security strategy, then adding or removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:TagResource

Related operations

• To remove one or more tags from the collection attached to a secret, use UntagResource.

• To view the list of tags attached to a secret, use DescribeSecret.

This is a convenience which creates an instance of the TagResourceRequest.Builder avoiding the need to create one manually via TagResourceRequest.builder()

Parameters:

tagResourceRequest - A Consumer that will call methods on TagResourceRequest.Builder to create a request.

Returns:

Result of the TagResource operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

untagResource

default UntagResourceResponse untagResource(UntagResourceRequest untagResourceRequest)
                                     throws ResourceNotFoundException,
                                            InvalidRequestException,
                                            InvalidParameterException,
                                            InternalServiceErrorException,
                                            AwsServiceException,
                                            SdkClientException,
                                            SecretsManagerException

Removes one or more tags from the specified secret.

This operation is idempotent. If a requested tag is not attached to the secret, no error is returned and the secret metadata is unchanged.

If you use tags as part of your security strategy, then removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:UntagResource

Related operations

• To add one or more tags to the collection attached to a secret, use TagResource.

• To view the list of tags attached to a secret, use DescribeSecret.

Parameters:

untagResourceRequest -

Returns:

Result of the UntagResource operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

untagResource

default UntagResourceResponse untagResource(Consumer<UntagResourceRequest.Builder> untagResourceRequest)
                                     throws ResourceNotFoundException,
                                            InvalidRequestException,
                                            InvalidParameterException,
                                            InternalServiceErrorException,
                                            AwsServiceException,
                                            SdkClientException,
                                            SecretsManagerException

Removes one or more tags from the specified secret.

This operation is idempotent. If a requested tag is not attached to the secret, no error is returned and the secret metadata is unchanged.

If you use tags as part of your security strategy, then removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:UntagResource

Related operations

• To add one or more tags to the collection attached to a secret, use TagResource.

• To view the list of tags attached to a secret, use DescribeSecret.

This is a convenience which creates an instance of the UntagResourceRequest.Builder avoiding the need to create one manually via UntagResourceRequest.builder()

Parameters:

untagResourceRequest - A Consumer that will call methods on UntagResourceRequest.Builder to create a request.

Returns:

Result of the UntagResource operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

updateSecret

default UpdateSecretResponse updateSecret(UpdateSecretRequest updateSecretRequest)
                                   throws InvalidParameterException,
                                          InvalidRequestException,
                                          LimitExceededException,
                                          EncryptionFailureException,
                                          ResourceExistsException,
                                          ResourceNotFoundException,
                                          MalformedPolicyDocumentException,
                                          InternalServiceErrorException,
                                          PreconditionNotMetException,
                                          AwsServiceException,
                                          SdkClientException,
                                          SecretsManagerException

Modifies many of the details of the specified secret.

To change the secret value, you can also use PutSecretValue.

To change the rotation configuration of a secret, use RotateSecret instead.

We recommend you avoid calling UpdateSecret at a sustained rate of more than once every 10 minutes. When you call UpdateSecret to update the secret value, Secrets Manager creates a new version of the secret. Secrets Manager removes outdated versions when there are more than 100, but it does not remove versions created less than 24 hours ago. If you update the secret value more than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach the quota for secret versions.

The Secrets Manager console uses only the SecretString parameter and therefore limits you to encrypting and storing only a text string. To encrypt and store binary data as part of the version of a secret, you must use either the Amazon Web Services CLI or one of the Amazon Web Services SDKs.

• If a version with a VersionId with the same value as the ClientRequestToken parameter already exists, the operation results in an error. You cannot modify an existing version, you can only create a new version.

• If you include SecretString or SecretBinary to create a new secret version, Secrets Manager automatically attaches the staging label AWSCURRENT to the new version.

• If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK) with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets Manager creates it for you automatically. All users and roles in the same Amazon Web Services account automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in returning the result.

• If the secret resides in a different Amazon Web Services account from the credentials calling an API that requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId. If you call an API that must encrypt or decrypt SecretString or SecretBinary using credentials from a different account then the Amazon Web Services KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:UpdateSecret

• kms:GenerateDataKey - needed only if you use a custom Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's Amazon Web Services managed CMK for Secrets Manager.

• kms:Decrypt - needed only if you use a custom Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's Amazon Web Services managed CMK for Secrets Manager.

Related operations

• To create a new secret, use CreateSecret.

• To add only a new version to an existing secret, use PutSecretValue.

• To get the details for a secret, use DescribeSecret.

• To list the versions contained in a secret, use ListSecretVersionIds.

Parameters:

updateSecretRequest -

Returns:

Result of the UpdateSecret operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

LimitExceededException - The request failed because it would exceed one of the Secrets Manager internal limits.

EncryptionFailureException - Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the customer master key (CMK) is available, enabled, and not in an invalid state. For more information, see How Key State Affects Use of a Customer Master Key.

ResourceExistsException - A resource with the ID you requested already exists.

ResourceNotFoundException - We can't find the resource that you asked for.

MalformedPolicyDocumentException - You provided a resource-based policy with syntax errors.

InternalServiceErrorException - An error occurred on the server side.

PreconditionNotMetException - The request failed because you did not complete all the prerequisite steps.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

updateSecret

default UpdateSecretResponse updateSecret(Consumer<UpdateSecretRequest.Builder> updateSecretRequest)
                                   throws InvalidParameterException,
                                          InvalidRequestException,
                                          LimitExceededException,
                                          EncryptionFailureException,
                                          ResourceExistsException,
                                          ResourceNotFoundException,
                                          MalformedPolicyDocumentException,
                                          InternalServiceErrorException,
                                          PreconditionNotMetException,
                                          AwsServiceException,
                                          SdkClientException,
                                          SecretsManagerException

Modifies many of the details of the specified secret.

To change the secret value, you can also use PutSecretValue.

To change the rotation configuration of a secret, use RotateSecret instead.

We recommend you avoid calling UpdateSecret at a sustained rate of more than once every 10 minutes. When you call UpdateSecret to update the secret value, Secrets Manager creates a new version of the secret. Secrets Manager removes outdated versions when there are more than 100, but it does not remove versions created less than 24 hours ago. If you update the secret value more than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach the quota for secret versions.

The Secrets Manager console uses only the SecretString parameter and therefore limits you to encrypting and storing only a text string. To encrypt and store binary data as part of the version of a secret, you must use either the Amazon Web Services CLI or one of the Amazon Web Services SDKs.

• If a version with a VersionId with the same value as the ClientRequestToken parameter already exists, the operation results in an error. You cannot modify an existing version, you can only create a new version.

• If you include SecretString or SecretBinary to create a new secret version, Secrets Manager automatically attaches the staging label AWSCURRENT to the new version.

• If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a secret in the same account as the calling user and that secret doesn't specify a Amazon Web Services KMS encryption key, Secrets Manager uses the account's default Amazon Web Services managed customer master key (CMK) with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets Manager creates it for you automatically. All users and roles in the same Amazon Web Services account automatically have access to use the default CMK. Note that if an Secrets Manager API call results in Amazon Web Services creating the account's Amazon Web Services-managed CMK, it can result in a one-time significant delay in returning the result.

• If the secret resides in a different Amazon Web Services account from the credentials calling an API that requires encryption or decryption of the secret value then you must create and use a custom Amazon Web Services KMS CMK because you can't access the default CMK for the account using credentials from a different Amazon Web Services account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId. If you call an API that must encrypt or decrypt SecretString or SecretBinary using credentials from a different account then the Amazon Web Services KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:UpdateSecret

• kms:GenerateDataKey - needed only if you use a custom Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's Amazon Web Services managed CMK for Secrets Manager.

• kms:Decrypt - needed only if you use a custom Amazon Web Services KMS key to encrypt the secret. You do not need this permission to use the account's Amazon Web Services managed CMK for Secrets Manager.

Related operations

• To create a new secret, use CreateSecret.

• To add only a new version to an existing secret, use PutSecretValue.

• To get the details for a secret, use DescribeSecret.

• To list the versions contained in a secret, use ListSecretVersionIds.

This is a convenience which creates an instance of the UpdateSecretRequest.Builder avoiding the need to create one manually via UpdateSecretRequest.builder()

Parameters:

updateSecretRequest - A Consumer that will call methods on UpdateSecretRequest.Builder to create a request.

Returns:

Result of the UpdateSecret operation returned by the service.

Throws:

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

LimitExceededException - The request failed because it would exceed one of the Secrets Manager internal limits.

EncryptionFailureException - Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the customer master key (CMK) is available, enabled, and not in an invalid state. For more information, see How Key State Affects Use of a Customer Master Key.

ResourceExistsException - A resource with the ID you requested already exists.

ResourceNotFoundException - We can't find the resource that you asked for.

MalformedPolicyDocumentException - You provided a resource-based policy with syntax errors.

InternalServiceErrorException - An error occurred on the server side.

PreconditionNotMetException - The request failed because you did not complete all the prerequisite steps.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

updateSecretVersionStage

default UpdateSecretVersionStageResponse updateSecretVersionStage(UpdateSecretVersionStageRequest updateSecretVersionStageRequest)
                                                           throws ResourceNotFoundException,
                                                                  InvalidParameterException,
                                                                  InvalidRequestException,
                                                                  LimitExceededException,
                                                                  InternalServiceErrorException,
                                                                  AwsServiceException,
                                                                  SdkClientException,
                                                                  SecretsManagerException

Modifies the staging labels attached to a version of a secret. Staging labels are used to track a version as it progresses through the secret rotation process. You can attach a staging label to only one version of a secret at a time. If a staging label to be added is already attached to another version, then it is moved--removed from the other version first and then attached to this one. For more information about staging labels, see Staging Labels in the Amazon Web Services Secrets Manager User Guide.

The staging labels that you specify in the VersionStage parameter are added to the existing list of staging labels--they don't replace it.

You can move the AWSCURRENT staging label to this version by including it in this call.

Whenever you move AWSCURRENT, Secrets Manager automatically moves the label AWSPREVIOUS to the version that AWSCURRENT was removed from.

If this action results in the last label being removed from a version, then the version is considered to be 'deprecated' and can be deleted by Secrets Manager.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:UpdateSecretVersionStage

Related operations

• To get the list of staging labels that are currently associated with a version of a secret, use DescribeSecret and examine the SecretVersionsToStages response value.

Parameters:

updateSecretVersionStageRequest -

Returns:

Result of the UpdateSecretVersionStage operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

LimitExceededException - The request failed because it would exceed one of the Secrets Manager internal limits.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

updateSecretVersionStage

default UpdateSecretVersionStageResponse updateSecretVersionStage(Consumer<UpdateSecretVersionStageRequest.Builder> updateSecretVersionStageRequest)
                                                           throws ResourceNotFoundException,
                                                                  InvalidParameterException,
                                                                  InvalidRequestException,
                                                                  LimitExceededException,
                                                                  InternalServiceErrorException,
                                                                  AwsServiceException,
                                                                  SdkClientException,
                                                                  SecretsManagerException

Modifies the staging labels attached to a version of a secret. Staging labels are used to track a version as it progresses through the secret rotation process. You can attach a staging label to only one version of a secret at a time. If a staging label to be added is already attached to another version, then it is moved--removed from the other version first and then attached to this one. For more information about staging labels, see Staging Labels in the Amazon Web Services Secrets Manager User Guide.

The staging labels that you specify in the VersionStage parameter are added to the existing list of staging labels--they don't replace it.

You can move the AWSCURRENT staging label to this version by including it in this call.

Whenever you move AWSCURRENT, Secrets Manager automatically moves the label AWSPREVIOUS to the version that AWSCURRENT was removed from.

If this action results in the last label being removed from a version, then the version is considered to be 'deprecated' and can be deleted by Secrets Manager.

Minimum permissions

To run this command, you must have the following permissions:

• secretsmanager:UpdateSecretVersionStage

Related operations

• To get the list of staging labels that are currently associated with a version of a secret, use DescribeSecret and examine the SecretVersionsToStages response value.

This is a convenience which creates an instance of the UpdateSecretVersionStageRequest.Builder avoiding the need to create one manually via UpdateSecretVersionStageRequest.builder()

Parameters:

updateSecretVersionStageRequest - A Consumer that will call methods on UpdateSecretVersionStageRequest.Builder to create a request.

Returns:

Result of the UpdateSecretVersionStage operation returned by the service.

Throws:

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

LimitExceededException - The request failed because it would exceed one of the Secrets Manager internal limits.

InternalServiceErrorException - An error occurred on the server side.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

validateResourcePolicy

default ValidateResourcePolicyResponse validateResourcePolicy(ValidateResourcePolicyRequest validateResourcePolicyRequest)
                                                       throws MalformedPolicyDocumentException,
                                                              ResourceNotFoundException,
                                                              InvalidParameterException,
                                                              InternalServiceErrorException,
                                                              InvalidRequestException,
                                                              AwsServiceException,
                                                              SdkClientException,
                                                              SecretsManagerException

Validates that the resource policy does not grant a wide range of IAM principals access to your secret. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string. A resource-based policy is optional for secrets.

The API performs three checks when validating the secret:

• Sends a call to Zelkova, an automated reasoning engine, to ensure your Resource Policy does not allow broad access to your secret.

• Checks for correct syntax in a policy.

• Verifies the policy does not lock out a caller.

Minimum Permissions

You must have the permissions required to access the following APIs:

• secretsmanager:PutResourcePolicy

• secretsmanager:ValidateResourcePolicy

Parameters:

validateResourcePolicyRequest -

Returns:

Result of the ValidateResourcePolicy operation returned by the service.

Throws:

MalformedPolicyDocumentException - You provided a resource-based policy with syntax errors.

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

validateResourcePolicy

default ValidateResourcePolicyResponse validateResourcePolicy(Consumer<ValidateResourcePolicyRequest.Builder> validateResourcePolicyRequest)
                                                       throws MalformedPolicyDocumentException,
                                                              ResourceNotFoundException,
                                                              InvalidParameterException,
                                                              InternalServiceErrorException,
                                                              InvalidRequestException,
                                                              AwsServiceException,
                                                              SdkClientException,
                                                              SecretsManagerException

Validates that the resource policy does not grant a wide range of IAM principals access to your secret. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string. A resource-based policy is optional for secrets.

The API performs three checks when validating the secret:

• Sends a call to Zelkova, an automated reasoning engine, to ensure your Resource Policy does not allow broad access to your secret.

• Checks for correct syntax in a policy.

• Verifies the policy does not lock out a caller.

Minimum Permissions

You must have the permissions required to access the following APIs:

• secretsmanager:PutResourcePolicy

• secretsmanager:ValidateResourcePolicy

This is a convenience which creates an instance of the ValidateResourcePolicyRequest.Builder avoiding the need to create one manually via ValidateResourcePolicyRequest.builder()

Parameters:

validateResourcePolicyRequest - A Consumer that will call methods on ValidateResourcePolicyRequest.Builder to create a request.

Returns:

Result of the ValidateResourcePolicy operation returned by the service.

Throws:

MalformedPolicyDocumentException - You provided a resource-based policy with syntax errors.

ResourceNotFoundException - We can't find the resource that you asked for.

InvalidParameterException - You provided an invalid value for a parameter.

InternalServiceErrorException - An error occurred on the server side.

InvalidRequestException - You provided a parameter value that is not valid for the current state of the resource.

Possible causes:

• You tried to perform the operation on a secret that's currently marked deleted.

• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch all scenarios.

SdkClientException - If any client side error occurs such as an IO related failure, failure to get credentials, etc.

SecretsManagerException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.

AwsServiceException

See Also:

AWS API Documentation

serviceMetadata

static ServiceMetadata serviceMetadata()