/**
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 * SPDX-License-Identifier: Apache-2.0.
 */

// NOTE(review): this listing looks extraction-damaged. Every #include below has
// no target, and the typedefs have lost their template argument lists (for
// example `std::function&) >` is unbalanced), so the text does not compile as
// shown. Restore both from the upstream header rather than guessing at them.
#pragma once
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

namespace Aws {

// Forward declarations of SDK core types, so this header can name them
// without needing their full definitions.
namespace Http {
  class HttpClient;
  class HttpClientFactory;
} // namespace Http

namespace Utils {
  // Two-parameter template (R, E); the Outcome typedefs below alias it.
  template< typename R, typename E> class Outcome;

  namespace Threading {
    class Executor;
  } // namespace Threading
} // namespace Utils

namespace Auth {
  class AWSCredentials;
  class AWSCredentialsProvider;
} // namespace Auth

namespace Client {
  class RetryStrategy;
} // namespace Client

namespace SecretsManager {

namespace Model {
  // One request type per Secrets Manager operation declared on the client.
  class CancelRotateSecretRequest;
  class CreateSecretRequest;
  class DeleteResourcePolicyRequest;
  class DeleteSecretRequest;
  class DescribeSecretRequest;
  class GetRandomPasswordRequest;
  class GetResourcePolicyRequest;
  class GetSecretValueRequest;
  class ListSecretVersionIdsRequest;
  class ListSecretsRequest;
  class PutResourcePolicyRequest;
  class PutSecretValueRequest;
  class RestoreSecretRequest;
  class RotateSecretRequest;
  class TagResourceRequest;
  class UntagResourceRequest;
  class UpdateSecretRequest;
  class UpdateSecretVersionStageRequest;
  class ValidateResourcePolicyRequest;

  // Per-operation outcome aliases, returned by the synchronous client methods.
  // The <R, E> arguments of Outcome are missing from this listing.
  // NOTE(review): the GetSecretValue and GetRandomPassword outcomes presumably
  // carry secret material; callers should avoid logging them or keeping
  // long-lived copies. Confirm against the corresponding result types.
  typedef Aws::Utils::Outcome CancelRotateSecretOutcome;
  typedef Aws::Utils::Outcome CreateSecretOutcome;
  typedef Aws::Utils::Outcome DeleteResourcePolicyOutcome;
  typedef Aws::Utils::Outcome DeleteSecretOutcome;
  typedef Aws::Utils::Outcome DescribeSecretOutcome;
  typedef Aws::Utils::Outcome GetRandomPasswordOutcome;
  typedef Aws::Utils::Outcome GetResourcePolicyOutcome;
  typedef Aws::Utils::Outcome GetSecretValueOutcome;
  typedef Aws::Utils::Outcome ListSecretVersionIdsOutcome;
  typedef Aws::Utils::Outcome ListSecretsOutcome;
  typedef Aws::Utils::Outcome PutResourcePolicyOutcome;
  typedef Aws::Utils::Outcome PutSecretValueOutcome;
  typedef Aws::Utils::Outcome RestoreSecretOutcome;
  typedef Aws::Utils::Outcome RotateSecretOutcome;
  typedef Aws::Utils::Outcome TagResourceOutcome;
  typedef Aws::Utils::Outcome UntagResourceOutcome;
  typedef Aws::Utils::Outcome UpdateSecretOutcome;
  typedef Aws::Utils::Outcome UpdateSecretVersionStageOutcome;
  typedef Aws::Utils::Outcome ValidateResourcePolicyOutcome;

  // Future aliases, returned by the *Callable client methods.
  // The std::future element type is missing from this listing.
  typedef std::future CancelRotateSecretOutcomeCallable;
  typedef std::future CreateSecretOutcomeCallable;
  typedef std::future DeleteResourcePolicyOutcomeCallable;
  typedef std::future DeleteSecretOutcomeCallable;
  typedef std::future DescribeSecretOutcomeCallable;
  typedef std::future GetRandomPasswordOutcomeCallable;
  typedef std::future GetResourcePolicyOutcomeCallable;
  typedef std::future GetSecretValueOutcomeCallable;
  typedef std::future ListSecretVersionIdsOutcomeCallable;
  typedef std::future ListSecretsOutcomeCallable;
  typedef std::future PutResourcePolicyOutcomeCallable;
  typedef std::future PutSecretValueOutcomeCallable;
  typedef std::future RestoreSecretOutcomeCallable;
  typedef std::future RotateSecretOutcomeCallable;
  typedef std::future TagResourceOutcomeCallable;
  typedef std::future UntagResourceOutcomeCallable;
  typedef std::future UpdateSecretOutcomeCallable;
  typedef std::future UpdateSecretVersionStageOutcomeCallable;
  typedef std::future ValidateResourcePolicyOutcomeCallable;
} // namespace Model

  class SecretsManagerClient;

  // Completion-callback types, accepted by the *Async client methods.
  // The std::function signatures are truncated in this listing; only the
  // trailing `&) >` of each survives.
  typedef std::function&) > CancelRotateSecretResponseReceivedHandler;
  typedef std::function&) > CreateSecretResponseReceivedHandler;
  typedef std::function&) > DeleteResourcePolicyResponseReceivedHandler;
  typedef std::function&) > DeleteSecretResponseReceivedHandler;
  typedef std::function&) > DescribeSecretResponseReceivedHandler;
  typedef std::function&) > GetRandomPasswordResponseReceivedHandler;
  typedef std::function&) > GetResourcePolicyResponseReceivedHandler;
  typedef std::function&) > GetSecretValueResponseReceivedHandler;
  typedef std::function&) > ListSecretVersionIdsResponseReceivedHandler;
  typedef std::function&) > ListSecretsResponseReceivedHandler;
  typedef std::function&) > PutResourcePolicyResponseReceivedHandler;
  typedef std::function&) > PutSecretValueResponseReceivedHandler;
  typedef std::function&) > RestoreSecretResponseReceivedHandler;
  typedef std::function&) > RotateSecretResponseReceivedHandler;
  typedef std::function&) > TagResourceResponseReceivedHandler;
  typedef std::function&) > UntagResourceResponseReceivedHandler;
  typedef std::function&) > UpdateSecretResponseReceivedHandler;
  typedef std::function&) > UpdateSecretVersionStageResponseReceivedHandler;
  typedef std::function&) > ValidateResourcePolicyResponseReceivedHandler;

  /** * AWS Secrets Manager API Reference

AWS Secrets Manager * provides a service to enable you to store, manage, and retrieve secrets.

*

This guide provides descriptions of the Secrets Manager API. For more * information about using this service, see the AWS * Secrets Manager User Guide.

API Version

This version * of the Secrets Manager API Reference documents the Secrets Manager API version * 2017-10-17.

As an alternative to using the API, you can use one of * the AWS SDKs, which consist of libraries and sample code for various programming * languages and platforms such as Java, Ruby, .NET, iOS, and Android. The SDKs * provide a convenient way to create programmatic access to AWS Secrets Manager. * For example, the SDKs take care of cryptographically signing requests, managing * errors, and retrying requests automatically. For more information about the AWS * SDKs, including downloading and installing them, see Tools for Amazon Web Services.

*

We recommend you use the AWS SDKs to make programmatic API calls to * Secrets Manager. However, you also can use the Secrets Manager HTTP Query API to * make direct calls to the Secrets Manager web service. To learn more about the * Secrets Manager HTTP Query API, see Making * Query Requests in the AWS Secrets Manager User Guide.

The Secrets * Manager API supports GET and POST requests for all actions, and doesn't require * you to use GET for some actions and POST for others. However, GET requests are * subject to the size limitation of a URL. Therefore, for operations that require * larger sizes, use a POST request.

Support and Feedback for AWS * Secrets Manager

We welcome your feedback. Send your comments to awssecretsmanager-feedback@amazon.com, * or post your feedback and questions in the AWS Secrets Manager * Discussion Forum. For more information about the AWS Discussion Forums, see * Forums Help.

How * examples are presented

The JSON that AWS Secrets Manager expects as * your request parameters and the service returns as a response to HTTP query * requests contains single, long strings without line breaks or white space * formatting. The JSON shown in the examples displays the code formatted with both * line breaks and white space to improve readability. When example input * parameters can also cause long strings extending beyond the screen, you can * insert line breaks to enhance readability. You should always submit the input as * a single JSON text string.

Logging API Requests

AWS * Secrets Manager supports AWS CloudTrail, a service that records AWS API calls * for your AWS account and delivers log files to an Amazon S3 bucket. By using * information that's collected by AWS CloudTrail, you can determine the requests * successfully made to Secrets Manager, who made the request, when it was made, * and so on. For more information about AWS Secrets Manager and support for AWS CloudTrail, * see Logging * AWS Secrets Manager Events with AWS CloudTrail in the AWS Secrets Manager * User Guide. To learn more about CloudTrail, including how to enable it and find * your log files, see the AWS * CloudTrail User Guide.

*/
class AWS_SECRETSMANAGER_API SecretsManagerClient : public Aws::Client::AWSJsonClient
{
public:
    // Alias for the base class this client derives from.
    typedef Aws::Client::AWSJsonClient BASECLASS;

    /**
     * Initializes client to use DefaultCredentialProviderChain, with default http client factory, and optional client config.
     * If client config is not specified, it will be initialized to default values.
     *
     * Credentials are resolved by the provider chain rather than passed in by the caller.
     */
    SecretsManagerClient(const Aws::Client::ClientConfiguration& clientConfiguration = Aws::Client::ClientConfiguration());

    /**
     * Initializes client to use SimpleAWSCredentialsProvider, with default http client factory, and optional client config.
     * If client config is not specified, it will be initialized to default values.
     *
     * NOTE(review): the caller supplies the credential object directly here. Keep that key material out of
     * source and configuration files, and prefer one of the provider-based constructors where credentials
     * are short-lived or rotated; confirm against the deployment's credential policy.
     */
    SecretsManagerClient(const Aws::Auth::AWSCredentials& credentials, const Aws::Client::ClientConfiguration& clientConfiguration = Aws::Client::ClientConfiguration());

    /**
     * Initializes client to use specified credentials provider with specified client config. If http client factory is not supplied,
     * the default http client factory will be used
     *
     * NOTE(review): the signature shown here has no http client factory parameter, and the shared_ptr's
     * element type is missing from this listing (presumably Aws::Auth::AWSCredentialsProvider; confirm upstream).
     */
    SecretsManagerClient(const std::shared_ptr& credentialsProvider, const Aws::Client::ClientConfiguration& clientConfiguration = Aws::Client::ClientConfiguration());

    virtual ~SecretsManagerClient();

    /** *

Disables automatic scheduled rotation and cancels the rotation of a secret if * currently in progress.

To re-enable scheduled rotation, call * RotateSecret with AutomaticallyRotateAfterDays set to a * value greater than 0. This immediately rotates your secret and then enables the * automatic schedule.

If you cancel a rotation while in progress, it * can leave the VersionStage labels in an unexpected state. Depending * on the step of the rotation in progress, you might need to remove the staging * label AWSPENDING from the partially created version, specified by * the VersionId response value. You should also evaluate the * partially rotated new version to see if it should be deleted, which you can do * by removing all staging labels from the new version VersionStage * field.

To successfully start a rotation, the staging label * AWSPENDING must be in one of the following states:

  • *

    Not attached to any version at all

  • Attached to the same * version as the staging label AWSCURRENT

If the * staging label AWSPENDING is attached to a different version than the * version with AWSCURRENT, then the attempt to rotate fails.

* Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:CancelRotateSecret

    *

Related operations

  • To configure * rotation for a secret or to manually trigger a rotation, use * RotateSecret.

  • To get the rotation configuration details * for a secret, use DescribeSecret.

  • To list all of the * currently available secrets, use ListSecrets.

  • To list * all of the versions currently associated with a secret, use * ListSecretVersionIds.

See Also:

AWS * API Reference

*/ virtual Model::CancelRotateSecretOutcome CancelRotateSecret(const Model::CancelRotateSecretRequest& request) const; /** *

Disables automatic scheduled rotation and cancels the rotation of a secret if * currently in progress.

To re-enable scheduled rotation, call * RotateSecret with AutomaticallyRotateAfterDays set to a * value greater than 0. This immediately rotates your secret and then enables the * automatic schedule.

If you cancel a rotation while in progress, it * can leave the VersionStage labels in an unexpected state. Depending * on the step of the rotation in progress, you might need to remove the staging * label AWSPENDING from the partially created version, specified by * the VersionId response value. You should also evaluate the * partially rotated new version to see if it should be deleted, which you can do * by removing all staging labels from the new version VersionStage * field.

To successfully start a rotation, the staging label * AWSPENDING must be in one of the following states:

  • *

    Not attached to any version at all

  • Attached to the same * version as the staging label AWSCURRENT

If the * staging label AWSPENDING is attached to a different version than the * version with AWSCURRENT, then the attempt to rotate fails.

* Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:CancelRotateSecret

    *

Related operations

  • To configure * rotation for a secret or to manually trigger a rotation, use * RotateSecret.

  • To get the rotation configuration details * for a secret, use DescribeSecret.

  • To list all of the * currently available secrets, use ListSecrets.

  • To list * all of the versions currently associated with a secret, use * ListSecretVersionIds.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::CancelRotateSecretOutcomeCallable CancelRotateSecretCallable(const Model::CancelRotateSecretRequest& request) const; /** *

Disables automatic scheduled rotation and cancels the rotation of a secret if * currently in progress.

To re-enable scheduled rotation, call * RotateSecret with AutomaticallyRotateAfterDays set to a * value greater than 0. This immediately rotates your secret and then enables the * automatic schedule.

If you cancel a rotation while in progress, it * can leave the VersionStage labels in an unexpected state. Depending * on the step of the rotation in progress, you might need to remove the staging * label AWSPENDING from the partially created version, specified by * the VersionId response value. You should also evaluate the * partially rotated new version to see if it should be deleted, which you can do * by removing all staging labels from the new version VersionStage * field.

To successfully start a rotation, the staging label * AWSPENDING must be in one of the following states:

  • *

    Not attached to any version at all

  • Attached to the same * version as the staging label AWSCURRENT

If the * staging label AWSPENDING is attached to a different version than the * version with AWSCURRENT, then the attempt to rotate fails.

* Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:CancelRotateSecret

    *

Related operations

  • To configure * rotation for a secret or to manually trigger a rotation, use * RotateSecret.

  • To get the rotation configuration details * for a secret, use DescribeSecret.

  • To list all of the * currently available secrets, use ListSecrets.

  • To list * all of the versions currently associated with a secret, use * ListSecretVersionIds.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void CancelRotateSecretAsync(const Model::CancelRotateSecretRequest& request, const CancelRotateSecretResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Creates a new secret. A secret in Secrets Manager consists of both the * protected secret data and the important information needed to manage the * secret.

Secrets Manager stores the encrypted secret data in one of a * collection of "versions" associated with the secret. Each version contains a * copy of the encrypted secret data. Each version is associated with one or more * "staging labels" that identify where the version is in the rotation cycle. The * SecretVersionsToStages field of the secret contains the mapping of * staging labels to the active versions of the secret. Versions without a staging * label are considered deprecated and not included in the list.

You provide * the secret data to be encrypted by putting text in either the * SecretString parameter or binary data in the * SecretBinary parameter, but not both. If you include * SecretString or SecretBinary then Secrets Manager also * creates an initial secret version and automatically attaches the staging label * AWSCURRENT to the new version.

  • If you call * an operation to encrypt or decrypt the SecretString or * SecretBinary for a secret in the same account as the calling user * and that secret doesn't specify an AWS KMS encryption key, Secrets Manager uses * the account's default AWS managed customer master key (CMK) with the alias * aws/secretsmanager. If this key doesn't already exist in your * account then Secrets Manager creates it for you automatically. All users and * roles in the same AWS account automatically have access to use the default CMK. * Note that if a Secrets Manager API call results in AWS creating the account's * AWS-managed CMK, it can result in a one-time significant delay in returning the * result.

  • If the secret resides in a different AWS account from * the credentials calling an API that requires encryption or decryption of the * secret value then you must create and use a custom AWS KMS CMK because you can't * access the default CMK for the account using credentials from a different AWS * account. Store the ARN of the CMK in the secret when you create the secret or * when you update it by including it in the KMSKeyId. If you call an * API that must encrypt or decrypt SecretString or * SecretBinary using credentials from a different account then the * AWS KMS key policy must grant cross-account access to that other account's user * or role for both the kms:GenerateDataKey and kms:Decrypt operations.

  • *

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:CreateSecret

  • kms:GenerateDataKey - needed * only if you use a customer-managed AWS KMS key to encrypt the secret. You do not * need this permission to use the account default AWS managed CMK for Secrets * Manager.

  • kms:Decrypt - needed only if you use a * customer-managed AWS KMS key to encrypt the secret. You do not need this * permission to use the account default AWS managed CMK for Secrets Manager.

    *
  • secretsmanager:TagResource - needed only if you include the * Tags parameter.

Related operations

*
  • To delete a secret, use DeleteSecret.

  • To * modify an existing secret, use UpdateSecret.

  • To create * a new version of a secret, use PutSecretValue.

  • To * retrieve the encrypted secure string and secure binary values, use * GetSecretValue.

  • To retrieve all other details for a * secret, use DescribeSecret. This does not include the encrypted secure * string and secure binary values.

  • To retrieve the list of * secret versions associated with the current secret, use DescribeSecret * and examine the SecretVersionsToStages response value.

  • *

See Also:

AWS * API Reference

*/ virtual Model::CreateSecretOutcome CreateSecret(const Model::CreateSecretRequest& request) const; /** *

Creates a new secret. A secret in Secrets Manager consists of both the * protected secret data and the important information needed to manage the * secret.

Secrets Manager stores the encrypted secret data in one of a * collection of "versions" associated with the secret. Each version contains a * copy of the encrypted secret data. Each version is associated with one or more * "staging labels" that identify where the version is in the rotation cycle. The * SecretVersionsToStages field of the secret contains the mapping of * staging labels to the active versions of the secret. Versions without a staging * label are considered deprecated and not included in the list.

You provide * the secret data to be encrypted by putting text in either the * SecretString parameter or binary data in the * SecretBinary parameter, but not both. If you include * SecretString or SecretBinary then Secrets Manager also * creates an initial secret version and automatically attaches the staging label * AWSCURRENT to the new version.

  • If you call * an operation to encrypt or decrypt the SecretString or * SecretBinary for a secret in the same account as the calling user * and that secret doesn't specify an AWS KMS encryption key, Secrets Manager uses * the account's default AWS managed customer master key (CMK) with the alias * aws/secretsmanager. If this key doesn't already exist in your * account then Secrets Manager creates it for you automatically. All users and * roles in the same AWS account automatically have access to use the default CMK. * Note that if a Secrets Manager API call results in AWS creating the account's * AWS-managed CMK, it can result in a one-time significant delay in returning the * result.

  • If the secret resides in a different AWS account from * the credentials calling an API that requires encryption or decryption of the * secret value then you must create and use a custom AWS KMS CMK because you can't * access the default CMK for the account using credentials from a different AWS * account. Store the ARN of the CMK in the secret when you create the secret or * when you update it by including it in the KMSKeyId. If you call an * API that must encrypt or decrypt SecretString or * SecretBinary using credentials from a different account then the * AWS KMS key policy must grant cross-account access to that other account's user * or role for both the kms:GenerateDataKey and kms:Decrypt operations.

  • *

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:CreateSecret

  • kms:GenerateDataKey - needed * only if you use a customer-managed AWS KMS key to encrypt the secret. You do not * need this permission to use the account default AWS managed CMK for Secrets * Manager.

  • kms:Decrypt - needed only if you use a * customer-managed AWS KMS key to encrypt the secret. You do not need this * permission to use the account default AWS managed CMK for Secrets Manager.

    *
  • secretsmanager:TagResource - needed only if you include the * Tags parameter.

Related operations

*
  • To delete a secret, use DeleteSecret.

  • To * modify an existing secret, use UpdateSecret.

  • To create * a new version of a secret, use PutSecretValue.

  • To * retrieve the encrypted secure string and secure binary values, use * GetSecretValue.

  • To retrieve all other details for a * secret, use DescribeSecret. This does not include the encrypted secure * string and secure binary values.

  • To retrieve the list of * secret versions associated with the current secret, use DescribeSecret * and examine the SecretVersionsToStages response value.

  • *

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::CreateSecretOutcomeCallable CreateSecretCallable(const Model::CreateSecretRequest& request) const; /** *

Creates a new secret. A secret in Secrets Manager consists of both the * protected secret data and the important information needed to manage the * secret.

Secrets Manager stores the encrypted secret data in one of a * collection of "versions" associated with the secret. Each version contains a * copy of the encrypted secret data. Each version is associated with one or more * "staging labels" that identify where the version is in the rotation cycle. The * SecretVersionsToStages field of the secret contains the mapping of * staging labels to the active versions of the secret. Versions without a staging * label are considered deprecated and not included in the list.

You provide * the secret data to be encrypted by putting text in either the * SecretString parameter or binary data in the * SecretBinary parameter, but not both. If you include * SecretString or SecretBinary then Secrets Manager also * creates an initial secret version and automatically attaches the staging label * AWSCURRENT to the new version.

  • If you call * an operation to encrypt or decrypt the SecretString or * SecretBinary for a secret in the same account as the calling user * and that secret doesn't specify an AWS KMS encryption key, Secrets Manager uses * the account's default AWS managed customer master key (CMK) with the alias * aws/secretsmanager. If this key doesn't already exist in your * account then Secrets Manager creates it for you automatically. All users and * roles in the same AWS account automatically have access to use the default CMK. * Note that if a Secrets Manager API call results in AWS creating the account's * AWS-managed CMK, it can result in a one-time significant delay in returning the * result.

  • If the secret resides in a different AWS account from * the credentials calling an API that requires encryption or decryption of the * secret value then you must create and use a custom AWS KMS CMK because you can't * access the default CMK for the account using credentials from a different AWS * account. Store the ARN of the CMK in the secret when you create the secret or * when you update it by including it in the KMSKeyId. If you call an * API that must encrypt or decrypt SecretString or * SecretBinary using credentials from a different account then the * AWS KMS key policy must grant cross-account access to that other account's user * or role for both the kms:GenerateDataKey and kms:Decrypt operations.

  • *

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:CreateSecret

  • kms:GenerateDataKey - needed * only if you use a customer-managed AWS KMS key to encrypt the secret. You do not * need this permission to use the account default AWS managed CMK for Secrets * Manager.

  • kms:Decrypt - needed only if you use a * customer-managed AWS KMS key to encrypt the secret. You do not need this * permission to use the account default AWS managed CMK for Secrets Manager.

    *
  • secretsmanager:TagResource - needed only if you include the * Tags parameter.

Related operations

*
  • To delete a secret, use DeleteSecret.

  • To * modify an existing secret, use UpdateSecret.

  • To create * a new version of a secret, use PutSecretValue.

  • To * retrieve the encrypted secure string and secure binary values, use * GetSecretValue.

  • To retrieve all other details for a * secret, use DescribeSecret. This does not include the encrypted secure * string and secure binary values.

  • To retrieve the list of * secret versions associated with the current secret, use DescribeSecret * and examine the SecretVersionsToStages response value.

  • *

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void CreateSecretAsync(const Model::CreateSecretRequest& request, const CreateSecretResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Deletes the resource-based permission policy attached to the secret.

* Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:DeleteResourcePolicy

    *

Related operations

  • To attach a resource * policy to a secret, use PutResourcePolicy.

  • To retrieve * the current resource-based policy that's attached to a secret, use * GetResourcePolicy.

  • To list all of the currently * available secrets, use ListSecrets.

See Also:

* AWS * API Reference

*/ virtual Model::DeleteResourcePolicyOutcome DeleteResourcePolicy(const Model::DeleteResourcePolicyRequest& request) const; /** *

Deletes the resource-based permission policy attached to the secret.

* Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:DeleteResourcePolicy

    *

Related operations

  • To attach a resource * policy to a secret, use PutResourcePolicy.

  • To retrieve * the current resource-based policy that's attached to a secret, use * GetResourcePolicy.

  • To list all of the currently * available secrets, use ListSecrets.

See Also:

* AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::DeleteResourcePolicyOutcomeCallable DeleteResourcePolicyCallable(const Model::DeleteResourcePolicyRequest& request) const; /** *

Deletes the resource-based permission policy attached to the secret.

* Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:DeleteResourcePolicy

    *

Related operations

  • To attach a resource * policy to a secret, use PutResourcePolicy.

  • To retrieve * the current resource-based policy that's attached to a secret, use * GetResourcePolicy.

  • To list all of the currently * available secrets, use ListSecrets.

See Also:

* AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void DeleteResourcePolicyAsync(const Model::DeleteResourcePolicyRequest& request, const DeleteResourcePolicyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Deletes an entire secret and all of its versions. You can optionally include * a recovery window during which you can restore the secret. If you don't specify * a recovery window value, the operation defaults to 30 days. Secrets Manager * attaches a DeletionDate stamp to the secret that specifies the end * of the recovery window. At the end of the recovery window, Secrets Manager * deletes the secret permanently.

At any time before the recovery window ends, * you can use RestoreSecret to remove the DeletionDate and * cancel the deletion of the secret.

You cannot access the encrypted secret * information in any secret that is scheduled for deletion. If you need to access * that information, you must cancel the deletion with RestoreSecret and * then retrieve the information.

  • There is no explicit * operation to delete a version of a secret. Instead, remove all staging labels * from the VersionStage field of a version. That marks the version as * deprecated and allows Secrets Manager to delete it as needed. Versions that do * not have any staging labels do not show up in ListSecretVersionIds unless * you specify IncludeDeprecated.

  • The permanent * secret deletion at the end of the waiting period is performed as a background * task with low priority. There is no guarantee of a specific time after the * recovery window for the actual delete operation to occur.

*

Minimum permissions

To run this command, you must * have the following permissions:

  • secretsmanager:DeleteSecret

    *

Related operations

  • To create a secret, * use CreateSecret.

  • To cancel deletion of a version of a * secret before the recovery window has expired, use RestoreSecret.

    *

See Also:

AWS * API Reference

*/ virtual Model::DeleteSecretOutcome DeleteSecret(const Model::DeleteSecretRequest& request) const; /** *

Deletes an entire secret and all of its versions. You can optionally include * a recovery window during which you can restore the secret. If you don't specify * a recovery window value, the operation defaults to 30 days. Secrets Manager * attaches a DeletionDate stamp to the secret that specifies the end * of the recovery window. At the end of the recovery window, Secrets Manager * deletes the secret permanently.

At any time before the recovery window ends, * you can use RestoreSecret to remove the DeletionDate and * cancel the deletion of the secret.

You cannot access the encrypted secret * information in any secret that is scheduled for deletion. If you need to access * that information, you must cancel the deletion with RestoreSecret and * then retrieve the information.

  • There is no explicit * operation to delete a version of a secret. Instead, remove all staging labels * from the VersionStage field of a version. That marks the version as * deprecated and allows Secrets Manager to delete it as needed. Versions that do * not have any staging labels do not show up in ListSecretVersionIds unless * you specify IncludeDeprecated.

  • The permanent * secret deletion at the end of the waiting period is performed as a background * task with low priority. There is no guarantee of a specific time after the * recovery window for the actual delete operation to occur.

*

Minimum permissions

To run this command, you must * have the following permissions:

  • secretsmanager:DeleteSecret

    *

Related operations

  • To create a secret, * use CreateSecret.

  • To cancel deletion of a version of a * secret before the recovery window has expired, use RestoreSecret.

    *

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */
// Future-returning form: the result type is Model::DeleteSecretOutcomeCallable, one of the
// std::future typedefs declared near the top of this header.
// NOTE(review): request is a reference parameter; whether it has to outlive the returned
// future is not visible in this declaration, so confirm before passing a temporary.
virtual Model::DeleteSecretOutcomeCallable DeleteSecretCallable(const Model::DeleteSecretRequest& request) const; /** *

Deletes an entire secret and all of its versions. You can optionally include * a recovery window during which you can restore the secret. If you don't specify * a recovery window value, the operation defaults to 30 days. Secrets Manager * attaches a DeletionDate stamp to the secret that specifies the end * of the recovery window. At the end of the recovery window, Secrets Manager * deletes the secret permanently.

At any time before the recovery window ends, * you can use RestoreSecret to remove the DeletionDate and * cancel the deletion of the secret.

You cannot access the encrypted secret * information in any secret that is scheduled for deletion. If you need to access * that information, you must cancel the deletion with RestoreSecret and * then retrieve the information.

  • There is no explicit * operation to delete a version of a secret. Instead, remove all staging labels * from the VersionStage field of a version. That marks the version as * deprecated and allows Secrets Manager to delete it as needed. Versions that do * not have any staging labels do not show up in ListSecretVersionIds unless * you specify IncludeDeprecated.

  • The permanent * secret deletion at the end of the waiting period is performed as a background * task with low priority. There is no guarantee of a specific time after the * recovery window for the actual delete operation to occur.

*

Minimum permissions

To run this command, you must * have the following permissions:

  • secretsmanager:DeleteSecret

    *

Related operations

  • To create a secret, * use CreateSecret.

  • To cancel deletion of a version of a * secret before the recovery window has expired, use RestoreSecret.

    *

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */
// Callback form: returns void and reports completion through handler; context may be
// omitted (it defaults to nullptr).
// NOTE(review): the handler presumably runs on an executor thread rather than the caller's;
// confirm, and guard any shared state it touches.
// NOTE(review): std::shared_ptr is shown without a template argument, which looks like
// extraction damage; restore it from the upstream header before compiling.
virtual void DeleteSecretAsync(const Model::DeleteSecretRequest& request, const DeleteSecretResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Retrieves the details of a secret. It does not include the encrypted fields. * Secrets Manager only returns fields populated with a value in the response.

*

Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:DescribeSecret

  • *

Related operations

See Also:

AWS * API Reference

*/
// Direct-return form: takes the request by const reference and returns a
// Model::DescribeSecretOutcome by value.
// The text above states the encrypted fields are not included, so this is the call to use
// when code needs details about a secret without handling its value.
virtual Model::DescribeSecretOutcome DescribeSecret(const Model::DescribeSecretRequest& request) const; /** *

Retrieves the details of a secret. It does not include the encrypted fields. * Secrets Manager only returns fields populated with a value in the response.

*

Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:DescribeSecret

  • *

Related operations

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */
// Future-returning form: yields a Model::DescribeSecretOutcomeCallable (a std::future
// typedef declared near the top of this header) instead of the outcome itself.
// NOTE(review): request is taken by reference; confirm whether it must stay alive until
// the future is ready, since the implementation is not shown here.
virtual Model::DescribeSecretOutcomeCallable DescribeSecretCallable(const Model::DescribeSecretRequest& request) const; /** *

Retrieves the details of a secret. It does not include the encrypted fields. * Secrets Manager only returns fields populated with a value in the response.

*

Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:DescribeSecret

  • *

Related operations

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */
// Callback form: nothing is returned; handler is triggered when the operation has finished
// and context is optional (default nullptr).
// NOTE(review): the handler presumably executes on an executor thread; confirm, and
// synchronize any state it shares with the caller.
// NOTE(review): std::shared_ptr has no template argument as shown, which looks like
// extraction damage; take the parameter type from the upstream header.
virtual void DescribeSecretAsync(const Model::DescribeSecretRequest& request, const DescribeSecretResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Generates a random password of the specified complexity. This operation is * intended for use in the Lambda rotation function. Per best practice, we * recommend that you specify the maximum length and include every character type * that the system you are generating a password for can support.

* Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:GetRandomPassword

    *

See Also:

AWS * API Reference

*/
// Direct-return form: takes the request by const reference and returns a
// Model::GetRandomPasswordOutcome by value.
// The outcome carries the generated password, so treat it like any other secret value:
// keep it out of logs and error messages and hold it only as long as needed.
virtual Model::GetRandomPasswordOutcome GetRandomPassword(const Model::GetRandomPasswordRequest& request) const; /** *

Generates a random password of the specified complexity. This operation is * intended for use in the Lambda rotation function. Per best practice, we * recommend that you specify the maximum length and include every character type * that the system you are generating a password for can support.

* Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:GetRandomPassword

    *

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */
// Future-returning form: the Model::GetRandomPasswordOutcomeCallable is a std::future
// typedef declared near the top of this header; the generated password sits inside the
// future's result, so the same handling rules apply as for any secret value.
// NOTE(review): request is a reference parameter; confirm whether it must outlive the
// future, which this declaration does not show.
virtual Model::GetRandomPasswordOutcomeCallable GetRandomPasswordCallable(const Model::GetRandomPasswordRequest& request) const; /** *

Generates a random password of the specified complexity. This operation is * intended for use in the Lambda rotation function. Per best practice, we * recommend that you specify the maximum length and include every character type * that the system you are generating a password for can support.

* Minimum permissions

To run this command, you must have the * following permissions:

  • secretsmanager:GetRandomPassword

    *

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */
// Callback form: returns void; the generated password reaches the caller only through
// handler, so the handler should not log or persist what it receives. context is optional
// (default nullptr).
// NOTE(review): the handler presumably runs on an executor thread; confirm, and guard any
// shared state it writes the password into.
// NOTE(review): std::shared_ptr is shown without a template argument, which looks like
// extraction damage; restore it from the upstream header.
virtual void GetRandomPasswordAsync(const Model::GetRandomPasswordRequest& request, const GetRandomPasswordResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Retrieves the JSON text of the resource-based policy document attached to the * specified secret. The JSON request string input and response output displays * formatted code with white space and line breaks for better readability. Submit * your input as a single line JSON string.

Minimum permissions

*

To run this command, you must have the following permissions:

  • *

    secretsmanager:GetResourcePolicy

Related * operations

See Also:

AWS * API Reference

*/
// Direct-return form: takes the request by const reference and returns a
// Model::GetResourcePolicyOutcome by value.
// Per the text above the outcome carries the resource-based policy JSON attached to the
// secret, which makes this the read side of an access review for that secret.
virtual Model::GetResourcePolicyOutcome GetResourcePolicy(const Model::GetResourcePolicyRequest& request) const; /** *

Retrieves the JSON text of the resource-based policy document attached to the * specified secret. The JSON request string input and response output displays * formatted code with white space and line breaks for better readability. Submit * your input as a single line JSON string.

Minimum permissions

*

To run this command, you must have the following permissions:

  • *

    secretsmanager:GetResourcePolicy

Related * operations

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */
// Future-returning form: yields a Model::GetResourcePolicyOutcomeCallable, one of the
// std::future typedefs declared near the top of this header.
// NOTE(review): request is taken by reference; whether it must outlive the future is not
// visible here, so confirm before passing a temporary.
virtual Model::GetResourcePolicyOutcomeCallable GetResourcePolicyCallable(const Model::GetResourcePolicyRequest& request) const; /** *

Retrieves the JSON text of the resource-based policy document attached to the * specified secret. The JSON request string input and response output displays * formatted code with white space and line breaks for better readability. Submit * your input as a single line JSON string.

Minimum permissions

*

To run this command, you must have the following permissions:

  • *

    secretsmanager:GetResourcePolicy

Related * operations

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */
// Callback form: returns void and delivers the result through handler; context is optional
// and defaults to nullptr.
// NOTE(review): the handler presumably runs on an executor thread; confirm, and
// synchronize any state it shares with the caller.
// NOTE(review): std::shared_ptr appears without a template argument, which looks like
// extraction damage; restore it from the upstream header.
virtual void GetResourcePolicyAsync(const Model::GetResourcePolicyRequest& request, const GetResourcePolicyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Retrieves the contents of the encrypted fields SecretString or * SecretBinary from the specified version of a secret, whichever * contains content.

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:GetSecretValue

  • kms:Decrypt - required only * if you use a customer-managed AWS KMS key to encrypt the secret. You do not need * this permission to use the account's default AWS managed CMK for Secrets * Manager.

Related operations

  • To * create a new version of the secret with different encrypted information, use * PutSecretValue.

  • To retrieve the non-encrypted details * for the secret, use DescribeSecret.

See Also:

* AWS * API Reference

*/
// Direct-return form: takes the request by const reference and returns a
// Model::GetSecretValueOutcome by value; check IsSuccess() before reading the result.
// Per the text above the outcome holds the contents of SecretString or SecretBinary, i.e.
// the secret itself. Keep it out of logs, exception text and crash reports, and keep the
// outcome object alive no longer than the code that needs the value.
virtual Model::GetSecretValueOutcome GetSecretValue(const Model::GetSecretValueRequest& request) const; /** *

Retrieves the contents of the encrypted fields SecretString or * SecretBinary from the specified version of a secret, whichever * contains content.

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:GetSecretValue

  • kms:Decrypt - required only * if you use a customer-managed AWS KMS key to encrypt the secret. You do not need * this permission to use the account's default AWS managed CMK for Secrets * Manager.

Related operations

  • To * create a new version of the secret with different encrypted information, use * PutSecretValue.

  • To retrieve the non-encrypted details * for the secret, use DescribeSecret.

See Also:

* AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */
// Future-returning form: the Model::GetSecretValueOutcomeCallable is a std::future typedef
// declared near the top of this header. The secret contents live inside the future's
// result, so an unconsumed future keeps the secret in memory until it is destroyed.
// NOTE(review): request is a reference parameter; confirm whether it must outlive the
// future, which this declaration does not show.
virtual Model::GetSecretValueOutcomeCallable GetSecretValueCallable(const Model::GetSecretValueRequest& request) const; /** *

Retrieves the contents of the encrypted fields SecretString or * SecretBinary from the specified version of a secret, whichever * contains content.

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:GetSecretValue

  • kms:Decrypt - required only * if you use a customer-managed AWS KMS key to encrypt the secret. You do not need * this permission to use the account's default AWS managed CMK for Secrets * Manager.

Related operations

  • To * create a new version of the secret with different encrypted information, use * PutSecretValue.

  • To retrieve the non-encrypted details * for the secret, use DescribeSecret.

See Also:

* AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */
// Callback form: returns void; the secret contents reach the caller only through handler,
// so the handler must not log, trace or persist what it is given. context is optional
// (default nullptr).
// NOTE(review): the handler presumably runs on an executor thread; confirm, and protect
// whatever structure it copies the secret into.
// NOTE(review): std::shared_ptr is shown without a template argument, which looks like
// extraction damage; restore it from the upstream header.
virtual void GetSecretValueAsync(const Model::GetSecretValueRequest& request, const GetSecretValueResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Lists all of the versions attached to the specified secret. The output does * not include the SecretString or SecretBinary fields. * By default, the list includes only versions that have at least one staging label * in VersionStage attached.

Always check the * NextToken response parameter when calling any of the * List* operations. These operations can occasionally return an empty * or shorter than expected list of results even when there are more results * available. When this happens, the NextToken response parameter * contains a value to pass to the next call to the same API to request the next * part of the list.

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:ListSecretVersionIds

Related * operations

  • To list the secrets in an account, use * ListSecrets.

See Also:

AWS * API Reference

*/
// Direct-return form: takes the request by const reference and returns a
// Model::ListSecretVersionIdsOutcome by value.
// One call may return only part of the list (see the NextToken paragraph above); code that
// audits or cleans up versions has to keep calling until no NextToken comes back, or it
// can silently miss versions.
virtual Model::ListSecretVersionIdsOutcome ListSecretVersionIds(const Model::ListSecretVersionIdsRequest& request) const; /** *

Lists all of the versions attached to the specified secret. The output does * not include the SecretString or SecretBinary fields. * By default, the list includes only versions that have at least one staging label * in VersionStage attached.

Always check the * NextToken response parameter when calling any of the * List* operations. These operations can occasionally return an empty * or shorter than expected list of results even when there are more results * available. When this happens, the NextToken response parameter * contains a value to pass to the next call to the same API to request the next * part of the list.

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:ListSecretVersionIds

Related * operations

  • To list the secrets in an account, use * ListSecrets.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */
// Future-returning form: yields a Model::ListSecretVersionIdsOutcomeCallable, one of the
// std::future typedefs declared near the top of this header. Each future covers a single
// page; follow NextToken with further calls to get the rest.
// NOTE(review): request is taken by reference; confirm whether it must outlive the future,
// which this declaration does not show.
virtual Model::ListSecretVersionIdsOutcomeCallable ListSecretVersionIdsCallable(const Model::ListSecretVersionIdsRequest& request) const; /** *

Lists all of the versions attached to the specified secret. The output does * not include the SecretString or SecretBinary fields. * By default, the list includes only versions that have at least one staging label * in VersionStage attached.

Always check the * NextToken response parameter when calling any of the * List* operations. These operations can occasionally return an empty * or shorter than expected list of results even when there are more results * available. When this happens, the NextToken response parameter * contains a value to pass to the next call to the same API to request the next * part of the list.

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:ListSecretVersionIds

Related * operations

  • To list the secrets in an account, use * ListSecrets.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */
// Callback form: returns void and delivers one page of results through handler; context is
// optional and defaults to nullptr.
// NOTE(review): the handler presumably runs on an executor thread; confirm, and
// synchronize any list it appends results to.
// NOTE(review): std::shared_ptr appears without a template argument, which looks like
// extraction damage; restore it from the upstream header.
virtual void ListSecretVersionIdsAsync(const Model::ListSecretVersionIdsRequest& request, const ListSecretVersionIdsResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Lists all of the secrets that are stored by Secrets Manager in the AWS * account. To list the versions currently stored for a specific secret, use * ListSecretVersionIds. The encrypted fields SecretString and * SecretBinary are not included in the output. To get that * information, call the GetSecretValue operation.

Always * check the NextToken response parameter when calling any of the * List* operations. These operations can occasionally return an empty * or shorter than expected list of results even when there are more results * available. When this happens, the NextToken response parameter * contains a value to pass to the next call to the same API to request the next * part of the list.

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:ListSecrets

Related operations

*

See Also:

AWS * API Reference

*/
// Direct-return form: takes the request by const reference and returns a
// Model::ListSecretsOutcome by value.
// An inventory built from a single call can be incomplete (see the NextToken paragraph
// above); page until no NextToken is returned before treating the list as the full set of
// secrets in the account.
virtual Model::ListSecretsOutcome ListSecrets(const Model::ListSecretsRequest& request) const; /** *

Lists all of the secrets that are stored by Secrets Manager in the AWS * account. To list the versions currently stored for a specific secret, use * ListSecretVersionIds. The encrypted fields SecretString and * SecretBinary are not included in the output. To get that * information, call the GetSecretValue operation.

Always * check the NextToken response parameter when calling any of the * List* operations. These operations can occasionally return an empty * or shorter than expected list of results even when there are more results * available. When this happens, the NextToken response parameter * contains a value to pass to the next call to the same API to request the next * part of the list.

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:ListSecrets

Related operations

*

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */
// Future-returning form: yields a Model::ListSecretsOutcomeCallable, one of the std::future
// typedefs declared near the top of this header. Each future covers a single page of the
// listing.
// NOTE(review): request is a reference parameter; whether it must outlive the future is not
// visible here, so confirm before passing a temporary.
virtual Model::ListSecretsOutcomeCallable ListSecretsCallable(const Model::ListSecretsRequest& request) const; /** *

Lists all of the secrets that are stored by Secrets Manager in the AWS * account. To list the versions currently stored for a specific secret, use * ListSecretVersionIds. The encrypted fields SecretString and * SecretBinary are not included in the output. To get that * information, call the GetSecretValue operation.

Always * check the NextToken response parameter when calling any of the * List* operations. These operations can occasionally return an empty * or shorter than expected list of results even when there are more results * available. When this happens, the NextToken response parameter * contains a value to pass to the next call to the same API to request the next * part of the list.

Minimum permissions

To run this * command, you must have the following permissions:

  • *

    secretsmanager:ListSecrets

Related operations

*

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */
// Callback form: returns void and hands one page of the listing to handler; context is
// optional (default nullptr).
// NOTE(review): the handler presumably runs on an executor thread; confirm, and
// synchronize any collection it fills.
// NOTE(review): std::shared_ptr is shown without a template argument, which looks like
// extraction damage; restore it from the upstream header.
virtual void ListSecretsAsync(const Model::ListSecretsRequest& request, const ListSecretsResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Attaches the contents of the specified resource-based permission policy to a * secret. A resource-based policy is optional. Alternatively, you can use IAM * identity-based policies that specify the secret's Amazon Resource Name (ARN) in * the policy statement's Resources element. You can also use a * combination of both identity-based and resource-based policies. The affected * users and roles receive the permissions that are permitted by all of the * relevant policies. For more information, see Using * Resource-Based Policies for AWS Secrets Manager. For the complete * description of the AWS policy syntax and grammar, see IAM * JSON Policy Reference in the IAM User Guide.

Minimum * permissions

To run this command, you must have the following * permissions:

  • secretsmanager:PutResourcePolicy

*

Related operations

  • To retrieve the resource policy * attached to a secret, use GetResourcePolicy.

  • To delete * the resource-based policy that's attached to a secret, use * DeleteResourcePolicy.

  • To list all of the currently * available secrets, use ListSecrets.

See Also:

* AWS * API Reference

*/
// Direct-return form: takes the request by const reference and returns a
// Model::PutResourcePolicyOutcome by value.
// The policy attached here decides which users and roles can reach the secret, so review it
// for wildcard principals and actions before sending it.
// NOTE(review): this header also forward-declares ValidateResourcePolicyRequest, presumably
// for checking a policy before it is attached; confirm against the upstream API.
virtual Model::PutResourcePolicyOutcome PutResourcePolicy(const Model::PutResourcePolicyRequest& request) const; /** *

Attaches the contents of the specified resource-based permission policy to a * secret. A resource-based policy is optional. Alternatively, you can use IAM * identity-based policies that specify the secret's Amazon Resource Name (ARN) in * the policy statement's Resources element. You can also use a * combination of both identity-based and resource-based policies. The affected * users and roles receive the permissions that are permitted by all of the * relevant policies. For more information, see Using * Resource-Based Policies for AWS Secrets Manager. For the complete * description of the AWS policy syntax and grammar, see IAM * JSON Policy Reference in the IAM User Guide.

Minimum * permissions

To run this command, you must have the following * permissions:

  • secretsmanager:PutResourcePolicy

*

Related operations

  • To retrieve the resource policy * attached to a secret, use GetResourcePolicy.

  • To delete * the resource-based policy that's attached to a secret, use * DeleteResourcePolicy.

  • To list all of the currently * available secrets, use ListSecrets.

See Also:

* AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */
// Future-returning form: yields a Model::PutResourcePolicyOutcomeCallable, one of the
// std::future typedefs declared near the top of this header. Until the future has been
// read and its outcome checked, do not assume the new policy is in force.
// NOTE(review): request is taken by reference; confirm whether it must outlive the future,
// which this declaration does not show.
virtual Model::PutResourcePolicyOutcomeCallable PutResourcePolicyCallable(const Model::PutResourcePolicyRequest& request) const; /** *

Attaches the contents of the specified resource-based permission policy to a * secret. A resource-based policy is optional. Alternatively, you can use IAM * identity-based policies that specify the secret's Amazon Resource Name (ARN) in * the policy statement's Resources element. You can also use a * combination of both identity-based and resource-based policies. The affected * users and roles receive the permissions that are permitted by all of the * relevant policies. For more information, see Using * Resource-Based Policies for AWS Secrets Manager. For the complete * description of the AWS policy syntax and grammar, see IAM * JSON Policy Reference in the IAM User Guide.

Minimum * permissions

To run this command, you must have the following * permissions:

  • secretsmanager:PutResourcePolicy

*

Related operations

  • To retrieve the resource policy * attached to a secret, use GetResourcePolicy.

  • To delete * the resource-based policy that's attached to a secret, use * DeleteResourcePolicy.

  • To list all of the currently * available secrets, use ListSecrets.

See Also:

* AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */
// Callback form: returns void; whether the policy was attached is known only once handler
// has been called with the outcome. context is optional (default nullptr).
// NOTE(review): the handler presumably runs on an executor thread; confirm, and
// synchronize any state it shares with the caller.
// NOTE(review): std::shared_ptr appears without a template argument, which looks like
// extraction damage; restore it from the upstream header.
virtual void PutResourcePolicyAsync(const Model::PutResourcePolicyRequest& request, const PutResourcePolicyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Stores a new encrypted secret value in the specified secret. To do this, the * operation creates a new version and attaches it to the secret. The version can * contain a new SecretString value or a new SecretBinary * value. You can also specify the staging labels that are initially attached to * the new version.

The Secrets Manager console uses only the * SecretString field. To add binary data to a secret with the * SecretBinary field you must use the AWS CLI or one of the AWS * SDKs.

  • If this operation creates the first version for * the secret then Secrets Manager automatically attaches the staging label * AWSCURRENT to the new version.

  • If another version * of this secret already exists, then this operation does not automatically move * any staging labels other than those that you explicitly specify in the * VersionStages parameter.

  • If this operation moves * the staging label AWSCURRENT from another version to this version * (because you included it in the StagingLabels parameter) then * Secrets Manager also automatically moves the staging label * AWSPREVIOUS to the version that AWSCURRENT was removed * from.

  • This operation is idempotent. If a version with a * VersionId with the same value as the * ClientRequestToken parameter already exists and you specify the * same secret data, the operation succeeds but does nothing. However, if the * secret data is different, then the operation fails because you cannot modify an * existing version; you can only create new ones.

  • *

    If you call an operation to encrypt or decrypt the SecretString * or SecretBinary for a secret in the same account as the calling * user and that secret doesn't specify an AWS KMS encryption key, Secrets Manager * uses the account's default AWS managed customer master key (CMK) with the alias * aws/secretsmanager. If this key doesn't already exist in your * account then Secrets Manager creates it for you automatically. All users and * roles in the same AWS account automatically have access to use the default CMK. * Note that if a Secrets Manager API call results in AWS creating the account's * AWS-managed CMK, it can result in a one-time significant delay in returning the * result.

  • If the secret resides in a different AWS account from * the credentials calling an API that requires encryption or decryption of the * secret value then you must create and use a custom AWS KMS CMK because you can't * access the default CMK for the account using credentials from a different AWS * account. Store the ARN of the CMK in the secret when you create the secret or * when you update it by including it in the KMSKeyId. If you call an * API that must encrypt or decrypt SecretString or * SecretBinary using credentials from a different account then the * AWS KMS key policy must grant cross-account access to that other account's user * or role for both the kms:GenerateDataKey and kms:Decrypt operations.

  • *

Minimum permissions

To run this command, you * must have the following permissions:

  • *

    secretsmanager:PutSecretValue

  • kms:GenerateDataKey - needed * only if you use a customer-managed AWS KMS key to encrypt the secret. You do not * need this permission to use the account's default AWS managed CMK for Secrets * Manager.

Related operations

See Also:

* AWS * API Reference

*/
// Direct-return form: takes the request by const reference and returns a
// Model::PutSecretValueOutcome by value.
// The request object carries the new SecretString or SecretBinary in the clear on the
// client side, so do not log or serialize it.
// With the default aws/secretsmanager key, the text above notes that every user and role in
// the account can use the key; access then rests on IAM and the secret's resource policy,
// while a customer-managed key adds its key policy as a second gate.
virtual Model::PutSecretValueOutcome PutSecretValue(const Model::PutSecretValueRequest& request) const; /** *

Stores a new encrypted secret value in the specified secret. To do this, the * operation creates a new version and attaches it to the secret. The version can * contain a new SecretString value or a new SecretBinary * value. You can also specify the staging labels that are initially attached to * the new version.

The Secrets Manager console uses only the * SecretString field. To add binary data to a secret with the * SecretBinary field you must use the AWS CLI or one of the AWS * SDKs.

  • If this operation creates the first version for * the secret then Secrets Manager automatically attaches the staging label * AWSCURRENT to the new version.

  • If another version * of this secret already exists, then this operation does not automatically move * any staging labels other than those that you explicitly specify in the * VersionStages parameter.

  • If this operation moves * the staging label AWSCURRENT from another version to this version * (because you included it in the StagingLabels parameter) then * Secrets Manager also automatically moves the staging label * AWSPREVIOUS to the version that AWSCURRENT was removed * from.

  • This operation is idempotent. If a version with a * VersionId with the same value as the * ClientRequestToken parameter already exists and you specify the * same secret data, the operation succeeds but does nothing. However, if the * secret data is different, then the operation fails because you cannot modify an * existing version; you can only create new ones.

  • *

    If you call an operation to encrypt or decrypt the SecretString * or SecretBinary for a secret in the same account as the calling * user and that secret doesn't specify an AWS KMS encryption key, Secrets Manager * uses the account's default AWS managed customer master key (CMK) with the alias * aws/secretsmanager. If this key doesn't already exist in your * account then Secrets Manager creates it for you automatically. All users and * roles in the same AWS account automatically have access to use the default CMK. * Note that if a Secrets Manager API call results in AWS creating the account's * AWS-managed CMK, it can result in a one-time significant delay in returning the * result.

  • If the secret resides in a different AWS account from * the credentials calling an API that requires encryption or decryption of the * secret value then you must create and use a custom AWS KMS CMK because you can't * access the default CMK for the account using credentials from a different AWS * account. Store the ARN of the CMK in the secret when you create the secret or * when you update it by including it in the KMSKeyId. If you call an * API that must encrypt or decrypt SecretString or * SecretBinary using credentials from a different account then the * AWS KMS key policy must grant cross-account access to that other account's user * or role for both the kms:GenerateDataKey and kms:Decrypt operations.

  • *

Minimum permissions

To run this command, you * must have the following permissions:

  • *

    secretsmanager:PutSecretValue

  • kms:GenerateDataKey - needed * only if you use a customer-managed AWS KMS key to encrypt the secret. You do not * need this permission to use the account's default AWS managed CMK for Secrets * Manager.

Related operations

See Also:

* AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */
// Future-returning form: yields a Model::PutSecretValueOutcomeCallable, one of the
// std::future typedefs declared near the top of this header.
// NOTE(review): request is taken by reference and carries the secret value; whether it must
// stay alive until the future is ready is not visible here, so confirm before wiping or
// destroying it early.
virtual Model::PutSecretValueOutcomeCallable PutSecretValueCallable(const Model::PutSecretValueRequest& request) const; /** *

Stores a new encrypted secret value in the specified secret. To do this, the * operation creates a new version and attaches it to the secret. The version can * contain a new SecretString value or a new SecretBinary * value. You can also specify the staging labels that are initially attached to * the new version.

The Secrets Manager console uses only the * SecretString field. To add binary data to a secret with the * SecretBinary field you must use the AWS CLI or one of the AWS * SDKs.

  • If this operation creates the first version for * the secret then Secrets Manager automatically attaches the staging label * AWSCURRENT to the new version.

  • If another version * of this secret already exists, then this operation does not automatically move * any staging labels other than those that you explicitly specify in the * VersionStages parameter.

  • If this operation moves * the staging label AWSCURRENT from another version to this version * (because you included it in the StagingLabels parameter) then * Secrets Manager also automatically moves the staging label * AWSPREVIOUS to the version that AWSCURRENT was removed * from.

  • This operation is idempotent. If a version with a * VersionId with the same value as the * ClientRequestToken parameter already exists and you specify the * same secret data, the operation succeeds but does nothing. However, if the * secret data is different, then the operation fails because you cannot modify an * existing version; you can only create new ones.

  • *

    If you call an operation to encrypt or decrypt the SecretString * or SecretBinary for a secret in the same account as the calling * user and that secret doesn't specify an AWS KMS encryption key, Secrets Manager * uses the account's default AWS managed customer master key (CMK) with the alias * aws/secretsmanager. If this key doesn't already exist in your * account then Secrets Manager creates it for you automatically. All users and * roles in the same AWS account automatically have access to use the default CMK. * Note that if a Secrets Manager API call results in AWS creating the account's * AWS-managed CMK, it can result in a one-time significant delay in returning the * result.

  • If the secret resides in a different AWS account from * the credentials calling an API that requires encryption or decryption of the * secret value then you must create and use a custom AWS KMS CMK because you can't * access the default CMK for the account using credentials from a different AWS * account. Store the ARN of the CMK in the secret when you create the secret or * when you update it by including it in the KMSKeyId. If you call an * API that must encrypt or decrypt SecretString or * SecretBinary using credentials from a different account then the * AWS KMS key policy must grant cross-account access to that other account's user * or role for both the kms:GenerateDataKey and kms:Decrypt operations.

  • *

Minimum permissions

To run this command, you * must have the following permissions:

  • *

    secretsmanager:PutSecretValue

  • kms:GenerateDataKey - needed * only if you use a customer-managed AWS KMS key to encrypt the secret. You do not * need this permission to use the account's default AWS managed CMK for Secrets * Manager.

Related operations

See Also:

* AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void PutSecretValueAsync(const Model::PutSecretValueRequest& request, const PutSecretValueResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Cancels the scheduled deletion of a secret by removing the DeletedDate time stamp. This makes the secret accessible to query once again.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:RestoreSecret

Related operations *

See Also:

AWS * API Reference

*/ virtual Model::RestoreSecretOutcome RestoreSecret(const Model::RestoreSecretRequest& request) const; /** *

Cancels the scheduled deletion of a secret by removing the DeletedDate time stamp. This makes the secret accessible to query once again.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:RestoreSecret

Related operations *

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::RestoreSecretOutcomeCallable RestoreSecretCallable(const Model::RestoreSecretRequest& request) const; /** *

Cancels the scheduled deletion of a secret by removing the DeletedDate time stamp. This makes the secret accessible to query once again.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:RestoreSecret

Related operations *

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void RestoreSecretAsync(const Model::RestoreSecretRequest& request, const RestoreSecretResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Configures and starts the asynchronous process of rotating this secret. If * you include the configuration parameters, the operation sets those values for * the secret and then immediately starts a rotation. If you do not include the * configuration parameters, the operation starts a rotation with the values * already stored in the secret. After the rotation completes, the protected * service and its clients all use the new version of the secret.

The required configuration information includes the ARN of an AWS Lambda function and the time between scheduled rotations. The Lambda rotation function creates a new version of the secret and creates or updates the credentials on the protected service to match. After testing the new credentials, the function marks the new version of the secret with the staging label AWSCURRENT so that your clients all immediately begin to use the new version. For more information about rotating secrets and how to configure a Lambda function to rotate the secrets for your protected service, see Rotating Secrets in AWS Secrets Manager in the AWS Secrets Manager User Guide.

Secrets Manager schedules the next rotation when the previous * one completes. Secrets Manager schedules the date by adding the rotation * interval (number of days) to the actual date of the last rotation. The service * chooses the hour within that 24-hour date window randomly. The minute is also * chosen somewhat randomly, but weighted towards the top of the hour and * influenced by a variety of factors that help distribute load.

The rotation function must end with the versions of the secret in one of two states:

  • The AWSPENDING and AWSCURRENT staging labels are attached to the same version of the secret, or

  • The AWSPENDING staging label is not attached to any version of the secret.

If the AWSPENDING staging label is present but not attached to the same version as AWSCURRENT, then any later invocation of RotateSecret assumes that a previous rotation request is still in progress and returns an error.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:RotateSecret

  • lambda:InvokeFunction (on the function specified in the secret's metadata)

Related operations

See * Also:

AWS * API Reference

*/ virtual Model::RotateSecretOutcome RotateSecret(const Model::RotateSecretRequest& request) const; /** *

Configures and starts the asynchronous process of rotating this secret. If * you include the configuration parameters, the operation sets those values for * the secret and then immediately starts a rotation. If you do not include the * configuration parameters, the operation starts a rotation with the values * already stored in the secret. After the rotation completes, the protected * service and its clients all use the new version of the secret.

The required configuration information includes the ARN of an AWS Lambda function and the time between scheduled rotations. The Lambda rotation function creates a new version of the secret and creates or updates the credentials on the protected service to match. After testing the new credentials, the function marks the new version of the secret with the staging label AWSCURRENT so that your clients all immediately begin to use the new version. For more information about rotating secrets and how to configure a Lambda function to rotate the secrets for your protected service, see Rotating Secrets in AWS Secrets Manager in the AWS Secrets Manager User Guide.

Secrets Manager schedules the next rotation when the previous * one completes. Secrets Manager schedules the date by adding the rotation * interval (number of days) to the actual date of the last rotation. The service * chooses the hour within that 24-hour date window randomly. The minute is also * chosen somewhat randomly, but weighted towards the top of the hour and * influenced by a variety of factors that help distribute load.

The rotation function must end with the versions of the secret in one of two states:

  • The AWSPENDING and AWSCURRENT staging labels are attached to the same version of the secret, or

  • The AWSPENDING staging label is not attached to any version of the secret.

If the AWSPENDING staging label is present but not attached to the same version as AWSCURRENT, then any later invocation of RotateSecret assumes that a previous rotation request is still in progress and returns an error.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:RotateSecret

  • lambda:InvokeFunction (on the function specified in the secret's metadata)

Related operations

See * Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::RotateSecretOutcomeCallable RotateSecretCallable(const Model::RotateSecretRequest& request) const; /** *

Configures and starts the asynchronous process of rotating this secret. If * you include the configuration parameters, the operation sets those values for * the secret and then immediately starts a rotation. If you do not include the * configuration parameters, the operation starts a rotation with the values * already stored in the secret. After the rotation completes, the protected * service and its clients all use the new version of the secret.

The required configuration information includes the ARN of an AWS Lambda function and the time between scheduled rotations. The Lambda rotation function creates a new version of the secret and creates or updates the credentials on the protected service to match. After testing the new credentials, the function marks the new version of the secret with the staging label AWSCURRENT so that your clients all immediately begin to use the new version. For more information about rotating secrets and how to configure a Lambda function to rotate the secrets for your protected service, see Rotating Secrets in AWS Secrets Manager in the AWS Secrets Manager User Guide.

Secrets Manager schedules the next rotation when the previous * one completes. Secrets Manager schedules the date by adding the rotation * interval (number of days) to the actual date of the last rotation. The service * chooses the hour within that 24-hour date window randomly. The minute is also * chosen somewhat randomly, but weighted towards the top of the hour and * influenced by a variety of factors that help distribute load.

The rotation function must end with the versions of the secret in one of two states:

  • The AWSPENDING and AWSCURRENT staging labels are attached to the same version of the secret, or

  • The AWSPENDING staging label is not attached to any version of the secret.

If the AWSPENDING staging label is present but not attached to the same version as AWSCURRENT, then any later invocation of RotateSecret assumes that a previous rotation request is still in progress and returns an error.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:RotateSecret

  • lambda:InvokeFunction (on the function specified in the secret's metadata)

Related operations

See * Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void RotateSecretAsync(const Model::RotateSecretRequest& request, const RotateSecretResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Attaches one or more tags, each consisting of a key name and a value, to the * specified secret. Tags are part of the secret's overall metadata, and are not * associated with any specific version of the secret. This operation only appends * tags to the existing list of tags. To remove tags, you must use * UntagResource.

The following basic restrictions apply to tags:

*
  • Maximum number of tags per secret—50

  • Maximum key * length—127 Unicode characters in UTF-8

  • Maximum value * length—255 Unicode characters in UTF-8

  • Tag keys and values are * case sensitive.

  • Do not use the aws: prefix in * your tag names or values because AWS reserves it for AWS use. You can't edit or * delete tag names or values with this prefix. Tags with this prefix do not count * against your tags per secret limit.

  • If you use your tagging * schema across multiple services and resources, remember other services might * have restrictions on allowed characters. Generally allowed characters: letters, * spaces, and numbers representable in UTF-8, plus the following special * characters: + - = . _ : / @.

If you use tags as part of your security strategy, then adding or removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:TagResource

Related operations

  • To remove one or more tags from the collection attached to a secret, use UntagResource.

  • To view the list of tags attached to a secret, use DescribeSecret.

See * Also:

AWS * API Reference

*/ virtual Model::TagResourceOutcome TagResource(const Model::TagResourceRequest& request) const; /** *

Attaches one or more tags, each consisting of a key name and a value, to the * specified secret. Tags are part of the secret's overall metadata, and are not * associated with any specific version of the secret. This operation only appends * tags to the existing list of tags. To remove tags, you must use * UntagResource.

The following basic restrictions apply to tags:

*
  • Maximum number of tags per secret—50

  • Maximum key * length—127 Unicode characters in UTF-8

  • Maximum value * length—255 Unicode characters in UTF-8

  • Tag keys and values are * case sensitive.

  • Do not use the aws: prefix in * your tag names or values because AWS reserves it for AWS use. You can't edit or * delete tag names or values with this prefix. Tags with this prefix do not count * against your tags per secret limit.

  • If you use your tagging * schema across multiple services and resources, remember other services might * have restrictions on allowed characters. Generally allowed characters: letters, * spaces, and numbers representable in UTF-8, plus the following special * characters: + - = . _ : / @.

If you use tags as part of your security strategy, then adding or removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:TagResource

Related operations

  • To remove one or more tags from the collection attached to a secret, use UntagResource.

  • To view the list of tags attached to a secret, use DescribeSecret.

See * Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::TagResourceOutcomeCallable TagResourceCallable(const Model::TagResourceRequest& request) const; /** *

Attaches one or more tags, each consisting of a key name and a value, to the * specified secret. Tags are part of the secret's overall metadata, and are not * associated with any specific version of the secret. This operation only appends * tags to the existing list of tags. To remove tags, you must use * UntagResource.

The following basic restrictions apply to tags:

*
  • Maximum number of tags per secret—50

  • Maximum key * length—127 Unicode characters in UTF-8

  • Maximum value * length—255 Unicode characters in UTF-8

  • Tag keys and values are * case sensitive.

  • Do not use the aws: prefix in * your tag names or values because AWS reserves it for AWS use. You can't edit or * delete tag names or values with this prefix. Tags with this prefix do not count * against your tags per secret limit.

  • If you use your tagging * schema across multiple services and resources, remember other services might * have restrictions on allowed characters. Generally allowed characters: letters, * spaces, and numbers representable in UTF-8, plus the following special * characters: + - = . _ : / @.

If you use tags as part of your security strategy, then adding or removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:TagResource

Related operations

  • To remove one or more tags from the collection attached to a secret, use UntagResource.

  • To view the list of tags attached to a secret, use DescribeSecret.

See * Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void TagResourceAsync(const Model::TagResourceRequest& request, const TagResourceResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Removes one or more tags from the specified secret.

This operation is * idempotent. If a requested tag is not attached to the secret, no error is * returned and the secret metadata is unchanged.

If you use tags as part of your security strategy, then removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:UntagResource

Related operations

  • To add one or more tags to the collection attached to a secret, use TagResource.

  • To view the list of tags attached to a secret, use DescribeSecret.

See Also:

AWS * API Reference

*/ virtual Model::UntagResourceOutcome UntagResource(const Model::UntagResourceRequest& request) const; /** *

Removes one or more tags from the specified secret.

This operation is * idempotent. If a requested tag is not attached to the secret, no error is * returned and the secret metadata is unchanged.

If you use tags as part of your security strategy, then removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:UntagResource

Related operations

  • To add one or more tags to the collection attached to a secret, use TagResource.

  • To view the list of tags attached to a secret, use DescribeSecret.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::UntagResourceOutcomeCallable UntagResourceCallable(const Model::UntagResourceRequest& request) const; /** *

Removes one or more tags from the specified secret.

This operation is * idempotent. If a requested tag is not attached to the secret, no error is * returned and the secret metadata is unchanged.

If you use tags as part of your security strategy, then removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:UntagResource

Related operations

  • To add one or more tags to the collection attached to a secret, use TagResource.

  • To view the list of tags attached to a secret, use DescribeSecret.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void UntagResourceAsync(const Model::UntagResourceRequest& request, const UntagResourceResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Modifies many of the details of the specified secret. If you include a * ClientRequestToken and either SecretString or * SecretBinary then it also creates a new version attached to the * secret.

To modify the rotation configuration of a secret, use * RotateSecret instead.

The Secrets Manager console uses only * the SecretString parameter and therefore limits you to encrypting * and storing only a text string. To encrypt and store binary data as part of the * version of a secret, you must use either the AWS CLI or one of the AWS SDKs.

  • If a version with a VersionId with the same value as the ClientRequestToken parameter already exists, the operation results in an error. You cannot modify an existing version; you can only create a new version.

  • If you include * SecretString or SecretBinary to create a new secret * version, Secrets Manager automatically attaches the staging label * AWSCURRENT to the new version.

  • If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a secret in the same account as the calling user and that secret doesn't specify an AWS KMS encryption key, Secrets Manager uses the account's default AWS managed customer master key (CMK) with the alias aws/secretsmanager. If this key doesn't already exist in your account, then Secrets Manager creates it for you automatically. All users and roles in the same AWS account automatically have access to use the default CMK. Note that if a Secrets Manager API call results in AWS creating the account's AWS-managed CMK, it can result in a one-time significant delay in returning the result.

  • If the secret resides in a different AWS account from the credentials calling an API that requires encryption or decryption of the secret value, then you must create and use a custom AWS KMS CMK, because you can't access the default CMK for the account using credentials from a different AWS account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId. If you call an API that must encrypt or decrypt SecretString or SecretBinary using credentials from a different account, then the AWS KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:UpdateSecret

  • kms:GenerateDataKey - needed only if you use a custom AWS KMS key to encrypt the secret. You do not need this permission to use the account's AWS managed CMK for Secrets Manager.

  • kms:Decrypt - needed only if you use a custom AWS KMS key to encrypt the secret. You do not need this permission to use the account's AWS managed CMK for Secrets Manager.

Related operations

See Also:

AWS * API Reference

*/ virtual Model::UpdateSecretOutcome UpdateSecret(const Model::UpdateSecretRequest& request) const; /** *

Modifies many of the details of the specified secret. If you include a * ClientRequestToken and either SecretString or * SecretBinary then it also creates a new version attached to the * secret.

To modify the rotation configuration of a secret, use * RotateSecret instead.

The Secrets Manager console uses only * the SecretString parameter and therefore limits you to encrypting * and storing only a text string. To encrypt and store binary data as part of the * version of a secret, you must use either the AWS CLI or one of the AWS SDKs.

  • If a version with a VersionId with the same value as the ClientRequestToken parameter already exists, the operation results in an error. You cannot modify an existing version; you can only create a new version.

  • If you include * SecretString or SecretBinary to create a new secret * version, Secrets Manager automatically attaches the staging label * AWSCURRENT to the new version.

  • If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a secret in the same account as the calling user and that secret doesn't specify an AWS KMS encryption key, Secrets Manager uses the account's default AWS managed customer master key (CMK) with the alias aws/secretsmanager. If this key doesn't already exist in your account, then Secrets Manager creates it for you automatically. All users and roles in the same AWS account automatically have access to use the default CMK. Note that if a Secrets Manager API call results in AWS creating the account's AWS-managed CMK, it can result in a one-time significant delay in returning the result.

  • If the secret resides in a different AWS account from the credentials calling an API that requires encryption or decryption of the secret value, then you must create and use a custom AWS KMS CMK, because you can't access the default CMK for the account using credentials from a different AWS account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId. If you call an API that must encrypt or decrypt SecretString or SecretBinary using credentials from a different account, then the AWS KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:UpdateSecret

  • kms:GenerateDataKey - needed only if you use a custom AWS KMS key to encrypt the secret. You do not need this permission to use the account's AWS managed CMK for Secrets Manager.

  • kms:Decrypt - needed only if you use a custom AWS KMS key to encrypt the secret. You do not need this permission to use the account's AWS managed CMK for Secrets Manager.

Related operations

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::UpdateSecretOutcomeCallable UpdateSecretCallable(const Model::UpdateSecretRequest& request) const; /** *

Modifies many of the details of the specified secret. If you include a * ClientRequestToken and either SecretString or * SecretBinary then it also creates a new version attached to the * secret.

To modify the rotation configuration of a secret, use * RotateSecret instead.

The Secrets Manager console uses only * the SecretString parameter and therefore limits you to encrypting * and storing only a text string. To encrypt and store binary data as part of the * version of a secret, you must use either the AWS CLI or one of the AWS SDKs.

  • If a version with a VersionId with the same value as the ClientRequestToken parameter already exists, the operation results in an error. You cannot modify an existing version; you can only create a new version.

  • If you include * SecretString or SecretBinary to create a new secret * version, Secrets Manager automatically attaches the staging label * AWSCURRENT to the new version.

  • If you call an operation to encrypt or decrypt the SecretString or SecretBinary for a secret in the same account as the calling user and that secret doesn't specify an AWS KMS encryption key, Secrets Manager uses the account's default AWS managed customer master key (CMK) with the alias aws/secretsmanager. If this key doesn't already exist in your account, then Secrets Manager creates it for you automatically. All users and roles in the same AWS account automatically have access to use the default CMK. Note that if a Secrets Manager API call results in AWS creating the account's AWS-managed CMK, it can result in a one-time significant delay in returning the result.

  • If the secret resides in a different AWS account from the credentials calling an API that requires encryption or decryption of the secret value, then you must create and use a custom AWS KMS CMK, because you can't access the default CMK for the account using credentials from a different AWS account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId. If you call an API that must encrypt or decrypt SecretString or SecretBinary using credentials from a different account, then the AWS KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:UpdateSecret

  • kms:GenerateDataKey - needed only if you use a custom AWS KMS key to encrypt the secret. You do not need this permission to use the account's AWS managed CMK for Secrets Manager.

  • kms:Decrypt - needed only if you use a custom AWS KMS key to encrypt the secret. You do not need this permission to use the account's AWS managed CMK for Secrets Manager.

Related operations

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void UpdateSecretAsync(const Model::UpdateSecretRequest& request, const UpdateSecretResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Modifies the staging labels attached to a version of a secret. Staging labels * are used to track a version as it progresses through the secret rotation * process. You can attach a staging label to only one version of a secret at a * time. If a staging label to be added is already attached to another version, * then it is moved--removed from the other version first and then attached to this * one. For more information about staging labels, see Staging * Labels in the AWS Secrets Manager User Guide.

The staging * labels that you specify in the VersionStage parameter are added to * the existing list of staging labels--they don't replace it.

You can move * the AWSCURRENT staging label to this version by including it in * this call.

Whenever you move AWSCURRENT, Secrets * Manager automatically moves the label AWSPREVIOUS to the version * that AWSCURRENT was removed from.

If this action results in the last label being removed from a version, then the version is considered to be 'deprecated' and can be deleted by Secrets Manager.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:UpdateSecretVersionStage

Related * operations

  • To get the list of staging labels that are * currently associated with a version of a secret, use * DescribeSecret and examine the * SecretVersionsToStages response value.

See * Also:

AWS * API Reference

*/ virtual Model::UpdateSecretVersionStageOutcome UpdateSecretVersionStage(const Model::UpdateSecretVersionStageRequest& request) const; /** *

Modifies the staging labels attached to a version of a secret. Staging labels * are used to track a version as it progresses through the secret rotation * process. You can attach a staging label to only one version of a secret at a * time. If a staging label to be added is already attached to another version, * then it is moved--removed from the other version first and then attached to this * one. For more information about staging labels, see Staging * Labels in the AWS Secrets Manager User Guide.

The staging * labels that you specify in the VersionStage parameter are added to * the existing list of staging labels--they don't replace it.

You can move * the AWSCURRENT staging label to this version by including it in * this call.

Whenever you move AWSCURRENT, Secrets * Manager automatically moves the label AWSPREVIOUS to the version * that AWSCURRENT was removed from.

If this action results in the last label being removed from a version, then the version is considered to be 'deprecated' and can be deleted by Secrets Manager.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:UpdateSecretVersionStage

Related * operations

  • To get the list of staging labels that are * currently associated with a version of a secret, use * DescribeSecret and examine the * SecretVersionsToStages response value.

See * Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::UpdateSecretVersionStageOutcomeCallable UpdateSecretVersionStageCallable(const Model::UpdateSecretVersionStageRequest& request) const; /** *

Modifies the staging labels attached to a version of a secret. Staging labels * are used to track a version as it progresses through the secret rotation * process. You can attach a staging label to only one version of a secret at a * time. If a staging label to be added is already attached to another version, * then it is moved--removed from the other version first and then attached to this * one. For more information about staging labels, see Staging * Labels in the AWS Secrets Manager User Guide.

The staging * labels that you specify in the VersionStage parameter are added to * the existing list of staging labels--they don't replace it.

You can move * the AWSCURRENT staging label to this version by including it in * this call.

Whenever you move AWSCURRENT, Secrets * Manager automatically moves the label AWSPREVIOUS to the version * that AWSCURRENT was removed from.

If this action results in the last label being removed from a version, then the version is considered to be 'deprecated' and can be deleted by Secrets Manager.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:UpdateSecretVersionStage

Related operations

  • To get the list of staging labels that are currently associated with a version of a secret, use DescribeSecret and examine the SecretVersionsToStages response value.

See Also:

AWS API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */
        // This overload returns void, so the result of the label move is not visible at the call site;
        // presumably it reaches the caller only through `handler` (its typedef is declared earlier in
        // this header), so that is where a failed move has to be detected.
        // `context` is optional and defaults to nullptr.
        // NOTE(review): the definition is not in this header, so whether `request` and `handler` are
        // copied before this call returns cannot be confirmed here -- verify before relying on it.
        virtual void UpdateSecretVersionStageAsync(const Model::UpdateSecretVersionStageRequest& request, const UpdateSecretVersionStageResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const;
        /** *

Validates the JSON text of the resource-based policy document attached to the specified secret. The JSON request string input and response output display formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string. A resource-based policy is optional.

See Also:

AWS API Reference

*/
        // Synchronous variant: takes the request by const reference and returns the outcome by value.
        // NOTE(review): a successful outcome only shows that the request itself succeeded. The Secrets
        // Manager API reports the validation verdict separately in the response (PolicyValidationPassed
        // and ValidationErrors); the result type is not declared in this header, so confirm the accessor
        // names there. Treat a policy as validated only when that flag is true.
        virtual Model::ValidateResourcePolicyOutcome ValidateResourcePolicy(const Model::ValidateResourcePolicyRequest& request) const;
        /** *

Validates the JSON text of the resource-based policy document attached to the specified secret. The JSON request string input and response output display formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string. A resource-based policy is optional.

See Also:

AWS API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */
        // Callable variant: the outcome is delivered through the returned
        // ValidateResourcePolicyOutcomeCallable, a std::future typedef declared earlier in this header.
        // Nothing can be concluded about the policy until that future has been read.
        // NOTE(review): as with the synchronous call, a successful outcome presumably means only that
        // the request succeeded; the validation verdict is carried in the result -- confirm against the
        // result type, which is not declared in this header.
        virtual Model::ValidateResourcePolicyOutcomeCallable ValidateResourcePolicyCallable(const Model::ValidateResourcePolicyRequest& request) const;
        /** *

Validates the JSON text of the resource-based policy document attached to the specified secret. The JSON request string input and response output display formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string. A resource-based policy is optional.

See Also:

AWS API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */
        // This overload returns void; presumably the validation result reaches the caller only through
        // `handler` (its typedef is declared earlier in this header). `context` is optional and
        // defaults to nullptr.
        // NOTE(review): the definition is not in this header, so whether `request` and `handler` are
        // copied before this call returns cannot be confirmed here -- verify before relying on it.
        virtual void ValidateResourcePolicyAsync(const Model::ValidateResourcePolicyRequest& request, const ValidateResourcePolicyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const;

        /**
         * Takes the endpoint string for this client.
         *
         * NOTE(review): the definition is not in this header. Presumably the value replaces the
         * endpoint held in m_uri and is used for every later request made through this client,
         * including calls that return secret values -- confirm against the implementation.
         *
         * If so, `endpoint` should come from trusted, operator-controlled configuration and never
         * from request or user input, because it decides which host receives the signed requests
         * and returns the responses. Also confirm how a value without a scheme is handled
         * (m_configScheme below suggests one is applied) and that a plaintext http endpoint is not
         * used outside local testing.
         *
         * Unlike the operation methods declared above, this member is not const, so it changes
         * client state. No synchronization is visible in this header; confirm it is safe before
         * calling it while other threads issue requests on the same client.
         */
        void OverrideEndpoint(const Aws::String& endpoint);

    private:
        // Private set-up routine that takes the client configuration. Presumably called from the
        // constructors, which are outside this part of the file -- confirm.
        void init(const Aws::Client::ClientConfiguration& clientConfiguration);

        // One private helper per operation. Each takes the same request, handler and context as the
        // public *Async method of the same name, with no default for `context`, and each is const.
        // NOTE(review): presumably these are what the *Async methods queue on m_executor; the
        // definitions are not in this header.
        void CancelRotateSecretAsyncHelper(const Model::CancelRotateSecretRequest& request, const CancelRotateSecretResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void CreateSecretAsyncHelper(const Model::CreateSecretRequest& request, const CreateSecretResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void DeleteResourcePolicyAsyncHelper(const Model::DeleteResourcePolicyRequest& request, const DeleteResourcePolicyResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void DeleteSecretAsyncHelper(const Model::DeleteSecretRequest& request, const DeleteSecretResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void DescribeSecretAsyncHelper(const Model::DescribeSecretRequest& request, const DescribeSecretResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void GetRandomPasswordAsyncHelper(const Model::GetRandomPasswordRequest& request, const GetRandomPasswordResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void GetResourcePolicyAsyncHelper(const Model::GetResourcePolicyRequest& request, const GetResourcePolicyResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void GetSecretValueAsyncHelper(const Model::GetSecretValueRequest& request, const GetSecretValueResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void ListSecretVersionIdsAsyncHelper(const Model::ListSecretVersionIdsRequest& request, const ListSecretVersionIdsResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void ListSecretsAsyncHelper(const Model::ListSecretsRequest& request, const ListSecretsResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void PutResourcePolicyAsyncHelper(const Model::PutResourcePolicyRequest& request, const PutResourcePolicyResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void PutSecretValueAsyncHelper(const Model::PutSecretValueRequest& request, const PutSecretValueResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void RestoreSecretAsyncHelper(const Model::RestoreSecretRequest& request, const RestoreSecretResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void RotateSecretAsyncHelper(const Model::RotateSecretRequest& request, const RotateSecretResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void TagResourceAsyncHelper(const Model::TagResourceRequest& request, const TagResourceResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void UntagResourceAsyncHelper(const Model::UntagResourceRequest& request, const UntagResourceResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void UpdateSecretAsyncHelper(const Model::UpdateSecretRequest& request, const UpdateSecretResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void UpdateSecretVersionStageAsyncHelper(const Model::UpdateSecretVersionStageRequest& request, const UpdateSecretVersionStageResponseReceivedHandler& handler, const std::shared_ptr& context) const;
        void ValidateResourcePolicyAsyncHelper(const Model::ValidateResourcePolicyRequest& request, const ValidateResourcePolicyResponseReceivedHandler& handler, const std::shared_ptr& context) const;

        // Presumably the endpoint URI that requests are sent to -- confirm in the implementation.
        Aws::String m_uri;
        // Presumably the URI scheme taken from the client configuration -- confirm.
        Aws::String m_configScheme;
        // Shared executor; the doc comments on the *Async methods say requests are queued into a
        // thread executor.
        std::shared_ptr m_executor;
    };
} // namespace SecretsManager } // namespace Aws