Copyright | (c) 2013-2023 Brendan Hay |
---|---|
License | Mozilla Public License, v. 2.0. |
Maintainer | Brendan Hay |
Stability | auto-generated |
Portability | non-portable (GHC extensions) |
Safe Haskell | Safe-Inferred |
Language | Haskell2010 |
Modifies the details of a secret, including metadata and the secret value. To change the secret value, you can also use PutSecretValue.
To change the rotation configuration of a secret, use RotateSecret instead.
We recommend you avoid calling UpdateSecret at a sustained rate of more than once every 10 minutes. When you call UpdateSecret to update the secret value, Secrets Manager creates a new version of the secret. Secrets Manager removes outdated versions when there are more than 100, but it does not remove versions created less than 24 hours ago. If you update the secret value more than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach the quota for secret versions.
If you include SecretString or SecretBinary to create a new secret version, Secrets Manager automatically moves the staging label AWSCURRENT to the new version. Then it attaches the label AWSPREVIOUS to the version that AWSCURRENT was removed from.
If you call this operation with a ClientRequestToken that matches an existing version's VersionId, the operation results in an error. You can't modify an existing version, you can only create a new version. To remove a version, remove all staging labels from it. See UpdateSecretVersionStage.
Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters except SecretBinary or SecretString because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.
Required permissions: secretsmanager:UpdateSecret. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.
If you use a customer managed key, you must also have kms:GenerateDataKey and kms:Decrypt permissions on the key. For more information, see Secret encryption and decryption.
Synopsis
- data UpdateSecret = UpdateSecret' {
  - clientRequestToken :: Maybe Text
  - description :: Maybe Text
  - kmsKeyId :: Maybe Text
  - secretBinary :: Maybe (Sensitive Base64)
  - secretString :: Maybe (Sensitive Text)
  - secretId :: Text
  }
- newUpdateSecret :: Text -> UpdateSecret
- updateSecret_clientRequestToken :: Lens' UpdateSecret (Maybe Text)
- updateSecret_description :: Lens' UpdateSecret (Maybe Text)
- updateSecret_kmsKeyId :: Lens' UpdateSecret (Maybe Text)
- updateSecret_secretBinary :: Lens' UpdateSecret (Maybe ByteString)
- updateSecret_secretString :: Lens' UpdateSecret (Maybe Text)
- updateSecret_secretId :: Lens' UpdateSecret Text
- data UpdateSecretResponse = UpdateSecretResponse' {}
- newUpdateSecretResponse :: Int -> UpdateSecretResponse
- updateSecretResponse_arn :: Lens' UpdateSecretResponse (Maybe Text)
- updateSecretResponse_name :: Lens' UpdateSecretResponse (Maybe Text)
- updateSecretResponse_versionId :: Lens' UpdateSecretResponse (Maybe Text)
- updateSecretResponse_httpStatus :: Lens' UpdateSecretResponse Int
Creating a Request
data UpdateSecret
See: newUpdateSecret smart constructor.
Create a value of UpdateSecret with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:clientRequestToken:UpdateSecret', updateSecret_clientRequestToken - If you include SecretString or SecretBinary, then Secrets Manager creates a new version for the secret, and this parameter specifies the unique identifier for the new version.
If you use the Amazon Web Services CLI or one of the Amazon Web Services SDKs to call this operation, then you can leave this parameter empty. The CLI or SDK generates a random UUID for you and includes it as the value for this parameter in the request. If you don't use the SDK and instead generate a raw HTTP request to the Secrets Manager service endpoint, then you must generate a ClientRequestToken yourself for the new version and include the value in the request.
This value becomes the VersionId of the new version.
UpdateSecret, updateSecret_description - The description of the secret.
UpdateSecret, updateSecret_kmsKeyId - The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt new secret versions as well as any existing versions with the staging labels AWSCURRENT, AWSPENDING, or AWSPREVIOUS. For more information about versions and staging labels, see Concepts: Version.
A key alias is always prefixed by alias/, for example alias/aws/secretsmanager. For more information, see About aliases.
If you set this to an empty string, Secrets Manager uses the Amazon Web Services managed key aws/secretsmanager. If this key doesn't already exist in your account, then Secrets Manager creates it for you automatically. All users and roles in the Amazon Web Services account automatically have access to use aws/secretsmanager. Creating aws/secretsmanager can result in a one-time significant delay in returning the result.
You can only use the Amazon Web Services managed key aws/secretsmanager if you call this operation using credentials from the same Amazon Web Services account that owns the secret. If the secret is in a different account, then you must use a customer managed key and provide the ARN of that KMS key in this field. The user making the call must have permissions to both the secret and the KMS key in their respective accounts.
$sel:secretBinary:UpdateSecret', updateSecret_secretBinary - The binary data to encrypt and store in the new version of the secret. We recommend that you store your binary data in a file and then pass the contents of the file as a parameter.
Either SecretBinary or SecretString must have a value, but not both.
You can't access this parameter in the Secrets Manager console.
Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.
$sel:secretString:UpdateSecret', updateSecret_secretString - The text data to encrypt and store in the new version of the secret. We recommend you use a JSON structure of key/value pairs for your secret value.
Either SecretBinary or SecretString must have a value, but not both.
$sel:secretId:UpdateSecret', updateSecret_secretId - The ARN or name of the secret.
For an ARN, we recommend that you specify a complete ARN rather than a partial ARN. See Finding a secret from a partial ARN.
Request Lenses
updateSecret_clientRequestToken :: Lens' UpdateSecret (Maybe Text)
If you include SecretString or SecretBinary, then Secrets Manager creates a new version for the secret, and this parameter specifies the unique identifier for the new version.
If you use the Amazon Web Services CLI or one of the Amazon Web Services SDKs to call this operation, then you can leave this parameter empty. The CLI or SDK generates a random UUID for you and includes it as the value for this parameter in the request. If you don't use the SDK and instead generate a raw HTTP request to the Secrets Manager service endpoint, then you must generate a ClientRequestToken yourself for the new version and include the value in the request.
This value becomes the VersionId of the new version.
updateSecret_description :: Lens' UpdateSecret (Maybe Text)
The description of the secret.
updateSecret_kmsKeyId :: Lens' UpdateSecret (Maybe Text)
The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt new secret versions as well as any existing versions with the staging labels AWSCURRENT, AWSPENDING, or AWSPREVIOUS. For more information about versions and staging labels, see Concepts: Version.
A key alias is always prefixed by alias/, for example alias/aws/secretsmanager. For more information, see About aliases.
If you set this to an empty string, Secrets Manager uses the Amazon Web Services managed key aws/secretsmanager. If this key doesn't already exist in your account, then Secrets Manager creates it for you automatically. All users and roles in the Amazon Web Services account automatically have access to use aws/secretsmanager. Creating aws/secretsmanager can result in a one-time significant delay in returning the result.
You can only use the Amazon Web Services managed key aws/secretsmanager if you call this operation using credentials from the same Amazon Web Services account that owns the secret. If the secret is in a different account, then you must use a customer managed key and provide the ARN of that KMS key in this field. The user making the call must have permissions to both the secret and the KMS key in their respective accounts.
updateSecret_secretBinary :: Lens' UpdateSecret (Maybe ByteString)
The binary data to encrypt and store in the new version of the secret. We recommend that you store your binary data in a file and then pass the contents of the file as a parameter.
Either SecretBinary or SecretString must have a value, but not both.
You can't access this parameter in the Secrets Manager console.
Note: This Lens automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.
updateSecret_secretString :: Lens' UpdateSecret (Maybe Text)
The text data to encrypt and store in the new version of the secret. We recommend you use a JSON structure of key/value pairs for your secret value.
Either SecretBinary or SecretString must have a value, but not both.
updateSecret_secretId :: Lens' UpdateSecret Text
The ARN or name of the secret.
For an ARN, we recommend that you specify a complete ARN rather than a partial ARN. See Finding a secret from a partial ARN.
Destructuring the Response
data UpdateSecretResponse
See: newUpdateSecretResponse smart constructor.
newUpdateSecretResponse
Create a value of UpdateSecretResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
UpdateSecretResponse, updateSecretResponse_arn - The ARN of the secret that was updated.
UpdateSecretResponse, updateSecretResponse_name - The name of the secret that was updated.
UpdateSecretResponse, updateSecretResponse_versionId - If Secrets Manager created a new version of the secret during this operation, then VersionId contains the unique identifier of the new version.
$sel:httpStatus:UpdateSecretResponse', updateSecretResponse_httpStatus - The response's http status code.
Response Lenses
updateSecretResponse_arn :: Lens' UpdateSecretResponse (Maybe Text)
The ARN of the secret that was updated.
updateSecretResponse_name :: Lens' UpdateSecretResponse (Maybe Text)
The name of the secret that was updated.
updateSecretResponse_versionId :: Lens' UpdateSecretResponse (Maybe Text)
If Secrets Manager created a new version of the secret during this operation, then VersionId contains the unique identifier of the new version.
updateSecretResponse_httpStatus :: Lens' UpdateSecretResponse Int
The response's http status code.
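An added example, not part of the generated documentation or of the amazonka project's own code: it builds a request with newUpdateSecret and the lenses above, refuses to send if both payload fields are set or if the description repeats the secret value (request parameters other than SecretString and SecretBinary may reach CloudTrail), and then checks that the returned VersionId equals the ClientRequestToken it supplied. Assumptions: the module is importable as Amazonka.SecretsManager.UpdateSecret, the amazonka 2.x entry points newEnv, discover, send and runResourceT are used, the lens and uuid packages are available, and the secret name and value are constructed placeholders.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import qualified Amazonka as AWS
import Amazonka.SecretsManager.UpdateSecret
import Control.Lens ((&), (?~), (^.))
import Data.Maybe (isJust)
import Data.Text (Text)
import qualified Data.Text as T
import qualified Data.UUID as UUID
import Data.UUID.V4 (nextRandom)

-- | Pre-flight checks derived from the documentation above (hypothetical
-- helper, not an amazonka function).
preflight :: UpdateSecret -> Either Text UpdateSecret
preflight req
  | isJust str && isJust bin = Left "set SecretString or SecretBinary, not both"
  | maybe False repeatsSecret (req ^. updateSecret_description) =
      Left "description repeats the secret value and may be logged by CloudTrail"
  | otherwise = Right req
  where
    str = req ^. updateSecret_secretString
    bin = req ^. updateSecret_secretBinary
    repeatsSecret d = maybe False (\s -> not (T.null s) && s `T.isInfixOf` d) str

main :: IO ()
main = do
  env <- AWS.newEnv AWS.discover
  -- Explicit token: per the docs it becomes the VersionId of the new version.
  token <- UUID.toText <$> nextRandom
  let req =
        newUpdateSecret "example/app/db" -- hypothetical secret name
          & updateSecret_clientRequestToken ?~ token
          & updateSecret_description ?~ "Database credentials for the example app"
          -- Constructed value; load real secrets at runtime, not from source.
          & updateSecret_secretString ?~ "{\"username\":\"app\",\"password\":\"EXAMPLE-ONLY\"}"
  case preflight req of
    Left err -> putStrLn ("refusing to send: " <> T.unpack err)
    Right ok -> do
      resp <- AWS.runResourceT (AWS.send env ok)
      -- Print only non-sensitive response fields.
      print (resp ^. updateSecretResponse_arn, resp ^. updateSecretResponse_httpStatus)
      putStrLn $
        if resp ^. updateSecretResponse_versionId == Just token
          then "new version id matches our ClientRequestToken"
          else "unexpected version id; inspect the secret's versions"
```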