| Copyright | (c) 2013-2023 Brendan Hay |
|---|---|
| License | Mozilla Public License, v. 2.0. |
| Maintainer | Brendan Hay |
| Stability | auto-generated |
| Portability | non-portable (GHC extensions) |
| Safe Haskell | Safe-Inferred |
| Language | Haskell2010 |
Amazonka.SecretsManager.RotateSecret
Description
Configures and starts the asynchronous process of rotating the secret. For more information about rotation, see Rotate secrets.
If you include the configuration parameters, the operation sets the values for the secret and then immediately starts a rotation. If you don't include the configuration parameters, the operation starts a rotation with the values already stored in the secret.
For database credentials you want to rotate, for Secrets Manager to be able to rotate the secret, you must make sure the secret value is in the JSON structure of a database secret. In particular, if you want to use the alternating users strategy, your secret must contain the ARN of a superuser secret.
To configure rotation, you also need the ARN of an Amazon Web Services
Lambda function and the schedule for the rotation. The Lambda rotation
function creates a new version of the secret and creates or updates the
credentials on the database or service to match. After testing the new
credentials, the function marks the new secret version with the staging
label AWSCURRENT. Then anyone who retrieves the secret gets the new
version. For more information, see
How rotation works.
You can create the Lambda rotation function based on the rotation function templates that Secrets Manager provides. Choose a template that matches your Rotation strategy.
When rotation is successful, the AWSPENDING staging label might be
attached to the same version as the AWSCURRENT version, or it might
not be attached to any version. If the AWSPENDING staging label is
present but not attached to the same version as AWSCURRENT, then any
later invocation of RotateSecret assumes that a previous rotation
request is still in progress and returns an error.
When rotation is unsuccessful, the AWSPENDING staging label might be
attached to an empty secret version. For more information, see
Troubleshoot rotation
in the Secrets Manager User Guide.
Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.
Required permissions: secretsmanager:RotateSecret. For more
information, see
IAM policy actions for Secrets Manager
and
Authentication and access control in Secrets Manager.
You also need lambda:InvokeFunction permissions on the rotation
function. For more information, see
Permissions for rotation.
Synopsis
- data RotateSecret = RotateSecret' {}
- newRotateSecret :: Text -> RotateSecret
- rotateSecret_clientRequestToken :: Lens' RotateSecret (Maybe Text)
- rotateSecret_rotateImmediately :: Lens' RotateSecret (Maybe Bool)
- rotateSecret_rotationLambdaARN :: Lens' RotateSecret (Maybe Text)
- rotateSecret_rotationRules :: Lens' RotateSecret (Maybe RotationRulesType)
- rotateSecret_secretId :: Lens' RotateSecret Text
- data RotateSecretResponse = RotateSecretResponse' {}
- newRotateSecretResponse :: Int -> RotateSecretResponse
- rotateSecretResponse_arn :: Lens' RotateSecretResponse (Maybe Text)
- rotateSecretResponse_name :: Lens' RotateSecretResponse (Maybe Text)
- rotateSecretResponse_versionId :: Lens' RotateSecretResponse (Maybe Text)
- rotateSecretResponse_httpStatus :: Lens' RotateSecretResponse Int
Creating a Request
data RotateSecret Source #
See: newRotateSecret smart constructor.
Constructors
| RotateSecret' | |
Fields
| |
Instances
Arguments
| :: Text | |
| -> RotateSecret |
Create a value of RotateSecret with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:clientRequestToken:RotateSecret', rotateSecret_clientRequestToken - A unique identifier for the new version of the secret that helps ensure
idempotency. Secrets Manager uses this value to prevent the accidental
creation of duplicate versions if there are failures and retries during
rotation. This value becomes the VersionId of the new version.
If you use the Amazon Web Services CLI or one of the Amazon Web Services
SDK to call this operation, then you can leave this parameter empty. The
CLI or SDK generates a random UUID for you and includes that in the
request for this parameter. If you don't use the SDK and instead
generate a raw HTTP request to the Secrets Manager service endpoint,
then you must generate a ClientRequestToken yourself for new versions
and include that value in the request.
You only need to specify this value if you implement your own retry logic and you want to ensure that Secrets Manager doesn't attempt to create a secret version twice. We recommend that you generate a UUID-type value to ensure uniqueness within the specified secret.
$sel:rotateImmediately:RotateSecret', rotateSecret_rotateImmediately - Specifies whether to rotate the secret immediately or wait until the
next scheduled rotation window. The rotation schedule is defined in
RotateSecretRequest$RotationRules.
If you don't immediately rotate the secret, Secrets Manager tests the
rotation configuration by running the
testSecret step
of the Lambda rotation function. The test creates an AWSPENDING
version of the secret and then removes it.
If you don't specify this value, then by default, Secrets Manager rotates the secret immediately.
RotateSecret, rotateSecret_rotationLambdaARN - The ARN of the Lambda rotation function that can rotate the secret.
RotateSecret, rotateSecret_rotationRules - A structure that defines the rotation configuration for this secret.
$sel:secretId:RotateSecret', rotateSecret_secretId - The ARN or name of the secret to rotate.
For an ARN, we recommend that you specify a complete ARN rather than a partial ARN. See Finding a secret from a partial ARN.
Request Lenses
rotateSecret_clientRequestToken :: Lens' RotateSecret (Maybe Text) Source #
A unique identifier for the new version of the secret that helps ensure
idempotency. Secrets Manager uses this value to prevent the accidental
creation of duplicate versions if there are failures and retries during
rotation. This value becomes the VersionId of the new version.
If you use the Amazon Web Services CLI or one of the Amazon Web Services
SDK to call this operation, then you can leave this parameter empty. The
CLI or SDK generates a random UUID for you and includes that in the
request for this parameter. If you don't use the SDK and instead
generate a raw HTTP request to the Secrets Manager service endpoint,
then you must generate a ClientRequestToken yourself for new versions
and include that value in the request.
You only need to specify this value if you implement your own retry logic and you want to ensure that Secrets Manager doesn't attempt to create a secret version twice. We recommend that you generate a UUID-type value to ensure uniqueness within the specified secret.
rotateSecret_rotateImmediately :: Lens' RotateSecret (Maybe Bool) Source #
Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. The rotation schedule is defined in RotateSecretRequest$RotationRules.
If you don't immediately rotate the secret, Secrets Manager tests the
rotation configuration by running the
testSecret step
of the Lambda rotation function. The test creates an AWSPENDING
version of the secret and then removes it.
If you don't specify this value, then by default, Secrets Manager rotates the secret immediately.
rotateSecret_rotationLambdaARN :: Lens' RotateSecret (Maybe Text) Source #
The ARN of the Lambda rotation function that can rotate the secret.
rotateSecret_rotationRules :: Lens' RotateSecret (Maybe RotationRulesType) Source #
A structure that defines the rotation configuration for this secret.
rotateSecret_secretId :: Lens' RotateSecret Text Source #
The ARN or name of the secret to rotate.
For an ARN, we recommend that you specify a complete ARN rather than a partial ARN. See Finding a secret from a partial ARN.
Destructuring the Response
data RotateSecretResponse Source #
See: newRotateSecretResponse smart constructor.
Constructors
| RotateSecretResponse' | |
Instances
newRotateSecretResponse Source #
Arguments
| :: Int | |
| -> RotateSecretResponse |
Create a value of RotateSecretResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
RotateSecretResponse, rotateSecretResponse_arn - The ARN of the secret.
RotateSecretResponse, rotateSecretResponse_name - The name of the secret.
RotateSecretResponse, rotateSecretResponse_versionId - The ID of the new version of the secret.
$sel:httpStatus:RotateSecretResponse', rotateSecretResponse_httpStatus - The response's http status code.
Response Lenses
rotateSecretResponse_arn :: Lens' RotateSecretResponse (Maybe Text) Source #
The ARN of the secret.
rotateSecretResponse_name :: Lens' RotateSecretResponse (Maybe Text) Source #
The name of the secret.
rotateSecretResponse_versionId :: Lens' RotateSecretResponse (Maybe Text) Source #
The ID of the new version of the secret.
rotateSecretResponse_httpStatus :: Lens' RotateSecretResponse Int Source #
The response's http status code.