API version 2017-10-17 of the Amazon Secrets Manager SDK configuration.

Secrets Manager can't decrypt the protected secret text using the provided KMS key.

Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the KMS key is available, enabled, and not in an invalid state. For more information, see Key state: Effect on your KMS key.

An error occurred on the server side.

The NextToken value is invalid.

The parameter name or value is invalid.

A parameter value is not valid for the current state of the resource.

Possible causes:

• The secret is scheduled for deletion.
• You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.
• The secret is managed by another service, and you must use that service to update it. For more information, see Secrets managed by other Amazon Web Services services.

The request failed because it would exceed one of the Secrets Manager quotas.

The resource policy has syntax errors.

The request failed because you did not complete all the prerequisite steps.

The BlockPublicPolicy parameter is set to true, and the resource policy did not prevent broad access to the secret.

A resource with the ID you requested already exists.

Secrets Manager can't find the resource that you asked for.

Allows you to add filters when you use the search function in Secrets Manager. For more information, see Find secrets in Secrets Manager.

See: newFilter smart constructor.

Create a value of Filter with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:key:Filter', filter_key - The following are keys you can use:

• description: Prefix match, not case-sensitive.
• name: Prefix match, case-sensitive.
• tag-key: Prefix match, case-sensitive.
• tag-value: Prefix match, case-sensitive.
• primary-region: Prefix match, case-sensitive.
• all: Breaks the filter value string into words and then searches all attributes for matches. Not case-sensitive.

$sel:values:Filter', filter_values - The keyword to filter for.

You can prefix your search value with an exclamation mark (!) in order to perform negation filters.

The following are keys you can use:

• description: Prefix match, not case-sensitive.
• name: Prefix match, case-sensitive.
• tag-key: Prefix match, case-sensitive.
• tag-value: Prefix match, case-sensitive.
• primary-region: Prefix match, case-sensitive.
• all: Breaks the filter value string into words and then searches all attributes for matches. Not case-sensitive.

The keyword to filter for.

You can prefix your search value with an exclamation mark (!) in order to perform negation filters.

A custom type that specifies a Region and the KmsKeyId for a replica secret.

See: newReplicaRegionType smart constructor.

Create a value of ReplicaRegionType with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:kmsKeyId:ReplicaRegionType', replicaRegionType_kmsKeyId - The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don't include this field, Secrets Manager uses aws/secretsmanager.

$sel:region:ReplicaRegionType', replicaRegionType_region - A Region code. For a list of Region codes, see Name and code of Regions.

The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don't include this field, Secrets Manager uses aws/secretsmanager.

A Region code. For a list of Region codes, see Name and code of Regions.

A replication object consisting of a RegionReplicationStatus object and includes a Region, KMSKeyId, status, and status message.

See: newReplicationStatusType smart constructor.

Create a value of ReplicationStatusType with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:kmsKeyId:ReplicationStatusType', replicationStatusType_kmsKeyId - Can be an ARN, Key ID, or Alias.

$sel:lastAccessedDate:ReplicationStatusType', replicationStatusType_lastAccessedDate - The date that the secret was last accessed in the Region. This field is omitted if the secret has never been retrieved in the Region.

$sel:region:ReplicationStatusType', replicationStatusType_region - The Region where replication occurs.

$sel:status:ReplicationStatusType', replicationStatusType_status - The status can be InProgress, Failed, or InSync.

$sel:statusMessage:ReplicationStatusType', replicationStatusType_statusMessage - Status message such as "/Secret with this name already exists in this region/".

Can be an ARN, Key ID, or Alias.

The date that the secret was last accessed in the Region. This field is omitted if the secret has never been retrieved in the Region.

The Region where replication occurs.

The status can be InProgress, Failed, or InSync.

Status message such as "/Secret with this name already exists in this region/".

A structure that defines the rotation configuration for the secret.

See: newRotationRulesType smart constructor.

Create a value of RotationRulesType with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:automaticallyAfterDays:RotationRulesType', rotationRulesType_automaticallyAfterDays - The number of days between automatic scheduled rotations of the secret. You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.

In DescribeSecret and ListSecrets, this value is calculated from the rotation schedule after every successful rotation. In RotateSecret, you can set the rotation schedule in RotationRules with AutomaticallyAfterDays or ScheduleExpression, but not both. To set a rotation schedule in hours, use ScheduleExpression.

$sel:duration:RotationRulesType', rotationRulesType_duration - The length of the rotation window in hours, for example 3h for a three hour window. Secrets Manager rotates your secret at any time during this window. The window must not extend into the next rotation window or the next UTC day. The window starts according to the ScheduleExpression. If you don't specify a Duration, for a ScheduleExpression in hours, the window automatically closes after one hour. For a ScheduleExpression in days, the window automatically closes at the end of the UTC day. For more information, including examples, see Schedule expressions in Secrets Manager rotation in the Secrets Manager Users Guide.

$sel:scheduleExpression:RotationRulesType', rotationRulesType_scheduleExpression - A cron() or rate() expression that defines the schedule for rotating your secret. Secrets Manager rotation schedules use UTC time zone. Secrets Manager rotates your secret any time during a rotation window.

Secrets Manager rate() expressions represent the interval in hours or days that you want to rotate your secret, for example rate(12 hours) or rate(10 days). You can rotate a secret as often as every four hours. If you use a rate() expression, the rotation window starts at midnight. For a rate in hours, the default rotation window closes after one hour. For a rate in days, the default rotation window closes at the end of the day. You can set the Duration to change the rotation window. The rotation window must not extend into the next UTC day or into the next rotation window.

You can use a cron() expression to create a rotation schedule that is more detailed than a rotation interval. For more information, including examples, see Schedule expressions in Secrets Manager rotation in the Secrets Manager Users Guide. For a cron expression that represents a schedule in hours, the default rotation window closes after one hour. For a cron expression that represents a schedule in days, the default rotation window closes at the end of the day. You can set the Duration to change the rotation window. The rotation window must not extend into the next UTC day or into the next rotation window.

The number of days between automatic scheduled rotations of the secret. You can use this value to check that your secret meets your compliance guidelines for how often secrets must be rotated.

In DescribeSecret and ListSecrets, this value is calculated from the rotation schedule after every successful rotation. In RotateSecret, you can set the rotation schedule in RotationRules with AutomaticallyAfterDays or ScheduleExpression, but not both. To set a rotation schedule in hours, use ScheduleExpression.

The length of the rotation window in hours, for example 3h for a three hour window. Secrets Manager rotates your secret at any time during this window. The window must not extend into the next rotation window or the next UTC day. The window starts according to the ScheduleExpression. If you don't specify a Duration, for a ScheduleExpression in hours, the window automatically closes after one hour. For a ScheduleExpression in days, the window automatically closes at the end of the UTC day. For more information, including examples, see Schedule expressions in Secrets Manager rotation in the Secrets Manager Users Guide.

A cron() or rate() expression that defines the schedule for rotating your secret. Secrets Manager rotation schedules use UTC time zone. Secrets Manager rotates your secret any time during a rotation window.

Secrets Manager rate() expressions represent the interval in hours or days that you want to rotate your secret, for example rate(12 hours) or rate(10 days). You can rotate a secret as often as every four hours. If you use a rate() expression, the rotation window starts at midnight. For a rate in hours, the default rotation window closes after one hour. For a rate in days, the default rotation window closes at the end of the day. You can set the Duration to change the rotation window. The rotation window must not extend into the next UTC day or into the next rotation window.

You can use a cron() expression to create a rotation schedule that is more detailed than a rotation interval. For more information, including examples, see Schedule expressions in Secrets Manager rotation in the Secrets Manager Users Guide. For a cron expression that represents a schedule in hours, the default rotation window closes after one hour. For a cron expression that represents a schedule in days, the default rotation window closes at the end of the day. You can set the Duration to change the rotation window. The rotation window must not extend into the next UTC day or into the next rotation window.

A structure that contains the details about a secret. It does not include the encrypted SecretString and SecretBinary values. To get those values, use GetSecretValue .

See: newSecretListEntry smart constructor.

Create a value of SecretListEntry with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:arn:SecretListEntry', secretListEntry_arn - The Amazon Resource Name (ARN) of the secret.

$sel:createdDate:SecretListEntry', secretListEntry_createdDate - The date and time when a secret was created.

$sel:deletedDate:SecretListEntry', secretListEntry_deletedDate - The date and time the deletion of the secret occurred. Not present on active secrets. The secret can be recovered until the number of days in the recovery window has passed, as specified in the RecoveryWindowInDays parameter of the DeleteSecret operation.

$sel:description:SecretListEntry', secretListEntry_description - The user-provided description of the secret.

$sel:kmsKeyId:SecretListEntry', secretListEntry_kmsKeyId - The ARN of the KMS key that Secrets Manager uses to encrypt the secret value. If the secret is encrypted with the Amazon Web Services managed key aws/secretsmanager, this field is omitted.

$sel:lastAccessedDate:SecretListEntry', secretListEntry_lastAccessedDate - The date that the secret was last accessed in the Region. This field is omitted if the secret has never been retrieved in the Region.

$sel:lastChangedDate:SecretListEntry', secretListEntry_lastChangedDate - The last date and time that this secret was modified in any way.

$sel:lastRotatedDate:SecretListEntry', secretListEntry_lastRotatedDate - The most recent date and time that the Secrets Manager rotation process was successfully completed. This value is null if the secret hasn't ever rotated.

$sel:name:SecretListEntry', secretListEntry_name - The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. For example, /prod/databases/dbserver1 could represent the secret for a server named dbserver1 in the folder databases in the folder prod.

$sel:nextRotationDate:SecretListEntry', secretListEntry_nextRotationDate - Undocumented member.

$sel:owningService:SecretListEntry', secretListEntry_owningService - Returns the name of the service that created the secret.

$sel:primaryRegion:SecretListEntry', secretListEntry_primaryRegion - The Region where Secrets Manager originated the secret.

$sel:rotationEnabled:SecretListEntry', secretListEntry_rotationEnabled - Indicates whether automatic, scheduled rotation is enabled for this secret.

$sel:rotationLambdaARN:SecretListEntry', secretListEntry_rotationLambdaARN - The ARN of an Amazon Web Services Lambda function invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to RotateSecret .

$sel:rotationRules:SecretListEntry', secretListEntry_rotationRules - A structure that defines the rotation configuration for the secret.

$sel:secretVersionsToStages:SecretListEntry', secretListEntry_secretVersionsToStages - A list of all of the currently assigned SecretVersionStage staging labels and the SecretVersionId attached to each one. Staging labels are used to keep track of the different versions during the rotation process.

A version that does not have any SecretVersionStage is considered deprecated and subject to deletion. Such versions are not included in this list.

$sel:tags:SecretListEntry', secretListEntry_tags - The list of user-defined tags associated with the secret. To add tags to a secret, use TagResource . To remove tags, use UntagResource .

The Amazon Resource Name (ARN) of the secret.

The date and time when a secret was created.

The date and time the deletion of the secret occurred. Not present on active secrets. The secret can be recovered until the number of days in the recovery window has passed, as specified in the RecoveryWindowInDays parameter of the DeleteSecret operation.

The user-provided description of the secret.

The ARN of the KMS key that Secrets Manager uses to encrypt the secret value. If the secret is encrypted with the Amazon Web Services managed key aws/secretsmanager, this field is omitted.

The date that the secret was last accessed in the Region. This field is omitted if the secret has never been retrieved in the Region.

The last date and time that this secret was modified in any way.

The most recent date and time that the Secrets Manager rotation process was successfully completed. This value is null if the secret hasn't ever rotated.

The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. For example, /prod/databases/dbserver1 could represent the secret for a server named dbserver1 in the folder databases in the folder prod.

Undocumented member.

Returns the name of the service that created the secret.

The Region where Secrets Manager originated the secret.

Indicates whether automatic, scheduled rotation is enabled for this secret.

The ARN of an Amazon Web Services Lambda function invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to RotateSecret .

A structure that defines the rotation configuration for the secret.

A list of all of the currently assigned SecretVersionStage staging labels and the SecretVersionId attached to each one. Staging labels are used to keep track of the different versions during the rotation process.

A version that does not have any SecretVersionStage is considered deprecated and subject to deletion. Such versions are not included in this list.

The list of user-defined tags associated with the secret. To add tags to a secret, use TagResource . To remove tags, use UntagResource .

A structure that contains information about one version of a secret.

See: newSecretVersionsListEntry smart constructor.

Create a value of SecretVersionsListEntry with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:createdDate:SecretVersionsListEntry', secretVersionsListEntry_createdDate - The date and time this version of the secret was created.

$sel:kmsKeyIds:SecretVersionsListEntry', secretVersionsListEntry_kmsKeyIds - The KMS keys used to encrypt the secret version.

$sel:lastAccessedDate:SecretVersionsListEntry', secretVersionsListEntry_lastAccessedDate - The date that this version of the secret was last accessed. Note that the resolution of this field is at the date level and does not include the time.

$sel:versionId:SecretVersionsListEntry', secretVersionsListEntry_versionId - The unique version identifier of this version of the secret.

$sel:versionStages:SecretVersionsListEntry', secretVersionsListEntry_versionStages - An array of staging labels that are currently associated with this version of the secret.

The date and time this version of the secret was created.

The KMS keys used to encrypt the secret version.

The date that this version of the secret was last accessed. Note that the resolution of this field is at the date level and does not include the time.

The unique version identifier of this version of the secret.

An array of staging labels that are currently associated with this version of the secret.

A structure that contains information about a tag.

See: newTag smart constructor.

Create a value of Tag with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:key:Tag', tag_key - The key identifier, or name, of the tag.

$sel:value:Tag', tag_value - The string value associated with the key of the tag.

The key identifier, or name, of the tag.

The string value associated with the key of the tag.

Displays errors that occurred during validation of the resource policy.

See: newValidationErrorsEntry smart constructor.

Create a value of ValidationErrorsEntry with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:checkName:ValidationErrorsEntry', validationErrorsEntry_checkName - Checks the name of the policy.

$sel:errorMessage:ValidationErrorsEntry', validationErrorsEntry_errorMessage - Displays error messages if validation encounters problems during validation of the resource policy.

Checks the name of the policy.

Displays error messages if validation encounters problems during validation of the resource policy.