AWS Secrets Manager

2020/07/09 - AWS Secrets Manager - 1 new3 updated api methods

Changes  Update secretsmanager client to latest version

ValidateResourcePolicy (new) Link ¶

Validates the JSON text of the resource-based policy document attached to the specified secret. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string. A resource-based policy is optional.

See also: AWS API Documentation

Request Syntax

client.validate_resource_policy(
    SecretId='string',
    ResourcePolicy='string'
)
type SecretId:

string

param SecretId:

The identifier for the secret that you want to validate a resource policy. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

type ResourcePolicy:

string

param ResourcePolicy:

[REQUIRED]

Identifies the Resource Policy attached to the secret.

rtype:

dict

returns:

Response Syntax

{
    'PolicyValidationPassed': True|False,
    'ValidationErrors': [
        {
            'CheckName': 'string',
            'ErrorMessage': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • PolicyValidationPassed (boolean) --

      Returns a message stating that your Reource Policy passed validation.

    • ValidationErrors (list) --

      Returns an error message if your policy doesn't pass validatation.

      • (dict) --

        Displays errors that occurred during validation of the resource policy.

        • CheckName (string) --

          Checks the name of the policy.

        • ErrorMessage (string) --

          Displays error messages if validation encounters problems during validation of the resource policy.

DescribeSecret (updated) Link ¶
Changes (response)
{'CreatedDate': 'timestamp'}

Retrieves the details of a secret. It does not include the encrypted fields. Secrets Manager only returns fields populated with a value in the response.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:DescribeSecret

Related operations

  • To create a secret, use CreateSecret.

  • To modify a secret, use UpdateSecret.

  • To retrieve the encrypted secret information in a version of the secret, use GetSecretValue.

  • To list all of the secrets in the AWS account, use ListSecrets.

See also: AWS API Documentation

Request Syntax

client.describe_secret(
    SecretId='string'
)
type SecretId:

string

param SecretId:

[REQUIRED]

The identifier of the secret whose details you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

rtype:

dict

returns:

Response Syntax

{
    'ARN': 'string',
    'Name': 'string',
    'Description': 'string',
    'KmsKeyId': 'string',
    'RotationEnabled': True|False,
    'RotationLambdaARN': 'string',
    'RotationRules': {
        'AutomaticallyAfterDays': 123
    },
    'LastRotatedDate': datetime(2015, 1, 1),
    'LastChangedDate': datetime(2015, 1, 1),
    'LastAccessedDate': datetime(2015, 1, 1),
    'DeletedDate': datetime(2015, 1, 1),
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'VersionIdsToStages': {
        'string': [
            'string',
        ]
    },
    'OwningService': 'string',
    'CreatedDate': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • ARN (string) --

      The ARN of the secret.

    • Name (string) --

      The user-provided friendly name of the secret.

    • Description (string) --

      The user-provided description of the secret.

    • KmsKeyId (string) --

      The ARN or alias of the AWS KMS customer master key (CMK) that's used to encrypt the SecretString or SecretBinary fields in each version of the secret. If you don't provide a key, then Secrets Manager defaults to encrypting the secret fields with the default AWS KMS CMK (the one named awssecretsmanager) for this account.

    • RotationEnabled (boolean) --

      Specifies whether automatic rotation is enabled for this secret.

      To enable rotation, use RotateSecret with AutomaticallyRotateAfterDays set to a value greater than 0. To disable rotation, use CancelRotateSecret.

    • RotationLambdaARN (string) --

      The ARN of a Lambda function that's invoked by Secrets Manager to rotate the secret either automatically per the schedule or manually by a call to RotateSecret.

    • RotationRules (dict) --

      A structure that contains the rotation configuration for this secret.

      • AutomaticallyAfterDays (integer) --

        Specifies the number of days between automatic scheduled rotations of the secret.

        Secrets Manager schedules the next rotation when the previous one is complete. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour and influenced by a variety of factors that help distribute load.

    • LastRotatedDate (datetime) --

      The most recent date and time that the Secrets Manager rotation process was successfully completed. This value is null if the secret has never rotated.

    • LastChangedDate (datetime) --

      The last date and time that this secret was modified in any way.

    • LastAccessedDate (datetime) --

      The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time.

    • DeletedDate (datetime) --

      This value exists if the secret is scheduled for deletion. Some time after the specified date and time, Secrets Manager deletes the secret and all of its versions.

      If a secret is scheduled for deletion, then its details, including the encrypted secret information, is not accessible. To cancel a scheduled deletion and restore access, use RestoreSecret.

    • Tags (list) --

      The list of user-defined tags that are associated with the secret. To add tags to a secret, use TagResource. To remove tags, use UntagResource.

      • (dict) --

        A structure that contains information about a tag.

        • Key (string) --

          The key identifier, or name, of the tag.

        • Value (string) --

          The string value associated with the key of the tag.

    • VersionIdsToStages (dict) --

      A list of all of the currently assigned VersionStage staging labels and the VersionId that each is attached to. Staging labels are used to keep track of the different versions during the rotation process.

      • (string) --

        • (list) --

          • (string) --

    • OwningService (string) --

      Returns the name of the service that created this secret.

    • CreatedDate (datetime) --

      The date that the secret was created.

ListSecrets (updated) Link ¶
Changes (request, response)
Request
{'Filters': [{'Key': 'description | name | tag-key | tag-value | all',
              'Values': ['string']}],
 'SortOrder': 'asc | desc'}
Response
{'SecretList': {'CreatedDate': 'timestamp'}}

Lists all of the secrets that are stored by Secrets Manager in the AWS account. To list the versions currently stored for a specific secret, use ListSecretVersionIds. The encrypted fields SecretString and SecretBinary are not included in the output. To get that information, call the GetSecretValue operation.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:ListSecrets

Related operations

  • To list the versions attached to a secret, use ListSecretVersionIds.

See also: AWS API Documentation

Request Syntax

client.list_secrets(
    MaxResults=123,
    NextToken='string',
    Filters=[
        {
            'Key': 'description'|'name'|'tag-key'|'tag-value'|'all',
            'Values': [
                'string',
            ]
        },
    ],
    SortOrder='asc'|'desc'
)
type MaxResults:

integer

param MaxResults:

(Optional) Limits the number of results you want to include in the response. If you don't include this parameter, it defaults to a value that's specific to the operation. If additional items exist beyond the maximum you specify, the NextToken response element is present and has a value (isn't null). Include that value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that Secrets Manager might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

type NextToken:

string

param NextToken:

(Optional) Use this parameter in a request if you receive a NextToken response in a previous request indicating there's more output available. In a subsequent call, set it to the value of the previous call NextToken response to indicate where the output should continue from.

type Filters:

list

param Filters:

Lists the secret request filters.

  • (dict) --

    Allows you to filter your list of secrets.

    • Key (string) --

      Filters your list of secrets by a specific key.

    • Values (list) --

      Filters your list of secrets by a specific value.

      • (string) --

type SortOrder:

string

param SortOrder:

Lists secrets in the requested order.

rtype:

dict

returns:

Response Syntax

{
    'SecretList': [
        {
            'ARN': 'string',
            'Name': 'string',
            'Description': 'string',
            'KmsKeyId': 'string',
            'RotationEnabled': True|False,
            'RotationLambdaARN': 'string',
            'RotationRules': {
                'AutomaticallyAfterDays': 123
            },
            'LastRotatedDate': datetime(2015, 1, 1),
            'LastChangedDate': datetime(2015, 1, 1),
            'LastAccessedDate': datetime(2015, 1, 1),
            'DeletedDate': datetime(2015, 1, 1),
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ],
            'SecretVersionsToStages': {
                'string': [
                    'string',
                ]
            },
            'OwningService': 'string',
            'CreatedDate': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • SecretList (list) --

      A list of the secrets in the account.

      • (dict) --

        A structure that contains the details about a secret. It does not include the encrypted SecretString and SecretBinary values. To get those values, use the GetSecretValue operation.

        • ARN (string) --

          The Amazon Resource Name (ARN) of the secret.

          For more information about ARNs in Secrets Manager, see Policy Resources in the AWS Secrets Manager User Guide.

        • Name (string) --

          The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. For example, /prod/databases/dbserver1 could represent the secret for a server named dbserver1 in the folder databases in the folder prod.

        • Description (string) --

          The user-provided description of the secret.

        • KmsKeyId (string) --

          The ARN or alias of the AWS KMS customer master key (CMK) used to encrypt the SecretString and SecretBinary fields in each version of the secret. If you don't provide a key, then Secrets Manager defaults to encrypting the secret fields with the default KMS CMK, the key named awssecretsmanager, for this account.

        • RotationEnabled (boolean) --

          Indicates whether automatic, scheduled rotation is enabled for this secret.

        • RotationLambdaARN (string) --

          The ARN of an AWS Lambda function invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to RotateSecret.

        • RotationRules (dict) --

          A structure that defines the rotation configuration for the secret.

          • AutomaticallyAfterDays (integer) --

            Specifies the number of days between automatic scheduled rotations of the secret.

            Secrets Manager schedules the next rotation when the previous one is complete. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly, but weighted towards the top of the hour and influenced by a variety of factors that help distribute load.

        • LastRotatedDate (datetime) --

          The last date and time that the rotation process for this secret was invoked.

        • LastChangedDate (datetime) --

          The last date and time that this secret was modified in any way.

        • LastAccessedDate (datetime) --

          The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time.

        • DeletedDate (datetime) --

          The date and time the deletion of the secret occurred. Not present on active secrets. The secret can be recovered until the number of days in the recovery window has passed, as specified in the RecoveryWindowInDays parameter of the DeleteSecret operation.

        • Tags (list) --

          The list of user-defined tags associated with the secret. To add tags to a secret, use TagResource. To remove tags, use UntagResource.

          • (dict) --

            A structure that contains information about a tag.

            • Key (string) --

              The key identifier, or name, of the tag.

            • Value (string) --

              The string value associated with the key of the tag.

        • SecretVersionsToStages (dict) --

          A list of all of the currently assigned SecretVersionStage staging labels and the SecretVersionId attached to each one. Staging labels are used to keep track of the different versions during the rotation process.

          • (string) --

            • (list) --

              • (string) --

        • OwningService (string) --

          Returns the name of the service that created the secret.

        • CreatedDate (datetime) --

          The date and time when a secret was created.

    • NextToken (string) --

      If present in the response, this value indicates that there's more output available than included in the current response. This can occur even when the response includes no values at all, such as when you ask for a filtered view of a very long list. Use this value in the NextToken request parameter in a subsequent call to the operation to continue processing and get the next part of the output. You should repeat this until the NextToken response element comes back empty (as null).

PutResourcePolicy (updated) Link ¶
Changes (request)
{'BlockPublicPolicy': 'boolean'}

Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM identity-based policies that specify the secret's Amazon Resource Name (ARN) in the policy statement's Resources element. You can also use a combination of both identity-based and resource-based policies. The affected users and roles receive the permissions that are permitted by all of the relevant policies. For more information, see Using Resource-Based Policies for AWS Secrets Manager. For the complete description of the AWS policy syntax and grammar, see IAM JSON Policy Reference in the IAM User Guide.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:PutResourcePolicy

Related operations

  • To retrieve the resource policy attached to a secret, use GetResourcePolicy.

  • To delete the resource-based policy that's attached to a secret, use DeleteResourcePolicy.

  • To list all of the currently available secrets, use ListSecrets.

See also: AWS API Documentation

Request Syntax

client.put_resource_policy(
    SecretId='string',
    ResourcePolicy='string',
    BlockPublicPolicy=True|False
)
type SecretId:

string

param SecretId:

[REQUIRED]

Specifies the secret that you want to attach the resource-based policy to. You can specify either the ARN or the friendly name of the secret.

type ResourcePolicy:

string

param ResourcePolicy:

[REQUIRED]

A JSON-formatted string that's constructed according to the grammar and syntax for an AWS resource-based policy. The policy in the string identifies who can access or manage this secret and its versions. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the AWS CLI User Guide.

type BlockPublicPolicy:

boolean

param BlockPublicPolicy:

Makes an optional API call to Zelkova to validate the Resource Policy to prevent broad access to your secret.

rtype:

dict

returns:

Response Syntax

{
    'ARN': 'string',
    'Name': 'string'
}

Response Structure

  • (dict) --

    • ARN (string) --

      The ARN of the secret retrieved by the resource-based policy.

    • Name (string) --

      The friendly name of the secret that the retrieved by the resource-based policy.