/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
* the License. A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
package software.amazon.awssdk.services.secretsmanager;
import java.util.Collections;
import java.util.List;
import java.util.function.Consumer;
import software.amazon.awssdk.annotations.Generated;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler;
import software.amazon.awssdk.awscore.exception.AwsServiceException;
import software.amazon.awssdk.awscore.internal.AwsProtocolMetadata;
import software.amazon.awssdk.awscore.internal.AwsServiceProtocol;
import software.amazon.awssdk.awscore.retry.AwsRetryStrategy;
import software.amazon.awssdk.core.RequestOverrideConfiguration;
import software.amazon.awssdk.core.SdkPlugin;
import software.amazon.awssdk.core.SdkRequest;
import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
import software.amazon.awssdk.core.client.config.SdkClientConfiguration;
import software.amazon.awssdk.core.client.config.SdkClientOption;
import software.amazon.awssdk.core.client.handler.ClientExecutionParams;
import software.amazon.awssdk.core.client.handler.SyncClientHandler;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.core.http.HttpResponseHandler;
import software.amazon.awssdk.core.metrics.CoreMetric;
import software.amazon.awssdk.core.retry.RetryMode;
import software.amazon.awssdk.metrics.MetricCollector;
import software.amazon.awssdk.metrics.MetricPublisher;
import software.amazon.awssdk.metrics.NoOpMetricCollector;
import software.amazon.awssdk.protocols.core.ExceptionMetadata;
import software.amazon.awssdk.protocols.json.AwsJsonProtocol;
import software.amazon.awssdk.protocols.json.AwsJsonProtocolFactory;
import software.amazon.awssdk.protocols.json.BaseAwsJsonProtocolFactory;
import software.amazon.awssdk.protocols.json.JsonOperationMetadata;
import software.amazon.awssdk.retries.api.RetryStrategy;
import software.amazon.awssdk.services.secretsmanager.internal.SecretsManagerServiceClientConfigurationBuilder;
import software.amazon.awssdk.services.secretsmanager.model.BatchGetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.BatchGetSecretValueResponse;
import software.amazon.awssdk.services.secretsmanager.model.CancelRotateSecretRequest;
import software.amazon.awssdk.services.secretsmanager.model.CancelRotateSecretResponse;
import software.amazon.awssdk.services.secretsmanager.model.CreateSecretRequest;
import software.amazon.awssdk.services.secretsmanager.model.CreateSecretResponse;
import software.amazon.awssdk.services.secretsmanager.model.DecryptionFailureException;
import software.amazon.awssdk.services.secretsmanager.model.DeleteResourcePolicyRequest;
import software.amazon.awssdk.services.secretsmanager.model.DeleteResourcePolicyResponse;
import software.amazon.awssdk.services.secretsmanager.model.DeleteSecretRequest;
import software.amazon.awssdk.services.secretsmanager.model.DeleteSecretResponse;
import software.amazon.awssdk.services.secretsmanager.model.DescribeSecretRequest;
import software.amazon.awssdk.services.secretsmanager.model.DescribeSecretResponse;
import software.amazon.awssdk.services.secretsmanager.model.EncryptionFailureException;
import software.amazon.awssdk.services.secretsmanager.model.GetRandomPasswordRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetRandomPasswordResponse;
import software.amazon.awssdk.services.secretsmanager.model.GetResourcePolicyRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetResourcePolicyResponse;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import software.amazon.awssdk.services.secretsmanager.model.InternalServiceErrorException;
import software.amazon.awssdk.services.secretsmanager.model.InvalidNextTokenException;
import software.amazon.awssdk.services.secretsmanager.model.InvalidParameterException;
import software.amazon.awssdk.services.secretsmanager.model.InvalidRequestException;
import software.amazon.awssdk.services.secretsmanager.model.LimitExceededException;
import software.amazon.awssdk.services.secretsmanager.model.ListSecretVersionIdsRequest;
import software.amazon.awssdk.services.secretsmanager.model.ListSecretVersionIdsResponse;
import software.amazon.awssdk.services.secretsmanager.model.ListSecretsRequest;
import software.amazon.awssdk.services.secretsmanager.model.ListSecretsResponse;
import software.amazon.awssdk.services.secretsmanager.model.MalformedPolicyDocumentException;
import software.amazon.awssdk.services.secretsmanager.model.PreconditionNotMetException;
import software.amazon.awssdk.services.secretsmanager.model.PublicPolicyException;
import software.amazon.awssdk.services.secretsmanager.model.PutResourcePolicyRequest;
import software.amazon.awssdk.services.secretsmanager.model.PutResourcePolicyResponse;
import software.amazon.awssdk.services.secretsmanager.model.PutSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.PutSecretValueResponse;
import software.amazon.awssdk.services.secretsmanager.model.RemoveRegionsFromReplicationRequest;
import software.amazon.awssdk.services.secretsmanager.model.RemoveRegionsFromReplicationResponse;
import software.amazon.awssdk.services.secretsmanager.model.ReplicateSecretToRegionsRequest;
import software.amazon.awssdk.services.secretsmanager.model.ReplicateSecretToRegionsResponse;
import software.amazon.awssdk.services.secretsmanager.model.ResourceExistsException;
import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
import software.amazon.awssdk.services.secretsmanager.model.RestoreSecretRequest;
import software.amazon.awssdk.services.secretsmanager.model.RestoreSecretResponse;
import software.amazon.awssdk.services.secretsmanager.model.RotateSecretRequest;
import software.amazon.awssdk.services.secretsmanager.model.RotateSecretResponse;
import software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException;
import software.amazon.awssdk.services.secretsmanager.model.StopReplicationToReplicaRequest;
import software.amazon.awssdk.services.secretsmanager.model.StopReplicationToReplicaResponse;
import software.amazon.awssdk.services.secretsmanager.model.TagResourceRequest;
import software.amazon.awssdk.services.secretsmanager.model.TagResourceResponse;
import software.amazon.awssdk.services.secretsmanager.model.UntagResourceRequest;
import software.amazon.awssdk.services.secretsmanager.model.UntagResourceResponse;
import software.amazon.awssdk.services.secretsmanager.model.UpdateSecretRequest;
import software.amazon.awssdk.services.secretsmanager.model.UpdateSecretResponse;
import software.amazon.awssdk.services.secretsmanager.model.UpdateSecretVersionStageRequest;
import software.amazon.awssdk.services.secretsmanager.model.UpdateSecretVersionStageResponse;
import software.amazon.awssdk.services.secretsmanager.model.ValidateResourcePolicyRequest;
import software.amazon.awssdk.services.secretsmanager.model.ValidateResourcePolicyResponse;
import software.amazon.awssdk.services.secretsmanager.transform.BatchGetSecretValueRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.CancelRotateSecretRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.CreateSecretRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.DeleteResourcePolicyRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.DeleteSecretRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.DescribeSecretRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.GetRandomPasswordRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.GetResourcePolicyRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.GetSecretValueRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.ListSecretVersionIdsRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.ListSecretsRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.PutResourcePolicyRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.PutSecretValueRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.RemoveRegionsFromReplicationRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.ReplicateSecretToRegionsRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.RestoreSecretRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.RotateSecretRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.StopReplicationToReplicaRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.TagResourceRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.UntagResourceRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.UpdateSecretRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.UpdateSecretVersionStageRequestMarshaller;
import software.amazon.awssdk.services.secretsmanager.transform.ValidateResourcePolicyRequestMarshaller;
import software.amazon.awssdk.utils.Logger;
/**
* Internal implementation of {@link SecretsManagerClient}.
*
* @see SecretsManagerClient#builder()
*/
@Generated("software.amazon.awssdk:codegen")
@SdkInternalApi
final class DefaultSecretsManagerClient implements SecretsManagerClient {
// Logger for this client class.
private static final Logger log = Logger.loggerFor(DefaultSecretsManagerClient.class);
// Protocol descriptor (AWS_JSON) that the operations visible here pass to withProtocolMetadata(...).
private static final AwsProtocolMetadata protocolMetadata = AwsProtocolMetadata.builder()
.serviceProtocol(AwsServiceProtocol.AWS_JSON).build();
// Handler that executes each operation's ClientExecutionParams.
private final SyncClientHandler clientHandler;
// Builds the success-response handlers and is handed to each request marshaller.
private final AwsJsonProtocolFactory protocolFactory;
// Client-level configuration; each operation derives its per-request configuration from it
// through updateSdkClientConfiguration(...).
private final SdkClientConfiguration clientConfiguration;
/**
* Creates the client from the given SDK client configuration.
*
* @param clientConfiguration
*        configuration used to build the sync handler; a copy with this client registered under
*        {@code SdkClientOption.SDK_CLIENT} is kept for later per-request resolution
*/
protected DefaultSecretsManagerClient(SdkClientConfiguration clientConfiguration) {
// The handler receives the configuration exactly as passed in, without the SDK_CLIENT option added below.
this.clientHandler = new AwsSyncClientHandler(clientConfiguration);
// NOTE(review): `this` is stored in the configuration before the constructor has finished, so anything that
// reads SDK_CLIENT during construction would see a partially initialised client.
this.clientConfiguration = clientConfiguration.toBuilder().option(SdkClientOption.SDK_CLIENT, this).build();
// init(...) is defined outside this view; presumably it may read this.clientConfiguration, so this assignment
// stays last -- confirm before reordering.
this.protocolFactory = init(AwsJsonProtocolFactory.builder()).build();
}
/**
*
* Retrieves the contents of the encrypted fields <code>SecretString</code> or <code>SecretBinary</code> for up to
* 20 secrets. To retrieve a single secret, call GetSecretValue.
*
*
* To choose which secrets to retrieve, you can specify a list of secrets by name or ARN, or you can use filters. If
* Secrets Manager encounters errors such as <code>AccessDeniedException</code> while attempting to retrieve any of
* the secrets, you can see the errors in <code>Errors</code> in the response.
*
*
* Secrets Manager generates CloudTrail <code>GetSecretValue</code> log entries for each secret you request when you
* call this action. Do not include sensitive information in request parameters because it might be logged. For more
* information, see Logging Secrets Manager events with CloudTrail.
*
*
* Required permissions: <code>secretsmanager:BatchGetSecretValue</code>, and you must have
* <code>secretsmanager:GetSecretValue</code> for each secret. If you use filters, you must also have
* <code>secretsmanager:ListSecrets</code>. If the secrets are encrypted using customer-managed keys instead of the
* Amazon Web Services managed key <code>aws/secretsmanager</code>, then you also need <code>kms:Decrypt</code>
* permissions for the keys. For more information, see IAM policy actions for Secrets Manager and Authentication
* and access control in Secrets Manager.
*
*
* @param batchGetSecretValueRequest
* @return Result of the BatchGetSecretValue operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws DecryptionFailureException
* Secrets Manager can't decrypt the protected secret text using the provided KMS key.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws InvalidNextTokenException
* The <code>NextToken</code> value is invalid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.BatchGetSecretValue
* @see AWS API Documentation
*/
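@Override
public BatchGetSecretValueResponse batchGetSecretValue(BatchGetSecretValueRequest batchGetSecretValueRequest)
        throws ResourceNotFoundException, InvalidParameterException, InvalidRequestException, DecryptionFailureException,
        InternalServiceErrorException, InvalidNextTokenException, AwsServiceException, SdkClientException,
        SecretsManagerException {
    // The operation returns a non-streaming JSON payload.
    JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();

    // Type arguments are restored on the handlers, the publisher list and ClientExecutionParams: with raw types
    // the typed return and the publisher lambda in the finally block do not compile.
    HttpResponseHandler<BatchGetSecretValueResponse> responseHandler = protocolFactory.createResponseHandler(
            operationMetadata, BatchGetSecretValueResponse::builder);

    // createErrorResponseHandler is declared outside this view; AwsServiceException is the assumed error type --
    // confirm against its declaration.
    HttpResponseHandler<AwsServiceException> errorResponseHandler = createErrorResponseHandler(protocolFactory,
            operationMetadata);

    // Per-request configuration derived from the client-level one.
    SdkClientConfiguration clientConfiguration = updateSdkClientConfiguration(batchGetSecretValueRequest,
            this.clientConfiguration);
    List<MetricPublisher> metricPublishers = resolveMetricPublishers(clientConfiguration, batchGetSecretValueRequest
            .overrideConfiguration().orElse(null));
    // Skip metric collection entirely when nobody would publish the result.
    MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
            .create("ApiCall");
    try {
        // The metrics reported in this method are two constants, not request or response fields. The response
        // itself carries the retrieved secret values, so callers should keep it out of logs.
        apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "BatchGetSecretValue");

        return clientHandler.execute(new ClientExecutionParams<BatchGetSecretValueRequest, BatchGetSecretValueResponse>()
                .withOperationName("BatchGetSecretValue").withProtocolMetadata(protocolMetadata)
                .withResponseHandler(responseHandler).withErrorResponseHandler(errorResponseHandler)
                .withRequestConfiguration(clientConfiguration).withInput(batchGetSecretValueRequest)
                .withMetricCollector(apiCallMetricCollector)
                .withMarshaller(new BatchGetSecretValueRequestMarshaller(protocolFactory)));
    } finally {
        // Publish whether or not execute() succeeded. An exception thrown by a publisher here would supersede
        // one thrown by execute().
        metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
    }
}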
/**
*
* Turns off automatic rotation, and if a rotation is currently in progress, cancels the rotation.
*
*
* If you cancel a rotation in progress, it can leave the <code>VersionStage</code> labels in an unexpected state.
* You might need to remove the staging label <code>AWSPENDING</code> from the partially created version. You also
* need to determine whether to roll back to the previous version of the secret by moving the staging label
* <code>AWSCURRENT</code> to the version that has <code>AWSPENDING</code>. To determine which version has a
* specific staging label, call ListSecretVersionIds. Then use UpdateSecretVersionStage to change
* staging labels. For more information, see How rotation works.
*
*
* To turn on automatic rotation again, call RotateSecret.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: <code>secretsmanager:CancelRotateSecret</code>. For more information, see IAM policy
* actions for Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param cancelRotateSecretRequest
* @return Result of the CancelRotateSecret operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.CancelRotateSecret
* @see AWS API Documentation
*/
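@Override
public CancelRotateSecretResponse cancelRotateSecret(CancelRotateSecretRequest cancelRotateSecretRequest)
        throws ResourceNotFoundException, InvalidParameterException, InternalServiceErrorException, InvalidRequestException,
        AwsServiceException, SdkClientException, SecretsManagerException {
    // The operation returns a non-streaming JSON payload.
    JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();

    // Type arguments are restored on the handlers, the publisher list and ClientExecutionParams: with raw types
    // the typed return and the publisher lambda in the finally block do not compile.
    HttpResponseHandler<CancelRotateSecretResponse> responseHandler = protocolFactory.createResponseHandler(
            operationMetadata, CancelRotateSecretResponse::builder);

    // createErrorResponseHandler is declared outside this view; AwsServiceException is the assumed error type --
    // confirm against its declaration.
    HttpResponseHandler<AwsServiceException> errorResponseHandler = createErrorResponseHandler(protocolFactory,
            operationMetadata);

    // Per-request configuration derived from the client-level one.
    SdkClientConfiguration clientConfiguration = updateSdkClientConfiguration(cancelRotateSecretRequest,
            this.clientConfiguration);
    List<MetricPublisher> metricPublishers = resolveMetricPublishers(clientConfiguration, cancelRotateSecretRequest
            .overrideConfiguration().orElse(null));
    // Skip metric collection entirely when nobody would publish the result.
    MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
            .create("ApiCall");
    try {
        // The metrics reported in this method are two constants, not request or response fields.
        apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "CancelRotateSecret");

        return clientHandler.execute(new ClientExecutionParams<CancelRotateSecretRequest, CancelRotateSecretResponse>()
                .withOperationName("CancelRotateSecret").withProtocolMetadata(protocolMetadata)
                .withResponseHandler(responseHandler).withErrorResponseHandler(errorResponseHandler)
                .withRequestConfiguration(clientConfiguration).withInput(cancelRotateSecretRequest)
                .withMetricCollector(apiCallMetricCollector)
                .withMarshaller(new CancelRotateSecretRequestMarshaller(protocolFactory)));
    } finally {
        // Publish whether or not execute() succeeded. An exception thrown by a publisher here would supersede
        // one thrown by execute().
        metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
    }
}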
/**
*
* Creates a new secret. A secret can be a password, a set of credentials such as a user name and password,
* an OAuth token, or other secret information that you store in an encrypted form in Secrets Manager. The secret
* also includes the connection information to access a database or other service, which Secrets Manager doesn't
* encrypt. A secret in Secrets Manager consists of both the protected secret data and the important information
* needed to manage the secret.
*
*
* For secrets that use managed rotation, you need to create the secret through the managing service. For
* more information, see Secrets Manager
* secrets managed by other Amazon Web Services services.
*
*
* For information about creating a secret in the console, see Create a
* secret.
*
*
* To create a secret, you can provide the secret value to be encrypted in either the <code>SecretString</code>
* parameter or the <code>SecretBinary</code> parameter, but not both. If you include <code>SecretString</code> or
* <code>SecretBinary</code> then Secrets Manager creates an initial secret version and automatically attaches the
* staging label <code>AWSCURRENT</code> to it.
*
*
* For database credentials you want to rotate, for Secrets Manager to be able to rotate the secret, you must make
* sure the JSON you store in the <code>SecretString</code> matches the JSON
* structure of a database secret.
*
*
* If you don't specify a KMS encryption key, Secrets Manager uses the Amazon Web Services managed key
* <code>aws/secretsmanager</code>. If this key doesn't already exist in your account, then Secrets Manager creates
* it for you automatically. All users and roles in the Amazon Web Services account automatically have access to use
* <code>aws/secretsmanager</code>. Creating <code>aws/secretsmanager</code> can result in a one-time significant
* delay in returning the result.
*
*
* If the secret is in a different Amazon Web Services account from the credentials calling the API, then you can't
* use <code>aws/secretsmanager</code> to encrypt the secret, and you must create and use a customer managed KMS
* key.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters except <code>SecretBinary</code> or <code>SecretString</code> because it might be logged.
* For more information, see Logging Secrets Manager events with CloudTrail.
*
*
* Required permissions: <code>secretsmanager:CreateSecret</code>. If you include tags in the secret, you
* also need <code>secretsmanager:TagResource</code>. To add replica Regions, you must also have
* <code>secretsmanager:ReplicateSecretToRegions</code>. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* To encrypt the secret with a KMS key other than <code>aws/secretsmanager</code>, you need
* <code>kms:GenerateDataKey</code> and <code>kms:Decrypt</code> permission to the key.
*
*
*
* When you enter commands in a command shell, there is a risk of the command history being accessed or utilities
* having access to your command parameters. This is a concern if the command includes the value of a secret. Learn
* how to Mitigate the
* risks of using command-line tools to store Secrets Manager secrets.
*
*
*
* @param createSecretRequest
* @return Result of the CreateSecret operation returned by the service.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws LimitExceededException
* The request failed because it would exceed one of the Secrets Manager quotas.
* @throws EncryptionFailureException
* Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the KMS
* key is available, enabled, and not in an invalid state. For more information, see Key state: Effect on your KMS
* key.
* @throws ResourceExistsException
* A resource with the ID you requested already exists.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws MalformedPolicyDocumentException
* The resource policy has syntax errors.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws PreconditionNotMetException
* The request failed because you did not complete all the prerequisite steps.
* @throws DecryptionFailureException
* Secrets Manager can't decrypt the protected secret text using the provided KMS key.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.CreateSecret
* @see AWS
* API Documentation
*/
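@Override
public CreateSecretResponse createSecret(CreateSecretRequest createSecretRequest) throws InvalidParameterException,
        InvalidRequestException, LimitExceededException, EncryptionFailureException, ResourceExistsException,
        ResourceNotFoundException, MalformedPolicyDocumentException, InternalServiceErrorException,
        PreconditionNotMetException, DecryptionFailureException, AwsServiceException, SdkClientException,
        SecretsManagerException {
    // The operation returns a non-streaming JSON payload.
    JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();

    // Type arguments are restored on the handlers, the publisher list and ClientExecutionParams: with raw types
    // the typed return and the publisher lambda in the finally block do not compile.
    HttpResponseHandler<CreateSecretResponse> responseHandler = protocolFactory.createResponseHandler(operationMetadata,
            CreateSecretResponse::builder);

    // createErrorResponseHandler is declared outside this view; AwsServiceException is the assumed error type --
    // confirm against its declaration.
    HttpResponseHandler<AwsServiceException> errorResponseHandler = createErrorResponseHandler(protocolFactory,
            operationMetadata);

    // Per-request configuration derived from the client-level one.
    SdkClientConfiguration clientConfiguration = updateSdkClientConfiguration(createSecretRequest, this.clientConfiguration);
    List<MetricPublisher> metricPublishers = resolveMetricPublishers(clientConfiguration, createSecretRequest
            .overrideConfiguration().orElse(null));
    // Skip metric collection entirely when nobody would publish the result.
    MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
            .create("ApiCall");
    try {
        // The request can carry the secret value (SecretString / SecretBinary); the metrics reported in this
        // method are two constants and never request fields.
        apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "CreateSecret");

        return clientHandler.execute(new ClientExecutionParams<CreateSecretRequest, CreateSecretResponse>()
                .withOperationName("CreateSecret").withProtocolMetadata(protocolMetadata)
                .withResponseHandler(responseHandler).withErrorResponseHandler(errorResponseHandler)
                .withRequestConfiguration(clientConfiguration).withInput(createSecretRequest)
                .withMetricCollector(apiCallMetricCollector)
                .withMarshaller(new CreateSecretRequestMarshaller(protocolFactory)));
    } finally {
        // Publish whether or not execute() succeeded. An exception thrown by a publisher here would supersede
        // one thrown by execute().
        metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
    }
}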
/**
*
* Deletes the resource-based permission policy attached to the secret. To attach a policy to a secret, use
* PutResourcePolicy.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: <code>secretsmanager:DeleteResourcePolicy</code>. For more information, see IAM policy
* actions for Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param deleteResourcePolicyRequest
* @return Result of the DeleteResourcePolicy operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.DeleteResourcePolicy
* @see AWS API Documentation
*/
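@Override
public DeleteResourcePolicyResponse deleteResourcePolicy(DeleteResourcePolicyRequest deleteResourcePolicyRequest)
        throws ResourceNotFoundException, InternalServiceErrorException, InvalidRequestException, InvalidParameterException,
        AwsServiceException, SdkClientException, SecretsManagerException {
    // The operation returns a non-streaming JSON payload.
    JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();

    // Type arguments are restored on the handlers, the publisher list and ClientExecutionParams: with raw types
    // the typed return and the publisher lambda in the finally block do not compile.
    HttpResponseHandler<DeleteResourcePolicyResponse> responseHandler = protocolFactory.createResponseHandler(
            operationMetadata, DeleteResourcePolicyResponse::builder);

    // createErrorResponseHandler is declared outside this view; AwsServiceException is the assumed error type --
    // confirm against its declaration.
    HttpResponseHandler<AwsServiceException> errorResponseHandler = createErrorResponseHandler(protocolFactory,
            operationMetadata);

    // Per-request configuration derived from the client-level one.
    SdkClientConfiguration clientConfiguration = updateSdkClientConfiguration(deleteResourcePolicyRequest,
            this.clientConfiguration);
    List<MetricPublisher> metricPublishers = resolveMetricPublishers(clientConfiguration, deleteResourcePolicyRequest
            .overrideConfiguration().orElse(null));
    // Skip metric collection entirely when nobody would publish the result.
    MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
            .create("ApiCall");
    try {
        // The metrics reported in this method are two constants, not request or response fields.
        apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "DeleteResourcePolicy");

        return clientHandler.execute(new ClientExecutionParams<DeleteResourcePolicyRequest, DeleteResourcePolicyResponse>()
                .withOperationName("DeleteResourcePolicy").withProtocolMetadata(protocolMetadata)
                .withResponseHandler(responseHandler).withErrorResponseHandler(errorResponseHandler)
                .withRequestConfiguration(clientConfiguration).withInput(deleteResourcePolicyRequest)
                .withMetricCollector(apiCallMetricCollector)
                .withMarshaller(new DeleteResourcePolicyRequestMarshaller(protocolFactory)));
    } finally {
        // Publish whether or not execute() succeeded. An exception thrown by a publisher here would supersede
        // one thrown by execute().
        metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
    }
}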
/**
*
* Deletes a secret and all of its versions. You can specify a recovery window during which you can restore the
* secret. The minimum recovery window is 7 days. The default recovery window is 30 days. Secrets Manager attaches a
* {@code DeletionDate} stamp to the secret that specifies the end of the recovery window. At the end of the
* recovery window, Secrets Manager deletes the secret permanently.
*
*
* You can't delete a primary secret that is replicated to other Regions. You must first delete the replicas using
* RemoveRegionsFromReplication, and then delete the primary secret. When you delete a replica, it is deleted
* immediately.
*
*
* You can't directly delete a version of a secret. Instead, you remove all staging labels from the version using
* UpdateSecretVersionStage. This marks the version as deprecated, and then Secrets Manager can automatically
* delete the version in the background.
*
*
* To determine whether an application still uses a secret, you can create an Amazon CloudWatch alarm to alert you
* to any attempts to access a secret during the recovery window. For more information, see
* Monitor secrets scheduled for deletion.
*
*
* Secrets Manager performs the permanent secret deletion at the end of the waiting period as a background task with
* low priority. There is no guarantee of a specific time after the recovery window for the permanent delete to
* occur.
*
*
* At any time before recovery window ends, you can use RestoreSecret to remove the DeletionDate
* and cancel the deletion of the secret.
*
*
* When a secret is scheduled for deletion, you cannot retrieve the secret value. You must first cancel the deletion
* with RestoreSecret and then you can retrieve the secret.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: {@code secretsmanager:DeleteSecret}. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param deleteSecretRequest
* @return Result of the DeleteSecret operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.DeleteSecret
* @see AWS
* API Documentation
*/
@Override
public DeleteSecretResponse deleteSecret(DeleteSecretRequest deleteSecretRequest) throws ResourceNotFoundException,
        InvalidParameterException, InvalidRequestException, InternalServiceErrorException, AwsServiceException,
        SdkClientException, SecretsManagerException {
    // The success response is a non-streaming JSON payload.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler successHandler =
            protocolFactory.createResponseHandler(jsonMetadata, DeleteSecretResponse::builder);
    HttpResponseHandler failureHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Derive the configuration for this call from the request and the client's own configuration.
    SdkClientConfiguration effectiveConfiguration =
            updateSdkClientConfiguration(deleteSecretRequest, this.clientConfiguration);
    // NOTE(review): List is raw in this listing, so the publish() lambda below has no typed element;
    // the type arguments look lost in extraction - confirm against the generated source.
    List publishers = resolveMetricPublishers(effectiveConfiguration,
            deleteSecretRequest.overrideConfiguration().orElse(null));

    // With no publishers configured, a no-op collector is used instead of a real one.
    final MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "DeleteSecret");
        // No confirmation step is added here: the request, including any recovery-window setting the
        // caller chose, is handed to the client handler as supplied.
        return clientHandler.execute(new ClientExecutionParams()
                .withOperationName("DeleteSecret")
                .withProtocolMetadata(protocolMetadata)
                .withResponseHandler(successHandler)
                .withErrorResponseHandler(failureHandler)
                .withRequestConfiguration(effectiveConfiguration)
                .withInput(deleteSecretRequest)
                .withMetricCollector(callMetrics)
                .withMarshaller(new DeleteSecretRequestMarshaller(protocolFactory)));
    } finally {
        // Runs whether the call returned or threw, so failed calls are published as well.
        publishers.forEach(publisher -> publisher.publish(callMetrics.collect()));
    }
}
/**
*
* Retrieves the details of a secret. It does not include the encrypted secret value. Secrets Manager only returns
* fields that have a value in the response.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: {@code secretsmanager:DescribeSecret}. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param describeSecretRequest
* @return Result of the DescribeSecret operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.DescribeSecret
* @see AWS
* API Documentation
*/
@Override
public DescribeSecretResponse describeSecret(DescribeSecretRequest describeSecretRequest)
        throws ResourceNotFoundException, InternalServiceErrorException, InvalidParameterException,
        AwsServiceException, SdkClientException, SecretsManagerException {
    // The success response is a non-streaming JSON payload.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler successHandler =
            protocolFactory.createResponseHandler(jsonMetadata, DescribeSecretResponse::builder);
    HttpResponseHandler failureHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Derive the configuration for this call from the request and the client's own configuration.
    SdkClientConfiguration effectiveConfiguration =
            updateSdkClientConfiguration(describeSecretRequest, this.clientConfiguration);
    // NOTE(review): List is raw in this listing, so the publish() lambda below has no typed element;
    // the type arguments look lost in extraction - confirm against the generated source.
    List publishers = resolveMetricPublishers(effectiveConfiguration,
            describeSecretRequest.overrideConfiguration().orElse(null));

    // With no publishers configured, a no-op collector is used instead of a real one.
    final MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "DescribeSecret");
        return clientHandler.execute(new ClientExecutionParams()
                .withOperationName("DescribeSecret")
                .withProtocolMetadata(protocolMetadata)
                .withResponseHandler(successHandler)
                .withErrorResponseHandler(failureHandler)
                .withRequestConfiguration(effectiveConfiguration)
                .withInput(describeSecretRequest)
                .withMetricCollector(callMetrics)
                .withMarshaller(new DescribeSecretRequestMarshaller(protocolFactory)));
    } finally {
        // Runs whether the call returned or threw, so failed calls are published as well.
        publishers.forEach(publisher -> publisher.publish(callMetrics.collect()));
    }
}
/**
*
* Generates a random password. We recommend that you specify the maximum length and include every character type
* that the system you are generating a password for can support. By default, Secrets Manager uses uppercase and
* lowercase letters, numbers, and the following characters in passwords:
* !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action.
*
*
* Required permissions: {@code secretsmanager:GetRandomPassword}. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param getRandomPasswordRequest
* @return Result of the GetRandomPassword operation returned by the service.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.GetRandomPassword
* @see AWS API Documentation
*/
@Override
public GetRandomPasswordResponse getRandomPassword(GetRandomPasswordRequest getRandomPasswordRequest)
        throws InvalidParameterException, InvalidRequestException, InternalServiceErrorException,
        AwsServiceException, SdkClientException, SecretsManagerException {
    // The success response is a non-streaming JSON payload.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler successHandler =
            protocolFactory.createResponseHandler(jsonMetadata, GetRandomPasswordResponse::builder);
    HttpResponseHandler failureHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Derive the configuration for this call from the request and the client's own configuration.
    SdkClientConfiguration effectiveConfiguration =
            updateSdkClientConfiguration(getRandomPasswordRequest, this.clientConfiguration);
    // NOTE(review): List is raw in this listing, so the publish() lambda below has no typed element;
    // the type arguments look lost in extraction - confirm against the generated source.
    List publishers = resolveMetricPublishers(effectiveConfiguration,
            getRandomPasswordRequest.overrideConfiguration().orElse(null));

    // With no publishers configured, a no-op collector is used instead of a real one.
    final MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        // This method itself reports only the service id and operation name to the collector.
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "GetRandomPassword");
        // The returned response is the result of generating a password; callers should keep it out of
        // application logs and traces.
        return clientHandler.execute(new ClientExecutionParams()
                .withOperationName("GetRandomPassword")
                .withProtocolMetadata(protocolMetadata)
                .withResponseHandler(successHandler)
                .withErrorResponseHandler(failureHandler)
                .withRequestConfiguration(effectiveConfiguration)
                .withInput(getRandomPasswordRequest)
                .withMetricCollector(callMetrics)
                .withMarshaller(new GetRandomPasswordRequestMarshaller(protocolFactory)));
    } finally {
        // Runs whether the call returned or threw, so failed calls are published as well.
        publishers.forEach(publisher -> publisher.publish(callMetrics.collect()));
    }
}
/**
*
* Retrieves the JSON text of the resource-based policy document attached to the secret. For more information about
* permissions policies attached to a secret, see Permissions policies attached to a secret.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: {@code secretsmanager:GetResourcePolicy}. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param getResourcePolicyRequest
* @return Result of the GetResourcePolicy operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.GetResourcePolicy
* @see AWS API Documentation
*/
@Override
public GetResourcePolicyResponse getResourcePolicy(GetResourcePolicyRequest getResourcePolicyRequest)
        throws ResourceNotFoundException, InternalServiceErrorException, InvalidRequestException,
        InvalidParameterException, AwsServiceException, SdkClientException, SecretsManagerException {
    // The success response is a non-streaming JSON payload.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler successHandler =
            protocolFactory.createResponseHandler(jsonMetadata, GetResourcePolicyResponse::builder);
    HttpResponseHandler failureHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Derive the configuration for this call from the request and the client's own configuration.
    SdkClientConfiguration effectiveConfiguration =
            updateSdkClientConfiguration(getResourcePolicyRequest, this.clientConfiguration);
    // NOTE(review): List is raw in this listing, so the publish() lambda below has no typed element;
    // the type arguments look lost in extraction - confirm against the generated source.
    List publishers = resolveMetricPublishers(effectiveConfiguration,
            getResourcePolicyRequest.overrideConfiguration().orElse(null));

    // With no publishers configured, a no-op collector is used instead of a real one.
    final MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "GetResourcePolicy");
        return clientHandler.execute(new ClientExecutionParams()
                .withOperationName("GetResourcePolicy")
                .withProtocolMetadata(protocolMetadata)
                .withResponseHandler(successHandler)
                .withErrorResponseHandler(failureHandler)
                .withRequestConfiguration(effectiveConfiguration)
                .withInput(getResourcePolicyRequest)
                .withMetricCollector(callMetrics)
                .withMarshaller(new GetResourcePolicyRequestMarshaller(protocolFactory)));
    } finally {
        // Runs whether the call returned or threw, so failed calls are published as well.
        publishers.forEach(publisher -> publisher.publish(callMetrics.collect()));
    }
}
/**
*
* Retrieves the contents of the encrypted fields {@code SecretString} or {@code SecretBinary} from the
* specified version of a secret, whichever contains content.
*
*
* To retrieve the values for a group of secrets, call BatchGetSecretValue.
*
*
* We recommend that you cache your secret values by using client-side caching. Caching secrets improves speed and
* reduces your costs. For more information, see Cache secrets for your
* applications.
*
*
* To retrieve the previous version of a secret, use {@code VersionStage} and specify AWSPREVIOUS. To revert to
* the previous version of a secret, call UpdateSecretVersionStage.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: {@code secretsmanager:GetSecretValue}. If the secret is encrypted using a
* customer-managed key instead of the Amazon Web Services managed key {@code aws/secretsmanager}, then you
* also need {@code kms:Decrypt} permissions for that key. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param getSecretValueRequest
* @return Result of the GetSecretValue operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws DecryptionFailureException
* Secrets Manager can't decrypt the protected secret text using the provided KMS key.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.GetSecretValue
* @see AWS
* API Documentation
*/
@Override
public GetSecretValueResponse getSecretValue(GetSecretValueRequest getSecretValueRequest)
        throws ResourceNotFoundException, InvalidParameterException, InvalidRequestException,
        DecryptionFailureException, InternalServiceErrorException, AwsServiceException, SdkClientException,
        SecretsManagerException {
    // The success response is a non-streaming JSON payload.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler successHandler =
            protocolFactory.createResponseHandler(jsonMetadata, GetSecretValueResponse::builder);
    HttpResponseHandler failureHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Derive the configuration for this call from the request and the client's own configuration.
    SdkClientConfiguration effectiveConfiguration =
            updateSdkClientConfiguration(getSecretValueRequest, this.clientConfiguration);
    // NOTE(review): List is raw in this listing, so the publish() lambda below has no typed element;
    // the type arguments look lost in extraction - confirm against the generated source.
    List publishers = resolveMetricPublishers(effectiveConfiguration,
            getSecretValueRequest.overrideConfiguration().orElse(null));

    // With no publishers configured, a no-op collector is used instead of a real one.
    final MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        // This method itself reports only the service id and operation name to the collector.
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "GetSecretValue");
        // Per the operation's documentation the response carries the SecretString or SecretBinary
        // content, so callers should not log or otherwise persist the returned object as-is.
        return clientHandler.execute(new ClientExecutionParams()
                .withOperationName("GetSecretValue")
                .withProtocolMetadata(protocolMetadata)
                .withResponseHandler(successHandler)
                .withErrorResponseHandler(failureHandler)
                .withRequestConfiguration(effectiveConfiguration)
                .withInput(getSecretValueRequest)
                .withMetricCollector(callMetrics)
                .withMarshaller(new GetSecretValueRequestMarshaller(protocolFactory)));
    } finally {
        // Runs whether the call returned or threw, so failed calls are published as well.
        publishers.forEach(publisher -> publisher.publish(callMetrics.collect()));
    }
}
/**
*
* Lists the versions of a secret. Secrets Manager uses staging labels to indicate the different versions of a
* secret. For more information, see Secrets
* Manager concepts: Versions.
*
*
* To list the secrets in the account, use ListSecrets.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: {@code secretsmanager:ListSecretVersionIds}. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param listSecretVersionIdsRequest
* @return Result of the ListSecretVersionIds operation returned by the service.
* @throws InvalidNextTokenException
* The {@code NextToken} value is invalid.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.ListSecretVersionIds
* @see AWS API Documentation
*/
@Override
public ListSecretVersionIdsResponse listSecretVersionIds(ListSecretVersionIdsRequest listSecretVersionIdsRequest)
        throws InvalidNextTokenException, ResourceNotFoundException, InternalServiceErrorException,
        InvalidParameterException, AwsServiceException, SdkClientException, SecretsManagerException {
    // The success response is a non-streaming JSON payload.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler successHandler =
            protocolFactory.createResponseHandler(jsonMetadata, ListSecretVersionIdsResponse::builder);
    HttpResponseHandler failureHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Derive the configuration for this call from the request and the client's own configuration.
    SdkClientConfiguration effectiveConfiguration =
            updateSdkClientConfiguration(listSecretVersionIdsRequest, this.clientConfiguration);
    // NOTE(review): List is raw in this listing, so the publish() lambda below has no typed element;
    // the type arguments look lost in extraction - confirm against the generated source.
    List publishers = resolveMetricPublishers(effectiveConfiguration,
            listSecretVersionIdsRequest.overrideConfiguration().orElse(null));

    // With no publishers configured, a no-op collector is used instead of a real one.
    final MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "ListSecretVersionIds");
        return clientHandler.execute(new ClientExecutionParams()
                .withOperationName("ListSecretVersionIds")
                .withProtocolMetadata(protocolMetadata)
                .withResponseHandler(successHandler)
                .withErrorResponseHandler(failureHandler)
                .withRequestConfiguration(effectiveConfiguration)
                .withInput(listSecretVersionIdsRequest)
                .withMetricCollector(callMetrics)
                .withMarshaller(new ListSecretVersionIdsRequestMarshaller(protocolFactory)));
    } finally {
        // Runs whether the call returned or threw, so failed calls are published as well.
        publishers.forEach(publisher -> publisher.publish(callMetrics.collect()));
    }
}
/**
*
* Lists the secrets that are stored by Secrets Manager in the Amazon Web Services account, not including secrets
* that are marked for deletion. To see secrets marked for deletion, use the Secrets Manager console.
*
*
* All Secrets Manager operations are eventually consistent. ListSecrets might not reflect changes from the last
* five minutes. You can get more recent information for a specific secret by calling DescribeSecret.
*
*
* To list the versions of a secret, use ListSecretVersionIds.
*
*
* To retrieve the values for the secrets, call BatchGetSecretValue or GetSecretValue.
*
*
* For information about finding secrets in the console, see Find secrets in
* Secrets Manager.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: {@code secretsmanager:ListSecrets}. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param listSecretsRequest
* @return Result of the ListSecrets operation returned by the service.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws InvalidNextTokenException
* The {@code NextToken} value is invalid.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.ListSecrets
* @see AWS
* API Documentation
*/
@Override
public ListSecretsResponse listSecrets(ListSecretsRequest listSecretsRequest) throws InvalidParameterException,
        InvalidRequestException, InvalidNextTokenException, InternalServiceErrorException, AwsServiceException,
        SdkClientException, SecretsManagerException {
    // The success response is a non-streaming JSON payload.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler successHandler =
            protocolFactory.createResponseHandler(jsonMetadata, ListSecretsResponse::builder);
    HttpResponseHandler failureHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Derive the configuration for this call from the request and the client's own configuration.
    SdkClientConfiguration effectiveConfiguration =
            updateSdkClientConfiguration(listSecretsRequest, this.clientConfiguration);
    // NOTE(review): List is raw in this listing, so the publish() lambda below has no typed element;
    // the type arguments look lost in extraction - confirm against the generated source.
    List publishers = resolveMetricPublishers(effectiveConfiguration,
            listSecretsRequest.overrideConfiguration().orElse(null));

    // With no publishers configured, a no-op collector is used instead of a real one.
    final MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "ListSecrets");
        return clientHandler.execute(new ClientExecutionParams()
                .withOperationName("ListSecrets")
                .withProtocolMetadata(protocolMetadata)
                .withResponseHandler(successHandler)
                .withErrorResponseHandler(failureHandler)
                .withRequestConfiguration(effectiveConfiguration)
                .withInput(listSecretsRequest)
                .withMetricCollector(callMetrics)
                .withMarshaller(new ListSecretsRequestMarshaller(protocolFactory)));
    } finally {
        // Runs whether the call returned or threw, so failed calls are published as well.
        publishers.forEach(publisher -> publisher.publish(callMetrics.collect()));
    }
}
/**
*
* Attaches a resource-based permission policy to a secret. A resource-based policy is optional. For more
* information, see Authentication and access
* control for Secrets Manager
*
*
* For information about attaching a policy in the console, see Attach a permissions policy to a secret.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: {@code secretsmanager:PutResourcePolicy}. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param putResourcePolicyRequest
* @return Result of the PutResourcePolicy operation returned by the service.
* @throws MalformedPolicyDocumentException
* The resource policy has syntax errors.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws PublicPolicyException
* The {@code BlockPublicPolicy} parameter is set to true, and the resource policy did not prevent
* broad access to the secret.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.PutResourcePolicy
* @see AWS API Documentation
*/
@Override
public PutResourcePolicyResponse putResourcePolicy(PutResourcePolicyRequest putResourcePolicyRequest)
        throws MalformedPolicyDocumentException, ResourceNotFoundException, InvalidParameterException,
        InternalServiceErrorException, InvalidRequestException, PublicPolicyException, AwsServiceException,
        SdkClientException, SecretsManagerException {
    // Issues PutResourcePolicy through the shared client handler and returns what the handler returns.
    // The request is forwarded as the caller built it: no check of the policy document or of the
    // BlockPublicPolicy setting is visible in this method. Per the Javadoc above, PublicPolicyException is
    // tied to that parameter being true, so callers who want the broad-access check must set it themselves.
    // NOTE(review): HttpResponseHandler, List and ClientExecutionParams appear as raw types on this page; the
    // type arguments were probably dropped by the rendering - confirm against the published source.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler replyHandler =
            protocolFactory.createResponseHandler(jsonMetadata, PutResourcePolicyResponse::builder);
    HttpResponseHandler errorHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Configuration returned by updateSdkClientConfiguration for this request; used below instead of the field.
    SdkClientConfiguration requestConfiguration =
            updateSdkClientConfiguration(putResourcePolicyRequest, this.clientConfiguration);
    // null is handed over when the request carries no override configuration.
    List publishers = resolveMetricPublishers(requestConfiguration,
            putResourcePolicyRequest.overrideConfiguration().orElse(null));

    // Without publishers a no-op collector is used.
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create();
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        // Only these two constant strings are reported here; this method copies nothing from the request
        // into the collector.
        collector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "PutResourcePolicy");
        return clientHandler.execute(
                new ClientExecutionParams()
                        .withOperationName("PutResourcePolicy")
                        .withProtocolMetadata(protocolMetadata)
                        .withResponseHandler(replyHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withRequestConfiguration(requestConfiguration)
                        .withInput(putResourcePolicyRequest)
                        .withMetricCollector(collector)
                        .withMarshaller(new PutResourcePolicyRequestMarshaller(protocolFactory)));
    } finally {
        // Runs on the success and the failure path alike.
        // NOTE(review): an exception thrown by a publisher here would replace one thrown by execute().
        publishers.forEach(publisher -> publisher.publish(collector.collect()));
    }
}
/**
*
* Creates a new version with a new encrypted secret value and attaches it to the secret. The version can contain a
* new <code>SecretString</code> value or a new <code>SecretBinary</code> value.
*
*
* We recommend you avoid calling <code>PutSecretValue</code> at a sustained rate of more than once every 10
* minutes. When you update the secret value, Secrets Manager creates a new version of the secret. Secrets Manager
* removes outdated versions when there are more than 100, but it does not remove versions created less than 24
* hours ago. If you call <code>PutSecretValue</code> more than once every 10 minutes, you create more versions than
* Secrets Manager removes, and you will reach the quota for secret versions.
*
*
* You can specify the staging labels to attach to the new version in <code>VersionStages</code>. If you don't
* include <code>VersionStages</code>, then Secrets Manager automatically moves the staging label
* <code>AWSCURRENT</code> to this version. If this operation creates the first version for the secret, then Secrets
* Manager automatically attaches the staging label <code>AWSCURRENT</code> to it. If this operation moves the
* staging label <code>AWSCURRENT</code> from another version to this version, then Secrets Manager also
* automatically moves the staging label <code>AWSPREVIOUS</code> to the version that <code>AWSCURRENT</code> was
* removed from.
*
*
* This operation is idempotent. If you call this operation with a <code>ClientRequestToken</code> that matches an
* existing version's VersionId, and you specify the same secret data, the operation succeeds but does nothing.
* However, if the secret data is different, then the operation fails because you can't modify an existing version;
* you can only create new ones.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters except <code>SecretBinary</code>, <code>SecretString</code>, or <code>RotationToken</code>
* because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: <code>secretsmanager:PutSecretValue</code>. For more information, see IAM policy actions
* for Secrets Manager and Authentication and access control in Secrets Manager.
*
*
*
* When you enter commands in a command shell, there is a risk of the command history being accessed or utilities
* having access to your command parameters. This is a concern if the command includes the value of a secret. Learn
* how to Mitigate the
* risks of using command-line tools to store Secrets Manager secrets.
*
*
*
* @param putSecretValueRequest
* @return Result of the PutSecretValue operation returned by the service.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws LimitExceededException
* The request failed because it would exceed one of the Secrets Manager quotas.
* @throws EncryptionFailureException
* Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the KMS
* key is available, enabled, and not in an invalid state. For more information, see Key state: Effect on your KMS
* key.
* @throws ResourceExistsException
* A resource with the ID you requested already exists.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws DecryptionFailureException
* Secrets Manager can't decrypt the protected secret text using the provided KMS key.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.PutSecretValue
* @see AWS
* API Documentation
*/
@Override
public PutSecretValueResponse putSecretValue(PutSecretValueRequest putSecretValueRequest)
        throws InvalidParameterException, InvalidRequestException, LimitExceededException,
        EncryptionFailureException, ResourceExistsException, ResourceNotFoundException,
        InternalServiceErrorException, DecryptionFailureException, AwsServiceException, SdkClientException,
        SecretsManagerException {
    // Issues PutSecretValue through the shared client handler and returns what the handler returns.
    // Per the Javadoc above, the request parameters include the secret value (SecretString / SecretBinary).
    // This method hands the request to the handler via withInput; it does not log it and does not add
    // anything from it to the metrics reported below.
    // NOTE(review): HttpResponseHandler, List and ClientExecutionParams appear as raw types on this page; the
    // type arguments were probably dropped by the rendering - confirm against the published source.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler replyHandler =
            protocolFactory.createResponseHandler(jsonMetadata, PutSecretValueResponse::builder);
    HttpResponseHandler errorHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Configuration returned by updateSdkClientConfiguration for this request; used below instead of the field.
    SdkClientConfiguration requestConfiguration =
            updateSdkClientConfiguration(putSecretValueRequest, this.clientConfiguration);
    // null is handed over when the request carries no override configuration.
    List publishers = resolveMetricPublishers(requestConfiguration,
            putSecretValueRequest.overrideConfiguration().orElse(null));

    // Without publishers a no-op collector is used.
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create();
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        // Both reported values are fixed strings, not request content.
        collector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "PutSecretValue");
        return clientHandler.execute(
                new ClientExecutionParams()
                        .withOperationName("PutSecretValue")
                        .withProtocolMetadata(protocolMetadata)
                        .withResponseHandler(replyHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withRequestConfiguration(requestConfiguration)
                        .withInput(putSecretValueRequest)
                        .withMetricCollector(collector)
                        .withMarshaller(new PutSecretValueRequestMarshaller(protocolFactory)));
    } finally {
        // Runs on the success and the failure path alike.
        // NOTE(review): an exception thrown by a publisher here would replace one thrown by execute().
        publishers.forEach(publisher -> publisher.publish(collector.collect()));
    }
}
/**
*
* For a secret that is replicated to other Regions, deletes the secret replicas from the Regions you specify.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: <code>secretsmanager:RemoveRegionsFromReplication</code>. For more information, see
* IAM policy actions for Secrets Manager and Authentication and access
* control in Secrets Manager.
*
*
* @param removeRegionsFromReplicationRequest
* @return Result of the RemoveRegionsFromReplication operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.RemoveRegionsFromReplication
* @see AWS API Documentation
*/
@Override
public RemoveRegionsFromReplicationResponse removeRegionsFromReplication(
        RemoveRegionsFromReplicationRequest removeRegionsFromReplicationRequest)
        throws ResourceNotFoundException, InvalidRequestException, InvalidParameterException,
        InternalServiceErrorException, AwsServiceException, SdkClientException, SecretsManagerException {
    // Issues RemoveRegionsFromReplication through the shared client handler and returns what the handler
    // returns. The request is forwarded as the caller built it; no local validation is visible here.
    // NOTE(review): HttpResponseHandler, List and ClientExecutionParams appear as raw types on this page; the
    // type arguments were probably dropped by the rendering - confirm against the published source.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler replyHandler =
            protocolFactory.createResponseHandler(jsonMetadata, RemoveRegionsFromReplicationResponse::builder);
    HttpResponseHandler errorHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Configuration returned by updateSdkClientConfiguration for this request; used below instead of the field.
    SdkClientConfiguration requestConfiguration =
            updateSdkClientConfiguration(removeRegionsFromReplicationRequest, this.clientConfiguration);
    // null is handed over when the request carries no override configuration.
    List publishers = resolveMetricPublishers(requestConfiguration,
            removeRegionsFromReplicationRequest.overrideConfiguration().orElse(null));

    // Without publishers a no-op collector is used.
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create();
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        // Both reported values are fixed strings, not request content.
        collector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "RemoveRegionsFromReplication");
        return clientHandler.execute(
                new ClientExecutionParams()
                        .withOperationName("RemoveRegionsFromReplication")
                        .withProtocolMetadata(protocolMetadata)
                        .withResponseHandler(replyHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withRequestConfiguration(requestConfiguration)
                        .withInput(removeRegionsFromReplicationRequest)
                        .withMetricCollector(collector)
                        .withMarshaller(new RemoveRegionsFromReplicationRequestMarshaller(protocolFactory)));
    } finally {
        // Runs on the success and the failure path alike.
        publishers.forEach(publisher -> publisher.publish(collector.collect()));
    }
}
/**
*
* Replicates the secret to new Regions. See Multi-Region secrets.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: <code>secretsmanager:ReplicateSecretToRegions</code>. If the primary secret is
* encrypted with a KMS key other than <code>aws/secretsmanager</code>, you also need <code>kms:Decrypt</code>
* permission to the key. To encrypt the replicated secret with a KMS key other than
* <code>aws/secretsmanager</code>, you need <code>kms:GenerateDataKey</code> and <code>kms:Encrypt</code> to the
* key. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in
* Secrets Manager.
*
*
* @param replicateSecretToRegionsRequest
* @return Result of the ReplicateSecretToRegions operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.ReplicateSecretToRegions
* @see AWS API Documentation
*/
@Override
public ReplicateSecretToRegionsResponse replicateSecretToRegions(
        ReplicateSecretToRegionsRequest replicateSecretToRegionsRequest)
        throws ResourceNotFoundException, InvalidRequestException, InvalidParameterException,
        InternalServiceErrorException, AwsServiceException, SdkClientException, SecretsManagerException {
    // Issues ReplicateSecretToRegions through the shared client handler and returns what the handler returns.
    // No KMS call is made in this method; the KMS permissions listed in the Javadoc above are presumably
    // evaluated on the service side - confirm before relying on a client-side failure mode.
    // NOTE(review): HttpResponseHandler, List and ClientExecutionParams appear as raw types on this page; the
    // type arguments were probably dropped by the rendering - confirm against the published source.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler replyHandler =
            protocolFactory.createResponseHandler(jsonMetadata, ReplicateSecretToRegionsResponse::builder);
    HttpResponseHandler errorHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Configuration returned by updateSdkClientConfiguration for this request; used below instead of the field.
    SdkClientConfiguration requestConfiguration =
            updateSdkClientConfiguration(replicateSecretToRegionsRequest, this.clientConfiguration);
    // null is handed over when the request carries no override configuration.
    List publishers = resolveMetricPublishers(requestConfiguration,
            replicateSecretToRegionsRequest.overrideConfiguration().orElse(null));

    // Without publishers a no-op collector is used.
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create();
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        // Both reported values are fixed strings, not request content.
        collector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "ReplicateSecretToRegions");
        return clientHandler.execute(
                new ClientExecutionParams()
                        .withOperationName("ReplicateSecretToRegions")
                        .withProtocolMetadata(protocolMetadata)
                        .withResponseHandler(replyHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withRequestConfiguration(requestConfiguration)
                        .withInput(replicateSecretToRegionsRequest)
                        .withMetricCollector(collector)
                        .withMarshaller(new ReplicateSecretToRegionsRequestMarshaller(protocolFactory)));
    } finally {
        // Runs on the success and the failure path alike.
        publishers.forEach(publisher -> publisher.publish(collector.collect()));
    }
}
/**
*
* Cancels the scheduled deletion of a secret by removing the <code>DeletedDate</code> time stamp. You can access a
* secret again after it has been restored.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: <code>secretsmanager:RestoreSecret</code>. For more information, see IAM policy actions
* for Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param restoreSecretRequest
* @return Result of the RestoreSecret operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.RestoreSecret
* @see AWS
* API Documentation
*/
@Override
public RestoreSecretResponse restoreSecret(RestoreSecretRequest restoreSecretRequest)
        throws ResourceNotFoundException, InvalidParameterException, InvalidRequestException,
        InternalServiceErrorException, AwsServiceException, SdkClientException, SecretsManagerException {
    // Issues RestoreSecret through the shared client handler and returns what the handler returns.
    // Per the Javadoc above, a restored secret becomes accessible again; nothing in this method restricts
    // who may call it, so that control rests on the secretsmanager:RestoreSecret permission.
    // NOTE(review): HttpResponseHandler, List and ClientExecutionParams appear as raw types on this page; the
    // type arguments were probably dropped by the rendering - confirm against the published source.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler replyHandler =
            protocolFactory.createResponseHandler(jsonMetadata, RestoreSecretResponse::builder);
    HttpResponseHandler errorHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Configuration returned by updateSdkClientConfiguration for this request; used below instead of the field.
    SdkClientConfiguration requestConfiguration =
            updateSdkClientConfiguration(restoreSecretRequest, this.clientConfiguration);
    // null is handed over when the request carries no override configuration.
    List publishers = resolveMetricPublishers(requestConfiguration,
            restoreSecretRequest.overrideConfiguration().orElse(null));

    // Without publishers a no-op collector is used.
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create();
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        // Both reported values are fixed strings, not request content.
        collector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "RestoreSecret");
        return clientHandler.execute(
                new ClientExecutionParams()
                        .withOperationName("RestoreSecret")
                        .withProtocolMetadata(protocolMetadata)
                        .withResponseHandler(replyHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withRequestConfiguration(requestConfiguration)
                        .withInput(restoreSecretRequest)
                        .withMetricCollector(collector)
                        .withMarshaller(new RestoreSecretRequestMarshaller(protocolFactory)));
    } finally {
        // Runs on the success and the failure path alike.
        publishers.forEach(publisher -> publisher.publish(collector.collect()));
    }
}
/**
*
* Configures and starts the asynchronous process of rotating the secret. For information about rotation, see Rotate secrets in
* the Secrets Manager User Guide. If you include the configuration parameters, the operation sets the values
* for the secret and then immediately starts a rotation. If you don't include the configuration parameters, the
* operation starts a rotation with the values already stored in the secret.
*
*
* When rotation is successful, the <code>AWSPENDING</code> staging label might be attached to the same version as
* the <code>AWSCURRENT</code> version, or it might not be attached to any version. If the <code>AWSPENDING</code>
* staging label is present but not attached to the same version as <code>AWSCURRENT</code>, then any later
* invocation of <code>RotateSecret</code> assumes that a previous rotation request is still in progress and returns
* an error. When rotation is unsuccessful, the <code>AWSPENDING</code> staging label might be attached to an empty
* secret version. For more information, see Troubleshoot
* rotation in the Secrets Manager User Guide.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: <code>secretsmanager:RotateSecret</code>. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager. You also need
* <code>lambda:InvokeFunction</code> permissions on the rotation function. For more information, see Permissions
* for rotation.
*
*
* @param rotateSecretRequest
* @return Result of the RotateSecret operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.RotateSecret
* @see AWS
* API Documentation
*/
@Override
public RotateSecretResponse rotateSecret(RotateSecretRequest rotateSecretRequest)
        throws ResourceNotFoundException, InvalidParameterException, InternalServiceErrorException,
        InvalidRequestException, AwsServiceException, SdkClientException, SecretsManagerException {
    // Issues RotateSecret through the shared client handler and returns what the handler returns.
    // The Javadoc above describes rotation as an asynchronous process, so a normal return presumably means
    // the rotation was started, not that it finished - callers should check the staging labels afterwards.
    // NOTE(review): HttpResponseHandler, List and ClientExecutionParams appear as raw types on this page; the
    // type arguments were probably dropped by the rendering - confirm against the published source.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler replyHandler =
            protocolFactory.createResponseHandler(jsonMetadata, RotateSecretResponse::builder);
    HttpResponseHandler errorHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Configuration returned by updateSdkClientConfiguration for this request; used below instead of the field.
    SdkClientConfiguration requestConfiguration =
            updateSdkClientConfiguration(rotateSecretRequest, this.clientConfiguration);
    // null is handed over when the request carries no override configuration.
    List publishers = resolveMetricPublishers(requestConfiguration,
            rotateSecretRequest.overrideConfiguration().orElse(null));

    // Without publishers a no-op collector is used.
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create();
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        // Both reported values are fixed strings, not request content.
        collector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "RotateSecret");
        return clientHandler.execute(
                new ClientExecutionParams()
                        .withOperationName("RotateSecret")
                        .withProtocolMetadata(protocolMetadata)
                        .withResponseHandler(replyHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withRequestConfiguration(requestConfiguration)
                        .withInput(rotateSecretRequest)
                        .withMetricCollector(collector)
                        .withMarshaller(new RotateSecretRequestMarshaller(protocolFactory)));
    } finally {
        // Runs on the success and the failure path alike.
        // NOTE(review): an exception thrown by a publisher here would replace one thrown by execute().
        publishers.forEach(publisher -> publisher.publish(collector.collect()));
    }
}
/**
*
* Removes the link between the replica secret and the primary secret and promotes the replica to a primary secret
* in the replica Region.
*
*
* You must call this operation from the Region in which you want to promote the replica to a primary secret.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: <code>secretsmanager:StopReplicationToReplica</code>. For more information, see IAM policy
* actions for Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param stopReplicationToReplicaRequest
* @return Result of the StopReplicationToReplica operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.StopReplicationToReplica
* @see AWS API Documentation
*/
@Override
public StopReplicationToReplicaResponse stopReplicationToReplica(
        StopReplicationToReplicaRequest stopReplicationToReplicaRequest)
        throws ResourceNotFoundException, InvalidRequestException, InvalidParameterException,
        InternalServiceErrorException, AwsServiceException, SdkClientException, SecretsManagerException {
    // Issues StopReplicationToReplica through the shared client handler and returns what the handler returns.
    // The Javadoc above requires the call to be made from the replica's Region. This method does not pick a
    // Region itself; NOTE(review): presumably it comes from the client configuration - confirm with the caller.
    // NOTE(review): HttpResponseHandler, List and ClientExecutionParams appear as raw types on this page; the
    // type arguments were probably dropped by the rendering - confirm against the published source.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler replyHandler =
            protocolFactory.createResponseHandler(jsonMetadata, StopReplicationToReplicaResponse::builder);
    HttpResponseHandler errorHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Configuration returned by updateSdkClientConfiguration for this request; used below instead of the field.
    SdkClientConfiguration requestConfiguration =
            updateSdkClientConfiguration(stopReplicationToReplicaRequest, this.clientConfiguration);
    // null is handed over when the request carries no override configuration.
    List publishers = resolveMetricPublishers(requestConfiguration,
            stopReplicationToReplicaRequest.overrideConfiguration().orElse(null));

    // Without publishers a no-op collector is used.
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create();
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        // Both reported values are fixed strings, not request content.
        collector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "StopReplicationToReplica");
        return clientHandler.execute(
                new ClientExecutionParams()
                        .withOperationName("StopReplicationToReplica")
                        .withProtocolMetadata(protocolMetadata)
                        .withResponseHandler(replyHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withRequestConfiguration(requestConfiguration)
                        .withInput(stopReplicationToReplicaRequest)
                        .withMetricCollector(collector)
                        .withMarshaller(new StopReplicationToReplicaRequestMarshaller(protocolFactory)));
    } finally {
        // Runs on the success and the failure path alike.
        publishers.forEach(publisher -> publisher.publish(collector.collect()));
    }
}
/**
*
* Attaches tags to a secret. Tags consist of a key name and a value. Tags are part of the secret's metadata. They
* are not associated with specific versions of the secret. This operation appends tags to the existing list of
* tags.
*
*
* For tag quotas and naming restrictions, see Service quotas for
* Tagging in the Amazon Web Services General Reference guide.
*
*
*
* If you use tags as part of your security strategy, then adding or removing a tag can change permissions. If
* successfully completing this operation would result in you losing your permissions for this secret, then the
* operation is blocked and returns an Access Denied error.
*
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: <code>secretsmanager:TagResource</code>. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param tagResourceRequest
* @return Result of the TagResource operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.TagResource
* @see AWS
* API Documentation
*/
@Override
public TagResourceResponse tagResource(TagResourceRequest tagResourceRequest)
        throws ResourceNotFoundException, InvalidRequestException, InvalidParameterException,
        InternalServiceErrorException, AwsServiceException, SdkClientException, SecretsManagerException {
    // Issues TagResource through the shared client handler and returns what the handler returns.
    // Per the Javadoc above, where tags are part of the security strategy this call can change permissions
    // on the secret, and tag values are request parameters that may appear in CloudTrail. Nothing in this
    // method inspects the tags; the request is forwarded as the caller built it.
    // NOTE(review): HttpResponseHandler, List and ClientExecutionParams appear as raw types on this page; the
    // type arguments were probably dropped by the rendering - confirm against the published source.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler replyHandler =
            protocolFactory.createResponseHandler(jsonMetadata, TagResourceResponse::builder);
    HttpResponseHandler errorHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // Configuration returned by updateSdkClientConfiguration for this request; used below instead of the field.
    SdkClientConfiguration requestConfiguration =
            updateSdkClientConfiguration(tagResourceRequest, this.clientConfiguration);
    // null is handed over when the request carries no override configuration.
    List publishers = resolveMetricPublishers(requestConfiguration,
            tagResourceRequest.overrideConfiguration().orElse(null));

    // Without publishers a no-op collector is used.
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create();
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        // Both reported values are fixed strings, not request content.
        collector.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "TagResource");
        return clientHandler.execute(
                new ClientExecutionParams()
                        .withOperationName("TagResource")
                        .withProtocolMetadata(protocolMetadata)
                        .withResponseHandler(replyHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withRequestConfiguration(requestConfiguration)
                        .withInput(tagResourceRequest)
                        .withMetricCollector(collector)
                        .withMarshaller(new TagResourceRequestMarshaller(protocolFactory)));
    } finally {
        // Runs on the success and the failure path alike.
        publishers.forEach(publisher -> publisher.publish(collector.collect()));
    }
}
/**
*
* Removes specific tags from a secret.
*
*
* This operation is idempotent. If a requested tag is not attached to the secret, no error is returned and the
* secret metadata is unchanged.
*
*
*
* If you use tags as part of your security strategy, then removing a tag can change permissions. If successfully
* completing this operation would result in you losing your permissions for this secret, then the operation is
* blocked and returns an Access Denied error.
*
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: {@code secretsmanager:UntagResource}. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param untagResourceRequest
* @return Result of the UntagResource operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.UntagResource
* @see AWS
* API Documentation
*/
@Override
public UntagResourceResponse untagResource(UntagResourceRequest untagResourceRequest) throws ResourceNotFoundException,
        InvalidRequestException, InvalidParameterException, InternalServiceErrorException, AwsServiceException,
        SdkClientException, SecretsManagerException {
    // NOTE(review): List, HttpResponseHandler and ClientExecutionParams carry no type arguments in this
    // listing; presumably they were dropped when the page was rendered. Confirm against the generated source.

    // Response shape: non-streaming success response with a JSON payload.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();
    HttpResponseHandler successHandler = protocolFactory.createResponseHandler(jsonMetadata,
            UntagResourceResponse::builder);
    HttpResponseHandler failureHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // The request's own override configuration feeds both the configuration used for this call
    // and the choice of metric publishers.
    SdkClientConfiguration callConfiguration = updateSdkClientConfiguration(untagResourceRequest,
            this.clientConfiguration);
    List publishers = resolveMetricPublishers(callConfiguration, untagResourceRequest.overrideConfiguration()
            .orElse(null));

    // A real collector is created only when at least one publisher will receive its output.
    MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "UntagResource");
        return clientHandler.execute(new ClientExecutionParams()
                .withOperationName("UntagResource")
                .withProtocolMetadata(protocolMetadata)
                .withResponseHandler(successHandler)
                .withErrorResponseHandler(failureHandler)
                .withRequestConfiguration(callConfiguration)
                .withInput(untagResourceRequest)
                .withMetricCollector(callMetrics)
                .withMarshaller(new UntagResourceRequestMarshaller(protocolFactory)));
    } finally {
        // Runs whether the call returned or threw; collect() is invoked once per publisher.
        publishers.forEach(p -> p.publish(callMetrics.collect()));
    }
}
/**
*
* Modifies the details of a secret, including metadata and the secret value. To change the secret value, you can
* also use PutSecretValue.
*
*
* To change the rotation configuration of a secret, use RotateSecret instead.
*
*
* To change a secret so that it is managed by another service, you need to recreate the secret in that service. See
* Secrets Manager
* secrets managed by other Amazon Web Services services.
*
*
* We recommend you avoid calling {@code UpdateSecret} at a sustained rate of more than once every 10 minutes.
* When you call {@code UpdateSecret} to update the secret value, Secrets Manager creates a new version of the
* secret. Secrets Manager removes outdated versions when there are more than 100, but it does not remove versions
* created less than 24 hours ago. If you update the secret value more than once every 10 minutes, you create more
* versions than Secrets Manager removes, and you will reach the quota for secret versions.
*
*
* If you include {@code SecretString} or {@code SecretBinary} to create a new secret version, Secrets Manager
* automatically moves the staging label {@code AWSCURRENT} to the new version. Then it attaches the label
* {@code AWSPREVIOUS} to the version that {@code AWSCURRENT} was removed from.
*
*
* If you call this operation with a {@code ClientRequestToken} that matches an existing version's
* {@code VersionId}, the operation results in an error. You can't modify an existing version, you can only
* create a new version. To remove a version, remove all staging labels from it. See
* UpdateSecretVersionStage.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in any request parameter except {@code SecretBinary} or {@code SecretString}, because it might be logged.
* For more information, see Logging Secrets Manager events with CloudTrail.
*
*
* Required permissions: {@code secretsmanager:UpdateSecret}. For more information, see IAM policy actions for
* Secrets Manager and Authentication and access control in Secrets Manager. If you use a customer managed key,
* you must also have {@code kms:GenerateDataKey}, {@code kms:Encrypt}, and {@code kms:Decrypt} permissions on
* the key. If you change the KMS key and you don't have {@code kms:Encrypt} permission to the new key, Secrets
* Manager does not re-encrypt existing secret versions with the new key. For more information, see Secret
* encryption and decryption.
*
*
*
* When you enter commands in a command shell, there is a risk of the command history being accessed or utilities
* having access to your command parameters. This is a concern if the command includes the value of a secret. Learn
* how to Mitigate the
* risks of using command-line tools to store Secrets Manager secrets.
*
*
*
* @param updateSecretRequest
* @return Result of the UpdateSecret operation returned by the service.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws LimitExceededException
* The request failed because it would exceed one of the Secrets Manager quotas.
* @throws EncryptionFailureException
* Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the KMS
* key is available, enabled, and not in an invalid state. For more information, see Key state: Effect on your KMS
* key.
* @throws ResourceExistsException
* A resource with the ID you requested already exists.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws MalformedPolicyDocumentException
* The resource policy has syntax errors.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws PreconditionNotMetException
* The request failed because you did not complete all the prerequisite steps.
* @throws DecryptionFailureException
* Secrets Manager can't decrypt the protected secret text using the provided KMS key.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.UpdateSecret
* @see AWS
* API Documentation
*/
@Override
public UpdateSecretResponse updateSecret(UpdateSecretRequest updateSecretRequest) throws InvalidParameterException,
        InvalidRequestException, LimitExceededException, EncryptionFailureException, ResourceExistsException,
        ResourceNotFoundException, MalformedPolicyDocumentException, InternalServiceErrorException,
        PreconditionNotMetException, DecryptionFailureException, AwsServiceException, SdkClientException,
        SecretsManagerException {
    // NOTE(review): List, HttpResponseHandler and ClientExecutionParams carry no type arguments in this
    // listing; presumably they were dropped when the page was rendered. Confirm against the generated source.

    // Response shape: non-streaming success response with a JSON payload.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();
    HttpResponseHandler successHandler = protocolFactory.createResponseHandler(jsonMetadata,
            UpdateSecretResponse::builder);
    HttpResponseHandler failureHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // The request's own override configuration feeds both the configuration used for this call
    // and the choice of metric publishers.
    SdkClientConfiguration callConfiguration = updateSdkClientConfiguration(updateSecretRequest,
            this.clientConfiguration);
    List publishers = resolveMetricPublishers(callConfiguration, updateSecretRequest.overrideConfiguration()
            .orElse(null));

    // A real collector is created only when at least one publisher will receive its output.
    MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        // This method itself reports only the service id and the operation name; what the client
        // handler adds to the same collector is not visible here.
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "UpdateSecret");
        return clientHandler.execute(new ClientExecutionParams()
                .withOperationName("UpdateSecret")
                .withProtocolMetadata(protocolMetadata)
                .withResponseHandler(successHandler)
                .withErrorResponseHandler(failureHandler)
                .withRequestConfiguration(callConfiguration)
                .withInput(updateSecretRequest)
                .withMetricCollector(callMetrics)
                .withMarshaller(new UpdateSecretRequestMarshaller(protocolFactory)));
    } finally {
        // Runs whether the call returned or threw; collect() is invoked once per publisher.
        publishers.forEach(p -> p.publish(callMetrics.collect()));
    }
}
/**
*
* Modifies the staging labels attached to a version of a secret. Secrets Manager uses staging labels to track a
* version as it progresses through the secret rotation process. Each staging label can be attached to only one
* version at a time. To add a staging label to a version when it is already attached to another version, Secrets
* Manager first removes it from the other version and then attaches it to this one. For more information
* about versions and staging labels, see Concepts:
* Version.
*
*
* The staging labels that you specify in the {@code VersionStage} parameter are added to the existing list of
* staging labels for the version.
*
*
* You can move the {@code AWSCURRENT} staging label to this version by including it in this call.
*
*
*
* Whenever you move {@code AWSCURRENT}, Secrets Manager automatically moves the label {@code AWSPREVIOUS}
* to the version that {@code AWSCURRENT} was removed from.
*
*
*
* If this action results in the last label being removed from a version, then the version is considered to be
* 'deprecated' and can be deleted by Secrets Manager.
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: {@code secretsmanager:UpdateSecretVersionStage}. For more information, see IAM policy
* actions for Secrets Manager and Authentication and access control in Secrets Manager.
*
*
* @param updateSecretVersionStageRequest
* @return Result of the UpdateSecretVersionStage operation returned by the service.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws LimitExceededException
* The request failed because it would exceed one of the Secrets Manager quotas.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.UpdateSecretVersionStage
* @see AWS API Documentation
*/
@Override
public UpdateSecretVersionStageResponse updateSecretVersionStage(
        UpdateSecretVersionStageRequest updateSecretVersionStageRequest) throws ResourceNotFoundException,
        InvalidParameterException, InvalidRequestException, LimitExceededException, InternalServiceErrorException,
        AwsServiceException, SdkClientException, SecretsManagerException {
    // NOTE(review): List, HttpResponseHandler and ClientExecutionParams carry no type arguments in this
    // listing; presumably they were dropped when the page was rendered. Confirm against the generated source.

    // Response shape: non-streaming success response with a JSON payload.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();
    HttpResponseHandler successHandler = protocolFactory.createResponseHandler(
            jsonMetadata, UpdateSecretVersionStageResponse::builder);
    HttpResponseHandler failureHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // The request's own override configuration feeds both the configuration used for this call
    // and the choice of metric publishers.
    SdkClientConfiguration callConfiguration = updateSdkClientConfiguration(updateSecretVersionStageRequest,
            this.clientConfiguration);
    List publishers = resolveMetricPublishers(callConfiguration, updateSecretVersionStageRequest
            .overrideConfiguration().orElse(null));

    // A real collector is created only when at least one publisher will receive its output.
    MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "UpdateSecretVersionStage");
        return clientHandler.execute(new ClientExecutionParams()
                .withOperationName("UpdateSecretVersionStage")
                .withProtocolMetadata(protocolMetadata)
                .withResponseHandler(successHandler)
                .withErrorResponseHandler(failureHandler)
                .withRequestConfiguration(callConfiguration)
                .withInput(updateSecretVersionStageRequest)
                .withMetricCollector(callMetrics)
                .withMarshaller(new UpdateSecretVersionStageRequestMarshaller(protocolFactory)));
    } finally {
        // Runs whether the call returned or threw; collect() is invoked once per publisher.
        publishers.forEach(p -> p.publish(callMetrics.collect()));
    }
}
/**
*
* Validates that a resource policy does not grant a wide range of principals access to your secret. A
* resource-based policy is optional for secrets.
*
*
* The API performs three checks when validating the policy:
*
*
* -
*
* Sends a call to Zelkova, an automated reasoning engine, to ensure your resource policy does not allow broad access to your
* secret, for example policies that use a wildcard for the principal.
*
*
* -
*
* Checks for correct syntax in a policy.
*
*
* -
*
* Verifies the policy does not lock out a caller.
*
*
*
*
* Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information
* in request parameters because it might be logged. For more information, see Logging Secrets
* Manager events with CloudTrail.
*
*
* Required permissions: {@code secretsmanager:ValidateResourcePolicy} and
* {@code secretsmanager:PutResourcePolicy}. For more information, see IAM policy actions for Secrets Manager and
* Authentication and access control in Secrets Manager.
*
*
* @param validateResourcePolicyRequest
* @return Result of the ValidateResourcePolicy operation returned by the service.
* @throws MalformedPolicyDocumentException
* The resource policy has syntax errors.
* @throws ResourceNotFoundException
* Secrets Manager can't find the resource that you asked for.
* @throws InvalidParameterException
* The parameter name or value is invalid.
* @throws InternalServiceErrorException
* An error occurred on the server side.
* @throws InvalidRequestException
* A parameter value is not valid for the current state of the resource.
*
* Possible causes:
*
*
* -
*
* The secret is scheduled for deletion.
*
*
* -
*
* You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and
* you didn't include such an ARN as a parameter in this call.
*
*
* -
*
* The secret is managed by another service, and you must use that service to update it. For more
* information, see Secrets
* managed by other Amazon Web Services services.
*
*
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws SecretsManagerException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample SecretsManagerClient.ValidateResourcePolicy
* @see AWS API Documentation
*/
@Override
public ValidateResourcePolicyResponse validateResourcePolicy(ValidateResourcePolicyRequest validateResourcePolicyRequest)
        throws MalformedPolicyDocumentException, ResourceNotFoundException, InvalidParameterException,
        InternalServiceErrorException, InvalidRequestException, AwsServiceException, SdkClientException,
        SecretsManagerException {
    // NOTE(review): List, HttpResponseHandler and ClientExecutionParams carry no type arguments in this
    // listing; presumably they were dropped when the page was rendered. Confirm against the generated source.

    // Response shape: non-streaming success response with a JSON payload.
    JsonOperationMetadata jsonMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();
    HttpResponseHandler successHandler = protocolFactory.createResponseHandler(
            jsonMetadata, ValidateResourcePolicyResponse::builder);
    HttpResponseHandler failureHandler = createErrorResponseHandler(protocolFactory, jsonMetadata);

    // The request's own override configuration feeds both the configuration used for this call
    // and the choice of metric publishers.
    SdkClientConfiguration callConfiguration = updateSdkClientConfiguration(validateResourcePolicyRequest,
            this.clientConfiguration);
    List publishers = resolveMetricPublishers(callConfiguration, validateResourcePolicyRequest
            .overrideConfiguration().orElse(null));

    // A real collector is created only when at least one publisher will receive its output.
    MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "Secrets Manager");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "ValidateResourcePolicy");
        return clientHandler.execute(new ClientExecutionParams()
                .withOperationName("ValidateResourcePolicy")
                .withProtocolMetadata(protocolMetadata)
                .withResponseHandler(successHandler)
                .withErrorResponseHandler(failureHandler)
                .withRequestConfiguration(callConfiguration)
                .withInput(validateResourcePolicyRequest)
                .withMetricCollector(callMetrics)
                .withMarshaller(new ValidateResourcePolicyRequestMarshaller(protocolFactory)));
    } finally {
        // Runs whether the call returned or threw; collect() is invoked once per publisher.
        publishers.forEach(p -> p.publish(callMetrics.collect()));
    }
}
/**
 * Returns the service name constant for this client.
 *
 * @return the value of {@code SERVICE_NAME}
 */
@Override
public final String serviceName() {
return SERVICE_NAME;
}
/**
 * Chooses the metric publishers for one call.
 *
 * Publishers set on the request override configuration win when that list is non-empty; otherwise the
 * client-level {@code METRIC_PUBLISHERS} option is used. The result is never {@code null}.
 *
 * @param clientConfiguration client configuration consulted for the fallback publishers
 * @param requestOverrideConfiguration per-request override configuration, or {@code null} if none was set
 * @return the selected publishers, or an empty list when neither source provides any
 */
private static List resolveMetricPublishers(SdkClientConfiguration clientConfiguration,
        RequestOverrideConfiguration requestOverrideConfiguration) {
    // NOTE(review): List has no element type in this listing; presumably lost in rendering. Confirm.
    List resolved = requestOverrideConfiguration == null ? null : requestOverrideConfiguration.metricPublishers();
    if (resolved == null || resolved.isEmpty()) {
        // An empty request-level list is treated like an absent one and falls back to the client option.
        resolved = clientConfiguration.option(SdkClientOption.METRIC_PUBLISHERS);
    }
    return resolved != null ? resolved : Collections.emptyList();
}
/**
 * Creates the error response handler for an operation by delegating to the given protocol factory.
 *
 * @param protocolFactory factory asked to create the handler; the parameter has the same name as the
 *        {@code protocolFactory} the operation methods pass in
 * @param operationMetadata metadata of the operation whose error responses are to be handled
 * @return the handler returned by {@code protocolFactory.createErrorResponseHandler(operationMetadata)}
 */
private HttpResponseHandler createErrorResponseHandler(BaseAwsJsonProtocolFactory protocolFactory,
JsonOperationMetadata operationMetadata) {
return protocolFactory.createErrorResponseHandler(operationMetadata);
}
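/**
 * Re-resolves the retry strategy on a configuration builder and stores it under
 * {@code SdkClientOption.RETRY_STRATEGY}.
 *
 * Precedence, first match wins: an explicit retry mode; a retry-strategy configurator applied to the
 * default strategy's builder; an explicit retry strategy. If none is set, {@code RETRY_STRATEGY} is left
 * as it was. In every case the three {@code CONFIGURED_RETRY_*} options are cleared afterwards.
 *
 * The type arguments on {@code Consumer} and {@code RetryStrategy.Builder} were unreadable in the listing
 * and are restored here as {@code <?, ?>} wildcards.
 *
 * @param configuration builder that is read through its override-configuration view and updated in place
 */
private void updateRetryStrategyClientConfiguration(SdkClientConfiguration.Builder configuration) {
    ClientOverrideConfiguration.Builder builder = configuration.asOverrideConfigurationBuilder();
    RetryMode retryMode = builder.retryMode();
    if (retryMode != null) {
        configuration.option(SdkClientOption.RETRY_STRATEGY, AwsRetryStrategy.forRetryMode(retryMode));
    } else {
        Consumer<RetryStrategy.Builder<?, ?>> configurator = builder.retryStrategyConfigurator();
        if (configurator != null) {
            // The configurator customises a builder derived from the default strategy, not the current one.
            RetryStrategy.Builder<?, ?> defaultBuilder = AwsRetryStrategy.defaultRetryStrategy().toBuilder();
            configurator.accept(defaultBuilder);
            configuration.option(SdkClientOption.RETRY_STRATEGY, defaultBuilder.build());
        } else {
            RetryStrategy retryStrategy = builder.retryStrategy();
            if (retryStrategy != null) {
                configuration.option(SdkClientOption.RETRY_STRATEGY, retryStrategy);
            }
        }
    }
    // Clear the "configured" inputs once they have been folded into RETRY_STRATEGY.
    configuration.option(SdkClientOption.CONFIGURED_RETRY_MODE, null);
    configuration.option(SdkClientOption.CONFIGURED_RETRY_STRATEGY, null);
    configuration.option(SdkClientOption.CONFIGURED_RETRY_CONFIGURATOR, null);
}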
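/**
 * Derives the client configuration to use for a single request.
 *
 * When the request's override configuration carries no plugins, the result is simply rebuilt from the
 * client configuration. Otherwise each plugin is given a service configuration builder that wraps the
 * configuration builder, in list order, and the retry strategy is re-resolved afterwards. Plugins attached
 * to a request can therefore change the configuration that call runs with; which settings they can reach
 * depends on {@code SecretsManagerServiceClientConfigurationBuilder}, which is not shown here.
 *
 * The plugin list is typed as {@code List<SdkPlugin>} so that the loop below type-checks; the listing
 * showed it without an element type.
 *
 * @param request the request whose override configuration may supply plugins
 * @param clientConfiguration the client-level configuration to start from
 * @return the configuration for this request
 */
private SdkClientConfiguration updateSdkClientConfiguration(SdkRequest request, SdkClientConfiguration clientConfiguration) {
    List<SdkPlugin> plugins = request.overrideConfiguration().map(c -> c.plugins()).orElse(Collections.emptyList());
    SdkClientConfiguration.Builder configuration = clientConfiguration.toBuilder();
    if (plugins.isEmpty()) {
        return configuration.build();
    }
    SecretsManagerServiceClientConfigurationBuilder serviceConfigBuilder = new SecretsManagerServiceClientConfigurationBuilder(
            configuration);
    for (SdkPlugin plugin : plugins) {
        plugin.configureClient(serviceConfigBuilder);
    }
    // Plugins may have set retry options; fold them into RETRY_STRATEGY before building.
    updateRetryStrategyClientConfiguration(configuration);
    return configuration.build();
}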
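/**
 * Applies this client's protocol settings and modeled exceptions to a JSON protocol factory builder.
 *
 * Sets the client configuration, the default service exception supplier
 * ({@code SecretsManagerException::builder}), the {@code AWS_JSON} protocol and protocol version
 * {@code "1.1"}, then registers twelve error codes. Every code maps to HTTP status 400 except
 * {@code InternalServiceError}, which maps to 500. Note that three codes ({@code EncryptionFailure},
 * {@code DecryptionFailure}, {@code InternalServiceError}) have no {@code Exception} suffix although their
 * exception classes do.
 *
 * The type parameter declaration was unreadable in the listing and is restored here as a self-bounded
 * {@code BaseAwsJsonProtocolFactory.Builder}.
 *
 * @param builder the protocol factory builder to configure
 * @return the same builder type, as returned by the last call in the chain
 */
private <T extends BaseAwsJsonProtocolFactory.Builder<T>> T init(T builder) {
    return builder
            .clientConfiguration(clientConfiguration)
            .defaultServiceExceptionSupplier(SecretsManagerException::builder)
            .protocol(AwsJsonProtocol.AWS_JSON)
            .protocolVersion("1.1")
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("EncryptionFailure")
                            .exceptionBuilderSupplier(EncryptionFailureException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("InvalidParameterException")
                            .exceptionBuilderSupplier(InvalidParameterException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("PublicPolicyException")
                            .exceptionBuilderSupplier(PublicPolicyException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("MalformedPolicyDocumentException")
                            .exceptionBuilderSupplier(MalformedPolicyDocumentException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("DecryptionFailure")
                            .exceptionBuilderSupplier(DecryptionFailureException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("InvalidRequestException")
                            .exceptionBuilderSupplier(InvalidRequestException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("ResourceNotFoundException")
                            .exceptionBuilderSupplier(ResourceNotFoundException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("InternalServiceError")
                            .exceptionBuilderSupplier(InternalServiceErrorException::builder).httpStatusCode(500).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("ResourceExistsException")
                            .exceptionBuilderSupplier(ResourceExistsException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("InvalidNextTokenException")
                            .exceptionBuilderSupplier(InvalidNextTokenException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("LimitExceededException")
                            .exceptionBuilderSupplier(LimitExceededException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("PreconditionNotMetException")
                            .exceptionBuilderSupplier(PreconditionNotMetException::builder).httpStatusCode(400).build());
}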
/**
 * Builds a service client configuration from a builder obtained from this client's configuration.
 *
 * @return a newly built {@code SecretsManagerServiceClientConfiguration}
 */
@Override
public final SecretsManagerServiceClientConfiguration serviceClientConfiguration() {
    // toBuilder() is called on every invocation, so each call works on its own builder.
    SdkClientConfiguration.Builder configurationBuilder = this.clientConfiguration.toBuilder();
    return new SecretsManagerServiceClientConfigurationBuilder(configurationBuilder).build();
}
/**
 * Closes this client by closing the client handler it delegates requests to.
 */
@Override
public void close() {
clientHandler.close();
}
}