// Code generated by smithy-go-codegen DO NOT EDIT.

package secretsmanager

import (
	"context"
	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
	"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
	"github.com/aws/smithy-go/middleware"
	smithyhttp "github.com/aws/smithy-go/transport/http"
)

// ValidateResourcePolicy validates that a resource-based policy does not grant
// a wide range of IAM principals access to your secret. The JSON request
// string input and response output display formatted code with white space
// and line breaks for better readability. Submit your input as a single-line
// JSON string. A resource-based policy is optional for secrets.
//
// The API performs three checks when validating the policy:
//
//   - Sends a call to Zelkova
//     (https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/),
//     an automated reasoning engine, to ensure the resource policy does not
//     allow broad access to your secret.
//
//   - Checks for correct syntax in the policy.
//
//   - Verifies the policy does not lock out a caller.
//
// Minimum permissions: you must have the permissions required to access the
// following APIs:
//
//   - secretsmanager:PutResourcePolicy
//
//   - secretsmanager:ValidateResourcePolicy
//
// The call is signed (SigV4) and sent through the middleware stack built by
// addOperationValidateResourcePolicyMiddlewares; optFns may adjust the client
// Options for this single invocation. On a non-nil error the returned output
// is nil.
func (c *Client) ValidateResourcePolicy(ctx context.Context, params *ValidateResourcePolicyInput, optFns ...func(*Options)) (*ValidateResourcePolicyOutput, error) {
	// A nil input is normalised to an empty struct so the request reaches the
	// operation's validation middleware (added below) instead of dereferencing
	// nil here; presumably that middleware reports the missing required
	// ResourcePolicy member — verify against addOpValidateResourcePolicyValidationMiddleware.
	if params == nil {
		params = &ValidateResourcePolicyInput{}
	}

	result, metadata, err := c.invokeOperation(ctx, "ValidateResourcePolicy", params, optFns, c.addOperationValidateResourcePolicyMiddlewares)
	if err != nil {
		return nil, err
	}

	// The deserialize middleware produces the typed output; the type assertion
	// is unchecked by generated convention.
	out := result.(*ValidateResourcePolicyOutput)
	out.ResultMetadata = metadata
	return out, nil
}

// ValidateResourcePolicyInput is the request for ValidateResourcePolicy.
type ValidateResourcePolicyInput struct {

	// A JSON-formatted string constructed according to the grammar and syntax for an
	// Amazon Web Services resource-based policy. The policy in the string identifies
	// who can access or manage this secret and its versions. For information on how to
	// format a JSON parameter for the various command line tool environments, see
	// Using JSON for Parameters
	// (http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json)
	// in the CLI User Guide.
	//
	// This is the untrusted-by-default document the service analyses for broad
	// access; the check is on the policy text only and does not attach it to
	// the secret (PutResourcePolicy does that).
	//
	// This member is required.
	ResourcePolicy *string

	// (Optional) The identifier of the secret with the resource-based policy you want
	// to validate. You can specify either the Amazon Resource Name (ARN) or the
	// friendly name of the secret. If you specify an ARN, we generally recommend that
	// you specify a complete ARN. You can specify a partial ARN too—for example, if
	// you don’t include the final hyphen and six random characters that Secrets
	// Manager adds at the end of the ARN when you created the secret. A partial ARN
	// match can work as long as it uniquely matches only one secret. However, if your
	// secret has a name that ends in a hyphen followed by six characters (before
	// Secrets Manager adds the hyphen and six characters to the ARN) and you try to
	// use that as a partial ARN, then those characters cause Secrets Manager to assume
	// that you’re specifying a complete ARN. This confusion can cause unexpected
	// results. To avoid this situation, we recommend that you don’t create secret
	// names ending with a hyphen followed by six characters. If you specify an
	// incomplete ARN without the random suffix, and instead provide the 'friendly
	// name', you must not include the random suffix. If you do include the random
	// suffix added by Secrets Manager, you receive either a ResourceNotFoundException
	// or an AccessDeniedException error, depending on your permissions.
	SecretId *string

	noSmithyDocumentSerde
}

// ValidateResourcePolicyOutput is the response from ValidateResourcePolicy.
type ValidateResourcePolicyOutput struct {

	// Returns a message stating that your resource policy passed validation.
	// Callers that gate a subsequent PutResourcePolicy on this result should
	// test this flag directly; NOTE(review): whether ValidationErrors is always
	// empty when this is true is not visible here — confirm before relying on
	// len(ValidationErrors) == 0 as the success signal.
	PolicyValidationPassed bool

	// Returns an error message if your policy doesn't pass validation.
	ValidationErrors []types.ValidationErrorsEntry

	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata

	noSmithyDocumentSerde
}

// addOperationValidateResourcePolicyMiddlewares registers the serialize,
// deserialize, endpoint, retry, signing, logging and validation middleware for
// this operation on stack. Each Add places its handler relative to the ones
// already present (middleware.After / middleware.Before), so the registration
// order below is part of the request pipeline's behaviour and should not be
// reordered by hand. The first registration error aborts the build and is
// returned unwrapped.
func (c *Client) addOperationValidateResourcePolicyMiddlewares(stack *middleware.Stack, options Options) (err error) {
	err = stack.Serialize.Add(&awsAwsjson11_serializeOpValidateResourcePolicy{}, middleware.After)
	if err != nil {
		return err
	}
	err = stack.Deserialize.Add(&awsAwsjson11_deserializeOpValidateResourcePolicy{}, middleware.After)
	if err != nil {
		return err
	}
	if err = addSetLoggerMiddleware(stack, options); err != nil {
		return err
	}
	if err = awsmiddleware.AddClientRequestIDMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddComputeContentLengthMiddleware(stack); err != nil {
		return err
	}
	if err = addResolveEndpointMiddleware(stack, options); err != nil {
		return err
	}
	// Payload hash and SigV4 signer: the request body (which carries the policy
	// document) is hashed before signing so it is integrity-protected in transit.
	if err = v4.AddComputePayloadSHA256Middleware(stack); err != nil {
		return err
	}
	if err = addRetryMiddlewares(stack, options); err != nil {
		return err
	}
	if err = addHTTPSignerV4Middleware(stack, options); err != nil {
		return err
	}
	if err = awsmiddleware.AddRawResponseToMetadata(stack); err != nil {
		return err
	}
	if err = awsmiddleware.AddRecordResponseTiming(stack); err != nil {
		return err
	}
	if err = addClientUserAgent(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	// Client-side input validation (e.g. required members) runs before the
	// request is sent.
	if err = addOpValidateResourcePolicyValidationMiddleware(stack); err != nil {
		return err
	}
	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opValidateResourcePolicy(options.Region), middleware.Before); err != nil {
		return err
	}
	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
		return err
	}
	if err = addResponseErrorMiddleware(stack); err != nil {
		return err
	}
	// Request/response logging is controlled by options; be aware that when
	// enabled it can capture the policy document being validated.
	if err = addRequestResponseLogging(stack, options); err != nil {
		return err
	}
	return nil
}

// newServiceMetadataMiddleware_opValidateResourcePolicy builds the initialize
// middleware that tags the request with the service identity used for signing
// (SigningName "secretsmanager"), the operation name and the target region.
func newServiceMetadataMiddleware_opValidateResourcePolicy(region string) *awsmiddleware.RegisterServiceMetadata {
	return &awsmiddleware.RegisterServiceMetadata{
		Region:        region,
		ServiceID:     ServiceID,
		SigningName:   "secretsmanager",
		OperationName: "ValidateResourcePolicy",
	}
}