1// Code generated by smithy-go-codegen DO NOT EDIT. 2 3package secretsmanager 4 5import ( 6 "context" 7 "fmt" 8 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" 9 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" 10 "github.com/aws/smithy-go/middleware" 11 smithyhttp "github.com/aws/smithy-go/transport/http" 12) 13 14// Modifies many of the details of the specified secret. If you include a 15// ClientRequestToken and either SecretString or SecretBinary then it also creates 16// a new version attached to the secret. To modify the rotation configuration of a 17// secret, use RotateSecret instead. The Secrets Manager console uses only the 18// SecretString parameter and therefore limits you to encrypting and storing only a 19// text string. To encrypt and store binary data as part of the version of a 20// secret, you must use either the AWS CLI or one of the AWS SDKs. 21// 22// * If a version 23// with a VersionId with the same value as the ClientRequestToken parameter already 24// exists, the operation results in an error. You cannot modify an existing 25// version, you can only create a new version. 26// 27// * If you include SecretString or 28// SecretBinary to create a new secret version, Secrets Manager automatically 29// attaches the staging label AWSCURRENT to the new version. 30// 31// * If you call an 32// operation to encrypt or decrypt the SecretString or SecretBinary for a secret in 33// the same account as the calling user and that secret doesn't specify a AWS KMS 34// encryption key, Secrets Manager uses the account's default AWS managed customer 35// master key (CMK) with the alias aws/secretsmanager. If this key doesn't already 36// exist in your account then Secrets Manager creates it for you automatically. All 37// users and roles in the same AWS account automatically have access to use the 38// default CMK. Note that if an Secrets Manager API call results in AWS creating 39// the account's AWS-managed CMK, it can result in a one-time significant delay in 40// returning the result. 41// 42// * If the secret resides in a different AWS account from 43// the credentials calling an API that requires encryption or decryption of the 44// secret value then you must create and use a custom AWS KMS CMK because you can't 45// access the default CMK for the account using credentials from a different AWS 46// account. Store the ARN of the CMK in the secret when you create the secret or 47// when you update it by including it in the KMSKeyId. If you call an API that must 48// encrypt or decrypt SecretString or SecretBinary using credentials from a 49// different account then the AWS KMS key policy must grant cross-account access to 50// that other account's user or role for both the kms:GenerateDataKey and 51// kms:Decrypt operations. 52// 53// Minimum permissions To run this command, you must have 54// the following permissions: 55// 56// * secretsmanager:UpdateSecret 57// 58// * kms:GenerateDataKey 59// - needed only if you use a custom AWS KMS key to encrypt the secret. You do not 60// need this permission to use the account's AWS managed CMK for Secrets 61// Manager. 62// 63// * kms:Decrypt - needed only if you use a custom AWS KMS key to encrypt 64// the secret. You do not need this permission to use the account's AWS managed CMK 65// for Secrets Manager. 66// 67// Related operations 68// 69// * To create a new secret, use 70// CreateSecret. 71// 72// * To add only a new version to an existing secret, use 73// PutSecretValue. 74// 75// * To get the details for a secret, use DescribeSecret. 76// 77// * To 78// list the versions contained in a secret, use ListSecretVersionIds. 79func (c *Client) UpdateSecret(ctx context.Context, params *UpdateSecretInput, optFns ...func(*Options)) (*UpdateSecretOutput, error) { 80 if params == nil { 81 params = &UpdateSecretInput{} 82 } 83 84 result, metadata, err := c.invokeOperation(ctx, "UpdateSecret", params, optFns, addOperationUpdateSecretMiddlewares) 85 if err != nil { 86 return nil, err 87 } 88 89 out := result.(*UpdateSecretOutput) 90 out.ResultMetadata = metadata 91 return out, nil 92} 93 94type UpdateSecretInput struct { 95 96 // Specifies the secret that you want to modify or to which you want to add a new 97 // version. You can specify either the Amazon Resource Name (ARN) or the friendly 98 // name of the secret. If you specify an ARN, we generally recommend that you 99 // specify a complete ARN. You can specify a partial ARN too—for example, if you 100 // don’t include the final hyphen and six random characters that Secrets Manager 101 // adds at the end of the ARN when you created the secret. A partial ARN match can 102 // work as long as it uniquely matches only one secret. However, if your secret has 103 // a name that ends in a hyphen followed by six characters (before Secrets Manager 104 // adds the hyphen and six characters to the ARN) and you try to use that as a 105 // partial ARN, then those characters cause Secrets Manager to assume that you’re 106 // specifying a complete ARN. This confusion can cause unexpected results. To avoid 107 // this situation, we recommend that you don’t create secret names ending with a 108 // hyphen followed by six characters. If you specify an incomplete ARN without the 109 // random suffix, and instead provide the 'friendly name', you must not include the 110 // random suffix. If you do include the random suffix added by Secrets Manager, you 111 // receive either a ResourceNotFoundException or an AccessDeniedException error, 112 // depending on your permissions. 113 // 114 // This member is required. 115 SecretId *string 116 117 // (Optional) If you want to add a new version to the secret, this parameter 118 // specifies a unique identifier for the new version that helps ensure idempotency. 119 // If you use the AWS CLI or one of the AWS SDK to call this operation, then you 120 // can leave this parameter empty. The CLI or SDK generates a random UUID for you 121 // and includes that in the request. If you don't use the SDK and instead generate 122 // a raw HTTP request to the Secrets Manager service endpoint, then you must 123 // generate a ClientRequestToken yourself for new versions and include that value 124 // in the request. You typically only need to interact with this value if you 125 // implement your own retry logic and want to ensure that a given secret is not 126 // created twice. We recommend that you generate a UUID-type 127 // (https://wikipedia.org/wiki/Universally_unique_identifier) value to ensure 128 // uniqueness within the specified secret. Secrets Manager uses this value to 129 // prevent the accidental creation of duplicate versions if there are failures and 130 // retries during the Lambda rotation function's processing. 131 // 132 // * If the 133 // ClientRequestToken value isn't already associated with a version of the secret 134 // then a new version of the secret is created. 135 // 136 // * If a version with this value 137 // already exists and that version's SecretString and SecretBinary values are the 138 // same as those in the request then the request is ignored (the operation is 139 // idempotent). 140 // 141 // * If a version with this value already exists and that version's 142 // SecretString and SecretBinary values are different from the request then an 143 // error occurs because you cannot modify an existing secret value. 144 // 145 // This value 146 // becomes the VersionId of the new version. 147 ClientRequestToken *string 148 149 // (Optional) Specifies an updated user-provided description of the secret. 150 Description *string 151 152 // (Optional) Specifies an updated ARN or alias of the AWS KMS customer master key 153 // (CMK) to be used to encrypt the protected text in new versions of this secret. 154 // You can only use the account's default CMK to encrypt and decrypt if you call 155 // this operation using credentials from the same account that owns the secret. If 156 // the secret is in a different account, then you must create a custom CMK and 157 // provide the ARN of that CMK in this field. The user making the call must have 158 // permissions to both the secret and the CMK in their respective accounts. 159 KmsKeyId *string 160 161 // (Optional) Specifies updated binary data that you want to encrypt and store in 162 // the new version of the secret. To use this parameter in the command-line tools, 163 // we recommend that you store your binary data in a file and then use the 164 // appropriate technique for your tool to pass the contents of the file as a 165 // parameter. Either SecretBinary or SecretString must have a value, but not both. 166 // They cannot both be empty. This parameter is not accessible using the Secrets 167 // Manager console. 168 SecretBinary []byte 169 170 // (Optional) Specifies updated text data that you want to encrypt and store in 171 // this new version of the secret. Either SecretBinary or SecretString must have a 172 // value, but not both. They cannot both be empty. If you create this secret by 173 // using the Secrets Manager console then Secrets Manager puts the protected secret 174 // text in only the SecretString parameter. The Secrets Manager console stores the 175 // information as a JSON structure of key/value pairs that the default Lambda 176 // rotation function knows how to parse. For storing multiple values, we recommend 177 // that you use a JSON text string argument and specify key/value pairs. For 178 // information on how to format a JSON parameter for the various command line tool 179 // environments, see Using JSON for Parameters 180 // (https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json) 181 // in the AWS CLI User Guide. For example: 182 // [{"username":"bob"},{"password":"abc123xyz456"}] If your command-line tool or 183 // SDK requires quotation marks around the parameter, you should use single quotes 184 // to avoid confusion with the double quotes required in the JSON text. You can 185 // also 'escape' the double quote character in the embedded JSON text by prefacing 186 // each with a backslash. For example, the following string is surrounded by 187 // double-quotes. All of the embedded double quotes are escaped: 188 // "[{\"username\":\"bob\"},{\"password\":\"abc123xyz456\"}]" 189 SecretString *string 190} 191 192type UpdateSecretOutput struct { 193 194 // The ARN of the secret that was updated. Secrets Manager automatically adds 195 // several random characters to the name at the end of the ARN when you initially 196 // create a secret. This affects only the ARN and not the actual friendly name. 197 // This ensures that if you create a new secret with the same name as an old secret 198 // that you previously deleted, then users with access to the old secret don't 199 // automatically get access to the new secret because the ARNs are different. 200 ARN *string 201 202 // The friendly name of the secret that was updated. 203 Name *string 204 205 // If a new version of the secret was created by this operation, then VersionId 206 // contains the unique identifier of the new version. 207 VersionId *string 208 209 // Metadata pertaining to the operation's result. 210 ResultMetadata middleware.Metadata 211} 212 213func addOperationUpdateSecretMiddlewares(stack *middleware.Stack, options Options) (err error) { 214 err = stack.Serialize.Add(&awsAwsjson11_serializeOpUpdateSecret{}, middleware.After) 215 if err != nil { 216 return err 217 } 218 err = stack.Deserialize.Add(&awsAwsjson11_deserializeOpUpdateSecret{}, middleware.After) 219 if err != nil { 220 return err 221 } 222 if err = addSetLoggerMiddleware(stack, options); err != nil { 223 return err 224 } 225 if err = awsmiddleware.AddClientRequestIDMiddleware(stack); err != nil { 226 return err 227 } 228 if err = smithyhttp.AddComputeContentLengthMiddleware(stack); err != nil { 229 return err 230 } 231 if err = addResolveEndpointMiddleware(stack, options); err != nil { 232 return err 233 } 234 if err = v4.AddComputePayloadSHA256Middleware(stack); err != nil { 235 return err 236 } 237 if err = addRetryMiddlewares(stack, options); err != nil { 238 return err 239 } 240 if err = addHTTPSignerV4Middleware(stack, options); err != nil { 241 return err 242 } 243 if err = awsmiddleware.AddRawResponseToMetadata(stack); err != nil { 244 return err 245 } 246 if err = awsmiddleware.AddRecordResponseTiming(stack); err != nil { 247 return err 248 } 249 if err = addClientUserAgent(stack); err != nil { 250 return err 251 } 252 if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { 253 return err 254 } 255 if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { 256 return err 257 } 258 if err = addIdempotencyToken_opUpdateSecretMiddleware(stack, options); err != nil { 259 return err 260 } 261 if err = addOpUpdateSecretValidationMiddleware(stack); err != nil { 262 return err 263 } 264 if err = stack.Initialize.Add(newServiceMetadataMiddleware_opUpdateSecret(options.Region), middleware.Before); err != nil { 265 return err 266 } 267 if err = addRequestIDRetrieverMiddleware(stack); err != nil { 268 return err 269 } 270 if err = addResponseErrorMiddleware(stack); err != nil { 271 return err 272 } 273 if err = addRequestResponseLogging(stack, options); err != nil { 274 return err 275 } 276 return nil 277} 278 279type idempotencyToken_initializeOpUpdateSecret struct { 280 tokenProvider IdempotencyTokenProvider 281} 282 283func (*idempotencyToken_initializeOpUpdateSecret) ID() string { 284 return "OperationIdempotencyTokenAutoFill" 285} 286 287func (m *idempotencyToken_initializeOpUpdateSecret) HandleInitialize(ctx context.Context, in middleware.InitializeInput, next middleware.InitializeHandler) ( 288 out middleware.InitializeOutput, metadata middleware.Metadata, err error, 289) { 290 if m.tokenProvider == nil { 291 return next.HandleInitialize(ctx, in) 292 } 293 294 input, ok := in.Parameters.(*UpdateSecretInput) 295 if !ok { 296 return out, metadata, fmt.Errorf("expected middleware input to be of type *UpdateSecretInput ") 297 } 298 299 if input.ClientRequestToken == nil { 300 t, err := m.tokenProvider.GetIdempotencyToken() 301 if err != nil { 302 return out, metadata, err 303 } 304 input.ClientRequestToken = &t 305 } 306 return next.HandleInitialize(ctx, in) 307} 308func addIdempotencyToken_opUpdateSecretMiddleware(stack *middleware.Stack, cfg Options) error { 309 return stack.Initialize.Add(&idempotencyToken_initializeOpUpdateSecret{tokenProvider: cfg.IdempotencyTokenProvider}, middleware.Before) 310} 311 312func newServiceMetadataMiddleware_opUpdateSecret(region string) *awsmiddleware.RegisterServiceMetadata { 313 return &awsmiddleware.RegisterServiceMetadata{ 314 Region: region, 315 ServiceID: ServiceID, 316 SigningName: "secretsmanager", 317 OperationName: "UpdateSecret", 318 } 319} 320