# This file is automatically generated by botocraft. Do not edit directly.
# mypy: disable-error-code="index, override, assignment, union-attr, misc"
from botocraft.mixins.secretsmanager import secrets_only
from pydantic import Field
from .abstract import (
Boto3Model,
ReadonlyBoto3Model,
PrimaryBoto3Model,
ReadonlyPrimaryBoto3Model,
Boto3ModelManager,
ReadonlyBoto3ModelManager,
)
from typing import ClassVar, Literal, Any, cast
from .abstract import PrimaryBoto3ModelQuerySet
from botocraft.mixins.tags import TagsDictMixin
from datetime import datetime
import builtins
from botocraft.services.common import Tag
# ===============
# Managers
# ===============
class SecretManager(Boto3ModelManager):
    """
    Manager wrapping the Secrets Manager client calls that operate on a secret.

    Several methods accept or return plaintext secret material
    (``SecretString``, ``SecretBinary``, generated passwords). Keep those
    values, and the request mappings built from them, out of logs and
    exception messages.
    """

    service_name: str = "secretsmanager"

    def create(
        self,
        model: "Secret",
        ClientRequestToken: "str | None" = None,
        SecretBinary: "bytes | None" = None,
        SecretString: "str | None" = None,
        AddReplicaRegions: "builtins.list[ReplicaRegionType] | None" = None,
    ) -> "CreateSecretResponse":
        """
        Create a new secret.

        A secret can be a password, a set of credentials, an OAuth token or
        other sensitive data stored encrypted in Secrets Manager. Connection
        information kept alongside the secret is not encrypted by Secrets
        Manager.

        Args:
            model: The :py:class:`Secret` to create. ``Name``, ``Description``,
                ``KmsKeyId``, ``Tags``, ``ForceOverwriteReplicaSecret`` and
                ``Type`` are read from it.

        Keyword Args:
            ClientRequestToken: Unique identifier for the initial version that
                is created when ``SecretString`` or ``SecretBinary`` is given.
            SecretBinary: Binary data to encrypt and store in the new version.
            SecretString: Text to encrypt and store in the new version; a JSON
                structure of key/value pairs is recommended.
            AddReplicaRegions: Regions and KMS keys to replicate the secret to.

        Returns:
            The parsed ``CreateSecret`` response.
        """
        data = model.model_dump(exclude_none=True, by_alias=True)
        # This mapping carries the plaintext secret value when one is
        # supplied; do not log or echo it.
        args = {
            "Name": data.get("Name"),
            "ClientRequestToken": self.serialize(ClientRequestToken),
            "Description": data.get("Description"),
            "KmsKeyId": data.get("KmsKeyId"),
            "SecretBinary": self.serialize(SecretBinary),
            "SecretString": self.serialize(SecretString),
            "Tags": data.get("Tags"),
            "AddReplicaRegions": self.serialize(AddReplicaRegions),
            "ForceOverwriteReplicaSecret": data.get("ForceOverwriteReplicaSecret"),
            "Type": data.get("Type"),
        }
        # Unset values are dropped so only explicit parameters are sent.
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.create_secret(**request)
        response = CreateSecretResponse(**_response)
        self.sessionize(response)
        return cast("CreateSecretResponse", response)

    def update(
        self,
        model: "Secret",
        SecretId: str,
        ClientRequestToken: "str | None" = None,
        SecretBinary: "bytes | None" = None,
        SecretString: "str | None" = None,
    ) -> "UpdateSecretResponse":
        """
        Modify a secret's metadata and, optionally, its value.

        The secret value can also be changed with ``PutSecretValue``
        (:py:meth:`set_value`).

        Args:
            model: The :py:class:`Secret` to update. Only ``Description``,
                ``KmsKeyId`` and ``Type`` are read from it.
            SecretId: The ARN or name of the secret.

        Keyword Args:
            ClientRequestToken: Unique identifier for the new version that is
                created when ``SecretString`` or ``SecretBinary`` is given.
            SecretBinary: Binary data to encrypt and store in the new version.
            SecretString: Text to encrypt and store in the new version; a JSON
                structure of key/value pairs is recommended.

        Returns:
            The parsed ``UpdateSecret`` response.
        """
        data = model.model_dump(exclude_none=True, by_alias=True)
        # May contain the plaintext secret value; keep it out of logs.
        args = {
            "SecretId": self.serialize(SecretId),
            "ClientRequestToken": self.serialize(ClientRequestToken),
            "Description": data.get("Description"),
            "KmsKeyId": data.get("KmsKeyId"),
            "SecretBinary": self.serialize(SecretBinary),
            "SecretString": self.serialize(SecretString),
            "Type": data.get("Type"),
        }
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.update_secret(**request)
        response = UpdateSecretResponse(**_response)
        self.sessionize(response)
        return cast("UpdateSecretResponse", response)

    @secrets_only
    def get(self, SecretId: str) -> "Secret | None":
        """
        Retrieve the details of a secret via ``DescribeSecret``.

        The encrypted secret value is not included, and Secrets Manager only
        returns fields that have a value.

        Args:
            SecretId: The ARN or name of the secret.

        Returns:
            The :py:class:`Secret`, or ``None`` when the parsed model is falsy.
        """
        args: dict[str, Any] = {"SecretId": self.serialize(SecretId)}
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.describe_secret(**request)
        response = Secret(**_response)
        if not response:
            return None
        self.sessionize(response)
        return response

    def list(
        self,
        *,
        IncludePlannedDeletion: "bool | None" = None,
        Filters: "builtins.list[SecretsFilter] | None" = None,
        SortOrder: "Literal['asc', 'desc'] | None" = None,
        SortBy: "Literal['created-date', 'last-accessed-date', 'last-changed-date', 'name'] | None" = None,
    ) -> builtins.list["Secret"]:
        """
        List the secrets stored by Secrets Manager in the account.

        Every page of ``ListSecrets`` is consumed. Secrets marked for deletion
        are left out unless ``IncludePlannedDeletion`` is set.

        Keyword Args:
            IncludePlannedDeletion: Whether to include secrets scheduled for
                deletion. By default they are not included.
            Filters: The filters to apply to the list of secrets.
            SortOrder: Sort direction, ``asc`` or ``desc``.
            SortBy: Field to sort by. If not specified, secrets are listed by
                ``CreatedDate``.

        Returns:
            The secrets found, wrapped in a ``PrimaryBoto3ModelQuerySet`` when
            the first result is a ``Boto3Model``; otherwise the plain list.
        """
        paginator = self.client.get_paginator("list_secrets")
        args: dict[str, Any] = {
            "IncludePlannedDeletion": self.serialize(IncludePlannedDeletion),
            "Filters": self.serialize(Filters),
            "SortOrder": self.serialize(SortOrder),
            "SortBy": self.serialize(SortBy),
        }
        pages = paginator.paginate(
            **{key: value for key, value in args.items() if value is not None}
        )
        results = []
        for page in pages:
            # A page holding nothing but metadata ends the listing.
            if list(page.keys()) == ["ResponseMetadata"]:
                break
            page.pop("ResponseMetadata", None)
            response = ListSecretsResponse(**page)
            if response.SecretList:
                results.extend(response.SecretList)
                continue
            # An empty page is only skipped when more pages are announced.
            if getattr(response, "NextToken", None):
                continue
            break
        self.sessionize(results)
        if results and isinstance(results[0], Boto3Model):
            return PrimaryBoto3ModelQuerySet(results)
        return results

    def delete(
        self,
        SecretId: str,
        *,
        RecoveryWindowInDays: "int | None" = None,
        ForceDeleteWithoutRecovery: "bool | None" = None,
    ) -> "Secret":
        """
        Delete a secret and all of its versions.

        Secrets Manager stamps the secret with a ``DeletionDate`` marking the
        end of the recovery window and deletes it permanently once the window
        has passed. The minimum window is 7 days and the default is 30 days.
        Until then the deletion can be cancelled with :py:meth:`restore`.

        Args:
            SecretId: The ARN or name of the secret to delete.

        Keyword Args:
            RecoveryWindowInDays: Days (7 to 30) to wait before permanent
                deletion. Cannot be combined with
                ``ForceDeleteWithoutRecovery``.
            ForceDeleteWithoutRecovery: Delete without any recovery window, so
                there is no period in which the secret can be restored. Cannot
                be combined with ``RecoveryWindowInDays``.

        Returns:
            The parsed ``DeleteSecret`` response.
        """
        # NOTE(review): the signature is annotated ``Secret`` but the object
        # built and returned below is a ``DeleteSecretResponse``.
        args: dict[str, Any] = {
            "SecretId": self.serialize(SecretId),
            "RecoveryWindowInDays": self.serialize(RecoveryWindowInDays),
            "ForceDeleteWithoutRecovery": self.serialize(ForceDeleteWithoutRecovery),
        }
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.delete_secret(**request)
        return DeleteSecretResponse(**_response)

    def set_value(
        self,
        SecretId: str,
        *,
        ClientRequestToken: "str | None" = None,
        SecretBinary: "bytes | None" = None,
        SecretString: "str | None" = None,
        VersionStages: "builtins.list[str] | None" = None,
        RotationToken: "str | None" = None,
    ) -> "PutSecretValueResponse":
        """
        Create a new version of a secret from a new encrypted value.

        The version can hold a new ``SecretString`` value or a new
        ``SecretBinary`` value.

        Args:
            SecretId: The ARN or name of the secret to add a new version to.

        Keyword Args:
            ClientRequestToken: A unique identifier for the new version.
            SecretBinary: Binary data to encrypt and store in the new version.
            SecretString: Text to encrypt and store in the new version.
            VersionStages: Staging labels to attach to this version. Secrets
                Manager uses staging labels to track versions through the
                rotation process.
            RotationToken: Identifier for the source of the request. Required
                for rotations that use an IAM assumed role or cross-account
                rotation; Secrets Manager validates the identity using the
                token. See `How rotation works
                <https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html>`_
                and `Rotation by Lambda functions
                <https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_lambda>`_.

        Returns:
            The parsed ``PutSecretValue`` response.
        """
        # Carries the plaintext secret value; keep it out of logs.
        args: dict[str, Any] = {
            "SecretId": self.serialize(SecretId),
            "ClientRequestToken": self.serialize(ClientRequestToken),
            "SecretBinary": self.serialize(SecretBinary),
            "SecretString": self.serialize(SecretString),
            "VersionStages": self.serialize(VersionStages),
            "RotationToken": self.serialize(RotationToken),
        }
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.put_secret_value(**request)
        response = PutSecretValueResponse(**_response)
        self.sessionize(response)
        return cast("PutSecretValueResponse", response)

    def get_value(
        self,
        SecretId: str,
        *,
        VersionId: "str | None" = None,
        VersionStage: "str | None" = None,
    ) -> "GetSecretValueResponse":
        """
        Retrieve the decrypted ``SecretString`` or ``SecretBinary`` of a secret.

        Whichever of the two fields has content in the selected version is
        returned. The response holds the plaintext secret: avoid printing,
        logging or serializing it.

        Args:
            SecretId: The ARN or name of the secret to retrieve. A secret in
                another account must be addressed by ARN.

        Keyword Args:
            VersionId: Unique identifier of the version to retrieve. If given
                together with ``VersionStage``, both must refer to the same
                version. With neither given, Secrets Manager returns the
                ``AWSCURRENT`` version.
            VersionStage: The staging label of the version to retrieve.

        Returns:
            The parsed ``GetSecretValue`` response.
        """
        args: dict[str, Any] = {
            "SecretId": self.serialize(SecretId),
            "VersionId": self.serialize(VersionId),
            "VersionStage": self.serialize(VersionStage),
        }
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.get_secret_value(**request)
        response = GetSecretValueResponse(**_response)
        self.sessionize(response)
        return cast("GetSecretValueResponse", response)

    def set_resource_policy(
        self,
        SecretId: str,
        ResourcePolicy: str,
        *,
        BlockPublicPolicy: "bool | None" = None,
    ) -> "PutResourcePolicyResponse":
        """
        Attach a resource-based permission policy to a secret.

        A resource-based policy is optional. See `Authentication and access
        control for Secrets Manager
        <https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html>`_.

        Args:
            SecretId: The ARN or name of the secret to attach the policy to.
            ResourcePolicy: A JSON-formatted resource-based policy. For
                examples see `Permissions policy examples
                <https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html>`_.

        Keyword Args:
            BlockPublicPolicy: Whether to block policies that allow broad
                access to the secret, for example through a wildcard
                principal. Public policies are not blocked by default, so
                pass ``True`` to have such a policy rejected.

        Returns:
            The parsed ``PutResourcePolicy`` response.
        """
        args: dict[str, Any] = {
            "SecretId": self.serialize(SecretId),
            "ResourcePolicy": self.serialize(ResourcePolicy),
            "BlockPublicPolicy": self.serialize(BlockPublicPolicy),
        }
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.put_resource_policy(**request)
        response = PutResourcePolicyResponse(**_response)
        self.sessionize(response)
        return cast("PutResourcePolicyResponse", response)

    def get_resource_policy(self, SecretId: str) -> "GetResourcePolicyResponse":
        """
        Retrieve the JSON text of the resource-based policy attached to a secret.

        See `Permissions policies attached to a secret
        <https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html>`_.

        Args:
            SecretId: The ARN or name of the secret whose policy is retrieved.

        Returns:
            The parsed ``GetResourcePolicy`` response.
        """
        args: dict[str, Any] = {"SecretId": self.serialize(SecretId)}
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.get_resource_policy(**request)
        response = GetResourcePolicyResponse(**_response)
        self.sessionize(response)
        return cast("GetResourcePolicyResponse", response)

    def delete_resource_policy(self, SecretId: str) -> "DeleteResourcePolicyResponse":
        """
        Delete the resource-based permission policy attached to a secret.

        To attach a policy, use ``PutResourcePolicy``
        (:py:meth:`set_resource_policy`).

        Args:
            SecretId: The ARN or name of the secret whose policy is deleted.

        Returns:
            The parsed ``DeleteResourcePolicy`` response.
        """
        args: dict[str, Any] = {"SecretId": self.serialize(SecretId)}
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.delete_resource_policy(**request)
        response = DeleteResourcePolicyResponse(**_response)
        self.sessionize(response)
        return cast("DeleteResourcePolicyResponse", response)

    def rotate(
        self,
        SecretId: str,
        *,
        ClientRequestToken: "str | None" = None,
        RotationLambdaARN: "str | None" = None,
        RotationRules: "RotationRulesType | None" = None,
        ExternalSecretRotationMetadata: "builtins.list[ExternalSecretRotationMetadataItem] | None" = None,
        ExternalSecretRotationRoleArn: "str | None" = None,
        RotateImmediately: "bool | None" = None,
    ) -> "RotateSecretResponse":
        """
        Configure and start the asynchronous rotation of a secret.

        When configuration parameters are included, the operation stores them
        on the secret and then immediately starts a rotation; otherwise it
        starts a rotation with the values already stored. See `Rotate secrets
        <https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html>`_
        in the *Secrets Manager User Guide*.

        Args:
            SecretId: The ARN or name of the secret to rotate.

        Keyword Args:
            ClientRequestToken: Unique identifier for the new version. Only
                needed when you implement your own retry logic and want to
                make sure a version is not created twice.
            RotationLambdaARN: ARN of the Lambda rotation function, for
                secrets rotated by a Lambda function.
            RotationRules: The rotation configuration for this secret.
            ExternalSecretRotationMetadata: Metadata needed to rotate a
                managed external secret: key/value pairs in JSON format
                specified by the partner. See `Using Secrets Manager managed
                external secrets
                <https://docs.aws.amazon.com/secretsmanager/latest/userguide/managed-external-secrets.html>`_.
            ExternalSecretRotationRoleArn: ARN of the role that allows Secrets
                Manager to rotate a secret held by a third-party partner. See
                `Security and permissions
                <https://docs.aws.amazon.com/secretsmanager/latest/userguide/mes-security.html>`_.
            RotateImmediately: Whether to rotate immediately or wait for the
                next scheduled rotation window defined by ``RotationRules``.

        Returns:
            The parsed ``RotateSecret`` response.
        """
        args: dict[str, Any] = {
            "SecretId": self.serialize(SecretId),
            "ClientRequestToken": self.serialize(ClientRequestToken),
            "RotationLambdaARN": self.serialize(RotationLambdaARN),
            "RotationRules": self.serialize(RotationRules),
            "ExternalSecretRotationMetadata": self.serialize(
                ExternalSecretRotationMetadata
            ),
            "ExternalSecretRotationRoleArn": self.serialize(
                ExternalSecretRotationRoleArn
            ),
            "RotateImmediately": self.serialize(RotateImmediately),
        }
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.rotate_secret(**request)
        response = RotateSecretResponse(**_response)
        self.sessionize(response)
        return cast("RotateSecretResponse", response)

    def cancel_rotation(self, SecretId: str) -> "CancelRotateSecretResponse":
        """
        Turn off automatic rotation and cancel any rotation in progress.

        Args:
            SecretId: The ARN or name of the secret.

        Returns:
            The parsed ``CancelRotateSecret`` response.
        """
        args: dict[str, Any] = {"SecretId": self.serialize(SecretId)}
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.cancel_rotate_secret(**request)
        response = CancelRotateSecretResponse(**_response)
        self.sessionize(response)
        return cast("CancelRotateSecretResponse", response)

    def restore(self, SecretId: str) -> "RestoreSecretResponse":
        """
        Cancel the scheduled deletion of a secret.

        The ``DeletedDate`` time stamp is removed and the secret can be
        accessed again.

        Args:
            SecretId: The ARN or name of the secret to restore.

        Returns:
            The parsed ``RestoreSecret`` response.
        """
        args: dict[str, Any] = {"SecretId": self.serialize(SecretId)}
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.restore_secret(**request)
        response = RestoreSecretResponse(**_response)
        self.sessionize(response)
        return cast("RestoreSecretResponse", response)

    def random_password(
        self,
        *,
        PasswordLength: "int | None" = None,
        ExcludeCharacters: "str | None" = None,
        ExcludeNumbers: "bool | None" = None,
        ExcludePunctuation: "bool | None" = None,
        ExcludeUppercase: "bool | None" = None,
        ExcludeLowercase: "bool | None" = None,
        IncludeSpace: "bool | None" = None,
        RequireEachIncludedType: "bool | None" = None,
    ) -> str:
        """
        Generate a random password with ``GetRandomPassword``.

        Specifying the maximum length and every character type the target
        system supports is recommended. By default uppercase and lowercase
        letters, numbers and punctuation are used. The return value is
        credential material: do not log it.

        Keyword Args:
            PasswordLength: Length of the password; 32 characters when omitted.
            ExcludeCharacters: Characters that must not appear in the password.
            ExcludeNumbers: Whether to exclude numbers. When omitted the
                password can contain numbers.
            ExcludePunctuation: Whether to exclude the punctuation characters
                ``! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ ] ^ _ ` { | } ~``.
                When omitted the password can contain punctuation.
            ExcludeUppercase: Whether to exclude uppercase letters. When
                omitted the password can contain uppercase letters.
            ExcludeLowercase: Whether to exclude lowercase letters. When
                omitted the password can contain lowercase letters.
            IncludeSpace: Whether the password can contain the space character.
            RequireEachIncludedType: Whether to include at least one upper and
                lowercase letter, one number and one punctuation character.
                When omitted the password contains at least one of every
                character type.

        Returns:
            The generated password.
        """
        args: dict[str, Any] = {
            "PasswordLength": self.serialize(PasswordLength),
            "ExcludeCharacters": self.serialize(ExcludeCharacters),
            "ExcludeNumbers": self.serialize(ExcludeNumbers),
            "ExcludePunctuation": self.serialize(ExcludePunctuation),
            "ExcludeUppercase": self.serialize(ExcludeUppercase),
            "ExcludeLowercase": self.serialize(ExcludeLowercase),
            "IncludeSpace": self.serialize(IncludeSpace),
            "RequireEachIncludedType": self.serialize(RequireEachIncludedType),
        }
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.get_random_password(**request)
        response = GetRandomPasswordResponse(**_response)
        password = response.RandomPassword
        self.sessionize(password)
        return cast("str", password)

    def update_version_stage(
        self,
        SecretId: str,
        VersionStage: str,
        *,
        RemoveFromVersionId: "str | None" = None,
        MoveToVersionId: "str | None" = None,
    ) -> "UpdateSecretVersionStageResponse":
        """
        Modify the staging labels attached to a version of a secret.

        Staging labels track a version through the rotation process, and each
        label can be attached to only one version at a time. To move a label
        that is already attached to another version, Secrets Manager removes it
        from that version and then attaches it to this one. See `Concepts:
        Version
        <https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html#term_version>`_.

        Args:
            SecretId: The ARN or name of the secret with the version and
                staging labels to modify.
            VersionStage: The staging label to add to this version.

        Keyword Args:
            RemoveFromVersionId: ID of the version the label is removed from.
                Required when the label is already attached to a different
                version; if it is omitted or does not match, the operation
                fails.
            MoveToVersionId: ID of the version to add the label to. Omit it to
                remove a label from a version.

        Returns:
            The parsed ``UpdateSecretVersionStage`` response.
        """
        args: dict[str, Any] = {
            "SecretId": self.serialize(SecretId),
            "VersionStage": self.serialize(VersionStage),
            "RemoveFromVersionId": self.serialize(RemoveFromVersionId),
            "MoveToVersionId": self.serialize(MoveToVersionId),
        }
        request = {key: value for key, value in args.items() if value is not None}
        _response = self.client.update_secret_version_stage(**request)
        response = UpdateSecretVersionStageResponse(**_response)
        self.sessionize(response)
        return cast("UpdateSecretVersionStageResponse", response)
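class SecretVersionManager(Boto3ModelManager):
    """Manager for listing the versions of a Secrets Manager secret."""

    service_name: str = "secretsmanager"

    def list(
        self,
        SecretId: str,
        *,
        MaxResults: "int | None" = None,
        NextToken: "str | None" = None,
        IncludeDeprecated: "bool | None" = None,
    ) -> PrimaryBoto3ModelQuerySet:
        """
        List the versions of a secret.

        Secrets Manager uses staging labels to indicate the different versions
        of a secret. See `Secrets Manager concepts: Versions
        <https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html#term_version>`_.

        The returned queryset does not expose the continuation token, so a
        truncated first page would otherwise be silently incomplete. When
        neither ``MaxResults`` nor ``NextToken`` is given, every page is
        therefore fetched. When either is given, exactly one call is made, as
        before, and the caller controls paging.

        Args:
            SecretId: The ARN or name of the secret whose versions to list.

        Keyword Args:
            MaxResults: The number of results to include in the response.
            NextToken: Token indicating where the output should continue from
                when a previous call did not show all results.
            IncludeDeprecated: Whether to include versions without staging
                labels. Such versions are considered deprecated and are
                subject to deletion by Secrets Manager; they are not included
                by default.

        Returns:
            A queryset of the versions found; empty when there are none.
        """
        args: dict[str, Any] = {
            "SecretId": self.serialize(SecretId),
            "MaxResults": self.serialize(MaxResults),
            "NextToken": self.serialize(NextToken),
            "IncludeDeprecated": self.serialize(IncludeDeprecated),
        }
        request = {key: value for key, value in args.items() if value is not None}
        # Explicit paging arguments mean the caller wants a single page.
        follow_pages = MaxResults is None and NextToken is None
        versions = []
        while True:
            _response = self.client.list_secret_version_ids(**request)
            response = ListSecretVersionIdsResponse(**_response)
            if response and response.Versions:
                versions.extend(response.Versions)
            # The raw response carries NextToken only while pages remain.
            token = _response.get("NextToken")
            if not follow_pages or not token:
                break
            request["NextToken"] = token
        if versions:
            self.sessionize(versions)
            return PrimaryBoto3ModelQuerySet(versions)
        return PrimaryBoto3ModelQuerySet([])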
# ==============
# Service Models
# ==============
class RotationRulesType(Boto3Model):
    """
    Rotation configuration for a secret.
    """

    AutomaticallyAfterDays: "int | None" = None
    """
    Number of days between rotations of the secret.

    This value can be used to check that a secret meets compliance guidelines
    for how often secrets must be rotated. When this field sets the rotation
    schedule, Secrets Manager calculates the next rotation date from the
    previous rotation. Manually updating the secret value by calling
    ``PutSecretValue`` or ``UpdateSecret`` is considered a valid rotation.
    """

    Duration: "str | None" = None
    """
    Length of the rotation window in hours, for example ``3h`` for a three hour
    window.

    Secrets Manager rotates the secret at any time during this window. The
    window must not extend into the next rotation window or the next UTC day,
    and it starts according to the ``ScheduleExpression``. Without a
    ``Duration``, the window closes after one hour for a ``ScheduleExpression``
    in hours, and at the end of the UTC day for a ``ScheduleExpression`` in
    days. For more information, including examples, see `Schedule expressions
    in Secrets Manager rotation
    <https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html>`_
    in the *Secrets Manager Users Guide*.
    """

    ScheduleExpression: "str | None" = None
    """
    A ``cron()`` or ``rate()`` expression that defines the rotation schedule.

    Secrets Manager rotation schedules use the UTC time zone. The secret is
    rotated at any time during a rotation window.
    """
class Secret(TagsDictMixin, PrimaryBoto3Model):
    """
    Details about a Secrets Manager secret.

    The encrypted ``SecretString`` and ``SecretBinary`` values are not part of
    this structure. To get those values, use
    `GetSecretValue <https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html>`_.
    """

    tag_class: ClassVar[type[Boto3Model]] = Tag
    manager_class: ClassVar[type[Boto3ModelManager]] = SecretManager

    Name: str
    """
    The friendly name of the secret.
    """

    ARN: str = Field(default=None, frozen=True)
    """
    The Amazon Resource Name (ARN) of the secret.
    """

    Type: "str | None" = None
    """
    The exact string that identifies the third-party partner that holds the
    external secret.

    For more information, see `Managed external secret partners
    <https://docs.aws.amazon.com/secretsmanager/latest/userguide/mes-partners.html>`_.
    """

    Description: "str | None" = None
    """
    The user-provided description of the secret.
    """

    KmsKeyId: "str | None" = None
    """
    The ARN of the KMS key that Secrets Manager uses to encrypt the secret value.

    This field is omitted when the secret is encrypted with the Amazon Web
    Services managed key ``aws/secretsmanager``.
    """

    RotationEnabled: bool = Field(default=None, frozen=True)
    """
    Whether automatic, scheduled rotation is enabled for this secret.
    """

    RotationLambdaARN: str = Field(default=None, frozen=True)
    """
    The ARN of the Amazon Web Services Lambda function that Secrets Manager
    invokes to rotate and expire the secret, either automatically per the
    schedule or manually by a call to
    `RotateSecret <https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RotateSecret.html>`_.
    """

    RotationRules: RotationRulesType = Field(default=None, frozen=True)
    """
    The rotation configuration for the secret.
    """

    ExternalSecretRotationMetadata: "builtins.list[ExternalSecretRotationMetadataItem]" = Field(
        default_factory=list, frozen=True
    )
    """
    The metadata needed to successfully rotate a managed external secret.

    A list of key value pairs in JSON format specified by the partner. For more
    information about the required information, see `Managed external secrets
    partners
    <https://docs.aws.amazon.com/secretsmanager/latest/userguide/mes-partners.html>`_.
    """

    ExternalSecretRotationRoleArn: str = Field(default=None, frozen=True)
    """
    The role that Secrets Manager assumes to call the APIs required to perform
    the rotation.

    For more information about the required information, see `Managed external
    secrets partners
    <https://docs.aws.amazon.com/secretsmanager/latest/userguide/mes-partners.html>`_.
    """

    LastRotatedDate: datetime = Field(default=None, frozen=True)
    """
    The most recent date and time that the Secrets Manager rotation process
    completed successfully.

    This value is null if the secret has never been rotated.
    """

    LastChangedDate: datetime = Field(default=None, frozen=True)
    """
    The last date and time that this secret was modified in any way.
    """

    LastAccessedDate: datetime = Field(default=None, frozen=True)
    """
    The date that the secret was last accessed in the Region.

    This field is omitted if the secret has never been retrieved in the Region.
    """

    DeletedDate: datetime = Field(default=None, frozen=True)
    """
    The date and time the deletion of the secret occurred.

    Not present on active secrets. The secret can be recovered until the number
    of days in the recovery window has passed, as specified in the
    ``RecoveryWindowInDays`` parameter of the
    `DeleteSecret <https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html>`_
    operation.
    """

    NextRotationDate: datetime = Field(default=None, frozen=True)
    """
    The next rotation is scheduled to occur on or before this date.

    Secrets Manager returns null if the secret isn't configured for rotation or
    rotation has been disabled.
    """

    Tags: "builtins.list[Tag] | None" = Field(default_factory=list)
    """
    The list of user-defined tags associated with the secret.

    To add tags to a secret, use
    `TagResource <https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_TagResource.html>`_.
    To remove tags, use
    `UntagResource <https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UntagResource.html>`_.
    """

    SecretVersionsToStages: dict[str, builtins.list[str]] = Field(
        default_factory=dict, frozen=True
    )
    """
    All of the currently assigned ``SecretVersionStage`` staging labels and the
    ``SecretVersionId`` attached to each one.

    Staging labels are used to keep track of the different versions during the
    rotation process.
    """

    OwningService: str = Field(default=None, frozen=True)
    """
    The name of the service that created the secret.
    """

    CreatedDate: datetime = Field(default=None, frozen=True)
    """
    The date and time when the secret was created.
    """

    PrimaryRegion: str = Field(default=None, frozen=True)
    """
    The Region where Secrets Manager originated the secret.
    """
@property
def pk(self) -> str | None:
"""
Return the primary key of the model. This is the value of the :py:attr:`ARN`
attribute.
Returns:
The primary key of the model instance.
"""
return self.ARN
@property
def arn(self) -> str | None:
"""
Return the ARN of the model. This is the value of the :py:attr:`ARN`
attribute.
Returns:
The ARN of the model instance.
"""
return self.ARN
@property
def name(self) -> str | None:
"""
Return the name of the model. This is the value of the :py:attr:`Name`
attribute.
Returns:
The name of the model instance.
"""
return self.Name
def __hash__(self) -> int:
    """
    Hash the model by its :py:attr:`ARN` attribute.

    Only the ARN takes part in the hash; no other field is read.
    """
    identity = self.ARN
    return hash(identity)
def get_value(
    self, VersionId: "str | None" = None, VersionStage: "str | None" = None
) -> "GetSecretValueResponse":
    """
    Fetch the value of this secret through the model's manager.

    The call is delegated to the manager bound to ``self.session`` and is
    keyed on :py:attr:`ARN`.  The returned ``GetSecretValueResponse``
    carries the decrypted value in its ``SecretString`` / ``SecretBinary``
    fields, so keep the result out of logs, error messages and serialized
    dumps.

    Keyword Args:
        VersionId: The unique identifier of the version of the secret to
            retrieve. If you include both this parameter and
            ``VersionStage``, the two parameters must refer to the same
            secret version. If you don't specify either a ``VersionStage``
            or ``VersionId``, then Secrets Manager returns the
            ``AWSCURRENT`` version.
        VersionStage: The staging label of the version of the secret to
            retrieve.

    Returns:
        Whatever the manager's ``get_value`` returns for this ARN.
    """
    manager = cast("SecretManager", self.objects)  # type: ignore[attr-defined]
    bound_manager = manager.using(self.session)
    return bound_manager.get_value(
        self.ARN, VersionId=VersionId, VersionStage=VersionStage
    )
def set_value(
    self,
    ClientRequestToken: "str | None" = None,
    SecretBinary: "bytes | None" = None,
    SecretString: "str | None" = None,
    VersionStages: "builtins.list[str] | None" = None,
    RotationToken: "str | None" = None,
) -> "PutSecretValueResponse":
    """
    Store a new value for this secret through the model's manager.

    The call is delegated to the manager bound to ``self.session`` and is
    keyed on :py:attr:`ARN`.  ``SecretBinary`` and ``SecretString`` are
    plaintext secret material supplied by the caller; avoid logging them
    or echoing them in error messages.

    NOTE(review): both value parameters are forwarded exactly as given and
    this method does not check that exactly one of them is set; presumably
    the service or the manager enforces that, confirm.

    Keyword Args:
        ClientRequestToken: A unique identifier for the new version of the
            secret.
        SecretBinary: The binary data to encrypt and store in the new
            version of the secret. To use this parameter in the
            command-line tools, we recommend that you store your binary
            data in a file and then pass the contents of the file as a
            parameter.
        SecretString: The text to encrypt and store in the new version of
            the secret.
        VersionStages: A list of staging labels to attach to this version
            of the secret. Secrets Manager uses staging labels to track
            versions of a secret through the rotation process.
        RotationToken: A unique identifier that indicates the source of
            the request. Required for secret rotations using an IAM
            assumed role or cross-account rotation, in which you rotate a
            secret in one account by using a Lambda rotation function in
            another account. In both cases, the rotation function assumes
            an IAM role to call Secrets Manager, and then Secrets Manager
            validates the identity using the token. For more information,
            see `How rotation works
            <https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html>`_
            and `Rotation by Lambda functions
            <https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_lambda>`_.

    Returns:
        Whatever the manager's ``set_value`` returns for this ARN.
    """
    manager = cast("SecretManager", self.objects)  # type: ignore[attr-defined]
    bound_manager = manager.using(self.session)
    return bound_manager.set_value(
        self.ARN,
        ClientRequestToken=ClientRequestToken,
        SecretBinary=SecretBinary,
        SecretString=SecretString,
        VersionStages=VersionStages,
        RotationToken=RotationToken,
    )
class SecretVersion(PrimaryBoto3Model):
    """
    A structure that contains information about one version of a secret.

    Only version metadata is declared here; no field holds the secret
    value itself.
    """

    manager_class: ClassVar[type[Boto3ModelManager]] = SecretVersionManager

    VersionId: "str | None" = None
    """
    The unique version identifier of this version of the secret.
    """

    VersionStages: "builtins.list[str] | None" = Field(default_factory=list)
    """
    An array of staging labels that are currently associated with this
    version of the secret.
    """

    LastAccessedDate: "datetime | None" = None
    """
    The date that this version of the secret was last accessed.

    Note that the resolution of this field is at the date level and does
    not include the time.
    """

    CreatedDate: "datetime | None" = None
    """
    The date and time this version of the secret was created.
    """

    KmsKeyIds: "builtins.list[str] | None" = Field(default_factory=list)
    """
    The KMS keys used to encrypt the secret version.
    """

    @property
    def pk(self) -> str | None:
        """
        Primary key of this version.

        Returns:
            The value of the :py:attr:`VersionId` attribute.
        """
        version_id = self.VersionId
        return version_id

    @property
    def name(self) -> str | None:
        """
        Name of this version.

        Returns:
            The value of the :py:attr:`VersionId` attribute; a version has
            no separate name field.
        """
        version_id = self.VersionId
        return version_id

    def __hash__(self) -> int:
        """
        Hash the model by its :py:attr:`VersionId` attribute.
        """
        version_id = self.VersionId
        return hash(version_id)
# =======================
# Request/Response Models
# =======================
class ReplicaRegionType(Boto3Model):
    """
    A custom type that specifies a ``Region`` and the ``KmsKeyId`` for a
    replica secret.
    """

    Region: "str | None" = None
    """
    A Region code.

    For a list of Region codes, see
    `Name and code of Regions <https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints>`_.
    """

    # Leaving this unset means the replica is encrypted with the
    # ``aws/secretsmanager`` key rather than a key chosen by the caller.
    KmsKeyId: "str | None" = None
    """
    The ARN, key ID, or alias of the KMS key to encrypt the secret.

    If you don't include this field, Secrets Manager uses
    ``aws/secretsmanager``.
    """
class ReplicationStatusType(Boto3Model):
    """
    A replication object consisting of a ``RegionReplicationStatus`` object
    and includes a Region, KMSKeyId, status, and status message.
    """

    Region: "str | None" = None
    """
    The Region where replication occurs.
    """

    KmsKeyId: "str | None" = None
    """
    Can be an ``ARN``, ``Key ID``, or ``Alias``.
    """

    Status: "Literal['InSync', 'Failed', 'InProgress'] | None" = None
    """
    The status can be ``InProgress``, ``Failed``, or ``InSync``.
    """

    StatusMessage: "str | None" = None
    """
    Status message such as "*Secret with this name already exists in this
    region*".
    """

    LastAccessedDate: "datetime | None" = None
    """
    The date that the secret was last accessed in the Region.

    This field is omitted if the secret has never been retrieved in the
    Region.
    """
class CreateSecretResponse(Boto3Model):
    """
    Identifiers and replication status returned for a newly created secret.
    """

    ARN: "str | None" = None
    """
    The ARN of the new secret.

    The ARN includes the name of the secret followed by six random
    characters. This ensures that if you create a new secret with the same
    name as a deleted secret, then users with access to the old secret
    don't get access to the new secret because the ARNs are different.
    """

    Name: "str | None" = None
    """
    The name of the new secret.
    """

    VersionId: "str | None" = None
    """
    The unique identifier associated with the version of the new secret.
    """

    ReplicationStatus: "builtins.list[ReplicationStatusType] | None" = Field(
        default_factory=list
    )
    """
    A list of the replicas of this secret and their status.
    """
class UpdateSecretResponse(Boto3Model):
    """
    Identifiers returned for a secret that was updated.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret that was updated.
    """

    Name: "str | None" = None
    """
    The name of the secret that was updated.
    """

    VersionId: "str | None" = None
    """
    If Secrets Manager created a new version of the secret during this
    operation, then ``VersionId`` contains the unique identifier of the new
    version.
    """
class DescribeSecretResponse(TagsDictMixin, Boto3Model):
    """
    Metadata describing one secret.

    The fields cover identity, encryption key, rotation settings, dates,
    tags, version staging labels and replication; none of them holds the
    secret value.
    """

    tag_class: ClassVar[type[Boto3Model]] = Tag

    ARN: "str | None" = None
    """
    The ARN of the secret.
    """

    Name: "str | None" = None
    """
    The name of the secret.
    """

    Type: "str | None" = None
    """
    The exact string that identifies the partner that holds the external
    secret.

    For more information, see
    `Using Secrets Manager managed external secrets <https://docs.aws.amazon.com/secretsmanager/latest/userguide/managed-external-secrets.html>`_.
    """

    Description: "str | None" = None
    """
    The description of the secret.
    """

    # An omitted value here means the secret is encrypted with the Amazon
    # Web Services managed key, not that it is unencrypted.
    KmsKeyId: "str | None" = None
    """
    The key ID or alias ARN of the KMS key that Secrets Manager uses to
    encrypt the secret value.

    If the secret is encrypted with the Amazon Web Services managed key
    ``aws/secretsmanager``, this field is omitted. Secrets created using
    the console use a KMS key ID.
    """

    RotationEnabled: "bool | None" = None
    """
    Specifies whether automatic rotation is turned on for this secret.

    If the secret has never been configured for rotation, Secrets Manager
    returns null.
    """

    RotationLambdaARN: "str | None" = None
    """
    The ARN of the Lambda function that Secrets Manager invokes to rotate
    the secret.
    """

    # A populated schedule does not prove rotation is active: it is kept
    # after rotation is turned off, so check ``RotationEnabled`` as well.
    RotationRules: "RotationRulesType | None" = None
    """
    The rotation schedule and Lambda function for this secret.

    If the secret previously had rotation turned on, but it is now turned
    off, this field shows the previous rotation schedule and rotation
    function. If the secret never had rotation turned on, this field is
    omitted.
    """

    ExternalSecretRotationMetadata: (
        "builtins.list[ExternalSecretRotationMetadataItem] | None"
    ) = Field(default_factory=list)
    """
    The metadata needed to successfully rotate a managed external secret.

    A list of key value pairs in JSON format specified by the partner. For
    more information about the required information, see
    `Managed external secrets partners <https://docs.aws.amazon.com/secretsmanager/latest/userguide/mes-partners.html>`_.
    """

    ExternalSecretRotationRoleArn: "str | None" = None
    """
    The Amazon Resource Name (ARN) of the role that allows Secrets Manager
    to rotate a secret held by a third-party partner.

    For more information, see
    `Security and permissions <https://docs.aws.amazon.com/secretsmanager/latest/userguide/mes-security.html>`_.
    """

    LastRotatedDate: "datetime | None" = None
    """
    The last date and time that Secrets Manager rotated the secret.

    If the secret isn't configured for rotation or rotation has been
    disabled, Secrets Manager returns null.
    """

    LastChangedDate: "datetime | None" = None
    """
    The last date and time that this secret was modified in any way.
    """

    LastAccessedDate: "datetime | None" = None
    """
    The date that the secret was last accessed in the Region.

    This field is omitted if the secret has never been retrieved in the
    Region.
    """

    DeletedDate: "datetime | None" = None
    """
    The date the secret is scheduled for deletion.

    If it is not scheduled for deletion, this field is omitted. When you
    delete a secret, Secrets Manager requires a recovery window of at least
    7 days before deleting the secret. Some time after the deleted date,
    Secrets Manager deletes the secret, including all of its versions.
    """

    # A date in the past indicates that rotation has not succeeded.
    NextRotationDate: "datetime | None" = None
    """
    The next rotation is scheduled to occur on or before this date.

    If the secret isn't configured for rotation or rotation has been
    disabled, Secrets Manager returns null. If rotation fails, Secrets
    Manager retries the entire rotation process multiple times. If rotation
    is unsuccessful, this date may be in the past.
    """

    Tags: "builtins.list[Tag] | None" = Field(default_factory=list)
    """
    The list of tags attached to the secret.

    To add tags to a secret, use TagResource. To remove tags, use
    UntagResource.
    """

    VersionIdsToStages: "dict[str, builtins.list[str]] | None" = Field(
        default_factory=dict
    )
    """
    A list of the versions of the secret that have staging labels attached.

    Versions that don't have staging labels are considered deprecated and
    Secrets Manager can delete them.
    """

    OwningService: "str | None" = None
    """
    The ID of the service that created this secret.

    For more information, see
    `Secrets managed by other Amazon Web Services services <https://docs.aws.amazon.com/secretsmanager/latest/userguide/service-linked-secrets.html>`_.
    """

    CreatedDate: "datetime | None" = None
    """
    The date the secret was created.
    """

    PrimaryRegion: "str | None" = None
    """
    The Region the secret is in.

    If a secret is replicated to other Regions, the replicas are listed in
    ``ReplicationStatus``.
    """

    ReplicationStatus: "builtins.list[ReplicationStatusType] | None" = Field(
        default_factory=list
    )
    """
    A list of the replicas of this secret and their status.
    """
class SecretsFilter(Boto3Model):
    """
    Allows you to add filters when you use the search function in Secrets
    Manager.

    For more information, see
    `Find secrets in Secrets Manager <https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_search-secret.html>`_.
    """

    # Required field (no default); only the literals listed are accepted
    # by the annotation.
    Key: Literal[
        "description",
        "name",
        "tag-key",
        "tag-value",
        "primary-region",
        "owning-service",
        "all",
    ]
    """
    The key to filter on; one of the literal values in the annotation.
    """

    # Required field (no default).
    Values: "builtins.list[str]"
    """
    The keyword to filter for.
    """
class ListSecretsResponse(Boto3Model):
    """
    One page of secrets in the account, plus the token for the next page.
    """

    SecretList: "builtins.list[Secret] | None" = Field(default_factory=list)
    """
    A list of the secrets in the account.
    """

    # An empty ``SecretList`` is not proof that listing is finished; keep
    # paging for as long as this token is present.
    NextToken: "str | None" = None
    """
    Secrets Manager includes this value if there's more output available
    than what is included in the current response.

    This can occur even when the response includes no values at all, such
    as when you ask for a filtered view of a long list. To get the next
    results, call ``ListSecrets`` again with this value.
    """
class DeleteSecretResponse(Boto3Model):
    """
    Identifiers and the permanent-deletion date for a deleted secret.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret.
    """

    Name: "str | None" = None
    """
    The name of the secret.
    """

    # Until this date the secret can still be restored.
    DeletionDate: "datetime | None" = None
    """
    The date and time after which Secrets Manager can permanently delete
    this secret, and it can no longer be restored.

    This value is the date and time of the delete request plus the number
    of days in ``RecoveryWindowInDays``.
    """
class PutSecretValueResponse(Boto3Model):
    """
    Identifiers and staging labels of a stored secret version.

    No field here echoes the secret value that was written.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret.
    """

    Name: "str | None" = None
    """
    The name of the secret.
    """

    VersionId: "str | None" = None
    """
    The unique identifier of the version of the secret.
    """

    VersionStages: "builtins.list[str] | None" = Field(default_factory=list)
    """
    The list of staging labels that are currently attached to this version
    of the secret.

    Secrets Manager uses staging labels to track a version as it progresses
    through the secret rotation process.
    """
class GetSecretValueResponse(Boto3Model):
    """
    A retrieved secret version, including its decrypted value.

    ``SecretBinary`` and ``SecretString`` hold plaintext secret material.
    Keep instances out of logs, exception messages and serialized dumps.
    NOTE(review): presumably this is a pydantic model whose default repr
    prints every field value, which would include the secret; confirm
    against ``Boto3Model``.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret.
    """

    Name: "str | None" = None
    """
    The friendly name of the secret.
    """

    VersionId: "str | None" = None
    """
    The unique identifier of this version of the secret.
    """

    # Plaintext secret material.
    SecretBinary: "bytes | None" = None
    """
    The decrypted secret value, if the secret value was originally provided
    as binary data in the form of a byte array.

    When you retrieve a ``SecretBinary`` using the HTTP API, the Python
    SDK, or the Amazon Web Services CLI, the value is Base64-encoded.
    Otherwise, it is not encoded.
    """

    # Plaintext secret material.
    SecretString: "str | None" = None
    """
    The decrypted secret value, if the secret value was originally provided
    as a string or through the Secrets Manager console.
    """

    VersionStages: "builtins.list[str] | None" = Field(default_factory=list)
    """
    A list of all of the staging labels currently attached to this version
    of the secret.
    """

    CreatedDate: "datetime | None" = None
    """
    The date and time that this version of the secret was created.

    If you don't specify which version in ``VersionId`` or
    ``VersionStage``, then Secrets Manager uses the ``AWSCURRENT`` version.
    """
class PutResourcePolicyResponse(Boto3Model):
    """
    Identifiers of a secret, as returned in a put-resource-policy response.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret.
    """

    Name: "str | None" = None
    """
    The name of the secret.
    """
class GetResourcePolicyResponse(Boto3Model):
    """
    A secret's identifiers together with its resource-based policy.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret that the resource-based policy was retrieved for.
    """

    Name: "str | None" = None
    """
    The name of the secret that the resource-based policy was retrieved
    for.
    """

    # Delivered as a JSON string, not a parsed structure; decode it before
    # inspecting the permissions it grants.
    ResourcePolicy: "str | None" = None
    """
    A JSON-formatted string that contains the permissions policy attached
    to the secret.

    For more information about permissions policies, see
    `Authentication and access control for Secrets Manager <https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html>`_.
    """
class DeleteResourcePolicyResponse(Boto3Model):
    """
    Identifiers of the secret whose resource-based policy was deleted.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret that the resource-based policy was deleted for.
    """

    Name: "str | None" = None
    """
    The name of the secret that the resource-based policy was deleted for.
    """
class RotateSecretResponse(Boto3Model):
    """
    Identifiers of a secret and of the new version produced by rotation.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret.
    """

    Name: "str | None" = None
    """
    The name of the secret.
    """

    VersionId: "str | None" = None
    """
    The ID of the new version of the secret.
    """
class CancelRotateSecretResponse(Boto3Model):
    """
    Identifiers of a secret and of the version left by a cancelled rotation.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret.
    """

    Name: "str | None" = None
    """
    The name of the secret.
    """

    # Follow-up needed: a leftover ``AWSPENDING`` version can block later
    # rotations, which leaves the current secret value in service longer.
    VersionId: "str | None" = None
    """
    The unique identifier of the version of the secret created during the
    rotation.

    This version might not be complete, and should be evaluated for
    possible deletion. We recommend that you remove the ``VersionStage``
    value ``AWSPENDING`` from this version so that Secrets Manager can
    delete it. Failing to clean up a cancelled rotation can block you from
    starting future rotations.
    """
class RestoreSecretResponse(Boto3Model):
    """
    Identifiers of the secret that was restored.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret that was restored.
    """

    Name: "str | None" = None
    """
    The name of the secret that was restored.
    """
class GetRandomPasswordResponse(Boto3Model):
    """
    A generated password.

    ``RandomPassword`` is plaintext credential material; keep instances
    out of logs, exception messages and serialized dumps.
    """

    # Plaintext credential material.
    RandomPassword: "str | None" = None
    """
    A string with the password.
    """
class UpdateSecretVersionStageResponse(Boto3Model):
    """
    Identifiers of the secret that was updated.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret that was updated.
    """

    Name: "str | None" = None
    """
    The name of the secret that was updated.
    """
class ListSecretVersionIdsResponse(Boto3Model):
    """
    One page of a secret's versions, plus the token for the next page.
    """

    Versions: "builtins.list[SecretVersion] | None" = Field(default_factory=list)
    """
    A list of the versions of the secret.
    """

    # An empty ``Versions`` list is not proof that listing is finished;
    # keep paging for as long as this token is present.
    NextToken: "str | None" = None
    """
    Secrets Manager includes this value if there's more output available
    than what is included in the current response.

    This can occur even when the response includes no values at all, such
    as when you ask for a filtered view of a long list. To get the next
    results, call ``ListSecretVersionIds`` again with this value.
    """

    ARN: "str | None" = None
    """
    The ARN of the secret.
    """

    Name: "str | None" = None
    """
    The name of the secret.
    """