Puppet Task: secretsmanager_aws_create_secret

Defined in:: tasks/secretsmanager_aws_create_secret.json,
tasks/secretsmanager_aws_create_secret.rb

Overview

Creates a new secret. A secret in Secrets Manager consists of both the protected secret data and the important information needed to manage the secret. Secrets Manager stores the encrypted secret data in one of a collection of 'versions' associated with the secret. Each version contains a copy of the encrypted secret data. Each version is associated with one or more 'staging labels' that identify where the version is in the rotation cycle. The SecretVersionsToStages field of the secret contains the mapping of staging labels to the active versions of the secret. Versions without a staging label are considered deprecated and are not included in the list. You provide the secret data to be encrypted by putting text in either the SecretString parameter or binary data in the SecretBinary parameter, but not both. If you include SecretString or SecretBinary then Secrets Manager also creates an initial secret version and automatically attaches the staging label AWSCURRENT to the new version. If you call an operation that needs to encrypt or decrypt the SecretString or SecretBinary for a secret in the same account as the calling user and that secret doesn't specify a AWS KMS encryption key, Secrets Manager uses the account's default AWS managed customer master key (CMK) with the alias aws/secretsmanager. If this key doesn't already exist in your account then Secrets Manager creates it for you automatically. All users and roles in the same AWS account automatically have access to use the default CMK. Note that if an Secrets Manager API call results in AWS having to create the account's AWS-managed CMK, it can result in a one-time significant delay in returning the result. If the secret is in a different AWS account from the credentials calling an API that requires encryption or decryption of the secret value then you must create and use a custom AWS KMS CMK because you can't access the default CMK for the account using credentials from a different AWS account. Store the ARN of the CMK in the secret when you create the secret or when you update it by including it in the KMSKeyId. If you call an API that must encrypt or decrypt SecretString or SecretBinary using credentials from a different account then the AWS KMS key policy must grant cross-account access to that other account's user or role for both the kms:GenerateDataKey and kms:Decrypt operations. Minimum permissions To run this command, you must have the following permissions: secretsmanager:CreateSecret kms:GenerateDataKey - needed only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager. kms:Decrypt - needed only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager. secretsmanager:TagResource - needed only if you include the Tags parameter. Related operations To delete a secret, use DeleteSecret. To modify an existing secret, use UpdateSecret. To create a new version of a secret, use PutSecretValue. To retrieve the encrypted secure string and secure binary values, use GetSecretValue. To retrieve all other details for a secret, use DescribeSecret. This does not include the encrypted secure string and secure binary values. To retrieve the list of secret versions associated with the current secret, use DescribeSecret and examine the SecretVersionsToStages response value.

Supports noop? false

Parameters

tags (Optional[String[1]]) —
client_request_token (Optional[String[1]]) —
description (Optional[String[1]]) —
kms_key_id (Optional[String[1]]) —
name (Optional[String[1]]) —
secret_binary (Optional[String[1]]) —
secret_string (Optional[String[1]]) —