+ "smithy.api#documentation": "<p>Creates a new secret. A <i>secret</i> can be a password, a set of \n credentials such as a user name and password, an OAuth token, or other secret information \n that you store in an encrypted form in Secrets Manager. The secret also \n includes the connection information to access a database or other service, which Secrets Manager \n doesn't encrypt. A secret in Secrets Manager consists of both the protected secret data and the\n important information needed to manage the secret.</p>\n <p>For secrets that use <i>managed rotation</i>, you need to create the secret through the managing service. For more information, see <a href=\"https://docs.aws.amazon.com/secretsmanager/latest/userguide/service-linked-secrets.html\">Secrets Manager secrets managed by other Amazon Web Services services</a>.\n\n </p>\n <p>For information about creating a secret in the console, see <a href=\"https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html\">Create a secret</a>.</p>\n <p>To create a secret, you can provide the secret value to be encrypted in either the\n <code>SecretString</code> parameter or the <code>SecretBinary</code> parameter, but not both. \n If you include <code>SecretString</code> or <code>SecretBinary</code>\n then Secrets Manager creates an initial secret version and automatically attaches the staging\n label <code>AWSCURRENT</code> to it.</p>\n <p>For database credentials you want to rotate, for Secrets Manager to be able to rotate the secret,\n you must make sure the JSON you store in the <code>SecretString</code> matches the <a href=\"https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html\">JSON structure of\n a database secret</a>.</p>\n <p>If you don't specify an KMS encryption key, Secrets Manager uses the Amazon Web Services managed key \n <code>aws/secretsmanager</code>. If this key \n doesn't already exist in your account, then Secrets Manager creates it for you automatically. All\n users and roles in the Amazon Web Services account automatically have access to use <code>aws/secretsmanager</code>. \n Creating <code>aws/secretsmanager</code> can result in a one-time significant delay in returning the \n result.</p>\n <p>If the secret is in a different Amazon Web Services account from the credentials calling the API, then \n you can't use <code>aws/secretsmanager</code> to encrypt the secret, and you must create \n and use a customer managed KMS key. </p>\n <p>Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters except <code>SecretBinary</code> or <code>SecretString</code> because it might be logged. For more information, see <a href=\"https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieve-ct-entries.html\">Logging Secrets Manager events with CloudTrail</a>.</p>\n <p>\n <b>Required permissions: </b>\n <code>secretsmanager:CreateSecret</code>. If you \n include tags in the secret, you also need <code>secretsmanager:TagResource</code>. To add replica Regions, you must also have <code>secretsmanager:ReplicateSecretToRegions</code>.\n For more information, see <a href=\"https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#reference_iam-permissions_actions\">\n IAM policy actions for Secrets Manager</a> and <a href=\"https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html\">Authentication \n and access control in Secrets Manager</a>. </p>\n <p>To encrypt the secret with a KMS key other than <code>aws/secretsmanager</code>, you need <code>kms:GenerateDataKey</code> and <code>kms:Decrypt</code> permission to the key. </p>",
0 commit comments