rotateSecret method
Configures and starts the asynchronous process of rotating the secret. For information about rotation, see Rotate secrets in the Secrets Manager User Guide. If you include the configuration parameters, the operation sets the values for the secret and then immediately starts a rotation. If you don't include the configuration parameters, the operation starts a rotation with the values already stored in the secret.
When rotation is successful, the AWSPENDING staging label
might be attached to the same version as the AWSCURRENT
version, or it might not be attached to any version. If the
AWSPENDING staging label is present but not attached to the
same version as AWSCURRENT, then any later invocation of
RotateSecret assumes that a previous rotation request is
still in progress and returns an error. When rotation is unsuccessful, the
AWSPENDING staging label might be attached to an empty secret
version. For more information, see Troubleshoot
rotation in the Secrets Manager User Guide.
Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.
Required permissions: secretsmanager:RotateSecret.
For more information, see
IAM policy actions for Secrets Manager and Authentication
and access control in Secrets Manager. You also need
lambda:InvokeFunction permissions on the rotation function.
For more information, see
Permissions for rotation.
May throw InternalServiceError.
May throw InvalidParameterException.
May throw InvalidRequestException.
May throw ResourceNotFoundException.
Parameter secretId :
The ARN or name of the secret to rotate.
For an ARN, we recommend that you specify a complete ARN rather than a partial ARN. See Finding a secret from a partial ARN.
Parameter clientRequestToken :
A unique identifier for the new version of the secret. You only need to
specify this value if you implement your own retry logic and you want to
ensure that Secrets Manager doesn't attempt to create a secret version
twice.
If you generate a raw HTTP request to the Secrets Manager service
endpoint, then you must generate a ClientRequestToken and
include it in the request.
This value helps ensure idempotency. Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during a rotation. We recommend that you generate a UUID-type value to ensure uniqueness of your versions within the specified secret.
Parameter externalSecretRotationMetadata :
The metadata needed to successfully rotate a managed external secret. A
list of key value pairs in JSON format specified by the partner. For more
information about the required information, see Using
Secrets Manager managed external secrets
Parameter externalSecretRotationRoleArn :
The Amazon Resource Name (ARN) of the role that allows Secrets Manager to
rotate a secret held by a third-party partner. For more information, see
Security
and permissions.
Parameter rotateImmediately :
Specifies whether to rotate the secret immediately or wait until the next
scheduled rotation window. The rotation schedule is defined in
RotateSecretRequest$RotationRules.
The default for RotateImmediately is true. If
you don't specify this value, Secrets Manager rotates the secret
immediately.
If you set RotateImmediately to false, Secrets
Manager tests the rotation configuration by running the
testSecret step of the Lambda rotation function. This
test creates an AWSPENDING version of the secret and then
removes it.
When changing an existing rotation schedule and setting
RotateImmediately to false:
-
If using
AutomaticallyAfterDaysor aScheduleExpressionwithrate(), the previously scheduled rotation might still occur. -
To prevent unintended rotations, use a
ScheduleExpressionwithcron()for granular control over rotation windows.
Parameter rotationLambdaARN :
For secrets that use a Lambda rotation function to rotate, the ARN of the
Lambda rotation function.
For secrets that use managed rotation, omit this field. For more information, see Managed rotation in the Secrets Manager User Guide.
Parameter rotationRules :
A structure that defines the rotation configuration for this secret.
-
If using
AutomaticallyAfterDaysor aScheduleExpressionwithrate(), the previously scheduled rotation might still occur. -
To prevent unintended rotations, use a
ScheduleExpressionwithcron()for granular control over rotation windows.
Implementation
Future<RotateSecretResponse> rotateSecret({
required String secretId,
String? clientRequestToken,
List<ExternalSecretRotationMetadataItem>? externalSecretRotationMetadata,
String? externalSecretRotationRoleArn,
bool? rotateImmediately,
String? rotationLambdaARN,
RotationRulesType? rotationRules,
}) async {
final headers = <String, String>{
'Content-Type': 'application/x-amz-json-1.1',
'X-Amz-Target': 'secretsmanager.RotateSecret'
};
final jsonResponse = await _protocol.send(
method: 'POST',
requestUri: '/',
exceptionFnMap: _exceptionFns,
// TODO queryParams
headers: headers,
payload: {
'SecretId': secretId,
'ClientRequestToken':
clientRequestToken ?? _s.generateIdempotencyToken(),
if (externalSecretRotationMetadata != null)
'ExternalSecretRotationMetadata': externalSecretRotationMetadata,
if (externalSecretRotationRoleArn != null)
'ExternalSecretRotationRoleArn': externalSecretRotationRoleArn,
if (rotateImmediately != null) 'RotateImmediately': rotateImmediately,
if (rotationLambdaARN != null) 'RotationLambdaARN': rotationLambdaARN,
if (rotationRules != null) 'RotationRules': rotationRules,
},
);
return RotateSecretResponse.fromJson(jsonResponse.body);
}