feat(client-secrets-manager): AWS Secrets Manager has released the Ba…

…tchGetSecretValue API, which allows customers to fetch up to 20 Secrets with a single request using a list of secret names or filters.
aws · Nov 27, 2023 · 95b2429 · 95b2429
1 parent 09743d7
commit 95b2429
Show file tree

Hide file tree

Showing 12 changed files with 934 additions and 139 deletions.
diff --git a/clients/client-secrets-manager/README.md b/clients/client-secrets-manager/README.md
@@ -229,6 +229,14 @@ see LICENSE for more information.
 
 ## Client Commands (Operations List)
 
+<details>
+<summary>
+BatchGetSecretValue
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/secrets-manager/command/BatchGetSecretValueCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-secrets-manager/Interface/BatchGetSecretValueCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-secrets-manager/Interface/BatchGetSecretValueCommandOutput/)
+
+</details>
 <details>
 <summary>
 CancelRotateSecret

diff --git a/clients/client-secrets-manager/src/SecretsManager.ts b/clients/client-secrets-manager/src/SecretsManager.ts
@@ -2,6 +2,11 @@
 import { createAggregatedClient } from "@smithy/smithy-client";
 import { HttpHandlerOptions as __HttpHandlerOptions } from "@smithy/types";
 
+import {
+  BatchGetSecretValueCommand,
+  BatchGetSecretValueCommandInput,
+  BatchGetSecretValueCommandOutput,
+} from "./commands/BatchGetSecretValueCommand";
 import {
   CancelRotateSecretCommand,
   CancelRotateSecretCommandInput,
@@ -107,6 +112,7 @@ import {
 import { SecretsManagerClient, SecretsManagerClientConfig } from "./SecretsManagerClient";
 
 const commands = {
+  BatchGetSecretValueCommand,
   CancelRotateSecretCommand,
   CreateSecretCommand,
   DeleteResourcePolicyCommand,
@@ -132,6 +138,23 @@ const commands = {
 };
 
 export interface SecretsManager {
+  /**
+   * @see {@link BatchGetSecretValueCommand}
+   */
+  batchGetSecretValue(
+    args: BatchGetSecretValueCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<BatchGetSecretValueCommandOutput>;
+  batchGetSecretValue(
+    args: BatchGetSecretValueCommandInput,
+    cb: (err: any, data?: BatchGetSecretValueCommandOutput) => void
+  ): void;
+  batchGetSecretValue(
+    args: BatchGetSecretValueCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: BatchGetSecretValueCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link CancelRotateSecretCommand}
    */

diff --git a/clients/client-secrets-manager/src/SecretsManagerClient.ts b/clients/client-secrets-manager/src/SecretsManagerClient.ts
@@ -50,6 +50,10 @@ import {
   UserAgent as __UserAgent,
 } from "@smithy/types";
 
+import {
+  BatchGetSecretValueCommandInput,
+  BatchGetSecretValueCommandOutput,
+} from "./commands/BatchGetSecretValueCommand";
 import { CancelRotateSecretCommandInput, CancelRotateSecretCommandOutput } from "./commands/CancelRotateSecretCommand";
 import { CreateSecretCommandInput, CreateSecretCommandOutput } from "./commands/CreateSecretCommand";
 import {
@@ -108,6 +112,7 @@ export { __Client };
  * @public
  */
 export type ServiceInputTypes =
+  | BatchGetSecretValueCommandInput
   | CancelRotateSecretCommandInput
   | CreateSecretCommandInput
   | DeleteResourcePolicyCommandInput
@@ -135,6 +140,7 @@ export type ServiceInputTypes =
  * @public
  */
 export type ServiceOutputTypes =
+  | BatchGetSecretValueCommandOutput
   | CancelRotateSecretCommandOutput
   | CreateSecretCommandOutput
   | DeleteResourcePolicyCommandOutput

diff --git a/clients/client-secrets-manager/src/commands/BatchGetSecretValueCommand.ts b/clients/client-secrets-manager/src/commands/BatchGetSecretValueCommand.ts
@@ -0,0 +1,217 @@
+// smithy-typescript generated code
+import { EndpointParameterInstructions, getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@smithy/protocol-http";
+import { Command as $Command } from "@smithy/smithy-client";
+import {
+  FinalizeHandlerArguments,
+  Handler,
+  HandlerExecutionContext,
+  HttpHandlerOptions as __HttpHandlerOptions,
+  MetadataBearer as __MetadataBearer,
+  MiddlewareStack,
+  SerdeContext as __SerdeContext,
+  SMITHY_CONTEXT_KEY,
+} from "@smithy/types";
+
+import {
+  BatchGetSecretValueRequest,
+  BatchGetSecretValueResponse,
+  BatchGetSecretValueResponseFilterSensitiveLog,
+} from "../models/models_0";
+import { de_BatchGetSecretValueCommand, se_BatchGetSecretValueCommand } from "../protocols/Aws_json1_1";
+import { SecretsManagerClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../SecretsManagerClient";
+
+/**
+ * @public
+ */
+export { __MetadataBearer, $Command };
+/**
+ * @public
+ *
+ * The input for {@link BatchGetSecretValueCommand}.
+ */
+export interface BatchGetSecretValueCommandInput extends BatchGetSecretValueRequest {}
+/**
+ * @public
+ *
+ * The output of {@link BatchGetSecretValueCommand}.
+ */
+export interface BatchGetSecretValueCommandOutput extends BatchGetSecretValueResponse, __MetadataBearer {}
+
+/**
+ * @public
+ * <p>Retrieves the contents of the encrypted fields <code>SecretString</code> or <code>SecretBinary</code> for up to 20 secrets.  To retrieve a single secret, call <a>GetSecretValue</a>. </p>
+ *          <p>To choose which secrets to retrieve, you can specify a list of secrets by name or ARN, or you can use filters. If Secrets Manager encounters errors such as <code>AccessDeniedException</code> while attempting to retrieve any of the secrets, you can see the errors in <code>Errors</code> in the response.</p>
+ *          <p>Secrets Manager generates CloudTrail <code>GetSecretValue</code> log entries for each secret you request when you call this action. Do not include sensitive information in request parameters because it might be logged. For more information, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieve-ct-entries.html">Logging Secrets Manager events with CloudTrail</a>.</p>
+ *          <p>
+ *             <b>Required permissions: </b>
+ *             <code>secretsmanager:BatchGetSecretValue</code>, and you must have <code>secretsmanager:GetSecretValue</code> for each secret. If you use filters, you must also have <code>secretsmanager:ListSecrets</code>. If the secrets are encrypted using customer-managed keys instead of the Amazon Web Services managed key
+ *       <code>aws/secretsmanager</code>, then you also need <code>kms:Decrypt</code> permissions for the keys.
+ *       For more information, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#reference_iam-permissions_actions">
+ *       IAM policy actions for Secrets Manager</a> and <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html">Authentication
+ *       and access control in Secrets Manager</a>. </p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { SecretsManagerClient, BatchGetSecretValueCommand } from "@aws-sdk/client-secrets-manager"; // ES Modules import
+ * // const { SecretsManagerClient, BatchGetSecretValueCommand } = require("@aws-sdk/client-secrets-manager"); // CommonJS import
+ * const client = new SecretsManagerClient(config);
+ * const input = { // BatchGetSecretValueRequest
+ *   SecretIdList: [ // SecretIdListType
+ *     "STRING_VALUE",
+ *   ],
+ *   Filters: [ // FiltersListType
+ *     { // Filter
+ *       Key: "description" || "name" || "tag-key" || "tag-value" || "primary-region" || "owning-service" || "all",
+ *       Values: [ // FilterValuesStringList
+ *         "STRING_VALUE",
+ *       ],
+ *     },
+ *   ],
+ *   MaxResults: Number("int"),
+ *   NextToken: "STRING_VALUE",
+ * };
+ * const command = new BatchGetSecretValueCommand(input);
+ * const response = await client.send(command);
+ * // { // BatchGetSecretValueResponse
+ * //   SecretValues: [ // SecretValuesType
+ * //     { // SecretValueEntry
+ * //       ARN: "STRING_VALUE",
+ * //       Name: "STRING_VALUE",
+ * //       VersionId: "STRING_VALUE",
+ * //       SecretBinary: "BLOB_VALUE",
+ * //       SecretString: "STRING_VALUE",
+ * //       VersionStages: [ // SecretVersionStagesType
+ * //         "STRING_VALUE",
+ * //       ],
+ * //       CreatedDate: new Date("TIMESTAMP"),
+ * //     },
+ * //   ],
+ * //   NextToken: "STRING_VALUE",
+ * //   Errors: [ // APIErrorListType
+ * //     { // APIErrorType
+ * //       SecretId: "STRING_VALUE",
+ * //       ErrorCode: "STRING_VALUE",
+ * //       Message: "STRING_VALUE",
+ * //     },
+ * //   ],
+ * // };
+ *
+ * ```
+ *
+ * @param BatchGetSecretValueCommandInput - {@link BatchGetSecretValueCommandInput}
+ * @returns {@link BatchGetSecretValueCommandOutput}
+ * @see {@link BatchGetSecretValueCommandInput} for command's `input` shape.
+ * @see {@link BatchGetSecretValueCommandOutput} for command's `response` shape.
+ * @see {@link SecretsManagerClientResolvedConfig | config} for SecretsManagerClient's `config` shape.
+ *
+ * @throws {@link DecryptionFailure} (client fault)
+ *  <p>Secrets Manager can't decrypt the protected secret text using the provided KMS key. </p>
+ *
+ * @throws {@link InternalServiceError} (server fault)
+ *  <p>An error occurred on the server side.</p>
+ *
+ * @throws {@link InvalidNextTokenException} (client fault)
+ *  <p>The <code>NextToken</code> value is invalid.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>The parameter name or value is invalid.</p>
+ *
+ * @throws {@link InvalidRequestException} (client fault)
+ *  <p>A parameter value is not valid for the current state of the
+ *       resource.</p>
+ *          <p>Possible causes:</p>
+ *          <ul>
+ *             <li>
+ *                <p>The secret is scheduled for deletion.</p>
+ *             </li>
+ *             <li>
+ *                <p>You tried to enable rotation on a secret that doesn't already have a Lambda function
+ *           ARN configured and you didn't include such an ARN as a parameter in this call. </p>
+ *             </li>
+ *             <li>
+ *                <p>The secret is managed by another service, and you must use that service to update it.
+ *           For more information, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/service-linked-secrets.html">Secrets managed by other Amazon Web Services services</a>.</p>
+ *             </li>
+ *          </ul>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>Secrets Manager can't find the resource that you asked for.</p>
+ *
+ * @throws {@link SecretsManagerServiceException}
+ * <p>Base exception class for all service exceptions from SecretsManager service.</p>
+ *
+ */
+export class BatchGetSecretValueCommand extends $Command<
+  BatchGetSecretValueCommandInput,
+  BatchGetSecretValueCommandOutput,
+  SecretsManagerClientResolvedConfig
+> {
+  public static getEndpointParameterInstructions(): EndpointParameterInstructions {
+    return {
+      UseFIPS: { type: "builtInParams", name: "useFipsEndpoint" },
+      Endpoint: { type: "builtInParams", name: "endpoint" },
+      Region: { type: "builtInParams", name: "region" },
+      UseDualStack: { type: "builtInParams", name: "useDualstackEndpoint" },
+    };
+  }
+
+  /**
+   * @public
+   */
+  constructor(readonly input: BatchGetSecretValueCommandInput) {
+    super();
+  }
+
+  /**
+   * @internal
+   */
+  resolveMiddleware(
+    clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>,
+    configuration: SecretsManagerClientResolvedConfig,
+    options?: __HttpHandlerOptions
+  ): Handler<BatchGetSecretValueCommandInput, BatchGetSecretValueCommandOutput> {
+    this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
+    this.middlewareStack.use(
+      getEndpointPlugin(configuration, BatchGetSecretValueCommand.getEndpointParameterInstructions())
+    );
+
+    const stack = clientStack.concat(this.middlewareStack);
+
+    const { logger } = configuration;
+    const clientName = "SecretsManagerClient";
+    const commandName = "BatchGetSecretValueCommand";
+    const handlerExecutionContext: HandlerExecutionContext = {
+      logger,
+      clientName,
+      commandName,
+      inputFilterSensitiveLog: (_: any) => _,
+      outputFilterSensitiveLog: BatchGetSecretValueResponseFilterSensitiveLog,
+      [SMITHY_CONTEXT_KEY]: {
+        service: "secretsmanager",
+        operation: "BatchGetSecretValue",
+      },
+    };
+    const { requestHandler } = configuration;
+    return stack.resolve(
+      (request: FinalizeHandlerArguments<any>) =>
+        requestHandler.handle(request.request as __HttpRequest, options || {}),
+      handlerExecutionContext
+    );
+  }
+
+  /**
+   * @internal
+   */
+  private serialize(input: BatchGetSecretValueCommandInput, context: __SerdeContext): Promise<__HttpRequest> {
+    return se_BatchGetSecretValueCommand(input, context);
+  }
+
+  /**
+   * @internal
+   */
+  private deserialize(output: __HttpResponse, context: __SerdeContext): Promise<BatchGetSecretValueCommandOutput> {
+    return de_BatchGetSecretValueCommand(output, context);
+  }
+}
diff --git a/clients/client-secrets-manager/src/commands/GetSecretValueCommand.ts b/clients/client-secrets-manager/src/commands/GetSecretValueCommand.ts
@@ -44,6 +44,7 @@ export interface GetSecretValueCommandOutput extends GetSecretValueResponse, __M
  * <p>Retrieves the contents of the encrypted fields <code>SecretString</code> or
  *         <code>SecretBinary</code> from the specified version of a secret, whichever contains
  *       content.</p>
+ *          <p>To retrieve the values for a group of secrets, call <a>BatchGetSecretValue</a>.</p>
  *          <p>We recommend that you cache your secret values by using client-side caching.
  *       Caching secrets improves speed and reduces your costs. For more information, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html">Cache secrets for
  *         your applications</a>.</p>

diff --git a/clients/client-secrets-manager/src/commands/ListSecretsCommand.ts b/clients/client-secrets-manager/src/commands/ListSecretsCommand.ts
@@ -42,8 +42,7 @@ export interface ListSecretsCommandOutput extends ListSecretsResponse, __Metadat
  *          <p>ListSecrets is eventually consistent, however it might not reflect changes from the last five minutes.
  *       To get the latest information for a specific secret, use <a>DescribeSecret</a>.</p>
  *          <p>To list the versions of a secret, use <a>ListSecretVersionIds</a>.</p>
- *          <p>To get the secret value from <code>SecretString</code> or <code>SecretBinary</code>,
- *       call <a>GetSecretValue</a>.</p>
+ *          <p>To retrieve the values for the secrets, call <a>BatchGetSecretValue</a> or <a>GetSecretValue</a>.</p>
  *          <p>For information about finding secrets in the console, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_search-secret.html">Find secrets in Secrets Manager</a>.</p>
  *          <p>Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters because it might be logged. For more information, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieve-ct-entries.html">Logging Secrets Manager events with CloudTrail</a>.</p>
  *          <p>

diff --git a/clients/client-secrets-manager/src/commands/index.ts b/clients/client-secrets-manager/src/commands/index.ts
@@ -1,4 +1,5 @@
 // smithy-typescript generated code
+export * from "./BatchGetSecretValueCommand";
 export * from "./CancelRotateSecretCommand";
 export * from "./CreateSecretCommand";
 export * from "./DeleteResourcePolicyCommand";