{ "description": "Secret is the Schema for the Secrets API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "SecretSpec defines the desired state of Secret.", "properties": { "description": { "description": "The description of the secret.", "type": "string" }, "forceOverwriteReplicaSecret": { "description": "Specifies whether to overwrite a secret with the same name in the destination\nRegion. By default, secrets aren't overwritten.", "type": "boolean" }, "kmsKeyID": { "description": "The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt\nthe secret value in the secret. An alias is always prefixed by alias/, for\nexample alias/aws/secretsmanager. For more information, see About aliases\n(https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html).\n\nTo use a KMS key in a different account, use the key ARN or the alias ARN.\n\nIf you don't specify this value, then Secrets Manager uses the key aws/secretsmanager.\nIf that key doesn't yet exist, then Secrets Manager creates it for you automatically\nthe first time it encrypts the secret value.\n\nIf the secret is in a different Amazon Web Services account from the credentials\ncalling the API, then you can't use aws/secretsmanager to encrypt the secret,\nand you must create and use a customer managed KMS key.", "type": "string" }, "kmsKeyRef": { "description": "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t name: my-api", "properties": { "from": { "description": "AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "name": { "description": "The name of the new secret.\n\nThe secret name can contain ASCII letters, numbers, and the following characters:\n/_+=.@-\n\nDo not end your secret name with a hyphen followed by six characters. If\nyou do so, you risk confusion and unexpected results when searching for a\nsecret by partial ARN. Secrets Manager automatically adds a hyphen and six\nrandom characters after the secret name at the end of the ARN.", "type": "string", "x-kubernetes-validations": [ { "message": "Value is immutable once set", "rule": "self == oldSelf" } ] }, "replicaRegions": { "description": "A list of Regions and KMS keys to replicate secrets.", "items": { "description": "A custom type that specifies a Region and the KmsKeyId for a replica secret.", "properties": { "kmsKeyID": { "type": "string" }, "region": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "secretString": { "description": "The text data to encrypt and store in this new version of the secret. We\nrecommend you use a JSON structure of key/value pairs for your secret value.\n\nEither SecretString or SecretBinary must have a value, but not both.\n\nIf you create a secret by using the Secrets Manager console then Secrets\nManager puts the protected secret text in only the SecretString parameter.\nThe Secrets Manager console stores the information as a JSON structure of\nkey/value pairs that a Lambda rotation function can parse.\n\nSensitive: This field contains sensitive information, so the service does\nnot include it in CloudTrail log entries. If you create your own log entries,\nyou must also avoid logging the information in this field.", "properties": { "key": { "description": "Key is the key within the secret", "type": "string" }, "name": { "description": "name is unique within a namespace to reference a secret resource.", "type": "string" }, "namespace": { "description": "namespace defines the space within which the secret name must be unique.", "type": "string" } }, "required": [ "key" ], "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "tags": { "description": "A list of tags to attach to the secret. Each tag is a key and value pair\nof strings in a JSON text string, for example:\n\n[{\"Key\":\"CostCenter\",\"Value\":\"12345\"},{\"Key\":\"environment\",\"Value\":\"production\"}]\n\nSecrets Manager tag key names are case sensitive. A tag with the key \"ABC\"\nis a different tag from one with key \"abc\".\n\nIf you check tags in permissions policies as part of your security strategy,\nthen adding or removing a tag can change permissions. If the completion of\nthis operation would result in you losing your permissions for this secret,\nthen Secrets Manager blocks the operation and returns an Access Denied error.\nFor more information, see Control access to secrets using tags (https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac)\nand Limit access to identities with tags that match secrets' tags (https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2).\n\nFor information about how to format a JSON parameter for the various command\nline tool environments, see Using JSON for Parameters (https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json).\nIf your command-line tool or SDK requires quotation marks around the parameter,\nyou should use single quotes to avoid confusion with the double quotes required\nin the JSON text.\n\nFor tag quotas and naming restrictions, see Service quotas for Tagging (https://docs.aws.amazon.com/general/latest/gr/arg.html#taged-reference-quotas)\nin the Amazon Web Services General Reference guide.", "items": { "description": "A structure that contains information about a tag.", "properties": { "key": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "status": { "description": "SecretStatus defines the observed state of Secret", "properties": { "ackResourceMetadata": { "description": "All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource", "properties": { "arn": { "description": "ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270", "type": "string" }, "ownerAccountID": { "description": "OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.", "type": "string" }, "region": { "description": "Region is the AWS region in which the resource exists or will exist.", "type": "string" } }, "required": [ "ownerAccountID", "region" ], "type": "object", "additionalProperties": false }, "conditions": { "description": "All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource", "items": { "description": "Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states of the CR and its backend AWS\nservice API resource", "properties": { "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition.", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, Unknown.", "type": "string" }, "type": { "description": "Type is the type of the Condition", "type": "string" } }, "required": [ "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "id": { "description": "The ARN of the secret.", "type": "string" }, "replicationStatus": { "description": "A list of the replicas of this secret and their status:\n\n * Failed, which indicates that the replica was not created.\n\n * InProgress, which indicates that Secrets Manager is in the process of\n creating the replica.\n\n * InSync, which indicates that the replica was created.", "items": { "description": "A replication object consisting of a RegionReplicationStatus object and includes\na Region, KMSKeyId, status, and status message.", "properties": { "kmsKeyID": { "type": "string" }, "lastAccessedDate": { "format": "date-time", "type": "string" }, "region": { "type": "string" }, "status": { "type": "string" }, "statusMessage": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "versionID": { "description": "The unique identifier associated with the version of the new secret.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object" }