Syntax

Invoke-SECSecretRotation
    -SecretId <String>
    -RotationRules_AutomaticallyAfterDay <Int64>
    -ClientRequestToken <String>
    -RotationRules_Duration <String>
    -RotateImmediately <Boolean>
    -RotationLambdaARN <String>
    -RotationRules_ScheduleExpression <String>
    -Select <String>
    -PassThru <SwitchParameter>
    -Force <SwitchParameter>
Description

[…] AWSCURRENT. Then anyone who retrieves the secret gets the new version. For more information, see How rotation works.

You can create the Lambda rotation function based on the rotation function templates that Secrets Manager provides. Choose a template that matches your Rotation strategy.

When rotation is successful, the AWSPENDING staging label might be attached to the same version as the AWSCURRENT version, or it might not be attached to any version. If the AWSPENDING staging label is present but not attached to the same version as AWSCURRENT, then any later invocation of RotateSecret assumes that a previous rotation request is still in progress and returns an error. A rotation that fails part-way through leaves AWSPENDING attached to the incomplete version, so clear or move that label before starting rotation again.

Required permissions: secretsmanager:RotateSecret. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager. You also need lambda:InvokeFunction permissions on the rotation function. For more information, see Permissions for rotation.

Parameters

-ClientRequestToken <String>
[…] VersionId of the new version. If you use the Amazon Web Services CLI or one of the Amazon Web Services SDKs to call this operation, you can leave this parameter empty: the CLI or SDK generates a random UUID for you and includes it in the request. If you don't use an SDK and instead send a raw HTTP request to the Secrets Manager service endpoint, you must generate a ClientRequestToken yourself for new versions and include that value in the request. You only need to specify this value if you implement your own retry logic and want to ensure that Secrets Manager doesn't attempt to create a secret version twice. We recommend generating a UUID-type value to ensure uniqueness within the specified secret.
Required? | False
Position? | Named
Accept pipeline input? | True (ByPropertyName)
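The permissions paragraph above names two actions but not how to scope them. The following is an added example, not code from the AWS documentation page: it builds a least-privilege IAM policy for the principal that calls Invoke-SECSecretRotation, limited to one secret and one rotation function, and checks a policy document for the same grants on Resource "*". The ARNs are placeholders and the function names are this example's own; secretsmanager:DescribeSecret is included on the assumption that the caller will inspect staging labels before rotating.

```powershell
# Added example (not from the AWS documentation page): a least-privilege IAM
# policy for the caller of Invoke-SECSecretRotation, plus a check that rejects
# policies granting the two required actions on Resource "*".
# The ARNs are placeholders; the helper names are this example's own.

function New-SECRotationCallerPolicy {
    param(
        [Parameter(Mandatory)][string]$SecretArn,
        [Parameter(Mandatory)][string]$RotationLambdaArn
    )
    $policy = [ordered]@{
        Version   = '2012-10-17'
        Statement = @(
            [ordered]@{
                Sid      = 'RotateOneSecret'
                Effect   = 'Allow'
                # DescribeSecret (assumption) lets the caller inspect staging labels first
                Action   = @('secretsmanager:RotateSecret', 'secretsmanager:DescribeSecret')
                Resource = $SecretArn
            },
            [ordered]@{
                Sid      = 'InvokeOnlyTheRotationFunction'
                Effect   = 'Allow'
                Action   = 'lambda:InvokeFunction'
                Resource = $RotationLambdaArn
            }
        )
    }
    return ($policy | ConvertTo-Json -Depth 5)
}

function Test-SECRotationPolicyScope {
    # Returns $true only if every Allow statement that grants RotateSecret or
    # InvokeFunction (directly or through a wildcard action) names an explicit
    # resource rather than "*".
    param([Parameter(Mandatory)][string]$PolicyJson)
    $sensitive = @('secretsmanager:RotateSecret', 'lambda:InvokeFunction',
                   'secretsmanager:*', 'lambda:*', '*')
    $doc = $PolicyJson | ConvertFrom-Json
    foreach ($stmt in @($doc.Statement)) {
        if ($stmt.Effect -ne 'Allow') { continue }
        $actions   = @($stmt.Action)
        $resources = @($stmt.Resource)
        $grantsSensitive = @($actions | Where-Object { $sensitive -contains $_ }).Count -gt 0
        if ($grantsSensitive -and ($resources -contains '*')) { return $false }
    }
    return $true
}

$secretArn = 'arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/app/db-credentials-AbCdEf'  # placeholder
$lambdaArn = 'arn:aws:lambda:us-east-1:111122223333:function:RotateDbCreds'                          # placeholder

$scoped = New-SECRotationCallerPolicy -SecretArn $secretArn -RotationLambdaArn $lambdaArn
$scoped
Test-SECRotationPolicyScope -PolicyJson $scoped

# The same grants with Resource "*" would let the caller start rotation of every
# secret and invoke every Lambda function in the account; the check rejects them.
$overbroad = $scoped -replace [regex]::Escape($secretArn), '*' -replace [regex]::Escape($lambdaArn), '*'
Test-SECRotationPolicyScope -PolicyJson $overbroad
```

Test-SECRotationPolicyScope returns $true for the scoped policy and $false for the wildcard variant. It only inspects Allow statements and explicit "*" resources; a policy that reaches the same grant through a resource pattern such as arn:aws:secretsmanager:*:*:secret:* is out of scope for this check.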
-Force <SwitchParameter>
Required? | False
Position? | Named
Accept pipeline input? | True (ByPropertyName)
-PassThru <SwitchParameter>
Required? | False
Position? | Named
Accept pipeline input? | True (ByPropertyName)
-RotateImmediately <Boolean>
[…] testSecret step of the Lambda rotation function. The test creates an AWSPENDING version of the secret and then removes it. If you don't specify this value, then by default Secrets Manager rotates the secret immediately.
Required? | False
Position? | Named
Accept pipeline input? | True (ByPropertyName)
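The description, -ClientRequestToken and -RotateImmediately entries above describe three things a caller should handle together: a dangling AWSPENDING label makes RotateSecret fail, a reused ClientRequestToken makes retries idempotent, and -RotateImmediately $false only runs the testSecret step. The following is an added example, not code from the AWS documentation page: it reads the staging labels with the DescribeSecret cmdlet Get-SECSecret (not shown on this page), refuses to start rotation while AWSPENDING is attached to a version other than AWSCURRENT, and otherwise starts rotation with one token reused across retries. The AWS.Tools.SecretsManager module, the secret name, the Lambda ARN, the weekly schedule and the function names are assumptions chosen for this example.

```powershell
# Added example (not from the AWS documentation page): refuse to start a
# rotation while AWSPENDING is dangling, then start one with a single
# ClientRequestToken reused across retries so a retry cannot create a second
# version. Assumes AWS.Tools.SecretsManager is installed and the caller may
# call secretsmanager:DescribeSecret, secretsmanager:RotateSecret and
# lambda:InvokeFunction. Secret name, Lambda ARN and function names are
# placeholders chosen for this example.
Import-Module AWS.Tools.SecretsManager

function Test-SECPendingRotationDangling {
    # $true when AWSPENDING is attached to a version other than AWSCURRENT,
    # the state in which RotateSecret returns an error.
    param([Parameter(Mandatory)][string]$SecretId)
    $desc   = Get-SECSecret -SecretId $SecretId
    $stages = $desc.VersionIdsToStages          # version id -> list of staging labels
    $current = $stages.Keys | Where-Object { $stages[$_] -contains 'AWSCURRENT' } | Select-Object -First 1
    $pending = $stages.Keys | Where-Object { $stages[$_] -contains 'AWSPENDING' } | Select-Object -First 1
    return ($null -ne $pending -and $pending -ne $current)
}

function Start-SECIdempotentRotation {
    param(
        [Parameter(Mandatory)][string]$SecretId,
        [Parameter(Mandatory)][string]$RotationLambdaArn,
        [int]$MaxAttempts = 3
    )
    # Generate the token once; every retry sends the same value, so Secrets
    # Manager treats a repeated request as the same new version rather than
    # creating another one.
    $token = [guid]::NewGuid().ToString()
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            # -RotateImmediately $false: Secrets Manager runs the function's testSecret
            # step (creating and removing a temporary AWSPENDING version) and then waits
            # for the first scheduled window, here Mondays 08:00 to 11:00 UTC.
            # -Force suppresses the confirmation prompt for unattended runs.
            return Invoke-SECSecretRotation -SecretId $SecretId `
                -RotationLambdaARN $RotationLambdaArn `
                -RotationRules_ScheduleExpression 'cron(0 8 ? * MON *)' `
                -RotationRules_Duration '3h' `
                -RotateImmediately $false `
                -ClientRequestToken $token `
                -Force
        }
        catch {
            Write-Warning ('Attempt {0} of {1} failed: {2}' -f $attempt, $MaxAttempts, $_.Exception.Message)
            if ($attempt -eq $MaxAttempts) { throw }
            Start-Sleep -Seconds ([math]::Pow(2, $attempt))
        }
    }
}

$secretId  = 'prod/app/db-credentials'                                       # placeholder
$lambdaArn = 'arn:aws:lambda:us-east-1:111122223333:function:RotateDbCreds'  # placeholder

if (Test-SECPendingRotationDangling -SecretId $secretId) {
    throw "AWSPENDING on '$secretId' is attached to a version other than AWSCURRENT; clear or move it before starting a new rotation."
}
$response = Start-SECIdempotentRotation -SecretId $secretId -RotationLambdaArn $lambdaArn
'Rotation configured for {0}; new version id {1}' -f $response.Name, $response.VersionId
```

The pre-check does not retry: a dangling AWSPENDING is a state to clean up, not a transient failure, so retrying RotateSecret against it would only repeat the error. Retries are reserved for the Invoke-SECSecretRotation call itself, and the assumption that Invoke-SECSecretRotation returns the service response with Name and VersionId properties follows the cmdlet's default -Select behaviour.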
-RotationLambdaARN <String>
Required? | False
Position? | Named
Accept pipeline input? | True (ByPropertyName)
-RotationRules_AutomaticallyAfterDay <Int64>
[…] In DescribeSecret and ListSecrets, this value is calculated from the rotation schedule after every successful rotation. In RotateSecret, you can set the rotation schedule in RotationRules with AutomaticallyAfterDays or ScheduleExpression, but not both.
Required? | False
Position? | Named
Accept pipeline input? | True (ByPropertyName)
Aliases | RotationRules_AutomaticallyAfterDays
-RotationRules_Duration <String>
[…] 3h for a three hour window. Secrets Manager rotates your secret at any time during this window. The window must not go into the next UTC day. If you don't specify this value, the window automatically ends at the end of the UTC day. The window begins according to the ScheduleExpression. For more information, including examples, see Schedule expressions in Secrets Manager rotation.
Required? | False
Position? | Named
Accept pipeline input? | True (ByPropertyName)
-RotationRules_ScheduleExpression <String>
A cron() or rate() expression that defines the schedule for rotating your secret. Secrets Manager rotation schedules use the UTC time zone.

Secrets Manager rate() expressions represent the interval in days at which you want to rotate your secret, for example rate(10 days). If you use a rate() expression, the rotation window opens at midnight, and Secrets Manager rotates your secret any time that day after midnight. You can set a Duration to shorten the rotation window.

You can use a cron() expression to create rotation schedules that are more detailed than a rotation interval. If you use a cron() expression, Secrets Manager rotates your secret any time during that day after the window opens. For example, cron(0 8 1 * ? *) represents a rotation window that occurs on the first day of every month beginning at 8:00 AM UTC. Secrets Manager rotates the secret any time that day after 8:00 AM. You can set a Duration to shorten the rotation window. For more information, including examples, see Schedule expressions in Secrets Manager rotation.
Required? | False
Position? | Named
Accept pipeline input? | True (ByPropertyName)
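The -RotationRules_Duration and -RotationRules_ScheduleExpression entries above give the rule that decides whether a schedule is accepted: the window opens at the scheduled time (midnight for rate()), runs for Duration or to the end of the UTC day, and must not spill into the next UTC day. The following is an added example, not code from the AWS documentation page, that applies that rule offline before a schedule is submitted, using the two expressions from the page and one that violates the rule. It assumes the six-field Secrets Manager cron form cron(minutes hours day-of-month month day-of-week year) with a single numeric minute and hour; the "<n>m" and "<n>h<n>m" duration forms are an assumption, since the page only shows "3h". Function names are this example's own.

```powershell
# Added example (not from the AWS documentation page): check offline that a
# schedule expression plus an optional Duration keeps the rotation window
# inside a single UTC day, as Secrets Manager requires.
# Assumptions: cron() is the six-field form
#   cron(minutes hours day-of-month month day-of-week year)
# with a single numeric minute and hour; rate() windows open at 00:00 UTC;
# Duration is "<n>h", "<n>m" or "<n>h<n>m" (the minute forms are assumed,
# the page only shows "3h"). Function names are this example's own.

function Get-SECRotationWindowStart {
    param([Parameter(Mandatory)][string]$ScheduleExpression)
    if ($ScheduleExpression -match '^rate\((\d+) days?\)$') {
        return [timespan]::Zero                      # rate(): window opens at midnight UTC
    }
    if ($ScheduleExpression -match '^cron\((\d{1,2}) (\d{1,2}) \S+ \S+ \S+ \S+\)$') {
        $minute = [int]$Matches[1]
        $hour   = [int]$Matches[2]
        if ($hour -gt 23 -or $minute -gt 59) { throw "Invalid time of day in $ScheduleExpression" }
        return New-TimeSpan -Hours $hour -Minutes $minute
    }
    throw "Unsupported schedule expression: $ScheduleExpression"
}

function ConvertTo-SECDurationTimeSpan {
    param([Parameter(Mandatory)][string]$Duration)
    if ($Duration -notmatch '^(?=\d)(?:(\d+)h)?(?:(\d+)m)?$') {
        throw "Unsupported duration: $Duration (expected forms like 3h, 30m or 2h30m)"
    }
    $hours   = if ($Matches[1]) { [int]$Matches[1] } else { 0 }
    $minutes = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
    return New-TimeSpan -Hours $hours -Minutes $minutes
}

function Test-SECRotationWindow {
    param(
        [Parameter(Mandatory)][string]$ScheduleExpression,
        [string]$Duration
    )
    $dayEnd = New-TimeSpan -Hours 24
    $opens  = Get-SECRotationWindowStart -ScheduleExpression $ScheduleExpression
    # Without a Duration the window runs to the end of the UTC day.
    $closes = if ($Duration) { $opens + (ConvertTo-SECDurationTimeSpan -Duration $Duration) } else { $dayEnd }
    [pscustomobject]@{
        ScheduleExpression = $ScheduleExpression
        Duration           = $Duration
        OpensUtc           = '{0:00}:{1:00}' -f [int][math]::Floor($opens.TotalHours), $opens.Minutes
        ClosesUtc          = '{0:00}:{1:00}' -f [int][math]::Floor($closes.TotalHours), $closes.Minutes
        StaysInUtcDay      = ($closes -le $dayEnd)
    }
}

# The two expressions from the page, plus one whose 3h window would run to 01:00 the next day.
@(
    @{ ScheduleExpression = 'rate(10 days)' }
    @{ ScheduleExpression = 'cron(0 8 1 * ? *)';  Duration = '3h' }
    @{ ScheduleExpression = 'cron(0 22 1 * ? *)'; Duration = '3h' }
) | ForEach-Object { Test-SECRotationWindow @_ } | Format-Table -AutoSize
```

The first two rows report StaysInUtcDay as True (00:00 to 24:00 and 08:00 to 11:00); the third reports False because 22:00 plus three hours crosses midnight, which is exactly the combination Secrets Manager rejects. The check is deliberately conservative: cron fields with lists, ranges or steps in the hour position are refused rather than guessed at.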
-SecretId <String>
Required? | True
Position? | 1
Accept pipeline input? | True (ByValue, ByPropertyName)
-Select <String>
Required? | False
Position? | Named
Accept pipeline input? | True (ByPropertyName)
Common credential and region parameters

Parameter | Required? | Position? | Accept pipeline input? | Aliases
-AccessKey | False | Named | True (ByPropertyName) | AK
 | False | Named | True (ByValue, ByPropertyName) |
 | False | Named | True (ByPropertyName) |
 | False | Named | True (ByValue, ByPropertyName) |
-ProfileLocation | False | Named | True (ByPropertyName) | AWSProfilesLocation, ProfilesLocation
-ProfileName | False | Named | True (ByPropertyName) | StoredCredentials, AWSProfileName
-Region | False | Named | True (ByPropertyName) | RegionToCall
-SecretKey | False | Named | True (ByPropertyName) | SK, SecretAccessKey
-SessionToken | False | Named | True (ByPropertyName) | ST
AWS Tools for PowerShell: 2.x.y.z