replicate-secret-to-regions¶

Description¶

Replicates the secret to a new Regions. See Multi-Region secrets .

Required permissions: secretsmanager:ReplicateSecretToRegions . For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager .

Synopsis¶

  replicate-secret-to-regions
--secret-id <value>
--add-replica-regions <value>
[--force-overwrite-replica-secret | --no-force-overwrite-replica-secret]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options¶

--secret-id (string)

The ARN or name of the secret to replicate.

--add-replica-regions (list)

A list of Regions in which to replicate the secret.

(structure)

A custom type that specifies a Region and the KmsKeyId for a replica secret.

Region -> (string)

A Region code. For a list of Region codes, see Name and code of Regions .

KmsKeyId -> (string)

The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don’t include this field, Secrets Manager uses aws/secretsmanager .

Shorthand Syntax:

Region=string,KmsKeyId=string ...

JSON Syntax:

[
  {
    "Region": "string",
    "KmsKeyId": "string"
  }
  ...
]

--force-overwrite-replica-secret | --no-force-overwrite-replica-secret (boolean)

Specifies whether to overwrite a secret with the same name in the destination Region.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples¶

To replicate a secret to another region

The following replicate-secret-to-regions example replicates a secret to eu-west-3. The replica is encrypted with the AWS managed key aws/secretsmanager.

aws secretsmanager replicate-secret-to-regions \
    --secret-id MyTestSecret \
    --add-replica-regions Region=eu-west-3

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-1a2b3c",
    "ReplicationStatus": [
        {
            "Region": "eu-west-3",
            "KmsKeyId": "alias/aws/secretsmanager",
            "Status": "InProgress"
        }
    ]
}

For more information, see Replicate a secret to another Region in the Secrets Manager User Guide.

Output¶

ARN -> (string)

The ARN of the primary secret.

ReplicationStatus -> (list)

The status of replication.

(structure)

A replication object consisting of a RegionReplicationStatus object and includes a Region, KMSKeyId, status, and status message.

Region -> (string)

The Region where replication occurs.

KmsKeyId -> (string)

Can be an ARN , Key ID , or Alias .

Status -> (string)

The status can be InProgress , Failed , or InSync .

StatusMessage -> (string)

Status message such as “Secret with this name already exists in this region “.

LastAccessedDate -> (timestamp)

The date that you last accessed the secret in the Region.

Table of Contents

Feedback

User Guide