SecretsManager / Client / replicate_secret_to_regions

replicate_secret_to_regions#

SecretsManager.Client.replicate_secret_to_regions(**kwargs)#

Replicates the secret to a new Regions. See Multi-Region secrets.

Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.

Required permissions: secretsmanager:ReplicateSecretToRegions. If the primary secret is encrypted with a KMS key other than aws/secretsmanager, you also need kms:Decrypt permission to the key. To encrypt the replicated secret with a KMS key other than aws/secretsmanager, you need kms:GenerateDataKey and kms:Encrypt to the key. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.

See also: AWS API Documentation

Request Syntax

response = client.replicate_secret_to_regions(
    SecretId='string',
    AddReplicaRegions=[
        {
            'Region': 'string',
            'KmsKeyId': 'string'
        },
    ],
    ForceOverwriteReplicaSecret=True|False
)
Parameters:

  • SecretId (string) –

    [REQUIRED]

    The ARN or name of the secret to replicate.

  • AddReplicaRegions (list) –

    [REQUIRED]

    A list of Regions in which to replicate the secret.

    • (dict) –

      A custom type that specifies a Region and the KmsKeyId for a replica secret.

      • Region (string) –

        A Region code. For a list of Region codes, see Name and code of Regions.

      • KmsKeyId (string) –

        The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don’t include this field, Secrets Manager uses aws/secretsmanager.

  • ForceOverwriteReplicaSecret (boolean) – Specifies whether to overwrite a secret with the same name in the destination Region. By default, secrets aren’t overwritten.

Return type:

dict

Returns:

Response Syntax

{
    'ARN': 'string',
    'ReplicationStatus': [
        {
            'Region': 'string',
            'KmsKeyId': 'string',
            'Status': 'InSync'|'Failed'|'InProgress',
            'StatusMessage': 'string',
            'LastAccessedDate': datetime(2015, 1, 1)
        },
    ]
}

Response Structure

  • (dict) –

    • ARN (string) –

      The ARN of the primary secret.

    • ReplicationStatus (list) –

      The status of replication.

      • (dict) –

        A replication object consisting of a RegionReplicationStatus object and includes a Region, KMSKeyId, status, and status message.

        • Region (string) –

          The Region where replication occurs.

        • KmsKeyId (string) –

          Can be an ARN, Key ID, or Alias.

        • Status (string) –

          The status can be InProgress, Failed, or InSync.

        • StatusMessage (string) –

          Status message such as “Secret with this name already exists in this region”.

        • LastAccessedDate (datetime) –

          The date that the secret was last accessed in the Region. This field is omitted if the secret has never been retrieved in the Region.

Exceptions

  • SecretsManager.Client.exceptions.ResourceNotFoundException

  • SecretsManager.Client.exceptions.InvalidRequestException

  • SecretsManager.Client.exceptions.InvalidParameterException

  • SecretsManager.Client.exceptions.InternalServiceError