All Products
Search

This Product

    Key Management Service:CreateSecret

    Document Center

    Key Management Service:CreateSecret

    Last Updated:Dec 12, 2024

    Creates a secret and stores the initial version of the secret.

    You must specify the secret name, the secret value that is stored in the initial version, and the version number. The initial version of the secret is labeled as ACSCurrent.

    Key Management Service (KMS) uses a key to encrypt the secret value. The key and the secret must belong to the same KMS instance, and the key must be a symmetric key.

    Note

    KMS encrypts the secret value of each version. Metadata such as the secret name, version number, and stage label of the version are not encrypted.

    Before you can encrypt a secret value, you must have the kms:GenerateDataKey permission on the key that is used to encrypt the secret value.

    This topic provides an example on how to create an ApsaraDB RDS secret whose name is mydbconninfo, initial version VersionId is v1, and secret value SecretData is {"Accounts":[{"AccountName":"user1","AccountPassword":"****"}]}.

    Debugging

    OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

    Request parameters

    Parameter

    Type

    Required

    Example

    Description

    Action

    String

    Yes

    CreateSecret

    The operation that you want to perform. Set the value to CreateSecret.

    SecretName

    String

    Yes

    mydbconninfo

    The name of the secret. The name must be unique in the current region.

    The name can be up to 192 characters in length, and can contain letters, digits, and the following special characters: _ / + = . - @. The following list describes the naming conventions for different types of secrets:

    • If you set SecretType to Generic, Rds, or Redis, the name cannot start with acs/. The value Generic specifies a generic secret, Rds an ApsaraDB RDS secret, and Redis an ApsaraDB for Redis or Tair secret.

    • If you set SecretType to RAMCredentials, the value $Auto is used. In this case, KMS automatically generates a secret name that starts with acs/ram/user/. The name includes the display name of a required Resource Access Management (RAM) user.

    • If you set SecretType to ECS, the name must start with acs/ecs/.

    VersionId

    String

    Yes

    v1

    The initial version number. The version number must be unique within the secret.

    The version number can be up to 64 characters in length.

    EncryptionKeyId

    String

    No

    key-gzz63ff0db5hg3qje****

    The ID of the key that is used to encrypt the secret value.

    Note

    The key and the secret must belong to the same KMS instance, and the key must be a symmetric key.

    SecretData

    String

    Yes

    {"Accounts":[{"AccountName":"user1","AccountPassword":"****"}]}

    The secret value. The value can be up to 30,720 bytes in length, which is equivalent to 30 KB in size. KMS uses the specified key to encrypt the secret value and then stores the secret value in the initial version.

    • If you set SecretType to Generic, you can configure a custom secret value.

    • If you set SecretType to Rds, the secret value is in the {"Accounts":[{"AccountName":"","AccountPassword":""}]} format. AccountName specifies the username of the account for the ApsaraDB RDS instance, and AccountPassword specifies the password of the account.

    • If you set SecretType to Redis, the secret value is $Auto.

    • If you set SecretType to RAMCredentials, the secret value is in the {"AccessKeys":[{"AccessKeyId":"","AccessKeySecret":""}]} format. AccessKeyId specifies the AccessKey ID of the RAM user and AccessKeySecret specifies the AccessKey secret of the RAM user. You must specify all the AccessKey pairs of the RAM user.

    • If you set SecretType to PolarDB, the secret value is $Auto.

    • If you set SecretType to ECS, the secret value must be in one of the following formats:

      • {"UserName":"","Password": ""}: This format is used when you set the value of SecretSubType to Password in the ExtendedConfig parameter. UserName specifies the username that is used to log on to the Elastic Compute Service (ECS) instance, and Password specifies the password that is used to log on to the ECS instance.

      • {"UserName":"","PublicKey": "", "PrivateKey": ""}: This format is used when you set the value of SecretSubType to SSHKey in the ExtendedConfig parameter. PublicKey specifies the SSH public key that is used to log on to the ECS instance, and PrivateKey specifies the SSH private key that is used to log on to the ECS instance.

    SecretDataType

    String

    No

    text

    The type of the secret value. Valid values:

    • text (default)

    • binary

    Note

    If you set SecretType to Rds, Redis, PolarDB, RAMCredentials, or ECS, you must set SecretDataType to text.

    Description

    String

    No

    mydbinfo

    The description of the secret.

    Tags

    String

    No

    [{\"TagKey\":\"key1\",\"TagValue\":\"val1\"},{\"TagKey\":\"key2\",\"TagValue\":\"val2\"}]

    The tags of the secret. A tag consists of a key-value pair.

    A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, and the following special characters: / \ _ - . + = : @

    • A tag key cannot start with aliyun or acs:.

    • You can specify up to 20 key-value pairs for each secret.

    SecretType

    String

    No

    Rds

    The type of the secret. Valid values:

    • Generic (default): generic secret.

    • Rds: ApsaraDB RDS secret.

    • Redis: ApsaraDB for Redis secret.

    • RAMCredentials: RAM secret.

    • ECS: ECS secret.

    • PolarDB: PolarDB secret.

    ExtendedConfig

    Map

    No

    {"SecretSubType":"SingleUser", "DBInstanceId":"rm-bp1b3dd3a506e****" ,"CustomData":{"Key1": "v1", "fds":"fdsf"}}

    The extended configuration of the secret. This parameter specifies the properties of the secret of the specific type. The value can be up to 1,024 characters in length.

    • If you set SecretType to Generic, you do not need to configure this parameter.

    • If you set SecretType to Rds, you must configure the following fields in the ExtendedConfig parameter:

      • SecretSubType: required. The subtype of the secret. Valid values:

        • SingleUser: KMS manages the ApsaraDB RDS secret in single-account mode. When the secret is rotated, the password of the specified account is reset to a new random password.

        • DoubleUsers: KMS manages the ApsaraDB RDS secret in dual-account mode. One account is referenced by the ACSCurrent version, and the other account is referenced by the ACSPrevious version. When the secret is rotated, the password of the account referenced by the ACSPrevious version is reset to a new random password. Then, KMS switches the referenced accounts between the ACSCurrent and ACSPrevious versions.

      • DBInstanceId: required. The ID of the ApsaraDB RDS instance to which the ApsaraDB RDS account belongs.

      • CustomData: optional. The custom data. The value is a collection of key-value pairs in the JSON format. You can specify up to 10 key-value pairs. Separate multiple key-value pairs with commas (,). Example: {"Key1": "v1", "fds":"fdsf"}. The default value is a pair of empty braces ({}).

    • If you set SecretType to Redis, you must configure the following fields in the ExtendedConfig parameter:

      • SecretSubType: required. The subtype of the secret. Valid values:

        • DoubleUsers: KMS manages the ApsaraDB for Redis secret in dual-account mode. One account is referenced by the ACSCurrent version, and the other account is referenced by the ACSPrevious version. When the secret is rotated, the password of the account referenced by the ACSPrevious version is reset to a new random password. Then, KMS switches the referenced accounts between the ACSCurrent and ACSPrevious versions.

      • AccountName: required. The username of the account that is used to log on to the ApsaraDB for Redis database.

      • CloneAccountName: required. The username of the account for the ApsaraDB for Redis database, which is the value of AccountName appended with the _clone suffix.

      • AccountPrivilege: required. The permissions to access the ApsaraDB for Redis database.

      • InstanceId: required. The ID of the ApsaraDB for Redis instance.

      • RegionId: required. The ID of the region where the ApsaraDB for Redis instance resides.

      • CustomData: optional. The custom data. The value is a collection of key-value pairs in the JSON format. You can specify up to 10 key-value pairs. Separate multiple key-value pairs with commas (,). Example: {"Key1": "v1", "fds":"fdsf"}. The default value is a pair of empty braces ({}).

    • If you set SecretType to RAMCredentials, you must configure the following fields in the ExtendedConfig parameter:

      • SecretSubType: required. The subtype of the secret. Set the value to RamUserAccessKey.

      • UserName: required. The name of the RAM user.

      • CustomData: optional. The custom data. The value is a collection of key-value pairs in the JSON format. You can specify up to 10 key-value pairs. Separate multiple key-value pairs with commas (,). The default value is a pair of empty braces ({}).

    • If you set SecretType to ECS, you must configure the following fields in the ExtendedConfig parameter:

      • SecretSubType: required. The subtype of the secret. Valid values:

        • Password: the password that is used to log on to the ECS instance.

        • SSHKey: the SSH public key and private key that are used to log on to the ECS instance.

      • RegionId: required. The ID of the region in which the ECS instance resides.

      • InstanceId: required. The ID of the ECS instance.

      • CustomData: optional. The custom data. The value is a collection of key-value pairs in the JSON format. You can specify up to 10 key-value pairs. Separate multiple key-value pairs with commas (,). The default value is a pair of empty braces ({}).

    • If you set SecretType to PolarDB, you must configure the following fields in the ExtendedConfig parameter:

      • SecretSubType: required. Set the value to DoubleUsers.

      • RegionId: required. The ID of the region where the PolarDB cluster resides.

      • DBClusterId: required. The ID of the PolarDB cluster.

      • DBType: required. The database engine of the PolarDB cluster. Set the value to MySQL or PostgreSQL.

      • AccountName: required. The username of the account that is used for logon.

      • CloneAccountName: the username of the account, which is the value of AccountName appended with the _clone suffix.

      • AccountType: the type of the account. Set the value to Normal.

      • AccountPrivilege: the permissions of the account. You can specify this field only when the DBType field is set to MySQL.

      • DBName: the name of the database. You can specify this field only when the DBType field is set to MySQL.

      • CustomData: optional. The custom data. The value is a collection of key-value pairs in the JSON format. You can specify up to 10 key-value pairs. Separate multiple key-value pairs with commas (,). Example: {"Key1": "v1", "fds":"fdsf"}. The default value is a pair of empty braces ({}).

    Note

    If you set SecretType to Rds, Redis, PolarDB, RAMCredentials, or ECS, this parameter is required.

    EnableAutomaticRotation

    Boolean

    No

    true

    Specifies whether to enable automatic rotation. Valid values:

    • true

    • false (default)

    Note

    This parameter takes effect only when you set SecretType to Rds, PolarDB, Redis, RAMCredentials, or ECS. If you set SecretType to Generic, automatic rotation is not supported. You can call the PutSecretValue operation to manually rotate a generic secret.

    RotationInterval

    String

    No

    30d

    The interval for automatic rotation. Valid values: 6 hours to 8,760 hours (365 days).

    The value is in the integer[unit] format. integer indicates the time period. unit indicates the unit of the time period.

    The unit can be d (day), h (hour), m (minute), or s (second). If the value is 7d or 604800s, automatic rotation is performed at a 7-day interval.

    Note

    This parameter is required only when EnableAutomaticRotation is set to true.

    DKMSInstanceId

    String

    No

    kst-bjj62d8f5e0sgtx8h****

    The ID of the KMS instance.

    Policy

    String

    No

    {"Version":"1","Statement": [{"Sid":"kms default secret policy","Effect":"Allow","Principal":{"RAM": ["acs:ram::119285303511****:*"]},"Action":["kms:*"],"Resource": ["*"] }] }

    The content of the secret policy. The value is in the JSON format. The value can be up to 32,768 bytes in length.

    For more information about secret policies, see Overview. If you do not configure this parameter, the default secret policy is used.

    A secret policy contains the following content:

    • Version: the version of the secret policy. Set the value to 1.

    • Statement: the statement of the secret policy. Each secret policy contains one or more statements.

    Example:

    {
    "Version": "1",
    "Statement": [
        {
            "Sid": "Enable RAM User Permissions",
            "Effect": "Allow",
            "Principal": {
              "RAM": ["acs:ram::12345678****:*"]
            },
            "Action": [
                "kms:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

    Statement description:

    • Sid: optional. The statement identifier of a custom statement. The value can be up to 128 characters in length and can contain letters, digits, and the following special characters: _ / + = . @ -

    • Effect: required. Specifies whether the permissions in a policy statement are allowed or denied. Valid values: Allow and Deny.

    • Principal: required. The authorization principal of the policy. The following principals are supported: the current Alibaba Cloud account to which the secret belongs, RAM users and RAM roles of the current Alibaba Cloud account, and RAM users and RAM roles of other Alibaba Cloud accounts.

    • Action: required. The API operation that you want to allow or deny. The value must start with kms:. For more information about the API operation scope, see Overview. If you specify an API operation outside the scope, the policy does not take effect.

    • Resource: required. Set the value to an asterisk (*), which specifies the current secret.

    • Condition: optional. Specify the conditions that are required for a policy to take effect. Conditions allow you to evaluate the context of an API request to determine whether a policy statement applies. Format: "Condition": {"condition operator": {"condition key": "condition value"}}. For more information, see Overview.

    Note

    If you grant a RAM user or RAM role of other Alibaba Cloud accounts the permissions to use a secret, you must use the Alibaba Cloud account of the RAM user or RAM role to grant the RAM user or RAM role the permissions to use the secret in RAM. For more information, see Custom policies, Grant permissions to a RAM user, and Grant permissions to a RAM role.

    For more information about common request parameters, see Common parameters.

    Response parameters

    Parameter

    Type

    Example

    Description

    RequestId

    String

    3bf02f7a-015b-4f93-be0f-cc043fda2dd3

    The request ID.

    AutomaticRotation

    String

    Enabled

    Indicates whether automatic rotation is enabled. Valid values:

    • Enabled: indicates that automatic rotation is enabled.

    • Disabled: indicates that automatic rotation is disabled.

    • Invalid: indicates that the status of automatic rotation is abnormal. In this case, Secrets Manager cannot automatically rotate the secret.

    Note

    If SecretType is set to Rds, Redis, PolarDB, RAMCredentials, or ECS, this parameter is returned.

    SecretName

    String

    mydbconninfo

    The name of the secret.

    VersionId

    String

    v1

    The version number of the secret.

    NextRotationDate

    String

    2023-07-06T18:22:03Z

    The time when the next rotation is performed.

    Note

    If automatic rotation is enabled, this parameter is returned.

    SecretType

    String

    Rds

    The type of the secret. Valid values:

    • Generic: generic secret.

    • Rds: ApsaraDB RDS secret.

    • Redis: ApsaraDB for Redis secret.

    • RAMCredentials: RAM secret.

    • ECS: ECS secret.

    • PolarDB: PolarDB secret.

    RotationInterval

    String

    604800s

    The interval for automatic rotation.

    The value is in the integer[unit] format. integer indicates the time period. unit indicates the unit of the time period. The value of unit is fixed as s, which indicates seconds. If the value is 604800s, automatic rotation is performed at a 7-day interval.

    Note

    If automatic rotation is enabled, this parameter is returned.

    Arn

    String

    acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo

    The Alibaba Cloud Resource Name (ARN) of the secret.

    ExtendedConfig

    String

    {\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\", \"CustomData\":"Key1": "v1", "fds":"fdsf"} }

    The extended configuration of the secret.

    Note

    If SecretType is set to Rds, Redis, PolarDB, RAMCredentials, or ECS, this parameter is returned.

    DKMSInstanceId

    String

    kst-bjj62d8f5e0sgtx8h****

    The ID of the KMS instance.

    Examples

    Sample requests

    http(s)://[Endpoint]/?Action=CreateSecret
&SecretName=mydbconninfo
&VersionId=v1
&EncryptionKeyId=key-gzz63ff0db5hg3qje****
&SecretData={"Accounts":[{"AccountName":"user1","AccountPassword":"****"}]}
&SecretDataType=text
&Description=mydbinfo
&Tags=[{\"TagKey\":\"key1\",\"TagValue\":\"val1\"},{\"TagKey\":\"key2\",\"TagValue\":\"val2\"}]
&SecretType=Rds
&EnableAutomaticRotation=true
&RotationInterval=30d
&DKMSInstanceId=kst-bjj62d8f5e0sgtx8h****
&Policy={"Version":"1","Statement": [{"Sid":"kms default secret policy","Effect":"Allow","Principal":{"RAM": ["acs:ram::119285303511****:*"]},"Action":["kms:*"],"Resource": ["*"] }] }
&<Common request parameters>

    Sample success responses

    XML format

    HTTP/1.1 200 OK
Content-Type:application/xml

<CreateSecretResponse>
    <RequestId>3bf02f7a-015b-4f93-be0f-cc043fda2dd3</RequestId>
    <AutomaticRotation>Enabled</AutomaticRotation>
    <SecretName>mydbconninfo</SecretName>
    <VersionId>v1</VersionId>
    <NextRotationDate>2023-07-06T18:22:03Z</NextRotationDate>
    <SecretType>Rds</SecretType>
    <RotationInterval>604800s</RotationInterval>
    <Arn>acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo</Arn>
    <ExtendedConfig>{\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\",  \"CustomData\":"Key1": "v1", "fds":"fdsf"} }</ExtendedConfig>
    <DKMSInstanceId>kst-bjj62d8f5e0sgtx8h****</DKMSInstanceId>
</CreateSecretResponse>

    JSON format

    HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "3bf02f7a-015b-4f93-be0f-cc043fda2dd3",
  "AutomaticRotation" : "Enabled",
  "SecretName" : "mydbconninfo",
  "VersionId" : "v1",
  "NextRotationDate" : "2023-07-06T18:22:03Z",
  "SecretType" : "Rds",
  "RotationInterval" : "604800s",
  "Arn" : "acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo",
  "ExtendedConfig" : "{\\\"SecretSubType\\\":\\\"SingleUser\\\", \\\"DBInstanceId\\\":\\\"rm-uf667446pc955****\\\",  \\\"CustomData\\\":\"Key1\": \"v1\", \"fds\":\"fdsf\"} }",
  "DKMSInstanceId" : "kst-bjj62d8f5e0sgtx8h****"
}

    Error codes

    HTTP status code

    Error code

    Error message

    Description

    400

    UnsupportedOperation

    This action is not supported.

    The operation is not supported.

    400

    Rejected.LimitExceeded

    The request was rejected because user create resource limit was exceeded

    The request is rejected because the number of created resources reaches the upper limit.

    400

    InvalidParameter

    The specified parameter is not valid.

    An invalid value is specified for the parameter.

    400

    Rejected.ShareQuotaExceedLimit

    Instance Share Quota Exceed Limit.

    The access management quota is exceeded.

    403

    Forbidden.DKMSInstanceNotFound

    The specified DKMS Instance is not found.

    Your dedicated KMS instance is not found.

    404

    Forbidden.ResourceNotFound

    The resource is not found.

    The specified resource does not exist.

    409

    Rejected.ResourceExist

    The resource already exists.

    The specified resource already exists.

    409

    Rejected.ResourceInDeleteWindow

    The secret is planned to be deleted.

    The secret is to be deleted.

    500

    InternalFailure

    Internal Failure

    An internal error has occurred.

    For a list of error codes, see Service error codes.