All Products
Search
Document Center

Key Management Service:DescribeSecret

Last Updated:Dec 12, 2024

Queries the metadata of a secret.

This operation returns the metadata of a secret. This operation does not return the secret value.

In this example, the metadata of the secret named secret001 is queried.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter

Type

Required

Example

Description

Action String Yes DescribeSecret

The operation that you want to perform. Set the value to DescribeSecret.

SecretName String Yes secret001

The name or Alibaba Cloud Resource Name (ARN) of the secret.

Note When you access a secret within another Alibaba Cloud account, you must enter the ARN of the secret. The ARN is in the acs:kms:${region}:${account}:secret/${secret-name} format.
FetchTags String No true

Specifies whether to return the resource tags of the secret. Valid values:

  • true: The resource tags are returned.
  • false: The resource tags are not returned. This is the default value.

For more information about common request parameters, see Common parameters.

Response parameters

Parameter

Type

Example

Description

UpdateTime String 2024-02-21T15:39:26Z

The time when the secret is updated.

CreateTime String 2024-02-21T15:39:26Z

The time when the secret is created.

NextRotationDate String 2024-07-06T18:22:03Z

The time when the next rotation is performed.

Note This parameter is returned when automatic rotation is enabled.
EncryptionKeyId String key-hzz63ca8cbe3hefht****

The ID of the key that is used to encrypt the secret value.

RotationInterval String 3153600s

The interval for automatic rotation.

The value is in the integer[unit] format. integer indicates the time period, and unit indicates the unit of the time period. The value of unit is fixed as s, which indicates seconds. For example, if the value is 604800s, automatic rotation is performed at a 7-day interval.

Note This parameter is returned when automatic rotation is enabled.
Arn String acs:kms:cn-hangzhou:154035569884****:secret/secret001

The ARN of the secret.

ExtendedConfig String {\"AccountName\":\"kms\",\"Database\":\"kmsdata\",\"AccountPrivilege\":\"RoleReadOnly\",\"CloneAccountName\":\"kms_clone\",\"CustomData\":{},\"InstanceId\":\"pc-bp134f7hnijoey****\",\"RegionId\":\"cn-hangzhou\",\"SecretSubType\":\"DoubleUsers\"}"

The extended configuration of the secret.

Note The parameter is returned only for ApsaraDB RDS secrets, Resource Access Management (RAM) secrets, PolarDB secrets, or Elastic Compute Service (ECS) secrets.
LastRotationDate String 2022-07-05T08:22:03Z

The time when the last rotation is performed.

Note The parameter is returned if the secret is rotated.
RequestId String 93348dfb-3627-4417-8d90-487a76a909c9

The request ID.

Description String userinfo

The description of the secret.

SecretName String secret001

The name of the secret.

AutomaticRotation String Enabled

Indicates whether automatic rotation is enabled. Valid values:

  • Enabled: indicates that automatic rotation is enabled.
  • Disabled: indicates that automatic rotation is disabled.
  • Invalid: indicates that the status of automatic rotation is abnormal. In this case, Key Management Service (KMS) cannot automatically rotate the secret.
Note The parameter is returned only for ApsaraDB RDS secrets, PolarDB secrets, RAM secrets, or ECS secrets.
SecretType String Rds

The type of the secret. Valid values:

  • Generic: generic secret.
  • Rds: ApsaraDB RDS secret.
  • RAMCredentials: RAM secret.
  • ECS: ECS secret.
  • PolarDB: PolarDB secret.
PlannedDeleteTime String 2025-03-21T15:45:12Z

The time when the secret is scheduled to be deleted.

DKMSInstanceId String kst-bjj62d8f5e0sgtx8h****

The ID of the KMS instance.

Tags Array of Tag

The resource tag of the secret.

This parameter is not returned if you set FetchTags to false or you do not specify FetchTags.

Tag
TagValue String val1

The tag value.

TagKey String key1

The tag key.

Examples

Sample requests

http(s)://[Endpoint]/?Action=DescribeSecret
&SecretName=secret001
&FetchTags=true
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribeSecretResponse>
    <UpdateTime>2024-02-21T15:39:26Z</UpdateTime>
    <CreateTime>2024-02-21T15:39:26Z</CreateTime>
    <NextRotationDate>2024-07-06T18:22:03Z</NextRotationDate>
    <EncryptionKeyId>key-hzz63ca8cbe3hefht****</EncryptionKeyId>
    <RotationInterval>3153600s</RotationInterval>
    <Arn>acs:kms:cn-hangzhou:154035569884****:secret/secret001</Arn>
    <ExtendedConfig>{\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\",  \"CustomData\":{} }</ExtendedConfig>
    <LastRotationDate>2022-07-05T08:22:03Z</LastRotationDate>
    <RequestId>93348dfb-3627-4417-8d90-487a76a909c9</RequestId>
    <Description>userinfo</Description>
    <SecretName>secret001</SecretName>
    <AutomaticRotation>Enabled</AutomaticRotation>
    <SecretType>Rds</SecretType>
    <PlannedDeleteTime>2025-03-21T15:45:12Z</PlannedDeleteTime>
    <DKMSInstanceId>kst-bjj62d8f5e0sgtx8h****</DKMSInstanceId>
    <Tags>
        <TagValue>val1</TagValue>
        <TagKey>key1</TagKey>
    </Tags>
</DescribeSecretResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "UpdateTime" : "2024-02-21T15:39:26Z",
  "CreateTime" : "2024-02-21T15:39:26Z",
  "NextRotationDate" : "2024-07-06T18:22:03Z",
  "EncryptionKeyId" : "key-hzz63ca8cbe3hefht****",
  "RotationInterval" : "3153600s",
  "Arn" : "acs:kms:cn-hangzhou:154035569884****:secret/secret001",
  "ExtendedConfig" : "{\\\"SecretSubType\\\":\\\"SingleUser\\\", \\\"DBInstanceId\\\":\\\"rm-uf667446pc955****\\\",  \\\"CustomData\\\":{} }",
  "LastRotationDate" : "2022-07-05T08:22:03Z",
  "RequestId" : "93348dfb-3627-4417-8d90-487a76a909c9",
  "Description" : "userinfo",
  "SecretName" : "secret001",
  "AutomaticRotation" : "Enabled",
  "SecretType" : "Rds",
  "PlannedDeleteTime" : "2025-03-21T15:45:12Z",
  "DKMSInstanceId" : "kst-bjj62d8f5e0sgtx8h****",
  "Tags" : [ {
    "TagValue" : "val1",
    "TagKey" : "key1"
  } ]
}

Error codes

HTTP status code

Error code

Error message

Description

400 IllegalTimestamp The input parameter Timestamp that is mandatory for processing this request is not supplied. The input parameter timestamp indicates that the request is outside the processing time range.
400 InvalidParameter The specified parameter is not valid. An invalid value is specified for the parameter.
403 Forbidden.NoPermission You are not authorized to perform the operation. You are not authorized to perform the operation.

For a list of error codes, see Service error codes.