Key Management Service:RotateSecret

Last Updated: May 16, 2024

Immediately rotates a secret.

Limits:

• A secret of each Alibaba Cloud account can be rotated up to 50 times per hour.

• The RotateSecret operation does not support generic secrets.

Note

Call the operation only for secret types that support automatic rotation. To rotate a generic secret, call the PutSecretValue operation.

In the following example, a secret named RdsSecret/Mysql5.4/MyCred is manually rotated. The new version of the secret is 000000123.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

| Parameter | Type | Required | Example | Description |
| --- | --- | --- | --- | --- |
| Action | String | Yes | RotateSecret | The operation that you want to perform. Set the value to RotateSecret. |
| SecretName | String | Yes | RdsSecret/Mysql5.4/MyCred | The Alibaba Cloud Resource Name (ARN) of the secret or secret resource. Note: When you access a secret within another Alibaba Cloud account, you must enter the ARN of the secret. The ARN is in the acs:kms:${region}:${account}:secret/${secret-name} format. |
| VersionId | String | Yes | 000000123 | The version number of the new secret version after rotation. Note: The version number is used to ensure the idempotence of the request. Key Management Service (KMS) uses version numbers to prevent accidental duplication of versions, which can happen when your application retries a request after a failure. If a version number already exists, KMS ignores the request for rotation and returns a success message. |

Response parameters

| Parameter | Type | Example | Description |
| --- | --- | --- | --- |
| VersionId | String | 000000123 | The version number of the new secret version after rotation. |
| SecretName | String | RdsSecret/Mysql5.4/MyCred | The secret name. |
| RequestId | String | 10257c86-269d-43aa-aaf3-90ed4144bb7c | The ID of the request, which is used to locate and troubleshoot issues. |
| Arn | String | acs:kms:cn-hangzhou:154035569884****:secret/RdsSecret/Mysql5.4/MyCred | The Alibaba Cloud Resource Name (ARN) of the secret. |

For more information about common request parameters, see Common parameters.

Examples

Sample requests

http(s)://[Endpoint]/?Action=RotateSecret
&SecretName=RdsSecret/Mysql5.4/MyCred
&VersionId=000000123
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<RotateSecretResponse>
    <VersionId>000000123</VersionId>
    <SecretName>RdsSecret/Mysql5.4/MyCred</SecretName>
    <RequestId>10257c86-269d-43aa-aaf3-90ed4144bb7c</RequestId>
    <Arn>acs:kms:cn-hangzhou:154035569884****:secret/RdsSecret/Mysql5.4/MyCred</Arn>
</RotateSecretResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "VersionId" : "000000123",
  "SecretName" : "RdsSecret/Mysql5.4/MyCred",
  "RequestId" : "10257c86-269d-43aa-aaf3-90ed4144bb7c",
  "Arn" : "acs:kms:cn-hangzhou:154035569884****:secret/RdsSecret/Mysql5.4/MyCred"
}
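
Retrying with a stable VersionId

The VersionId note under Request parameters only protects a caller that sends the same VersionId on every retry. The following sketch is an added example, not part of the original documentation or of any Alibaba Cloud SDK: FakeKms is a constructed in-memory stand-in that models only the documented VersionId rule, and the rotate helper, the timeout behaviour and the UUID-based VersionId value are assumptions made for illustration.

```python
import uuid


class FakeKms:
    """Constructed in-memory stand-in for the KMS endpoint (not a real client).
    It models only the documented VersionId rule."""

    def __init__(self, lost_responses=0):
        self.versions = {}                  # SecretName -> VersionIds created
        self.lost_responses = lost_responses

    def rotate_secret(self, params):
        name, vid = params["SecretName"], params["VersionId"]
        created = self.versions.setdefault(name, [])
        if vid not in created:              # known VersionId: rotation is ignored
            created.append(vid)
        if self.lost_responses > 0:         # server acted, but the reply was lost
            self.lost_responses -= 1
            raise TimeoutError("response lost")
        return {"SecretName": name, "VersionId": vid}


def rotate(kms, secret_name, attempts=3, reuse_version_id=True):
    """Send RotateSecret, retrying on timeout. Returns the response dict."""
    version_id = uuid.uuid4().hex           # chosen once, before the first attempt
    for attempt in range(attempts):
        if not reuse_version_id and attempt > 0:
            version_id = uuid.uuid4().hex   # weak pattern: new id on every retry
        params = {"Action": "RotateSecret",
                  "SecretName": secret_name,
                  "VersionId": version_id}
        try:
            return kms.rotate_secret(params)
        except TimeoutError:
            continue
    raise RuntimeError("RotateSecret failed after %d attempts" % attempts)


def versions_created(reuse_version_id):
    """One logical rotation while two responses are lost; count versions created."""
    kms = FakeKms(lost_responses=2)
    rotate(kms, "RdsSecret/Mysql5.4/MyCred", reuse_version_id=reuse_version_id)
    return len(kms.versions["RdsSecret/Mysql5.4/MyCred"])


if __name__ == "__main__":
    print("fresh VersionId per retry:", versions_created(False))  # 3
    print("one VersionId reused:", versions_created(True))        # 1
```

With a fresh VersionId per retry, one intended rotation becomes three, and each of them counts toward the limit of 50 rotations per hour.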

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | InvalidParameter | The specified parameter is not valid. | The specified parameter is invalid. |

For a list of error codes, see Service error codes.