Key Management Service: GetSecretValue

Last Updated: Nov 26, 2024

Queries a secret value by using a KMS Instance gateway.

Request parameters

| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| SecretName | string | Yes | secret001 | The secret name. |
| VersionStage | String | No | ACSCurrent | The stage label that marks the secret version. If you specify this parameter, KMS returns the secret value of the version that is marked with the specified stage label. Default value: ACSCurrent. Note: (1) For Resource Access Management (RAM) secrets, database secrets, and Elastic Compute Service (ECS) secrets, KMS returns only the secret values of the versions marked with ACSPrevious and ACSCurrent. Database secrets include ApsaraDB RDS secrets, PolarDB secrets and ApsaraDB for Redis/Tair secrets. (2) If you configure VersionStage and VersionId, the system checks whether the secret values that are specified by the parameters exist. If the secret values exist, the secret values are returned. If the secret values do not exist, a parameter error is returned. |
| VersionId | String | No | 00000000000000000000000000000001 | The version ID. If you configure this parameter, KMS returns the secret value of the specified version. Note: (1) RAM secrets, database secrets, and ECS secrets do not support this parameter. If you configure this parameter for RAM secrets, database secrets, and ECS secrets, the configuration is ignored. (2) If you configure VersionStage and VersionId, the system checks whether the secret values that are specified by the parameters exist. If the secret values exist, the secret values are returned. If the secret values do not exist, a parameter error is returned. |
| FetchExtendedConfig | Boolean | No | false | Specifies whether to obtain the extended configuration of the secret. Valid values: true (default, yes) and false. |

Response parameters

| Parameter | Type | Example | Description |
|---|---|---|---|
| SecretName | String | secret001 | The secret name. |
| SecretType | String | Generic | The type of the secret. Valid values: Generic (a generic secret), Rds (an ApsaraDB RDS secret), Redis (an ApsaraDB Redis/Tair secret), RAMCredentials (a RAM secret), ECS (an ECS secret), PolarDB (a PolarDB secret). |
| SecretData | String | testdata1 | The secret value. KMS decrypts the ciphertext of the secret value and returns the plaintext of the secret value for this parameter. |
| SecretDataType | String | binary | The type of the secret value. Valid values: text, binary. |
| VersionId | String | 00000000000000000000000000000001 | The version number of the secret value. |
| VersionStages | List | [ "ACSCurrent" ] | The stage label that marks the secret version. |
| CreateTime | String | 2020-02-21T15:39:26Z | The time when the secret is created. |
| RequestId | String | 6a3e9c36-1150-4881-84d3-eb8672fcafad | The ID of the request, which is used to locate and troubleshoot issues. |
| LastRotationDate | String | 2020-07-05T08:22:03Z | The time when the last rotation is performed. |
| NextRotationDate | String | 2020-07-06T18:22:03Z | The time when the next rotation is performed. |
| ExtendedConfig | String | {\"SecretSubType\":\"SingleUser\",\"DBInstanceId\":\"rm-uf667446pc955****\",\"CustomData\":{}} | The extended configuration of the secret. |
| AutomaticRotation | String | Enabled | Indicates whether automatic rotation is enabled. Valid values: Enabled (automatic rotation is enabled), Disabled (automatic rotation is disabled), Invalid (the status of automatic rotation is abnormal; in this case, KMS cannot automatically rotate the secret). |
| RotationInterval | String | 604800s | The interval for automatic rotation. The value must be in the integer[unit] format, where integer indicates the length of time and [unit] indicates the time unit. Valid values for the unit: s (seconds). For example, if the rotation period is 7 days, this parameter is set to 604800s. |
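
The response fields above can be checked for rotation and version hygiene after each call. The following is an added example, not code from the KMS documentation or SDK: it assumes the response has already been decoded into a Python dict, the names audit_response, parse_interval, parse_time, MANAGED_TYPES and SAMPLE are hypothetical, and treating a past NextRotationDate as a finding is an assumption of this example.

```python
import json
import re
from datetime import datetime, timezone

# Types for which the page says VersionId is ignored and only the
# ACSPrevious/ACSCurrent versions are returned.
MANAGED_TYPES = {"Rds", "Redis", "RAMCredentials", "ECS", "PolarDB"}

# Constructed sample response, built from the example values on this page.
SAMPLE = {
    "SecretName": "secret001", "SecretType": "Rds",
    "SecretData": "testdata1", "SecretDataType": "text",
    "VersionId": "00000000000000000000000000000001",
    "VersionStages": ["ACSCurrent"],
    "AutomaticRotation": "Enabled", "RotationInterval": "604800s",
    "LastRotationDate": "2020-07-05T08:22:03Z",
    "NextRotationDate": "2020-07-06T18:22:03Z",
    "ExtendedConfig": '{"SecretSubType":"SingleUser",'
                      '"DBInstanceId":"rm-uf667446pc955****","CustomData":{}}',
}

def parse_interval(value):
    """RotationInterval is integer[unit]; the only unit the page lists is s."""
    m = re.fullmatch(r"(\d+)s", value)
    if m is None:
        raise ValueError(f"unexpected RotationInterval: {value!r}")
    return int(m.group(1))

def parse_time(value):
    """Timestamps on the page are UTC in the form 2020-02-21T15:39:26Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_response(resp, requested_version_id=None, now=None):
    """Return rotation/version findings; never copies SecretData into the result."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if requested_version_id and resp["SecretType"] in MANAGED_TYPES:
        findings.append("VersionId is ignored for this secret type")
    if "ACSCurrent" not in resp.get("VersionStages", []):
        findings.append("returned version is not marked ACSCurrent")
    state = resp.get("AutomaticRotation")
    if state == "Invalid":
        findings.append("rotation status abnormal: KMS cannot rotate this secret")
    elif state == "Enabled" and parse_time(resp["NextRotationDate"]) < now:
        findings.append("NextRotationDate is in the past")
    interval = parse_interval(resp["RotationInterval"]) if "RotationInterval" in resp else None
    # ExtendedConfig is a JSON document carried inside a string field.
    extended = json.loads(resp["ExtendedConfig"]) if resp.get("ExtendedConfig") else {}
    return {"findings": findings, "interval_seconds": interval, "extended": extended}
```

The returned dict holds only metadata, so it can be logged or sent to monitoring without exposing SecretData.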

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 404 | Forbidden.ResourceNotFound | The resource does not exist in the system. | The secret does not exist. |
| 409 | Rejected.Disabled | The request was rejected because the key state is Disabled. | The key that is used to encrypt secrets is disabled. |

For a list of error codes, see Service error codes.