This topic describes how to use Alibaba Cloud CLI to manage generic secrets. You can also manage generic secrets in the Key Management Service (KMS) console or by calling API operations.
Create a generic secret
- Example 1: Create a generic secret with no encryption key specified
Run the following command to call the CreateSecret operation to create a generic secret with no encryption key specified. Secrets Manager uses the default customer master key (CMK) to encrypt the secret value.
aliyun kms CreateSecret \ --SecretName db_cred \ --SecretData "{\"uname\": \"alice\", \"pwd\": \"12****\"}" \ --VersionId v1
KMS returns the following result:
{ "Arn": "acs:kms:cn-shanghai:111760096384****:secret/db_cred", "RequestId": "ef0e4234-085c-4676-9ab6-159f2338aaf0", "SecretName": "db_cred", "SecretType": "Generic", "VersionId": "v1" }
- Example 2: Create a generic secret with an encryption key specified
Run the following command to call the CreateSecret operation to create a generic secret with an encryption key specified. Secrets Manager uses the specified CMK to encrypt the secret value.
aliyun kms CreateSecret \ --SecretName ssh_key \ --SecretData ssh-key-blob \ --VersionId v1 \ --EncryptionKeyId Example-CMK-Id
Note- Secrets Manager uses the specified CMK to generate a data key. The data key is used to encrypt the plaintext of the secret value.
- If you want to specify a CMK when you create a generic secret by calling the CreateSecret operation, you must have the kms:GenerateDataKey permission on the specified CMK.
KMS returns the following result:
{ "Arn": "acs:kms:cn-shanghai:111760096384****:secret/ssh_key", "RequestId": "ef0e4234-085c-4676-9ab6-159f2338aaf0", "SecretName": "ssh_key", "SecretType": "Generic", "VersionId": "v1" }
Query generic secrets
Run the following command to call the ListSecrets operation to query generic secrets:
aliyun kms ListSecrets
KMS returns the following result:
{
"SecretList": {
"Secret": [
{
"SecretName": "db_cred",
"SecretType": "Generic",
"CreateTime": "2020-01-22T03:55:18Z",
"UpdateTime": "2020-01-22T03:55:18Z"
},
{
"SecretName": "ssh_key",
"SecretType": "Generic",
"CreateTime": "2020-01-22T03:57:09Z",
"UpdateTime": "2020-01-22T03:57:09Z"
}
]
},
"RequestId": "75aebbde-be68-4cab-ba6e-e4925b61****",
"PageNumber": 1,
"PageSize": 10,
"TotalCount": 2
}
Query the value of a generic secret
Run the following command to call the GetSecretValue operation to query the value of a generic secret:
aliyun kms GetSecretValue --SecretName ssh_key
KMS returns the following result:
{
"CreateTime": "2021-07-08T05:51:50Z",
"RequestId": "1415f5c7-ecb2-495e-8051-4cd466022c1f",
"SecretData": "{\"test\":\"test\"}",
"SecretDataType": "text",
"SecretName": "ssh_key",
"SecretType": "Generic",
"VersionId": "v1",
"VersionStages": {
"VersionStage": [
"ACSCurrent"
]
}
}
Query the metadata of a generic secret
Run the following command to call the DescribeSecret operation to query the metadata of a generic secret:
aliyun kms DescribeSecret --SecretName ssh_key
KMS returns the following result:
{
"Arn": "acs:kms:cn-shanghai:111760096384****:secret/ssh_key",
"SecretName": "ssh_key",
"SecretType": "Generic",
"EncryptionKeyId": "Example-CMK-Id",
"Description": "",
"CreateTime": "2020-01-22T03:57:09Z",
"UpdateTime": "2020-01-22T03:57:09Z",
"RequestId": "ca61398f-e61e-4552-aa7e-957955f6125s"
}
Delete a generic secret
- Run one of the following commands to call the DeleteSecret operation to delete a generic secret.
- Delete a generic secret with no recovery window specified. By default, you can recover
the secret within 30 days after the secret is deleted.
aliyun kms DeleteSecret --SecretName ssh_key
KMS returns the following result:
{ "SecretName": "ssh_key", "RequestId": "3e54b02b-6461-46bb-afd5-dbd29d96eead", "PlannedDeleteTime": "2020-02-21T04:24:04.58616562Z" }
- Delete a generic secret and specify a recovery window of seven days. You can recover
the secret within seven days after the secret is deleted.
aliyun kms DeleteSecret --SecretName ssh_key --RecoveryWindowInDays 7
KMS returns the following result:
{ "SecretName": "ssh_key", "RequestId": "95ec4f18-8f97-4fd5-b7c6-1588979dse4s", "PlannedDeleteTime": "2020-01-29T04:25:14.165242211Z" }
- Force delete a generic secret. The secret cannot be recovered.
aliyun kms DeleteSecret --SecretName ssh_key --ForceDeleteWithoutRecovery true
KMS returns the following result:
{ "SecretName": "ssh_key", "RequestId": "75efc9c3-8e21-4e38-b6e4-486886be1546", "PlannedDeleteTime": "2020-01-22T12:28:22.006884739+08:00" }
- Delete a generic secret with no recovery window specified. By default, you can recover
the secret within 30 days after the secret is deleted.
- Run the following command to call the RestoreSecret operation to recover a secret within the recovery window:
aliyun kms RestoreSecret --SecretName ssh_key
KMS returns the following result:
{ "RequestId": "12770cee-92af-42f5-88e0-cbaa7e0c1254", "SecretName": "ssh_key" }
Rotate a generic secret
For more information about how to rotate a generic secret, see Rotate generic secrets.