Creates a secret and stores the initial version of the secret.
You must specify a secret name, a secret value, and a version number. The initial version of the secret is labeled as ACSCurrent.
Key Management Service (KMS) uses a key to encrypt the secret value. The key and the secret must belong to the same KMS instance, and the key must be a symmetric key.
Before you can encrypt a secret value, you must have the kms:GenerateDataKey
permission on the key that is used to encrypt the secret value.
This topic provides an example on how to create an ApsaraDB RDS secret whose name is mydbconninfo
, initial version VersionId
is v1
, and secret value SecretData
is {"Accounts":[{"AccountName":"user1","AccountPassword":"****"}]}
.
Debugging
Request parameters
Parameter |
Type |
Required |
Example |
Description |
Action | String | Yes | CreateSecret | The operation that you want to perform. Set the value to CreateSecret. |
SecretName | String | Yes | mydbconninfo | The name of the secret. The name must be unique in the current region. The name can be up to 192 characters in length, and can contain letters, digits, and the following special characters: _ / + = . - @. The following list describes the naming conventions for different types of secrets:
|
VersionId | String | Yes | v1 | The initial version number. The version number must be unique within the secret. The version number can be up to 64 characters in length. |
EncryptionKeyId | String | No | key-gzz63ff0db5hg3qje**** | The ID of the key that is used to encrypt the secret value. Note The key and the secret must belong to the same KMS instance, and the key must be a symmetric key. |
SecretData | String | Yes | {"Accounts":[{"AccountName":"user1","AccountPassword":"****"}]} | The secret value. The value can be up to 30,720 bytes in length, which is equivalent to 30 KB in size. KMS uses the specified key to encrypt the secret value and then stores the secret value in the initial version.
|
SecretDataType | String | No | text | The type of the secret value. Valid values:
Note If you set SecretType to Rds, Redis, RAMCredentials, or ECS, you must set SecretDataType to text. |
Description | String | No | mydbinfo | The description of the secret. |
Tags | String | No | [{\"TagKey\":\"key1\",\"TagValue\":\"val1\"},{\"TagKey\":\"key2\",\"TagValue\":\"val2\"}] | The tags of the secret. A tag consists of a key-value pair. A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, and the following special characters: / \ _ - . + = : @
|
SecretType | String | No | Rds | The type of the secret. Valid values:
|
ExtendedConfig | Map | No | {"SecretSubType":"SingleUser", "DBInstanceId":"rm-bp1b3dd3a506e****" ,"CustomData":{"Key1": "v1", "fds":"fdsf"}} | The extended configuration of the secret. This parameter specifies the properties of the secret of the specific type. The value can be up to 1,024 characters in length.
Note If you set SecretType to Rds, Redis, RAMCredentials, or ECS, this parameter is required. |
EnableAutomaticRotation | Boolean | No | true | Specifies whether to enable automatic rotation. Valid values:
Note This parameter takes effect only when you set SecretType to Rds, Redis, RAMCredentials, or ECS. If you set SecretType to Generic, automatic rotation is not supported. You can call the PutSecretValue operation to manually rotate a generic secret. |
RotationInterval | String | No | 30d | The interval for automatic rotation. Valid values: 6 hours to 8,760 hours (365 days). The value is in the The unit can be d (day), h (hour), m (minute), or s (second). If the value is 7d or 604800s, automatic rotation is performed at a 7-day interval. Note This parameter is required only when EnableAutomaticRotation is set to true. |
DKMSInstanceId | String | No | kst-bjj62d8f5e0sgtx8h**** | The ID of the KMS instance. |
Policy | String | No | {"Version":"1","Statement": [{"Sid":"kms default secret policy","Effect":"Allow","Principal":{"RAM": ["acs:ram::119285303511****:*"]},"Action":["kms:*"],"Resource": ["*"] }] } | The content of the secret policy. The value is in the JSON format. The value can be up to 32,768 bytes in length. For more information about secret policies, see Overview. If you do not configure this parameter, the default secret policy is used. A secret policy contains the following content:
Example:
Statement description:
Note If you grant a RAM user or RAM role of other Alibaba Cloud accounts permissions to use a secret, you must use the Alibaba Cloud account of the RAM user or RAM role to grant the RAM user or RAM role permissions to use the secret in RAM. For more information, see Custom policies, Grant permissions to a RAM user, and Grant permissions to a RAM role. |
For more information about common request parameters, see Common parameters.
Response parameters
Parameter |
Type |
Example |
Description |
RequestId | String | 3bf02f7a-015b-4f93-be0f-cc043fda2dd3 | The request ID. |
AutomaticRotation | String | Enabled | Indicates whether automatic rotation is enabled. Valid values:
Note If SecretType is set to Rds, Redis, RAMCredentials, or ECS, this parameter is returned. |
SecretName | String | mydbconninfo | The secret name. |
VersionId | String | v1 | The version number of the secret. |
NextRotationDate | String | 2023-07-06T18:22:03Z | The time when the next rotation is performed. Note If automatic rotation is enabled, this parameter is returned. |
SecretType | String | Rds | The type of the secret. Valid values:
|
RotationInterval | String | 604800s | The interval for automatic rotation. The value is in the Note If automatic rotation is enabled, this parameter is returned. |
Arn | String | acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo | The Alibaba Cloud Resource Name (ARN) of the secret. |
ExtendedConfig | String | {\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\", \"CustomData\":"Key1": "v1", "fds":"fdsf"} } | The extended configuration of the secret. Note If SecretType is set to Rds, Redis, RAMCredentials, or ECS, this parameter is returned. |
DKMSInstanceId | String | kst-bjj62d8f5e0sgtx8h**** | The ID of the KMS instance. |
Examples
Sample requests
http(s)://[Endpoint]/?Action=CreateSecret
&SecretName=mydbconninfo
&VersionId=v1
&EncryptionKeyId=key-gzz63ff0db5hg3qje****
&SecretData={"Accounts":[{"AccountName":"user1","AccountPassword":"****"}]}
&SecretDataType=text
&Description=mydbinfo
&Tags=[{\"TagKey\":\"key1\",\"TagValue\":\"val1\"},{\"TagKey\":\"key2\",\"TagValue\":\"val2\"}]
&SecretType=Rds
&EnableAutomaticRotation=true
&RotationInterval=30d
&DKMSInstanceId=kst-bjj62d8f5e0sgtx8h****
&Policy={"Version":"1","Statement": [{"Sid":"kms default secret policy","Effect":"Allow","Principal":{"RAM": ["acs:ram::119285303511****:*"]},"Action":["kms:*"],"Resource": ["*"] }] }
&<Common request parameters>
Sample success responses
XML
format
HTTP/1.1 200 OK
Content-Type:application/xml
<CreateSecretResponse>
<RequestId>3bf02f7a-015b-4f93-be0f-cc043fda2dd3</RequestId>
<AutomaticRotation>Enabled</AutomaticRotation>
<SecretName>mydbconninfo</SecretName>
<VersionId>v1</VersionId>
<NextRotationDate>2023-07-06T18:22:03Z</NextRotationDate>
<SecretType>Rds</SecretType>
<RotationInterval>604800s</RotationInterval>
<Arn>acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo</Arn>
<ExtendedConfig>{\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\", \"CustomData\":"Key1": "v1", "fds":"fdsf"} }</ExtendedConfig>
<DKMSInstanceId>kst-bjj62d8f5e0sgtx8h****</DKMSInstanceId>
</CreateSecretResponse>
JSON
format
HTTP/1.1 200 OK
Content-Type:application/json
{
"RequestId" : "3bf02f7a-015b-4f93-be0f-cc043fda2dd3",
"AutomaticRotation" : "Enabled",
"SecretName" : "mydbconninfo",
"VersionId" : "v1",
"NextRotationDate" : "2023-07-06T18:22:03Z",
"SecretType" : "Rds",
"RotationInterval" : "604800s",
"Arn" : "acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo",
"ExtendedConfig" : "{\\\"SecretSubType\\\":\\\"SingleUser\\\", \\\"DBInstanceId\\\":\\\"rm-uf667446pc955****\\\", \\\"CustomData\\\":\"Key1\": \"v1\", \"fds\":\"fdsf\"} }",
"DKMSInstanceId" : "kst-bjj62d8f5e0sgtx8h****"
}
Error codes
HttpCode |
Error code |
Error message |
Description |
400 | UnsupportedOperation | This action is not supported. | The operation is not supported. |
400 | Rejected.LimitExceeded | The request was rejected because user create resource limit was exceeded | The request is rejected because the number of created resources reaches the upper limit. |
400 | InvalidParameter | The specified parameter is not valid. | An invalid value is specified for the parameter. |
400 | Rejected.ShareQuotaExceedLimit | Instance Share Quota Exceed Limit. | The access management quota is exceeded. |
403 | Forbidden.DKMSInstanceNotFound | The specified DKMS Instance is not found. | Your dedicated KMS instance is not found. |
404 | Forbidden.ResourceNotFound | The resource is not found. | The specified resource does not exist. |
409 | Rejected.ResourceExist | The resource already exists. | The specified resource already exists. |
409 | Rejected.ResourceInDeleteWindow | The secret is planned to be deleted. | The secret is to be deleted. |
500 | InternalFailure | Internal Failure | An internal error has occurred. |
For a list of error codes, see Service error codes.