RotateSecret - Key Management Service

Immediately rotates a secret.

Limits:

• A secret of each Alibaba Cloud account can be rotated for up to 50 times per hour.

• The RotateSecret operation does not support generic secrets.

Note

Call the operation only for secret types that support automatic rotation. To rotate a generic secret, call the PutSecretValue operation.

In the following example, a secret named RdsSecret/Mysql5.4/MyCred is manually rotated. The new version of the secret is 000000123.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter	Type	Required	Example	Description
Action	String	Yes	RotateSecret	The operation that you want to perform. Set the value to RotateSecret.
SecretName	String	Yes	RdsSecret/Mysql5.4/MyCred	The Alibaba Cloud Resource Name (ARN) of the secret or secret resource. Note When you access a secret within another Alibaba Cloud account, you must enter the ARN of the secret. The ARN is in the `acs:kms:${region}:${account}:secret/${secret-name}` format.
VersionId	String	Yes	000000123	The version number of the new secret version after rotation. Note The version number is used to ensure the idempotence of the request. Key Management Service (KMS) uses version numbers to prevent accidental duplication of versions. This happens when your application retries a request after a failure. If a version number already exists, KMS ignores the request for rotation and returns a success message.

Response parameters

Parameter	Type	Example	Description
VersionId	String	000000123	The version number of the new secret version after rotation.
SecretName	String	RdsSecret/Mysql5.4/MyCred	The secret name.
RequestId	String	10257c86-269d-43aa-aaf3-90ed4144bb7c	The ID of the request, which is used to locate and troubleshoot issues.
Arn	String	acs:kms:cn-hangzhou:154035569884****:secret/RdsSecret/Mysql5.4/MyCred	The Alibaba Cloud Resource Name (ARN) of the secret.

For more information about common request parameters, see Common parameters.

Examples

Sample requests

http(s)://[Endpoint]/?Action=RotateSecret
&SecretName=RdsSecret/Mysql5.4/MyCred
&VersionId=000000123
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<RotateSecretResponse>
    <VersionId>000000123</VersionId>
    <SecretName>RdsSecret/Mysql5.4/MyCred</SecretName>
    <RequestId>10257c86-269d-43aa-aaf3-90ed4144bb7c</RequestId>
    <Arn>acs:kms:cn-hangzhou:154035569884****:secret/RdsSecret/Mysql5.4/MyCred</Arn>
</RotateSecretResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "VersionId" : "000000123",
  "SecretName" : "RdsSecret/Mysql5.4/MyCred",
  "RequestId" : "10257c86-269d-43aa-aaf3-90ed4144bb7c",
  "Arn" : "acs:kms:cn-hangzhou:154035569884****:secret/RdsSecret/Mysql5.4/MyCred"
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvalidParameter	The specified parameter is not valid.	The specified parameter is invalid.

For a list of error codes, see Service error codes.