All Products
Search
Document Center

Resource Orchestration Service:ALIYUN::KMS::Secret

更新時間:May 06, 2023

ALIYUN::KMS::Secret is used to create a secret and store the initial version of the secret.

Syntax

{
  "Type": "ALIYUN::KMS::Secret",
  "Properties": {
    "VersionId": String,
    "SecretName": String,
    "Description": String,
    "SecretDataType": String,
    "SecretData": String,
    "VersionStages": List,
    "EncryptionKeyId": String,
    "RecoveryWindowInDays": Integer,
    "ForceDeleteWithoutRecovery": Boolean,
    "SecretType": String,
		"EnableAutomaticRotation": Boolean,
		"RotationInterval": String,
		"ExtendedConfig": Map,
		"DKMSInstanceId": String
  }
}

Properties

Property

Type

Required

Editable

Description

Constraint

VersionId

String

Yes

Yes

The initial version number of the secret.

Version numbers are unique in each secret.

SecretName

String

Yes

No

The name of the secret.

None.

Description

String

No

Yes

The description of the secret.

None.

SecretDataType

String

No

No

The type of the secret value.

Valid values:

  • text

  • binary

SecretData

String

Yes

Yes

The value of the secret that you want to create. Secrets Manager encrypts the secret value and stores the encrypted value in the initial version.

None.

VersionStages

List

No

Yes

The stage labels that mark the secret version.

Default value: ACSCurrent.

You can specify up to seven labels.

EncryptionKeyId

String

No

No

The ID of the customer master key (CMK) that is used to encrypt the secret value.

If you leave this property empty, Secrets Manager uses a CMK that is created by Key Management Service (KMS) to encrypt and protect the secret value.

Note

The CMK must be a symmetric key.

RecoveryWindowInDays

Integer

No

Yes

The recovery period of the secret when the secret is deleted in a non-forceful manner.

Default value: 30.

Unit: day.

ForceDeleteWithoutRecovery

Boolean

No

Yes

Specifies whether to forcefully delete the secret. A forcefully deleted secret cannot be recovered.

Valid values:

  • true

  • false (default)

SecretType

String

No

No

The type of the secret.

Valid values:

  • Generic: generic secret

  • Rds: managed ApsaraDB RDS secret

  • RAMCredentials: managed Resource Access Management (RAM) secret

  • ECS: managed ECS secret

EnableAutomaticRotation

Boolean

No

No

Specifies whether to enable automatic key rotation.

Valid values:

  • true

  • false (default)

RotationInterval

String

No

No

The interval of automatic key rotation.

Specify the interval in the integer[unit] format. integer specifies the length of time. unit specifies the unit of time. Set unit to s. For example, if automatic rotation is performed at an interval of seven days, set RotationInterval to 604800s.

Note

This property is returned if automatic key rotation is enabled.

ExtendedConfig

Map

No

No

The extended configuration of the secret.

None.

DKMSInstanceId

String

No

No

The ID of the dedicated KMS instance.

None.

Return values

Fn::GetAtt

  • SecretName: the name of the secret.

  • Arn: the Alibaba Cloud Resource Name (ARN) of the secret.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters: {}
    Resources:
      Secret:
        Type: ALIYUN::KMS::Secret
        Properties:
          VersionId: v1
          SecretName: TestSecret
          SecretData: DemoSecretData
          ForceDeleteWithoutRecovery: false
    Outputs: {}
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
      },
      "Resources": {
        "Secret": {
          "Type": "ALIYUN::KMS::Secret",
          "Properties": {
            "VersionId": "v1",
            "SecretName": "TestSecret",
            "SecretData": "DemoSecretData",
            "ForceDeleteWithoutRecovery": false
          }
        }
      },
      "Outputs": {
      }
    }