Generic secrets let you store and manage sensitive data — such as passwords, AccessKey secrets, OAuth tokens, and API keys — in Secrets Manager. Each secret supports multiple versions so you can update its value without disrupting applications that rely on it.
How generic secrets work
A generic secret has three components: metadata, secret versions, and stage labels.

Metadata
Each secret's metadata includes:
Name — identifies the secret when calling Secrets Manager API operations.
Encryption key identifier — specifies the identifier of your user-managed customer master key (CMK) used to encrypt the secret value.
Description and resource tags — optional fields for organization and access control.
Secret versions
Every time you write a secret value, Secrets Manager stores it as a new secret version:
Each version is identified by a version number.
The secret value is encrypted and treated as sensitive data.
A version can be written only once and cannot be modified after creation.
To retrieve a secret value, specify the secret name and version number, or use a stage label.
Stage labels
Stage labels are pointers that mark specific versions, letting you retrieve a version by label instead of by version number. Secrets Manager has two built-in stage labels: ACSCurrent and ACSPrevious. You can also create custom stage labels.
How built-in labels shift when you call PutSecretValue:
| Before the call | Action | After the call |
|---|---|---|
| Version 1 is marked ACSCurrent | Call PutSecretValue to create Version 2 | Version 2 is marked ACSCurrent; Version 1 is marked ACSPrevious |
| Version 2 is marked ACSCurrent; Version 1 is marked ACSPrevious | Call PutSecretValue to create Version 3 | Version 3 is marked ACSCurrent; Version 2 is marked ACSPrevious; Version 1 has no stage label |
Call GetSecretValue to retrieve the version currently marked ACSCurrent.
Stage label rules:
Each stage label points to exactly one version at a time.
A version can have zero or more stage labels.
When the number of versions in a secret reaches the upper limit, the oldest version with no stage labels is automatically deleted.
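The following is an added example, not code from Secrets Manager or its SDK: a small in-memory model of the write-once versions, the built-in label shift, and the pruning rule above, useful for checking which version a given label will return after a rotation. The class and method names, the custom label `Pinned`, the `max_versions` value, and the choice to prune once the count exceeds that value are all assumptions made for illustration.

```python
# In-memory model of the versioning and stage-label rules described above.
# Added illustration only: it does not call Secrets Manager, and the class,
# method names and max_versions value are assumptions made for this example.
class GenericSecretModel:
    def __init__(self, max_versions=3):
        self.max_versions = max_versions  # assumed limit; the real quota is not stated here
        self.versions = {}                # version id -> value, in creation order
        self.labels = {}                  # stage label -> version id (exactly one each)

    def put_secret_value(self, version_id, value):
        if version_id in self.versions:
            raise ValueError("a version is written once and cannot be modified")
        self.versions[version_id] = value
        # Built-in labels shift: the old ACSCurrent becomes ACSPrevious.
        if "ACSCurrent" in self.labels:
            self.labels["ACSPrevious"] = self.labels["ACSCurrent"]
        self.labels["ACSCurrent"] = version_id
        self._prune()

    def set_stage(self, label, version_id):
        if version_id not in self.versions:
            raise KeyError(version_id)
        self.labels[label] = version_id   # moving a label detaches it from the old version

    def stages_of(self, version_id):
        return sorted(l for l, v in self.labels.items() if v == version_id)

    def get_secret_value(self, version_id=None, stage="ACSCurrent"):
        if version_id is None:
            version_id = self.labels[stage]
        return self.versions[version_id]

    def _prune(self):
        # At the limit (modelled as exceeding it), drop the oldest unlabeled version.
        while len(self.versions) > self.max_versions:
            unlabeled = [v for v in self.versions if not self.stages_of(v)]
            if not unlabeled:
                break
            del self.versions[unlabeled[0]]


def demo():
    s = GenericSecretModel(max_versions=3)
    for vid in ("v1", "v2", "v3"):
        s.put_secret_value(vid, "value-" + vid)   # constructed sample values
    s.set_stage("Pinned", "v1")                   # custom label keeps v1 alive
    s.put_secret_value("v4", "value-v4")          # over the limit: unlabeled v2 is pruned
    return {v: s.stages_of(v) for v in s.versions}
```

In `demo()`, the fourth write moves ACSPrevious from v2 to v3, which leaves v2 as the only unlabeled version, so v2 is deleted even though v1 is older.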
What's next
| Task | Description |
|---|---|
| Manage generic secrets | Create, update, and delete generic secrets using the KMS console, Alibaba Cloud CLI, or API operations. |
| Rotate generic secrets | Set up rotation policies to automatically replace secret values on a schedule. |
| Allow applications to access Secrets Manager | Connect your application to Secrets Manager so it can retrieve dynamic secrets at runtime. |