Creates a secret and stores its initial version.

You must specify the secret name, the secret value stored in the initial version, and the version number. The initial version is marked with the ACSCurrent state label.

You can specify a symmetric customer master key (CMK) as the encryption key to encrypt the secret value. If you do not specify an encryption key, Secrets Manager creates a CMK to encrypt the secret value. This CMK is used as the default encryption key for all the secrets that are created by your Alibaba Cloud account in the current region. Secrets Manager encrypts only the secret value of each version. Secrets Manager does not encrypt the metadata such as the secret name, version number, or state label.

To use a specified CMK to encrypt the secret value, you must have the kms:GenerateDataKey permission on the CMK.

In this example, a generic secret whose name is mydbconninfo is created. The initial version number of the secret is specified in the VersionId parameter, and the value is v1. The secret value is specified in the SecretData parameter, and the value is {"user":"root","passwd":"****"}.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateSecret

The operation that you want to perform. Set the value to CreateSecret.

SecretData String Yes {"user":"root","passwd":"****"}

The value of the secret to be created. Secrets Manager encrypts the secret value and stores the encrypted value in the initial version.

  • If you set the SecretType parameter to Generic, which indicates a generic secret, you can customize the secret value.
  • If you set the SecretType parameter to Rds, which indicates a managed ApsaraDB RDS secret, the secret value must be in the format {"Accounts":[{"AccountName":"","AccountPassword":""}]}. AccountName is the username of the account that is used to connect to your ApsaraDB RDS instance, and AccountPassword is the password of that account.
  • If you set the SecretType parameter to RAMCredentials, which indicates a managed RAM secret, the secret value must be in the format {"AccessKeys":[{"AccessKeyId":"","AccessKeySecret":""}]}. AccessKeyId is the AccessKey ID of the RAM user, and AccessKeySecret is the AccessKey secret of the RAM user. You must specify all the AccessKey pairs of the RAM user.
  • If you set the SecretType parameter to ECS, which indicates a managed ECS secret, the secret value must be in one of the following formats:
    • {"UserName":"","Password":""}. This format is required if you set the SecretSubType field in the ExtendedConfig parameter to Password. UserName is the username that is used to log on to the ECS instance, and Password is the password that is used to log on to the ECS instance.
    • {"UserName":"","PublicKey":"","PrivateKey":""}. This format is required if you set the SecretSubType field in the ExtendedConfig parameter to SSHKey. PublicKey is the SSH public key that is used to log on to the ECS instance, and PrivateKey is the SSH private key that is used to log on to the ECS instance.
SecretName String Yes mydbconninfo

The name of the secret.

VersionId String Yes v1

The initial version number. Version numbers are unique in each secret object.

EncryptionKeyId String No 00aa68af-2c02-4f68-95fe-3435d330****

The ID of the CMK that is used to encrypt the secret value.

If you do not specify this parameter, Secrets Manager automatically creates a CMK to encrypt the secret value.

Note The CMK must be a symmetric key.
SecretDataType String No text

The type of the secret value. Valid values:

  • text
  • binary
Note If you set the SecretType parameter to Rds, RAMCredentials, or ECS, the SecretDataType parameter must be set to text.
Description String No mydbinfo

The description of the secret.

Tags String No [{\"TagKey\":\"key1\",\"TagValue\":\"val1\"},{\"TagKey\":\"key2\",\"TagValue\":\"val2\"}]

The tags of the secret.

SecretType String No Rds

The type of the secret. Valid values:

  • Generic: indicates a generic secret.
  • Rds: indicates a managed ApsaraDB RDS secret.
  • RAMCredentials: indicates a managed RAM secret.
  • ECS: indicates a managed ECS secret.
ExtendedConfig Json No {"SecretSubType":"SingleUser", "DBInstanceId":"rm-bp1b3dd3a506e****" ,"CustomData":{}}

The extended configuration of the secret. This parameter specifies the properties of the secret of the specific type. The value of this parameter can be up to 1,024 characters in length.

  • If you set the SecretType parameter to Generic, which indicates a generic secret, you do not need to specify this parameter.
  • If you set the SecretType parameter to Rds, which indicates a managed ApsaraDB RDS secret, you must specify the following fields in the ExtendedConfig parameter:
    • SecretSubType: required. The subtype of the secret. Valid values:
      • SingleUser: Secrets Manager manages the ApsaraDB RDS secret in single-account mode. When the secret is rotated, the password of the specified account is reset to a new random password.
      • DoubleUsers: Secrets Manager manages the ApsaraDB RDS secret in dual-account mode. One account is referenced by the ACSCurrent version, and the other account is referenced by the ACSPrevious version. When the secret is rotated, the password of the account referenced by the ACSPrevious version is reset to a new random password. Then, Secrets Manager switches the referenced accounts between the ACSCurrent and ACSPrevious versions.
    • DBInstanceId: required. The ID of the ApsaraDB RDS instance to which the ApsaraDB RDS account belongs.
    • CustomData: optional. The custom data. The value is a collection of key-value pairs in the JSON format. A maximum of 10 key-value pairs can be specified. Separate multiple key-value pairs with commas (,). Example: {"Key1": "v1", "fds":"fdsf"}. The default value is a pair of empty braces ({}).
  • If you set the SecretType parameter to RAMCredentials, which indicates a managed RAM secret, you must specify the following fields in the ExtendedConfig parameter:
    • SecretSubType: required. The subtype of the secret. Set the value to RamUserAccessKey.
    • UserName: required. The name of the RAM user.
    • CustomData: optional. The custom data. The value is a collection of key-value pairs in the JSON format. A maximum of 10 key-value pairs can be specified. Separate multiple key-value pairs with commas (,). The default value is a pair of empty braces ({}).
  • If you set the SecretType parameter to ECS, which indicates a managed ECS secret, you must specify the following fields in the ExtendedConfig parameter:
    • SecretSubType: required. The subtype of the secret. Valid values:
      • Password: the password that is used to log on to the ECS instance.
      • SSHKey: the SSH public and private keys that are used to log on to the ECS instance.
    • RegionId: required. The ID of the region in which the ECS instance resides.
    • InstanceId: required. The ID of the ECS instance.
    • CustomData: optional. The custom data. The value is a collection of key-value pairs in the JSON format. A maximum of 10 key-value pairs can be specified. Separate multiple key-value pairs with commas (,). The default value is a pair of empty braces ({}).
Note This parameter is required if you set the SecretType parameter to Rds, RAMCredentials, or ECS.
EnableAutomaticRotation Boolean No true

Specifies whether to enable automatic rotation. Valid values:

  • true: indicates that automatic rotation is enabled.
  • false: indicates that automatic rotation is disabled. This is the default value.
Note This parameter is valid if you set the SecretType parameter to Rds, RAMCredentials, or ECS.
RotationInterval String No 30d

The interval for automatic rotation. Valid values: 6 hours to 8,760 hours (365 days).

Specify the value in the integer[unit] format.

The unit can be d (day), h (hour), m (minute), or s (second). For example, both 7d and 604800s indicate a seven-day interval.

Note This parameter is required if you set the EnableAutomaticRotation parameter to true. This parameter is ignored if you set the EnableAutomaticRotation parameter to false or do not specify the EnableAutomaticRotation parameter.

For more information about common request parameters, see Common parameters.
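The constraints in the request parameter table above, encoded as a client-side validator (an added example, not Alibaba Cloud SDK code). It checks SecretData against the documented JSON shape for each SecretType, the required ExtendedConfig fields and their SecretSubType values, the CustomData limit, and the RotationInterval format and range before the query parameters are assembled, and it produces a log-safe copy of the request with the secret value redacted. The function names and the REQUIRED_EXTENDED_FIELDS / VALID_SUBTYPES tables are assumptions of this example; request signing, which OpenAPI Explorer or an SDK performs, is not shown.

```python
"""Client-side validation of CreateSecret parameters (added example, not the
Alibaba Cloud SDK). It rejects a request that violates the documented
constraints before any secret material leaves the process."""
import json
import re

# Required ExtendedConfig fields and allowed SecretSubType values per managed
# SecretType, taken from the parameter table (tables are this example's own).
REQUIRED_EXTENDED_FIELDS = {
    "Rds": ("SecretSubType", "DBInstanceId"),
    "RAMCredentials": ("SecretSubType", "UserName"),
    "ECS": ("SecretSubType", "RegionId", "InstanceId"),
}
VALID_SUBTYPES = {
    "Rds": ("SingleUser", "DoubleUsers"),
    "RAMCredentials": ("RamUserAccessKey",),
    "ECS": ("Password", "SSHKey"),
}
# RotationInterval is integer[unit]; the documented range is 6 h to 8,760 h.
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
MIN_ROTATION_S = 6 * 3600
MAX_ROTATION_S = 8760 * 3600


def rotation_interval_seconds(value):
    """Parse '7d' / '604800s' style values and enforce the documented range."""
    m = re.fullmatch(r"(\d+)([dhms])", value)
    if not m:
        raise ValueError("RotationInterval must be integer[unit] with unit d, h, m or s")
    seconds = int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
    if not MIN_ROTATION_S <= seconds <= MAX_ROTATION_S:
        raise ValueError("RotationInterval must be between 6h and 8760h")
    return seconds


def _check_secret_data(secret_type, extended, data):
    """SecretData must match the JSON shape documented for the secret type."""
    if secret_type == "Generic":
        return  # any value the caller chooses
    try:
        doc = json.loads(data)
    except json.JSONDecodeError as exc:
        raise ValueError("managed secret SecretData must be JSON") from exc
    if secret_type == "Rds":
        accounts = doc.get("Accounts")
        ok = isinstance(accounts, list) and accounts and all(
            isinstance(a, dict) and set(a) == {"AccountName", "AccountPassword"}
            for a in accounts)
    elif secret_type == "RAMCredentials":
        keys = doc.get("AccessKeys")
        ok = isinstance(keys, list) and keys and all(
            isinstance(k, dict) and set(k) == {"AccessKeyId", "AccessKeySecret"}
            for k in keys)
    else:  # ECS: the shape depends on SecretSubType
        want = {"Password": {"UserName", "Password"},
                "SSHKey": {"UserName", "PublicKey", "PrivateKey"}}
        ok = set(doc) == want[extended["SecretSubType"]]
    if not ok:
        raise ValueError(f"SecretData does not match the {secret_type} format")


def build_create_secret_params(secret_name, secret_data, version_id,
                               secret_type="Generic", extended_config=None,
                               encryption_key_id=None, enable_rotation=False,
                               rotation_interval=None, secret_data_type="text",
                               description=None):
    """Return the query parameters for one CreateSecret call, or raise ValueError."""
    if secret_type not in ("Generic", "Rds", "RAMCredentials", "ECS"):
        raise ValueError("unknown SecretType")
    if secret_type != "Generic" and secret_data_type != "text":
        raise ValueError("managed secrets require SecretDataType=text")
    extended = extended_config or {}
    if secret_type != "Generic":
        missing = [f for f in REQUIRED_EXTENDED_FIELDS[secret_type] if f not in extended]
        if missing:
            raise ValueError(f"ExtendedConfig is missing {missing} for {secret_type}")
        if extended["SecretSubType"] not in VALID_SUBTYPES[secret_type]:
            raise ValueError("invalid SecretSubType for " + secret_type)
        if len(extended.get("CustomData", {})) > 10:
            raise ValueError("CustomData allows at most 10 key-value pairs")
    _check_secret_data(secret_type, extended, secret_data)

    params = {"Action": "CreateSecret", "SecretName": secret_name,
              "SecretData": secret_data, "VersionId": version_id,
              "SecretType": secret_type, "SecretDataType": secret_data_type}
    if secret_type != "Generic":
        params["ExtendedConfig"] = json.dumps(extended)
    if encryption_key_id:
        params["EncryptionKeyId"] = encryption_key_id  # must be a symmetric CMK
    if description:
        params["Description"] = description
    if enable_rotation:
        if secret_type == "Generic":
            raise ValueError("automatic rotation is valid only for Rds, RAMCredentials or ECS")
        if rotation_interval is None:
            raise ValueError("RotationInterval is required when rotation is enabled")
        rotation_interval_seconds(rotation_interval)
        params["EnableAutomaticRotation"] = "true"
        params["RotationInterval"] = rotation_interval
    return params


def redacted(params):
    """Copy of the request that is safe to log: the secret value is never logged."""
    return {k: ("****" if k == "SecretData" else v) for k, v in params.items()}
```

Only SecretData is encrypted by Secrets Manager; SecretName, VersionId, Description and Tags are stored as metadata, so the redaction helper deliberately leaves those visible and masks only the value.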

Response parameters

Parameter Type Example Description
Arn String acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo

The Alibaba Cloud Resource Name (ARN) of the secret.

AutomaticRotation String Enabled

Indicates whether automatic rotation is enabled. Valid values:

  • Enabled: indicates that automatic rotation is enabled.
  • Disabled: indicates that automatic rotation is disabled.
  • Invalid: indicates that the status of automatic rotation is abnormal. In this case, Secrets Manager cannot automatically rotate the secret.
Note This parameter is returned if you set the SecretType parameter to Rds, RAMCredentials, or ECS.
ExtendedConfig String {\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\", \"CustomData\":{} }

The extended configuration of the secret.

Note This parameter is returned if you set the SecretType parameter to Rds, RAMCredentials, or ECS.
NextRotationDate String 2020-07-06T18:22:03Z

The time when the next rotation will be performed.

Note This parameter is returned if automatic rotation is enabled.
RequestId String 3bf02f7a-015b-4f93-be0f-cc043fda2dd3

The ID of the request.

RotationInterval String 604800s

The interval for automatic rotation.

The value is in the integer[unit] format. The unit field has a fixed value of s. For example, if the value is 604800s, automatic rotation is performed at a 7-day interval.

Note This parameter is returned if automatic rotation is enabled.
SecretName String mydbconninfo

The name of the secret.

SecretType String Rds

The type of the secret. Valid values:

  • Generic: indicates a generic secret.
  • Rds: indicates a managed ApsaraDB RDS secret.
  • RAMCredentials: indicates a managed RAM secret.
  • ECS: indicates a managed ECS secret.
VersionId String v1

The version number of the secret.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreateSecret
&SecretData={"user":"root","passwd":"****"}
&SecretName=mydbconninfo
&VersionId=v1
&<Common request parameters>

Sample success responses

XML format

<KMS>
    <Arn>acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo</Arn>
    <SecretName>mydbconninfo</SecretName>
    <VersionId>v1</VersionId>
    <RequestId>3bf02f7a-015b-4f93-be0f-cc043fda2dd3</RequestId>
    <SecretType>Generic</SecretType>
</KMS>

JSON format

{
    "Arn": "acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo",
    "SecretName": "mydbconninfo",
    "VersionId": "v1",
    "RequestId": "3bf02f7a-015b-4f93-be0f-cc043fda2dd3",
    "SecretType": "Generic"
}
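A check on the response that a practitioner would run after CreateSecret returns, as an added example that is not Alibaba Cloud code. It verifies that the response names the secret and version that were requested, parses the Arn, and for managed secrets reads the rotation fields documented in the response table: RotationInterval is always whole seconds in the response, and an AutomaticRotation of Invalid is turned into an error rather than silently recorded, so a broken rotation configuration is noticed at creation time. SAMPLE_GENERIC_RESPONSE is the page's own JSON sample; SAMPLE_RDS_RESPONSE is constructed for this example from the documented fields, and the function names are assumptions of the example.

```python
"""Post-create validation of a CreateSecret response (added example, not
Alibaba Cloud code)."""
import json
import re
from datetime import datetime, timezone

# ARN shape from the response table: acs:kms:<region>:<account>:secret/<name>
ARN_RE = re.compile(r"^acs:kms:(?P<region>[^:]+):(?P<account>[^:]+):secret/(?P<name>.+)$")

# The page's own JSON sample response (generic secret, no rotation fields).
SAMPLE_GENERIC_RESPONSE = {
    "Arn": "acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo",
    "SecretName": "mydbconninfo",
    "VersionId": "v1",
    "RequestId": "3bf02f7a-015b-4f93-be0f-cc043fda2dd3",
    "SecretType": "Generic",
}

# Constructed sample for a managed RDS secret with rotation enabled, built from
# the example values in the response table (not a captured response).
SAMPLE_RDS_RESPONSE = dict(
    SAMPLE_GENERIC_RESPONSE,
    SecretType="Rds",
    AutomaticRotation="Enabled",
    RotationInterval="604800s",
    NextRotationDate="2020-07-06T18:22:03Z",
    ExtendedConfig='{"SecretSubType":"SingleUser","DBInstanceId":"rm-uf667446pc955****","CustomData":{}}',
)


def parse_arn(arn):
    """Split a secret ARN into region, account and secret name."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError("unexpected secret ARN: " + arn)
    return m.groupdict()


def response_rotation_hours(value):
    """The response RotationInterval always uses the fixed unit s."""
    m = re.fullmatch(r"(\d+)s", value)
    if not m:
        raise ValueError("response RotationInterval must be <integer>s")
    return int(m.group(1)) / 3600


def check_create_secret_response(body, expected_name, expected_version, now=None):
    """Return a summary dict, raising if the response contradicts the request
    or reports the rotation status as Invalid."""
    resp = json.loads(body) if isinstance(body, str) else body
    if resp.get("SecretName") != expected_name or resp.get("VersionId") != expected_version:
        raise ValueError("response does not match the requested secret and version")
    arn = parse_arn(resp["Arn"])
    if arn["name"] != expected_name:
        raise ValueError("ARN secret name does not match SecretName")
    summary = {"region": arn["region"], "secret_type": resp.get("SecretType", "Generic"),
               "request_id": resp.get("RequestId"), "rotation": None}
    status = resp.get("AutomaticRotation")  # only present for managed secrets
    if status == "Invalid":
        raise RuntimeError(f"automatic rotation is in the Invalid state for "
                           f"{expected_name} (request {resp.get('RequestId')})")
    if status == "Enabled":
        now = now or datetime.now(timezone.utc)
        next_at = datetime.strptime(resp["NextRotationDate"], "%Y-%m-%dT%H:%M:%SZ")
        next_at = next_at.replace(tzinfo=timezone.utc)
        summary["rotation"] = {
            "interval_hours": response_rotation_hours(resp["RotationInterval"]),
            "next_rotation": next_at,
            "overdue": next_at < now,  # a past NextRotationDate deserves a look
        }
    return summary


if __name__ == "__main__":
    print(check_create_secret_response(SAMPLE_GENERIC_RESPONSE, "mydbconninfo", "v1"))
    print(check_create_secret_response(SAMPLE_RDS_RESPONSE, "mydbconninfo", "v1"))
```

The RequestId is carried into the error so the failure can be matched against the provider-side record when a support case or an incident review needs it.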

Error codes

HTTP status code Error code Error message Description
400 InvalidParameter The specified parameter is invalid. The error message returned because the values of one or more parameters are invalid.
400 Rejected.LimitExceeded The secret quota is exceeded. The error message returned because the secret quota is used up.
403 Forbidden.NoPermission You are not authorized to perform the operation. The error message returned because you are not authorized to perform the operation.
404 Forbidden.ResourceNotFound The resource is not found. The error message returned because the specified resource does not exist.
409 Rejected.ResourceExist The resource already exists. The error message returned because the specified resource already exists.
409 Rejected.ResourceInDeleteWindow The secret is planned to be deleted. The error message returned because the secret is to be deleted.
500 InternalFailure An internal error occurred. The error message returned because an internal error has occurred.
429 Rejected.Throttling The QPS upper limit is exceeded. The error message returned because the queries per second (QPS) has reached the upper limit.

For a list of error codes, visit the API Error Center.