Obtains a secret value.

If you do not specify a version number or stage label, Secrets Manager returns the secret value of the version marked with ACSCurrent.

If a customer master key (CMK) is specified to encrypt the secret value, you must also have the kms:Decrypt permission on the CMK to call the GetSecretValue operation.

In this example, the value of the secret named secret001 is obtained. The secret value is returned in the SecretData parameter. The secret value is testdata1.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes GetSecretValue

The operation that you want to perform. Set the value to GetSecretValue.

SecretName String Yes secret001

The name of the secret.

VersionStage String No ACSCurrent

The stage label that marks the secret version. If you specify this parameter, Secrets Manager returns the secret value of the version that is marked with the specified stage label.

Default value: ACSCurrent.

Note: For a managed ApsaraDB RDS secret, a managed RAM secret, or a managed ECS secret, Secrets Manager can return only the secret value of the version marked with ACSPrevious or ACSCurrent.
VersionId String No 00000000000000000000000000000001

The version number of the secret value. If you specify this parameter, Secrets Manager returns the secret value of the specified version.

Note: This parameter is ignored for a managed ApsaraDB RDS secret, a managed RAM secret, or a managed ECS secret.
FetchExtendedConfig Boolean No true

Specifies whether to obtain the extended configuration of the secret. Valid values:

  • true
  • false: This is the default value.
Note: This parameter is ignored for a generic secret.

For more information about common request parameters, see Common parameters.

Response parameters

Parameter Type Example Description
AutomaticRotation String Enabled

Indicates whether automatic rotation is enabled. Valid values:

  • Enabled: indicates that automatic rotation is enabled.
  • Disabled: indicates that automatic rotation is disabled.
  • Invalid: indicates that the status of automatic rotation is abnormal. In this case, Secrets Manager cannot automatically rotate the secret.
Note: This parameter is returned only for a managed ApsaraDB RDS secret, a managed RAM secret, or a managed ECS secret.
CreateTime String 2020-02-21T15:39:26Z

The time when the secret was created.

ExtendedConfig String {\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\", \"CustomData\":{} }

The extended configuration of the secret.

Note: This parameter is returned if you set the FetchExtendedConfig parameter to true. This parameter is returned only for a managed ApsaraDB RDS secret, a managed RAM secret, or a managed ECS secret.
LastRotationDate String 2020-07-05T08:22:03Z

The time when the last rotation was performed.

Note: This parameter is returned if the secret was rotated.
NextRotationDate String 2020-07-06T18:22:03Z

The time when the next rotation will be performed.

Note: This parameter is returned if automatic rotation is enabled.
RequestId String 6a3e9c36-1150-4881-84d3-eb8672fcafad

The ID of the request.

RotationInterval String 604800s

The interval for automatic rotation.

The value is in the integer[unit] format. The unit field has a fixed value of s. For example, if the value is 604800s, automatic rotation is performed at a 7-day interval.

Note: This parameter is returned if automatic rotation is enabled.
SecretData String testdata1

The secret value. Secrets Manager decrypts the ciphertext of the secret value and returns the plaintext of the secret value in this parameter.

  • For a generic secret, the secret value of the specified version is returned.
  • For a managed ApsaraDB RDS secret, the value is returned in the following format: {"AccountName":"","AccountPassword":""}.
  • For a managed RAM secret, the secret value is returned in the following format: {"AccessKeyId":"Adfdsfd","AccessKeySecret":"fdsfdsf","GenerateTimestamp": "2016-03-25T10:42:40Z"}.
  • For a managed ECS secret, the secret value is returned in one of the following formats:
    • {"UserName":"root","Password":"H5asdasdsads****"}: The secret value is returned in this format if the ECS secret is a password.
    • {"UserName":"root","PublicKey":"ssh-rsa ****mKwnVix9YTFY9Rs= imported-openssh-key","PrivateKey": "d6bee1cb-2e14-4277-ba6b-73786b21****"}: The secret value is returned in this format if the ECS secret is a pair of SSH keys. The private key is in the Privacy Enhanced Mail (PEM) format.
SecretDataType String binary

The type of the secret value. Valid values:

  • text
  • binary
SecretName String secret001

The name of the secret.

SecretType String Generic

The type of the secret. Valid values:

  • Generic: indicates a generic secret.
  • Rds: indicates a managed ApsaraDB RDS secret.
  • RAMCredentials: indicates a managed RAM secret.
  • ECS: indicates a managed ECS secret.
VersionId String 00000000000000000000000000000001

The version number of the secret value.

VersionStages List { "VersionStage": [ "ACSCurrent" ] }

The stage labels that mark the secret versions.

Examples

Sample requests

http(s)://[Endpoint]/?Action=GetSecretValue
&SecretName=secret001
&<Common request parameters>

Sample success responses

XML format

<KMS>
      <SecretName>secret001</SecretName>
      <VersionId>00000000000000000000000000000001</VersionId>
      <SecretData>testdata1</SecretData>
      <SecretType>Generic</SecretType>
      <SecretDataType>binary</SecretDataType>
      <VersionStages>
            <VersionStage>ACSCurrent</VersionStage>
      </VersionStages>
      <CreateTime>2020-07-23T11:56:29Z</CreateTime>
      <RequestId>6a3e9c36-1150-4881-84d3-eb8672fcafad</RequestId>
</KMS>

JSON format

{
    "SecretName": "secret001",
    "VersionId": "00000000000000000000000000000001",
    "SecretData": "testdata1",
    "SecretType": "Generic",
    "SecretDataType": "binary",
    "VersionStages": {
        "VersionStage": [
            "ACSCurrent"
        ]
    },
    "CreateTime": "2020-07-23T11:56:29Z",
    "RequestId": "6a3e9c36-1150-4881-84d3-eb8672fcafad"
}
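
The following is an added example, not part of the original reference and not Alibaba Cloud SDK code. It shows one way a caller could handle a GetSecretValue JSON response: parse SecretData by SecretType, flag a stale stage label or rotation problem, and build a summary that is safe to log. The function name inspect_response, the SENSITIVE_KEYS set, the warning strings and the sample response are assumptions constructed from the fields documented above.

```python
import json
import re
from datetime import datetime, timezone

# Fields that carry credential material in the managed-secret formats above.
SENSITIVE_KEYS = {"AccountPassword", "AccessKeySecret", "Password", "PrivateKey"}
MANAGED_TYPES = {"Rds", "RAMCredentials", "ECS"}

def inspect_response(raw, now):
    """Return (secret, log_safe_summary, warnings) for a GetSecretValue JSON body."""
    resp = json.loads(raw)
    warnings = []
    secret = resp["SecretData"]
    if resp["SecretType"] in MANAGED_TYPES:
        secret = json.loads(secret)  # managed secrets carry a JSON object
    if "ACSCurrent" not in resp.get("VersionStages", {}).get("VersionStage", []):
        warnings.append("version is not marked ACSCurrent")
    rotation = resp.get("AutomaticRotation")
    if rotation == "Invalid":
        warnings.append("automatic rotation is in an abnormal state")
    if rotation == "Enabled" and "NextRotationDate" in resp:
        due = datetime.strptime(resp["NextRotationDate"], "%Y-%m-%dT%H:%M:%SZ")
        if due.replace(tzinfo=timezone.utc) < now:
            warnings.append("NextRotationDate has passed")
    # Summary for logs: response metadata only, never the SecretData plaintext.
    summary = {k: v for k, v in resp.items() if k != "SecretData"}
    if isinstance(secret, dict):
        summary["SecretFields"] = {
            k: "<redacted>" if k in SENSITIVE_KEYS else v for k, v in secret.items()}
    if "RotationInterval" in resp:
        # RotationInterval is integer[unit] with the unit fixed to s, e.g. 604800s.
        m = re.fullmatch(r"(\d+)s", resp["RotationInterval"])
        if not m:
            raise ValueError("unexpected RotationInterval format")
        summary["RotationIntervalSeconds"] = int(m.group(1))
    return secret, summary, warnings

# Constructed sample: a managed RAM secret response assembled from the fields above.
SAMPLE = json.dumps({
    "SecretName": "secret001", "SecretType": "RAMCredentials",
    "SecretData": json.dumps({"AccessKeyId": "Adfdsfd", "AccessKeySecret": "fdsfdsf",
                              "GenerateTimestamp": "2016-03-25T10:42:40Z"}),
    "VersionStages": {"VersionStage": ["ACSPrevious"]},
    "AutomaticRotation": "Enabled", "RotationInterval": "604800s",
    "NextRotationDate": "2020-07-06T18:22:03Z"})

if __name__ == "__main__":
    _, summary, warnings = inspect_response(SAMPLE, datetime.now(timezone.utc))
    print(json.dumps(summary, indent=2), warnings)
```

Only the summary should reach application logs; the first return value holds the plaintext and should stay in memory for as short a time as the caller needs it.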

Error codes

For a list of error codes, visit the API Error Center.