All Products
Search

This Product

    Key Management Service:GetSecretValue

    Document Center

    Key Management Service:GetSecretValue

    Last Updated:Dec 18, 2023

    Queries a secret value.

    If you do not specify the version number or version status, KMS returns the secret value of the ACSCurrent version.

    If the secret value is encrypted by using a key, you must have the kms:Decrypt permission on the key.

    In this example, the value of the secret named secret001 is obtained. The testdata1 secret value is returned in the SecretData parameter.

    Debugging

    OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

    Request parameters

    Parameter

    Type

    Required

    Example

    Description

    Action

    String

    Yes

    GetSecretValue

    The operation that you want to perform. Set the value to GetSecretValue.

    SecretName

    String

    Yes

    secret001

    The secret name.

    VersionStage

    String

    No

    ACSCurrent

    The stage label that marks the secret version. If the parameter is specified, KMS returns the secret value of the specified version.

    Default value: ACSCurrent.

    Note

    You can only query secret values of the ACSPrevious and ACSCurrent versions for Resource Access Management (RAM) secrets, ApsaraDB RDS secrets, and Elastic Compute Service (ECS) secrets.

    VersionId

    String

    No

    00000000000000000000000000000001

    The version ID. If the parameter is specified, KMS returns the secret value with the specified version ID.

    Note

    You cannot specify VersionId for ApsaraDB RDS, RAM, or ECS secrets. If you set VersionId, the parameter is ignored.

    FetchExtendedConfig

    Boolean

    No

    true

    Specifies whether to obtain the extended configuration of the secret. Valid values:

    • true

    • false (default)

    Note

    The parameter is ignored for a generic secret.

    For more information about common request parameters, see Common parameters.

    Response parameters

    Parameter

    Type

    Example

    Description

    SecretDataType

    String

    binary

    The type of the secret value. Valid values:

    • text

    • binary

    CreateTime

    String

    2023-02-21T15:39:26Z

    The time when the secret was created.

    VersionId

    String

    00000000000000000000000000000001

    The version ID of the secret value.

    NextRotationDate

    String

    2023-07-06T18:22:03Z

    The time when the next rotation will be performed.

    Note

    This parameter is returned if automatic rotation is enabled.

    SecretData

    String

    testdata1

    The secret value. The parameter is returned after KMS decrypts the stored secret value ciphertext.

    • For a generic secret, the specified secret value is returned.

    • For an ApsaraDB RDS secret, the secret value is returned in the following format:{"AccountName":"","AccountPassword":""}.

    • For a RAM secret, the secret value is returned in the following format: {"AccessKeyId":"Adfdsfd","AccessKeySecret":"fdsfdsf","GenerateTimestamp": "2023-03-25T10:42:40Z"}.

    • For an ECS secret, the secret value is returned in the following format:

      • Password: {"UserName":"ecs-user","Password":"H5asdasdsads****"}

      • Public-private key pair: (private key in the PEM format): {"UserName":"ecs-user","PublicKey":"ssh-rsa ****mKwnVix9YTFY9Rs= imported-openssh-key","PrivateKey": "d6bee1cb-2e14-4277-ba6b-73786b21****"}

    RotationInterval

    String

    604800s

    The interval for automatic rotation.

    The value is in the integer[unit] format. integer indicates the length of time. unit: indicates the time unit. The unit field has a fixed value of s. For example, if the value is 604800s, automatic rotation is performed at a 7-day interval.

    Note

    The parameter is returned if automatic key rotation is enabled.

    ExtendedConfig

    String

    {\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\", \"CustomData\":{} }

    The extended configuration of the secret.

    Note

    If FetchExtendedConfig is set to true, the parameter is returned only for ApsaraDB RDS secrets, RAM secrets, and ECS secrets.

    LastRotationDate

    String

    2023-07-05T08:22:03Z

    The time when the last rotation was performed.

    Note

    The parameter is returned if the secret was rotated.

    RequestId

    String

    6a3e9c36-1150-4881-84d3-eb8672fcafad

    The ID of the request, which is used to locate and troubleshoot issues.

    SecretName

    String

    secret001

    The secret name.

    AutomaticRotation

    String

    Enabled

    Specifies whether to enable automatic rotation. Valid values:

    • Enabled: indicates that automatic rotation is enabled.

    • Disabled: indicates that automatic rotation is disabled.

    • Invalid: indicates that the status of automatic rotation is abnormal. In this case, Secrets Manager cannot automatically rotate the secret.

    Note

    The parameter is returned only for ApsaraDB RDS secrets, RAM secrets, or ECS secrets.

    SecretType

    String

    Generic

    The type of the secret. Valid values:

    • Generic: generic secret

    • Generic: ApsaraDB RDS secret

    • RAMCredentials: RAM secret

    • ECS: ECS secret

    VersionStages

    Array of String

    { "VersionStage": [ "ACSCurrent" ] }

    The stage labels that mark the secret version.

    Examples

    Sample requests

    http(s)://[Endpoint]/?Action=GetSecretValue
&SecretName=secret001
&VersionStage=ACSCurrent
&VersionId=00000000000000000000000000000001
&FetchExtendedConfig=true
&<Common request parameters>

    Sample success responses

    XML format

    HTTP/1.1 200 OK
Content-Type:application/xml

<GetSecretValueResponse>
    <SecretDataType>binary</SecretDataType>
    <CreateTime>2023-02-21T15:39:26Z</CreateTime>
    <VersionId>00000000000000000000000000000001</VersionId>
    <NextRotationDate>2023-07-06T18:22:03Z</NextRotationDate>
    <SecretData>testdata1</SecretData>
    <RotationInterval>604800s</RotationInterval>
    <ExtendedConfig>{\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\",  \"CustomData\":{} }</ExtendedConfig>
    <LastRotationDate>2023-07-05T08:22:03Z</LastRotationDate>
    <RequestId>6a3e9c36-1150-4881-84d3-eb8672fcafad</RequestId>
    <SecretName>secret001</SecretName>
    <AutomaticRotation>Enabled</AutomaticRotation>
    <SecretType>Generic</SecretType>
    <VersionStages>{ "VersionStage": [ 	"ACSCurrent" 	] }</VersionStages>
</GetSecretValueResponse>

    JSON format

    HTTP/1.1 200 OK
Content-Type:application/json

{
  "SecretDataType" : "binary",
  "CreateTime" : "2023-02-21T15:39:26Z",
  "VersionId" : "00000000000000000000000000000001",
  "NextRotationDate" : "2023-07-06T18:22:03Z",
  "SecretData" : "testdata1",
  "RotationInterval" : "604800s",
  "ExtendedConfig" : "{\\\"SecretSubType\\\":\\\"SingleUser\\\", \\\"DBInstanceId\\\":\\\"rm-uf667446pc955****\\\",  \\\"CustomData\\\":{} }",
  "LastRotationDate" : "2023-07-05T08:22:03Z",
  "RequestId" : "6a3e9c36-1150-4881-84d3-eb8672fcafad",
  "SecretName" : "secret001",
  "AutomaticRotation" : "Enabled",
  "SecretType" : "Generic",
  "VersionStages" : [ "{ \"VersionStage\": [ \t\"ACSCurrent\" \t] }" ]
}

    Error codes

    HTTP status code

    Error code

    Error message

    Description

    403

    Forbidden.DKMSInstanceStateInvalid

    The DKMS instance state is invalid.

    Your dedicated KMS instance is invalid.

    403

    Forbidden.DKMSInstanceNotFound

    The specified DKMS Instance is not found.

    Your dedicated KMS instance is not found.

    404

    Forbidden.KeyNotFound

    The specified Key is not found.

    The specified key does not exist.

    404

    Forbidden.ResourceNotFound

    Resource not found.

    The resource is not found.

    For a list of error codes, see Service error codes.