Queries a secret value.
If you do not specify the version number or version status, KMS returns the secret value of the ACSCurrent version.
If the secret value is encrypted by using a key, you must have the kms:Decrypt
permission on the key.
In this example, the value of the secret named secret001
is obtained. The testdata1
secret value is returned in the SecretData
parameter.
Debugging
Request parameters
Parameter | Type | Required | Example | Description |
Action | String | Yes | GetSecretValue | The operation that you want to perform. Set the value to GetSecretValue. |
SecretName | String | Yes | secret001 | The secret name. |
VersionStage | String | No | ACSCurrent | The stage label that marks the secret version. If the parameter is specified, KMS returns the secret value of the specified version. Default value: ACSCurrent. Note You can only query secret values of the ACSPrevious and ACSCurrent versions for Resource Access Management (RAM) secrets, ApsaraDB RDS secrets, and Elastic Compute Service (ECS) secrets. |
VersionId | String | No | 00000000000000000000000000000001 | The version ID. If the parameter is specified, KMS returns the secret value with the specified version ID. Note You cannot specify VersionId for ApsaraDB RDS, RAM, or ECS secrets. If you set VersionId, the parameter is ignored. |
FetchExtendedConfig | Boolean | No | true | Specifies whether to obtain the extended configuration of the secret. Valid values:
Note The parameter is ignored for a generic secret. |
For more information about common request parameters, see Common parameters.
Response parameters
Parameter | Type | Example | Description |
SecretDataType | String | binary | The type of the secret value. Valid values:
|
CreateTime | String | 2023-02-21T15:39:26Z | The time when the secret was created. |
VersionId | String | 00000000000000000000000000000001 | The version ID of the secret value. |
NextRotationDate | String | 2023-07-06T18:22:03Z | The time when the next rotation will be performed. Note This parameter is returned if automatic rotation is enabled. |
SecretData | String | testdata1 | The secret value. The parameter is returned after KMS decrypts the stored secret value ciphertext.
|
RotationInterval | String | 604800s | The interval for automatic rotation. The value is in the Note The parameter is returned if automatic key rotation is enabled. |
ExtendedConfig | String | {\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\", \"CustomData\":{} } | The extended configuration of the secret. Note If FetchExtendedConfig is set to true, the parameter is returned only for ApsaraDB RDS secrets, RAM secrets, and ECS secrets. |
LastRotationDate | String | 2023-07-05T08:22:03Z | The time when the last rotation was performed. Note The parameter is returned if the secret was rotated. |
RequestId | String | 6a3e9c36-1150-4881-84d3-eb8672fcafad | The ID of the request, which is used to locate and troubleshoot issues. |
SecretName | String | secret001 | The secret name. |
AutomaticRotation | String | Enabled | Specifies whether to enable automatic rotation. Valid values:
Note The parameter is returned only for ApsaraDB RDS secrets, RAM secrets, or ECS secrets. |
SecretType | String | Generic | The type of the secret. Valid values:
|
VersionStages | Array of String | { "VersionStage": [ "ACSCurrent" ] } | The stage labels that mark the secret version. |
Examples
Sample requests
http(s)://[Endpoint]/?Action=GetSecretValue
&SecretName=secret001
&VersionStage=ACSCurrent
&VersionId=00000000000000000000000000000001
&FetchExtendedConfig=true
&<Common request parameters>
Sample success responses
XML
format
HTTP/1.1 200 OK
Content-Type:application/xml
<GetSecretValueResponse>
<SecretDataType>binary</SecretDataType>
<CreateTime>2023-02-21T15:39:26Z</CreateTime>
<VersionId>00000000000000000000000000000001</VersionId>
<NextRotationDate>2023-07-06T18:22:03Z</NextRotationDate>
<SecretData>testdata1</SecretData>
<RotationInterval>604800s</RotationInterval>
<ExtendedConfig>{\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\", \"CustomData\":{} }</ExtendedConfig>
<LastRotationDate>2023-07-05T08:22:03Z</LastRotationDate>
<RequestId>6a3e9c36-1150-4881-84d3-eb8672fcafad</RequestId>
<SecretName>secret001</SecretName>
<AutomaticRotation>Enabled</AutomaticRotation>
<SecretType>Generic</SecretType>
<VersionStages>{ "VersionStage": [ "ACSCurrent" ] }</VersionStages>
</GetSecretValueResponse>
JSON
format
HTTP/1.1 200 OK
Content-Type:application/json
{
"SecretDataType" : "binary",
"CreateTime" : "2023-02-21T15:39:26Z",
"VersionId" : "00000000000000000000000000000001",
"NextRotationDate" : "2023-07-06T18:22:03Z",
"SecretData" : "testdata1",
"RotationInterval" : "604800s",
"ExtendedConfig" : "{\\\"SecretSubType\\\":\\\"SingleUser\\\", \\\"DBInstanceId\\\":\\\"rm-uf667446pc955****\\\", \\\"CustomData\\\":{} }",
"LastRotationDate" : "2023-07-05T08:22:03Z",
"RequestId" : "6a3e9c36-1150-4881-84d3-eb8672fcafad",
"SecretName" : "secret001",
"AutomaticRotation" : "Enabled",
"SecretType" : "Generic",
"VersionStages" : [ "{ \"VersionStage\": [ \t\"ACSCurrent\" \t] }" ]
}
Error codes
HTTP status code | Error code | Error message | Description |
403 | Forbidden.DKMSInstanceStateInvalid | The DKMS instance state is invalid. | Your dedicated KMS instance is invalid. |
403 | Forbidden.DKMSInstanceNotFound | The specified DKMS Instance is not found. | Your dedicated KMS instance is not found. |
404 | Forbidden.KeyNotFound | The specified Key is not found. | The specified key does not exist. |
404 | Forbidden.ResourceNotFound | Resource not found. | The resource is not found. |
For a list of error codes, see Service error codes.