CreateSecret - API Reference| Alibaba Cloud Documentation Center

You must specify the secret name, the secret value stored in the initial version, and the version number. The initial version is marked with ACSCurrent.

You can specify a symmetric customer master key (CMK) as the encryption key to encrypt the secret value. If you do not specify an encryption key, Secrets Manager creates a CMK to encrypt the secret value. This CMK is used as the default encryption key for all the secrets that are created by your Alibaba Cloud account in the current region. Secrets Manager encrypts only the secret value of each version. Secrets Manager does not encrypt the metadata such as the secret name, version number, or state label.

To use a specified CMK to encrypt the secret value, you must have the kms:GenerateDataKey permission on the CMK.

In this example, a generic secret whose name is mydbconninfo is created. The initial version number of the secret is specified in the VersionId parameter, and the value is v1. The secret value is specified in the SecretData parameter, and the value is {"user":"root","passwd":"****"}.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters


Parameter	Type	Required	Example	Description
Action	String	Yes	CreateSecret	The operation that you want to perform. Set the value to CreateSecret.
SecretData	String	Yes	null	The value of the secret to be created. Secrets Manager encrypts the secret value and stores the encrypted value in the initial version. If you set the SecretType parameter to Generic that indicates a generic secret, you can customize the secret value. If you set the SecretType parameter to Rds that indicates a managed ApsaraDB RDS secret, the secret value must be in the format of `{"Accounts":[{"AccountName":"","AccountPassword":""}]}`. In the preceding format, `AccountName` indicates the username of the account that is used to connect to your ApsaraDB RDS instance, and `AccountPassword` indicates the password of the account. If you set the SecretType parameter to RAMCredentials that indicates a managed RAM secret, the secret value must be in the format of `{"AccessKeys":[{"AccessKeyId":"","AccessKeySecret":"",}]}`. In the preceding format, `AccessKeyId` indicates the AccessKey ID of the RAM user and `AccessKeySecret` indicates the AccessKey secret of the RAM user. You must specify all the AccessKey pairs of the RAM user. If you set the SecretType parameter to ECS that indicates a managed ECS secret, the secret value must be in one of the following formats: `{"UserName":"","Password": ""}`: In the format, `UserName` indicates the username that is used to log on to the ECS instance, and `Password` indicates the password that is used to log on to the ECS instance. `{"UserName":"","PublicKey": "", "PrivateKey": ""}`: In the format, `PublicKey` indicates the SSH public key that is used to log on to the ECS instance, and `PrivateKey` indicates the SSH private key that is used to log on to the ECS instance.
SecretName	String	Yes	mydbconninfo	The name of the secret. The name must be 1 to 64 characters in length and can contain letters, digits, and the following special characters: `_/+=.@-`. The following list describes the name requirements for different types of secrets: If the SecretType parameter is set to Generic or Rds, the name cannot start with `acs/`. If the SecretType parameter is set to RAMCredentials, the value of the SecretName parameter is fixed as `$Auto`. In this case, KMS automatically generates a secret name that starts with `acs/ram/user/`. The name includes the display name of RAM user. If the SecretType parameter is set to ECS, the name must start with `acs/ecs/`.
VersionId	String	Yes	v1	The initial version number. Version numbers are unique in each secret object.
EncryptionKeyId	String	No	00aa68af-2c02-4f68-95fe-3435d330****	The ID of the CMK that is used to encrypt the secret value. If you do not specify this parameter, Secrets Manager automatically creates a CMK to encrypt the secret value. Note The CMK must be a symmetric key.
SecretDataType	String	No	text	The type of the secret value. Valid values: text binary Note If you set the SecretType parameter to Rds, RAMCredentials, or ECS, the SecretDataType parameter must be set to text.
Description	String	No	mydbinfo	The description of the secret.
Tags	String	No	[{\"TagKey\":\"key1\",\"TagValue\":\"val1\"},{\"TagKey\":\"key2\",\"TagValue\":\"val2\"}]	The tags of the secret.
SecretType	String	No	Rds	The type of the secret. Valid values: Generic: indicates a generic secret. Rds: indicates a managed ApsaraDB RDS secret. RAMCredentials: indicates a managed RAM secret. ECS: indicates a managed ECS secret.
ExtendedConfig	Json	No	null	The extended configuration of the secret. This parameter specifies the properties of the secret of the specific type. The description can be up to 1,024 characters in length. If you set the SecretType parameter to Generic, you do not need to specify this parameter. If you set the SecretType parameter to Rds, you must specify the following fields in the ExtendedConfig parameter: SecretSubType: required. The subtype of the secret. Valid values: SingleUser: Secrets Manager manages the ApsaraDB RDS secret in single-account mode. When the secret is rotated, the password of the specified account is reset to a new random password. DoubleUsers: Secrets Manager manages the ApsaraDB RDS secret in dual-account mode. One account is referenced by the ACSCurrent version, and the other account is referenced by the ACSPrevious version. When the secret is rotated, the password of the account referenced by the ACSPrevious version is reset to a new random password. Then, Secrets Manager switches the referenced accounts between the ACSCurrent and ACSPrevious versions. DBInstanceId: required. The ApsaraDB RDS instance to which the ApsaraDB RDS account belongs. CustomData: optional. The custom data. The value is a collection of key-value pairs in the JSON format. A maximum of 10 key-value pairs can be specified. Separate multiple key-value pairs with commas (,). Example: `{"Key1": "v1", "fds":"fdsf"}`. The default value is a pair of empty braces (`{}`). If you set the SecretType parameter to RAMCredentials, you must specify the following fields in the ExtendedConfig parameter: SecretSubType: required. The subtype of the secret. Set the value to RamUserAccessKey. UserName: required. The name of the RAM user. CustomData: optional. The custom data. The value is a collection of key-value pairs in the JSON format. A maximum of 10 key-value pairs can be specified. Separate multiple key-value pairs with commas (,). The default value is a pair of empty braces (`{}`). If you set the SecretType parameter to ECS, you must specify the following fields in the ExtendedConfig parameter: SecretSubType: required. The subtype of the secret. Valid values: Password: the password that is used to log on to the ECS instance. SSHKey: the SSH public and private keys that are used to log on to the ECS instance. RegionId: required. The ID of the region in which the ECS instance resides. InstanceId: required. The ID of the ECS instance. CustomData: optional. The custom data. The value is a collection of key-value pairs in the JSON format. A maximum of 10 key-value pairs can be specified. Separate multiple key-value pairs with commas (,). The default value is a pair of empty braces (`{}`). Note This parameter is required if you set the SecretType parameter to Rds, RAMCredentials, or ECS.
EnableAutomaticRotation	Boolean	No	true	Specifies whether to enable automatic rotation. Valid values: true: indicates that automatic rotation is enabled. false: indicates that automatic rotation is disabled. This is the default value. Note This parameter is valid if you set the SecretType parameter to Rds, RAMCredentials, or ECS.
RotationInterval	String	No	30d	The interval for automatic rotation. Valid values: 6 hours to 8,760 hours (365 days). The value is in the `integer[unit]` format. The unit can be d (day), h (hour), m (minute), or s (second). For example, both 7d and 604800s indicate a seven-day interval. Note This parameter is required if you set the EnableAutomaticRotation parameter to true. This parameter is ignored if you set the EnableAutomaticRotation parameter to false or does not specify the EnableAutomaticRotation parameter.

For more information about common request parameters, see Common parameters.

Response parameters


Parameter	Type	Example	Description
Arn	String	acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo	The Alibaba Cloud Resource Name (ARN) of the secret.
AutomaticRotation	String	Enabled	Indicates whether automatic rotation is enabled. Valid values: Enabled: indicates that automatic rotation is enabled. Disabled: indicates that automatic rotation is disabled. Invalid: indicates that the status of automatic rotation is abnormal. In this case, Secrets Manager cannot automatically rotate the secret. Note This parameter is returned if you set the SecretType parameter to Rds, RAMCredentials, or ECS.
ExtendedConfig	String	{\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\", \"CustomData\":{} }	The extended configuration of the secret. Note This parameter is returned if you set the SecretType parameter to Rds, RAMCredentials, or ECS.
NextRotationDate	String	2020-07-06T18:22:03Z	The time when the next rotation will be performed. Note This parameter is returned if automatic rotation is enabled.
RequestId	String	3bf02f7a-015b-4f93-be0f-cc043fda2dd3	The ID of the request.
RotationInterval	String	604800s	The interval for automatic rotation. The value is in the `integer[unit]` format. The `unit` field has a fixed value of s. For example, if the value is 604800s, automatic rotation is performed at a 7-day interval. Note This parameter is returned if automatic rotation is enabled.
SecretName	String	mydbconninfo	The name of the secret.
SecretType	String	Rds	The type of the secret. Valid values: Generic: indicates a generic secret. Rds: indicates a managed ApsaraDB RDS secret. RAMCredentials: indicates a managed RAM secret. ECS: indicates a managed ECS secret.
VersionId	String	v1	The version number of the secret.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreateSecret
&SecretData={"user":"root","passwd":"****"}
&SecretName=mydbconninfo
&VersionId=v1
&<Common request parameters>

Sample success responses

XML format

<KMS>
      <Arn>acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo</Arn>
      <SecretName>mydbconninfo</SecretName>
      <VersionId>v1</VersionId>
      <RequestId>3bf02f7a-015b-4f93-be0f-cc043fda2dd3</RequestId>
      <SecretType>Generic</SecretType>
 </KMS>

JSON format

{
    "Arn": "acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo",
    "SecretName": "mydbconninfo",
    "VersionId": "v1",
    "RequestId": "3bf02f7a-015b-4f93-be0f-cc043fda2dd3",
    "SecretType": "Generic"
}

Error codes


HttpCode	Error code	Error message	Description
400	InvalidParameter	The specified parameter is invalid.	The error message returned because the format of the specified parameter is invalid.
400	Rejected.LimitExceeded	The secret quota is exceeded.	The error message returned because the secret quota is used up.
403	Forbidden.NoPermission	You are not authorized to perform the operation.	The error message returned because you are not authorized to perform the operation.
404	Forbidden.ResourceNotFound	The resource is not found.	The error message returned because the specified resource does not exist.
409	Rejected.ResourceExist	The resource already exists.	The error message returned because the specified resource already exists.
409	Rejected.ResourceInDeleteWindow	The secret is planned to be deleted.	The error message returned because the secret is to be deleted.
500	InternalFailure	An internal error occurred.	The error message returned because an internal error occurred.
429	Rejected.Throttling	The QPS upper limit is exceeded.	The error message returned because the queries per second (QPS) has reached the upper limit.

For a list of error codes, visit the API Error Center.