Creates a secret and stores its initial version.
You must specify the secret name, the secret value stored in the initial version, and the version number. The initial version is marked with ACSCurrent.
You can specify a symmetric customer master key (CMK) as the encryption key to encrypt the secret value. If you do not specify an encryption key, Secrets Manager creates a CMK to encrypt the secret value. This CMK is used as the default encryption key for all the secrets that are created by your Alibaba Cloud account in the current region. Secrets Manager encrypts only the secret value of each version. Secrets Manager does not encrypt the metadata such as the secret name, version number, or state label.
To use a specified CMK to encrypt the secret value, you must have the kms:GenerateDataKey permission on the CMK.
In this example, a generic secret whose name is mydbconninfo is created. The initial version number of the secret is specified in the VersionId parameter, and the value is v1. The secret value is specified in the SecretData parameter, and the value is {"user":"root","passwd":"****"}.
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | CreateSecret | The operation that you want to perform. Set the value to CreateSecret. |
SecretData | String | Yes | null | The value of the secret to be created. Secrets Manager encrypts the secret value and stores the encrypted value in the initial version. |
SecretName | String | Yes | mydbconninfo | The name of the secret. The name must be 1 to 64 characters in length and can contain letters, digits, and the following special characters: |
VersionId | String | Yes | v1 | The initial version number. Version numbers are unique in each secret object. |
EncryptionKeyId | String | No | 00aa68af-2c02-4f68-95fe-3435d330**** | The ID of the CMK that is used to encrypt the secret value. If you do not specify this parameter, Secrets Manager automatically creates a CMK to encrypt the secret value. Note: The CMK must be a symmetric key. |
SecretDataType | String | No | text | The type of the secret value. Valid values: Note: If you set the SecretType parameter to Rds, RAMCredentials, or ECS, the SecretDataType parameter must be set to text. |
Description | String | No | mydbinfo | The description of the secret. |
Tags | String | No | [{\"TagKey\":\"key1\",\"TagValue\":\"val1\"},{\"TagKey\":\"key2\",\"TagValue\":\"val2\"}] | The tags of the secret. |
SecretType | String | No | Rds | The type of the secret. Valid values: |
ExtendedConfig | Json | No | null | The extended configuration of the secret. This parameter specifies the properties of the secret of the specific type. The description can be up to 1,024 characters in length. Note: This parameter is required if you set the SecretType parameter to Rds, RAMCredentials, or ECS. |
EnableAutomaticRotation | Boolean | No | true | Specifies whether to enable automatic rotation. Valid values: Note: This parameter is valid only if you set the SecretType parameter to Rds, RAMCredentials, or ECS. |
RotationInterval | String | No | 30d | The interval for automatic rotation. Valid values: 6 hours to 8,760 hours (365 days). The value consists of an integer followed by a unit. The unit can be d (day), h (hour), m (minute), or s (second). For example, both 7d and 604800s indicate a seven-day interval. Note: This parameter is required if you set the EnableAutomaticRotation parameter to true. It is ignored if you set EnableAutomaticRotation to false or do not specify EnableAutomaticRotation. |
For more information about common request parameters, see Common parameters.
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
Arn | String | acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo | The Alibaba Cloud Resource Name (ARN) of the secret. |
AutomaticRotation | String | Enabled | Indicates whether automatic rotation is enabled. Valid values: Note: This parameter is returned only if you set the SecretType parameter to Rds, RAMCredentials, or ECS. |
ExtendedConfig | String | {\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\", \"CustomData\":{} } | The extended configuration of the secret. Note: This parameter is returned only if you set the SecretType parameter to Rds, RAMCredentials, or ECS. |
NextRotationDate | String | 2020-07-06T18:22:03Z | The time when the next rotation will be performed. Note: This parameter is returned only if automatic rotation is enabled. |
RequestId | String | 3bf02f7a-015b-4f93-be0f-cc043fda2dd3 | The ID of the request. |
RotationInterval | String | 604800s | The interval for automatic rotation. The value consists of an integer followed by a unit, as in 604800s. Note: This parameter is returned only if automatic rotation is enabled. |
SecretName | String | mydbconninfo | The name of the secret. |
SecretType | String | Rds | The type of the secret. Valid values: |
VersionId | String | v1 | The version number of the secret. |
Examples
Sample requests
```
http(s)://[Endpoint]/?Action=CreateSecret
&SecretData={"user":"root","passwd":"****"}
&SecretName=mydbconninfo
&VersionId=v1
&<Common request parameters>
```
Sample success responses
XML format

```xml
<KMS>
<Arn>acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo</Arn>
<SecretName>mydbconninfo</SecretName>
<VersionId>v1</VersionId>
<RequestId>3bf02f7a-015b-4f93-be0f-cc043fda2dd3</RequestId>
<SecretType>Generic</SecretType>
</KMS>
```
JSON format

```json
{
"Arn": "acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo",
"SecretName": "mydbconninfo",
"VersionId": "v1",
"RequestId": "3bf02f7a-015b-4f93-be0f-cc043fda2dd3",
"SecretType": "Generic"
}
```
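As an added example, not code from the Alibaba Cloud documentation or SDK, the following Python helper assembles the CreateSecret parameters described above and applies the parameter table's constraints (SecretName length, the ExtendedConfig and SecretDataType rules for Rds, RAMCredentials and ECS secrets, and the RotationInterval range and unit format) before anything is sent; it also parses the JSON success response shown above. Common request parameters and request signing are assumed to be added by an SDK and are omitted here.

```python
import json
import re

# Secret types for which the table requires ExtendedConfig and SecretDataType=text.
MANAGED_TYPES = {"Rds", "RAMCredentials", "ECS"}
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def rotation_interval_seconds(interval):
    """Parse a RotationInterval such as "7d" or "604800s" and enforce the 6h..8760h range."""
    m = re.fullmatch(r"(\d+)([dhms])", interval)
    if not m:
        raise ValueError("RotationInterval must be an integer followed by d, h, m or s")
    seconds = int(m.group(1)) * UNIT_SECONDS[m.group(2)]
    if not 6 * 3600 <= seconds <= 8760 * 3600:
        raise ValueError("RotationInterval must be between 6 hours and 8,760 hours")
    return seconds

def build_create_secret_params(secret_name, secret_data, version_id, encryption_key_id=None,
                               secret_type=None, extended_config=None, enable_rotation=False,
                               rotation_interval=None, secret_data_type="text", description=None):
    """Return the CreateSecret query parameters; the signature and other common parameters
    are not included (an SDK adds them). Raises ValueError on any documented constraint."""
    if not 1 <= len(secret_name) <= 64:
        raise ValueError("SecretName must be 1 to 64 characters")
    params = {"Action": "CreateSecret", "SecretName": secret_name, "SecretData": secret_data,
              "VersionId": version_id, "SecretDataType": secret_data_type}
    if encryption_key_id:  # caller needs kms:GenerateDataKey on this symmetric CMK
        params["EncryptionKeyId"] = encryption_key_id
    if description:
        params["Description"] = description
    if secret_type:
        params["SecretType"] = secret_type
        if secret_type in MANAGED_TYPES:
            if extended_config is None:
                raise ValueError("ExtendedConfig is required for SecretType " + secret_type)
            if secret_data_type != "text":
                raise ValueError("SecretDataType must be text for SecretType " + secret_type)
            params["ExtendedConfig"] = json.dumps(extended_config, separators=(",", ":"))
    if enable_rotation:
        if rotation_interval is None:
            raise ValueError("RotationInterval is required when EnableAutomaticRotation is true")
        rotation_interval_seconds(rotation_interval)  # validates range and unit
        params["EnableAutomaticRotation"] = "true"
        params["RotationInterval"] = rotation_interval
    return params

def parse_create_secret_response(body):
    """Pull the fields a caller acts on out of a JSON CreateSecret success response."""
    doc = json.loads(body)
    return {"Arn": doc["Arn"], "SecretName": doc["SecretName"],
            "VersionId": doc["VersionId"], "SecretType": doc.get("SecretType")}
```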
Error codes
HttpCode | Error code | Error message | Description |
---|---|---|---|
400 | InvalidParameter | The specified parameter is invalid. | The error message returned because the format of the specified parameter is invalid. |
400 | Rejected.LimitExceeded | The secret quota is exceeded. | The error message returned because the secret quota is used up. |
403 | Forbidden.NoPermission | You are not authorized to perform the operation. | The error message returned because you are not authorized to perform the operation. |
404 | Forbidden.ResourceNotFound | The resource is not found. | The error message returned because the specified resource does not exist. |
409 | Rejected.ResourceExist | The resource already exists. | The error message returned because the specified resource already exists. |
409 | Rejected.ResourceInDeleteWindow | The secret is planned to be deleted. | The error message returned because the secret is to be deleted. |
500 | InternalFailure | An internal error occurred. | The error message returned because an internal error occurred. |
429 | Rejected.Throttling | The QPS upper limit is exceeded. | The error message returned because the queries per second (QPS) has reached the upper limit. |
For a list of error codes, visit the API Error Center.