CreateSecret - Key Management Service - Alibaba Cloud Documentation Center

Creates a secret and stores its initial version.

Operation description

For information about the access policy required for a Resource Access Management (RAM) user or RAM role to call this operation, see Resource Access Management.
Specify the secret name, the secret value for the initial version, and the version number. The initial version is marked with the ACSCurrent stage label.
Key Management Service (KMS) uses the key that you specify to encrypt the secret value. The key and the secret must be in the same KMS instance. The key must be a symmetric key.

Note
KMS encrypts the secret value of each version. Metadata such as the secret name, version number, and version stage labels are not encrypted.
Before you encrypt the secret value, you must have the kms:GenerateDataKey permission on the key.

This topic provides an example of how to create an RDS secret. The secret is named mydbconninfo. The VersionId of the initial version is v1. The SecretData is {"Accounts":[{"AccountName":"user1","AccountPassword":"****"}]}.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Parameter	Type	Required	Description	Example
SecretName	string	Yes	The name of the secret. The name must be unique in the same region. The name can be up to 192 characters in length and can contain letters, digits, underscores (_), forward slashes (/), plus signs (+), equal signs (=), periods (.), hyphens (-), and at signs (@). The following limits apply to secret names for different types of secrets: If SecretType is set to Generic, Rds, or Redis, the name cannot start with `acs/`. If SecretType is set to RAMCredentials, set this parameter to the fixed value `$Auto`. In this case, KMS automatically generates a secret name that starts with `acs/ram/user/` and contains the display name of the RAM user. If SecretType is set to ECS, the name must start with `acs/ecs/`.	mydbconninfo
VersionId	string	Yes	The version number of the initial version. The version number must be unique within the secret. The version number can be up to 64 characters in length.	v1
EncryptionKeyId	string	No	The ID of the key used to encrypt the secret value. Note The key and the secret must be in the same KMS instance. The key must be a symmetric key.	key-gzz63ff0db5hg3qje****
SecretData	string	Yes	The value of the secret. The value can be up to 30,720 bytes (30 KB) in length. KMS encrypts the secret value with the specified key and stores the encrypted value in the initial version. If SecretType is set to Generic, you can specify a custom secret value. If SecretType is set to Rds, the secret value must be in the following format: `{"Accounts":[{"AccountName":"","AccountPassword":""}]}`. In the format, `AccountName` specifies the username of the account for the RDS instance and `AccountPassword` specifies the password of the account. If SecretType is set to Redis, set this parameter to `$Auto`. If SecretType is set to RAMCredentials, the secret value must be in the following format: `{"AccessKeys":[{"AccessKeyId":"","AccessKeySecret":""}]}`. In the format, `AccessKeyId` specifies the AccessKey ID and `AccessKeySecret` specifies the AccessKey secret. You must specify all AccessKey pairs of the RAM user. If SecretType is set to PolarDB, set this parameter to `$Auto`. If SecretType is set to ECS, the secret value must be in one of the following formats: If SecretSubType in the ExtendedConfig parameter is set to Password: `{"UserName":"","Password": ""}`. In the format, `UserName` specifies the username used to log on to the ECS instance and `Password` specifies the password used to log on to the ECS instance. If SecretSubType in the ExtendedConfig parameter is set to SSHKey: `{"UserName":"","PublicKey": "", "PrivateKey": ""}`. In the format, `PublicKey` specifies the SSH-formatted public key used to log on to the ECS instance and `PrivateKey` specifies the private key used to log on to the ECS instance.	{"Accounts":[{"AccountName":"user1","AccountPassword":"****"}]}
SecretDataType	string	No	The type of the secret value. Valid values: text (default): The secret value is a text string. binary: The secret value is a binary string. Note If SecretType is set to Rds, Redis, PolarDB, RAMCredentials, or ECS, SecretDataType must be set to text.	text
Description	string	No	The description of the secret.	mydbinfo
Tags	string	No	The tags of the secret. Each tag consists of a key-value pair. A tag consists of a tag key and a tag value. The tag key and tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@). The tag key cannot start with aliyun or acs:. You can specify up to 20 key-value pairs for each secret.	[{\"TagKey\":\"key1\",\"TagValue\":\"val1\"},{\"TagKey\":\"key2\",\"TagValue\":\"val2\"}]
SecretType	string	No	The type of the secret. Valid values: Generic (default): a generic secret. Rds: an RDS secret. Redis: a Redis secret. RAMCredentials: a RAM secret. ECS: an ECS secret. PolarDB: a PolarDB secret.	Rds
ExtendedConfig	object	No	The extended configuration of the secret. This parameter specifies the properties of the secret of a specific type. The value can be up to 1,024 characters in length. If SecretType is set to Generic, this parameter is ignored. If SecretType is set to Rds, you must specify the following parameters in ExtendedConfig: SecretSubType (Required): The subtype of the secret. Valid values: SingleUser: Secrets Manager manages the RDS secret in single-account mode. When the secret is rotated, the password of the specified account is reset to a new random password. DoubleUsers: Secrets Manager manages the RDS secret in double-account mode. ACSCurrent and ACSPrevious point to one of the accounts. When the secret is rotated, the password of the account pointed to by ACSPrevious is reset to a new random password. Then, Secrets Manager swaps the accounts that ACSCurrent and ACSPrevious point to. DBInstanceId (Required): The ID of the RDS instance to which the account belongs. CustomData (Optional): The custom data. The value is a key-value pair in the JSON format. You can specify up to 10 key-value pairs. Separate multiple key-value pairs with commas (,). Example: `{"Key1": "v1", "fds":"fdsf"}`. The default value is `{}`. If SecretType is set to Redis, you must specify the following parameters in ExtendedConfig: SecretSubType (Required): The subtype of the secret. Valid values: DoubleUsers: Secrets Manager manages the Redis secret in double-account mode. ACSCurrent and ACSPrevious point to one of the accounts. When the secret is rotated, the password of the account pointed to by ACSPrevious is reset to a new random password. Then, Secrets Manager swaps the accounts that ACSCurrent and ACSPrevious point to. AccountName (Required): The database username. CloneAccountName (Required): The database username, which is the value of AccountName with the `_clone` suffix. AccountPrivilege (Required): The permissions to access the database. InstanceId (Required): The ID of the Redis instance. RegionId (Required): The ID of the region where the Redis instance resides. CustomData (Optional): The custom data. The value is a key-value pair in the JSON format. You can specify up to 10 key-value pairs. Separate multiple key-value pairs with commas (,). Example: `{"Key1": "v1", "fds":"fdsf"}`. The default value is `{}`. If SecretType is set to RAMCredentials, you must specify the following parameters in ExtendedConfig: SecretSubType (Required): The subtype of the secret. The value is RamUserAccessKey. UserName (Required): The name of the RAM user. CustomData (Optional): The custom data. The value is a key-value pair in the JSON format. You can specify up to 10 key-value pairs. Separate multiple key-value pairs with commas (,). The default value is `{}`. If SecretType is set to ECS, you must specify the following parameters in ExtendedConfig: SecretSubType (Required): The subtype of the secret. Valid values: Password: an ECS password. SSHKey: an ECS SSH key pair. RegionId (Required): The ID of the region where the ECS instance resides. InstanceId (Required): The ID of the ECS instance. CustomData (Optional): The custom data. The value is a key-value pair in the JSON format. You can specify up to 10 key-value pairs. Separate multiple key-value pairs with commas (,). The default value is `{}`. If SecretType is set to PolarDB, you must specify the following parameters in ExtendedConfig: SecretSubType (Required): The fixed value is DoubleUsers. RegionId (Required): The region. DBClusterId (Required): The ID of the PolarDB instance. DBType (Required): MySQL or PostgreSQL. AccountName (Required): The account name. CloneAccountName: The value is AccountName_clone. AccountType: Only Normal is supported. AccountPrivilege: This parameter is available only for MySQL. DBName: This parameter is available only for MySQL. CustomData (Optional): The custom data. The value is a key-value pair in the JSON format. You can specify up to 10 key-value pairs. Separate multiple key-value pairs with commas (,). Example: {"Key1": "v1", "fds":"fdsf"}. The default value is {}. Note If SecretType is set to Rds, Redis, PolarDB, RAMCredentials, or ECS, you must configure this parameter.	{"SecretSubType":"SingleUser", "DBInstanceId":"rm-bp1b3dd3a506e****" ,"CustomData":{"Key1": "v1", "fds":"fdsf"}}
EnableAutomaticRotation	boolean	No	Specifies whether to enable automatic rotation. Valid values: true: enables automatic rotation. false (default): disables automatic rotation. Note This parameter is valid only if SecretType is set to Rds, PolarDB, Redis, RAMCredentials, or ECS. If SecretType is set to Generic, automatic rotation is not supported. You can call the PutSecretValue operation to manually rotate the secret.	true
RotationInterval	string	No	The interval for automatic rotation. The value is in the range of 6 hours to 8,760 hours (365 days). The value is in the `integer[unit]` format. `integer` indicates the interval. `unit` indicates the unit of time. Valid values for unit: d (day), h (hour), m (minute), and s (second). For example, both 7d and 604,800s indicate a rotation interval of 7 days. Note You must specify this parameter if you set EnableAutomaticRotation to true. You do not need to specify this parameter if you set EnableAutomaticRotation to false.	30d
DKMSInstanceId	string	No	The ID of the KMS instance.	kst-bjj62d8f5e0sgtx8h****
Policy	string	No	The content of the secret policy. The value is in the JSON format. The value can be up to 32,768 bytes in length. For more information about secret policies, see Overview of secret policies. If you do not specify this parameter, the default secret policy is used. A secret policy contains the following parts: Version: The version of the secret policy. Only 1 is supported. Statement: The statements of the secret policy. Each secret policy can contain one or more statements. The following is the format of a secret policy: `{ "Version": "1", "Statement": [ { "Sid": "Enable RAM User Permissions", "Effect": "Allow", "Principal": { "RAM": ["acs:ram::12345678***:"] }, "Action": [ "kms:" ], "Resource": [ "" ] } ] }` Details about a statement: Sid: (Optional) The custom identifier of the statement. The value can be up to 128 characters in length and can contain uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters, including underscores (_), forward slashes (/), plus signs (+), equal signs (=), periods (.), at signs (@), and hyphens (-). Effect: (Required) The effect of the policy statement. Valid values: Allow and Deny. Principal: (Required) The principal that is authorized by the policy. You can specify the current Alibaba Cloud account (the account to which the secret belongs), a RAM user or RAM role of the current Alibaba Cloud account, or a RAM user or RAM role of another Alibaba Cloud account. Action: (Required) The API operations that are allowed or denied. The value must start with "kms:". For the list of supported operations, see Overview of secret policies. If you specify an operation that is not in the list, the setting does not take effect. Resource: (Required) The resource. The value can only be , which indicates the current KMS secret. Condition: (Optional) The conditions for the authorization to take effect. You can use conditions to evaluate the context of an API request to determine whether to apply the policy statement. The format is `"Condition": {"condition operator": {"condition key": "condition value"}}`. For more information, see Overview of secret policies. Note* After you grant permissions to a RAM user or RAM role of another Alibaba Cloud account, you must use the Alibaba Cloud account to which the RAM user or RAM role belongs to grant the RAM user or RAM role the permissions to use the secret in the RAM console. Then, the RAM user or RAM role can use the secret. For more information, see Custom policies for KMS, Grant permissions to a RAM user, and Grant permissions to a RAM role.	{"Version":"1","Statement": [{"Sid":"kms default secret policy","Effect":"Allow","Principal":{"RAM": ["acs:ram::119285303511***:"]},"Action":["kms:"],"Resource": [""] }] }

For information about common request parameters, see Common parameters.

Response elements

Parameter	Type	Description	Example
	object
RequestId	string	The ID of the request, which is a unique identifier generated by Alibaba Cloud. You can use this ID to troubleshoot issues.	3bf02f7a-015b-4f93-be0f-cc043fda2dd3
AutomaticRotation	string	Indicates whether automatic rotation is enabled. Valid values: Enabled: Automatic rotation is enabled. Disabled: Automatic rotation is disabled. Invalid: The rotation status is abnormal. Secrets Manager cannot automatically rotate the secret for you. Note This parameter is returned if SecretType is set to Rds, Redis, PolarDB, RAMCredentials, or ECS.	Enabled
SecretName	string	The name of the secret.	mydbconninfo
VersionId	string	The version number of the secret.	v1
NextRotationDate	string	The time when the secret is next rotated. Note This parameter is returned if automatic rotation is enabled.	2023-07-06T18:22:03Z
SecretType	string	The type of the secret. Valid values: Generic: a generic secret. Rds: an RDS secret. Redis: a Redis secret. RAMCredentials: a RAM secret. ECS: an ECS secret. PolarDB: a PolarDB secret.	Rds
RotationInterval	string	The interval for automatic rotation. The value is in the `integer[unit]` format. `integer` indicates the interval. `unit` indicates the unit of time. The unit is s (second). For example, a rotation interval of 7 days is 604800s. Note This parameter is returned if automatic rotation is enabled.	604800s
Arn	string	The Alibaba Cloud Resource Name (ARN) of the secret.	acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo
ExtendedConfig	string	The extended configuration of the secret. Note This parameter is returned if SecretType is set to Rds, Redis, PolarDB, RAMCredentials, or ECS.	{\"SecretSubType\":\"SingleUser\", \"DBInstanceId\":\"rm-uf667446pc955****\", \"CustomData\":"Key1": "v1", "fds":"fdsf"} }
DKMSInstanceId	string	The ID of the KMS instance.	kst-bjj62d8f5e0sgtx8h****

Examples

Success response

JSON format

{
  "RequestId": "3bf02f7a-015b-4f93-be0f-cc043fda2dd3",
  "AutomaticRotation": "Enabled",
  "SecretName": "mydbconninfo",
  "VersionId": "v1",
  "NextRotationDate": "2023-07-06T18:22:03Z",
  "SecretType": "Rds",
  "RotationInterval": "604800s",
  "Arn": "acs:kms:cn-hangzhou:154035569884****:secret/mydbconninfo",
  "ExtendedConfig": "{\\\"SecretSubType\\\":\\\"SingleUser\\\", \\\"DBInstanceId\\\":\\\"rm-uf667446pc955****\\\",  \\\"CustomData\\\":\"Key1\": \"v1\", \"fds\":\"fdsf\"} }",
  "DKMSInstanceId": "kst-bjj62d8f5e0sgtx8h****"
}

Error codes

HTTP status code	Error code	Error message	Description
400	UnsupportedOperation	This action is not supported.	The operation is not supported.
400	Rejected.LimitExceeded	The request was rejected because user create resource limit was exceeded	The request is rejected because the number of created resources reaches the upper limit.
400	InvalidParameter	The specified parameter is not valid.	An invalid value is specified for the parameter.
400	Rejected.ShareQuotaExceedLimit	Instance Share Quota Exceed Limit.	The instance share quota exceeds the limit.
500	InternalFailure	Internal Failure	An internal error occurred.
403	Forbidden.DKMSInstanceNotFound	The specified DKMS Instance is not found.	Your dedicated KMS instance is not found.
404	Forbidden.ResourceNotFound	The resource is not found.	The resource does not exist.
409	Rejected.ResourceExist	The resource already exists.	The resource already exists.
409	Rejected.ResourceInDeleteWindow	The secret is planned to be deleted.	The secret is to be deleted.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.