Key Management Service: GetSecretPolicy

Last Updated: Jul 29, 2025

Queries the access policy of a specified credential.

Operation description

  • For information about the access policy required for a RAM user or RAM role to call this OpenAPI, see Resource Access Management.

  • A credential policy name can be set only to default. Therefore, you must set the PolicyName parameter to default when you query the credential policy. Otherwise, a Not Found error is returned.

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

| Parameter | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| SecretName | string | Yes | The name or Alibaba Cloud Resource Name (ARN) of the credential. Note: If you access a credential that belongs to another Alibaba Cloud account, you must specify the ARN of the credential. The ARN of a credential must be in the acs:kms:${region}:${account}:secret/${secret-name} format. | secret_test |
| PolicyName | string | No | The name of the credential policy. Only the static field default is supported. | default |

Response parameters

| Parameter | Type | Description | Example |
| --- | --- | --- | --- |
| | object | | |
| RequestId | string | The ID of the request. This ID is a unique identifier generated by Alibaba Cloud for the request. You can use the ID to troubleshoot and locate issues. | 381D5D33-BB8F-395F-8EE4-AE3BB4B523C8 |
| Policy | string | The credential policy. | {"Version":"1","Statement": [{"Sid":"kms default secret policy","Effect":"Allow","Principal":{"RAM": ["acs:ram::119285303511****:*"]},"Action":["kms:*"],"Resource": ["*"] }] } |

Examples

Success response

JSON format

{
  "RequestId": "381D5D33-BB8F-395F-8EE4-AE3BB4B523C8",
  "Policy": "{\"Version\":\"1\",\"Statement\": [{\"Sid\":\"kms default secret policy\",\"Effect\":\"Allow\",\"Principal\":{\"RAM\": [\"acs:ram::119285303511****:*\"]},\"Action\":[\"kms:*\"],\"Resource\": [\"*\"] }] }"
}
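
The Policy field in the response above is itself a JSON document encoded as a string, so it must be decoded a second time before it can be reviewed. The following added example (not part of the original page or of any Alibaba Cloud SDK) decodes the sample response and lists the broad grants in it; the function names, the review checks, and the owner_account parameter are assumptions made for illustration.

```python
import json
import re

# Sample response copied from this page's "Success response" example.
SAMPLE_RESPONSE = r'''{
  "RequestId": "381D5D33-BB8F-395F-8EE4-AE3BB4B523C8",
  "Policy": "{\"Version\":\"1\",\"Statement\": [{\"Sid\":\"kms default secret policy\",\"Effect\":\"Allow\",\"Principal\":{\"RAM\": [\"acs:ram::119285303511****:*\"]},\"Action\":[\"kms:*\"],\"Resource\": [\"*\"] }] }"
}'''

# Principal layout as it appears in the sample: acs:ram::<account>:<entity>
PRINCIPAL_RE = re.compile(r"^acs:ram::([^:]+):(.+)$")


def as_list(value):
    """Policy fields may hold one string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_secret_policy(response_text, owner_account):
    """Decode the nested Policy string and return (sid, finding) tuples."""
    # First loads() parses the response, second parses the Policy string.
    policy = json.loads(json.loads(response_text)["Policy"])
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        block = stmt.get("Principal")
        rams = block.get("RAM") if isinstance(block, dict) else block
        for principal in as_list(rams):
            m = PRINCIPAL_RE.match(principal)
            if not m:
                findings.append((sid, f"unrecognised principal: {principal}"))
                continue
            account, entity = m.groups()
            if account != owner_account:
                findings.append((sid, f"cross-account principal: {principal}"))
            if entity == "*":
                findings.append((sid, f"every identity in account {account} is allowed"))
        for action in as_list(stmt.get("Action")):
            if action.endswith("*"):
                findings.append((sid, f"wildcard action: {action}"))
        if "*" in as_list(stmt.get("Resource")):
            findings.append((sid, "wildcard resource"))
    return findings
```

Pass the account ID that owns the credential as owner_account; any principal from a different account is then reported separately from the wildcard grants.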

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | InvalidParameter | The specified parameter is not valid. | An invalid value is specified for the parameter. |
| 400 | MissingParameter | The parameter needed but no provided. | The required parameters are not specified. |
| 400 | Forbidden.NoPermission | This operation is forbidden by permission system. | You are not authorized to perform this operation. |
| 400 | Forbidden.KeyPolicyUnSupported | The specified key does not support key policy. | The specified key does not support key policies. |
| 403 | Forbidden.DKMSInstanceStateInvalid | The DKMS instance state is invalid. | Your dedicated KMS instance is invalid. |
| 404 | Forbidden.ResourceNotFound | Resource not found. | The resource is not found. |
| 404 | Forbidden.KeyNotFound | The specified Key is not found. | The error message returned because the specified CMK does not exist. |
| 503 | SerivceUnvailableTemporary | Service Unvailable Temporary | The service is temporarily unavailable. |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.