Key Management Service: Sample code for retrieving the secret value

Last Updated: Mar 31, 2026

This topic shows how to retrieve a secret value from a Key Management Service (KMS) instance by calling the GetSecretValue API. The following PHP examples provide a complete runnable script and a step-by-step walkthrough.

Prerequisites

Before you begin, ensure that you have:

  • A KMS instance with the SDK client initialized. See Initialize client.

  • A ClientKey file obtained from KMS application management, with its encryption password stored as the CLIENT_KEY_PASSWORD environment variable.

  • A secret (credential) created in your KMS instance.

Complete example

<?php

if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}

use AlibabaCloud\Dkms\Gcs\OpenApi\Util\Models\RuntimeOptions;
use AlibabaCloud\Dkms\Gcs\Sdk\Client as AlibabaCloudDkmsGcsSdkClient;
use AlibabaCloud\Dkms\Gcs\OpenApi\Models\Config as AlibabaCloudDkmsGcsOpenApiConfig;
use AlibabaCloud\Dkms\Gcs\Sdk\Models\GetSecretValueRequest;

// ClientKey content obtained from KMS application management.
// To use a file path instead, uncomment the line below:
// $clientKeyFile = '<CLIENT_KEY_FILE_PATH>';
$clientKeyContent = '<CLIENT_KEY_CONTENT>';

// Encryption password set when creating the ClientKey.
$password = getenv('CLIENT_KEY_PASSWORD');

// VPC address of your KMS instance.
$endpoint = '<DKMS_INSTANCE_SERVICE_ADDRESS>';

// Name of the secret (credential) in KMS.
$secretName = '<SECRET_NAME>';

$client = getDkmsGcsSdkClient();
if (is_null($client)) exit(1);

getSecretValueSample();

function getSecretValueSample() {
    global $client, $secretName;

    $getSecretValueRequest = new GetSecretValueRequest([
        'secretName' => $secretName,
    ]);
    $runtimeOptions = new RuntimeOptions();
    // Uncomment the following line to skip server certificate verification.
    // With verification skipped, the client no longer authenticates the KMS endpoint.
    // $runtimeOptions->ignoreSSL = true;

    try {
        $getSecretValueResponse = $client->getSecretValueWithOptions($getSecretValueRequest, $runtimeOptions);

        // Extract the secret name and value from the response.
        $_secretName = $getSecretValueResponse->secretName;
        $_secretData = $getSecretValueResponse->secretData;

        // This prints the full response, including the plaintext secret value.
        var_dump($getSecretValueResponse->toMap());
    } catch (\Exception $error) {
        if ($error instanceof \AlibabaCloud\Tea\Exception\TeaError) {
            var_dump($error->getErrorInfo());
        }
        var_dump($error->getMessage());
        var_dump($error->getTraceAsString());
    }
}

/**
 * Initializes the KMS instance SDK client.
 * @return AlibabaCloudDkmsGcsSdkClient
 */
function getDkmsGcsSdkClient() {
    global $clientKeyContent, $password, $endpoint;

    $config = new AlibabaCloudDkmsGcsOpenApiConfig();
    // KMS instance service requires HTTPS.
    $config->protocol = 'https';
    $config->clientKeyContent = $clientKeyContent;
    $config->password = $password;
    // Endpoint format: <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com
    $config->endpoint = $endpoint;
    $config->caFilePath = 'path/to/caCert.pem';

    return new AlibabaCloudDkmsGcsSdkClient($config);
}

Replace the following placeholders with your actual values:

| Placeholder | Description |
| --- | --- |
| <CLIENT_KEY_CONTENT> | Content of the ClientKey file obtained from KMS application management |
| <CLIENT_KEY_FILE_PATH> | File path of the ClientKey (alternative to content) |
| <DKMS_INSTANCE_SERVICE_ADDRESS> | VPC address of your KMS instance |
| <SECRET_NAME> | Name of the secret (credential) in KMS |

Example walkthrough

Initialize client

The getDkmsGcsSdkClient() function builds and returns the KMS instance SDK client. It constructs a Config object with the ClientKey content, password, endpoint, and CA certificate path. The protocol must be set to https.

function getDkmsGcsSdkClient() {
    global $clientKeyContent, $password, $endpoint;

    $config = new AlibabaCloudDkmsGcsOpenApiConfig();
    $config->protocol = 'https';
    $config->clientKeyContent = $clientKeyContent;
    $config->password = $password;
    // Format: <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com
    $config->endpoint = $endpoint;
    $config->caFilePath = 'path/to/caCert.pem';

    return new AlibabaCloudDkmsGcsSdkClient($config);
}
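
The values that getDkmsGcsSdkClient() copies into Config can be checked before the client is built. The following is an added example, not part of the original sample or of the SDK: preflightKmsConfig() is a hypothetical helper, and the character set allowed in the instance ID is an assumption.

```php
<?php
// Added example: preflight checks for the inputs that the page's
// getDkmsGcsSdkClient() passes to Config. preflightKmsConfig() is a
// hypothetical helper, not part of the Alibaba Cloud SDK. Run from the CLI.

/** @return string[] Problems found; an empty array means the inputs look usable. */
function preflightKmsConfig(string $endpoint, string $caFilePath, $password): array
{
    $problems = [];

    // getenv() returns false when CLIENT_KEY_PASSWORD is unset; an empty
    // string is equally unusable as a ClientKey password.
    if ($password === false || $password === '') {
        $problems[] = 'CLIENT_KEY_PASSWORD is not set';
    }

    // The page gives the endpoint format as
    // <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com: a bare host name with
    // no scheme, port or path. The instance-ID character set is an assumption.
    if (!preg_match('/^[A-Za-z0-9-]+\.cryptoservice\.kms\.aliyuncs\.com$/D', $endpoint)) {
        $problems[] = 'endpoint does not match <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com';
    }

    // The CA certificate lets the client verify the KMS instance, so a missing
    // or non-PEM file should stop the run instead of leading to ignoreSSL.
    $pem = (is_file($caFilePath) && is_readable($caFilePath)) ? file_get_contents($caFilePath) : false;
    if ($pem === false) {
        $problems[] = "CA file is not readable: $caFilePath";
    } elseif (strpos($pem, '-----BEGIN CERTIFICATE-----') === false) {
        $problems[] = "CA file is not a PEM certificate: $caFilePath";
    }

    return $problems;
}

// Constructed sample values: an unreplaced placeholder, the sample's relative
// CA path, and whatever the environment holds for the password.
$problems = preflightKmsConfig(
    '<DKMS_INSTANCE_SERVICE_ADDRESS>',
    'path/to/caCert.pem',
    getenv('CLIENT_KEY_PASSWORD')
);
foreach ($problems as $problem) {
    fwrite(STDERR, "config error: $problem\n");
}
exit($problems === [] ? 0 : 1);
```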

Call the GetSecretValue API

The getSecretValueSample() function calls getSecretValueWithOptions() with the secret name and runtime options. The response contains secretName and secretData fields.

function getSecretValueSample() {
    global $client, $secretName;

    $getSecretValueRequest = new GetSecretValueRequest([
        'secretName' => $secretName,
    ]);
    $runtimeOptions = new RuntimeOptions();
    // Uncomment the following line to skip server certificate verification.
    // With verification skipped, the client no longer authenticates the KMS endpoint.
    // $runtimeOptions->ignoreSSL = true;

    try {
        $getSecretValueResponse = $client->getSecretValueWithOptions($getSecretValueRequest, $runtimeOptions);

        $_secretName = $getSecretValueResponse->secretName;
        $_secretData = $getSecretValueResponse->secretData;

        // This prints the full response, including the plaintext secret value.
        var_dump($getSecretValueResponse->toMap());
    } catch (\Exception $error) {
        if ($error instanceof \AlibabaCloud\Tea\Exception\TeaError) {
            var_dump($error->getErrorInfo());
        }
        var_dump($error->getMessage());
        var_dump($error->getTraceAsString());
    }
}