Key Management Service: Sample code for retrieving the secret value

Last Updated: Mar 31, 2026

Use the Python 3 SDK to call the GetSecretValue API and retrieve a secret value from a KMS instance.

For Python 2, see the GitHub source. For Python 3, see the GitHub source.

Prerequisites

Before you begin, ensure that you have an initialized KMS instance SDK client. See Initialize the client.

Complete example

The following example initializes a client and calls GetSecretValue to retrieve a secret by name.

# -*- coding: utf-8 -*-
"""
Retrieve a secret value from a KMS instance using the GetSecretValue API.
"""
import os

from openapi.models import Config
from openapi_util.models import RuntimeOptions
from sdk.client import Client
from sdk.models import GetSecretValueRequest

# Configure the client
config = Config()
# KMS instance services only allow access through HTTPS.
config.protocol = "https"
# Path to your Client Key file.
config.client_key_file = "<CLIENT_KEY_FILE>"
# Client Key decryption password, read from an environment variable.
config.password = os.getenv('CLIENT_KEY_PASSWORD')
# Endpoint format: <your-kms-instance-id>.cryptoservice.kms.aliyuncs.com
config.endpoint = "<ENDPOINT>"
client = Client(config)


def get_secret_value(secret_name):
    request = GetSecretValueRequest()
    request.secret_name = secret_name

    runtime_options = RuntimeOptions()
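    # Setting ignore_ssl to True skips validation of the server certificate.
    # Leave it commented out and set verify to the CA certificate instead.
    # runtime_options.ignore_ssl = True
    # Path to the KMS instance CA certificate.
    runtime_options.verify = "<CA_CERTIFICATE_FILE_PATH>"

    resp = client.get_secret_value_with_options(request, runtime_options)
    # The response carries the secret value; it is printed here for demonstration.
    print(resp)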


secret_name = "<SECRET_NAME>"
get_secret_value(secret_name)

Replace the following placeholders with your actual values:

| Placeholder | Description | Example |
| --- | --- | --- |
| <CLIENT_KEY_FILE> | Path to your Client Key file | /etc/kms/clientKey.json |
| <ENDPOINT> | KMS instance endpoint | kms-instance-id.cryptoservice.kms.aliyuncs.com |
| <CA_CERTIFICATE_FILE_PATH> | Path to the KMS instance CA certificate | /etc/kms/ca.pem |
| <SECRET_NAME> | Name of the secret to retrieve | my-db-password |

Example walkthrough

Initialize the client

import os

from openapi.models import Config
from sdk.client import Client

config = Config()
# KMS instance services only allow access through HTTPS.
config.protocol = "https"
# Path to your Client Key file.
config.client_key_file = "<CLIENT_KEY_FILE>"
# Client Key decryption password, read from an environment variable.
config.password = os.getenv('CLIENT_KEY_PASSWORD')
# Endpoint format: <your-kms-instance-id>.cryptoservice.kms.aliyuncs.com
config.endpoint = "<ENDPOINT>"
client = Client(config)

CLIENT_KEY_PASSWORD is read from an environment variable rather than hardcoded, keeping credentials out of your source code.

Call the GetSecretValue API

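from openapi_util.models import RuntimeOptions
from sdk.models import GetSecretValueRequest


def get_secret_value(secret_name):
    request = GetSecretValueRequest()
    request.secret_name = secret_name

    runtime_options = RuntimeOptions()
    # Setting ignore_ssl to True skips validation of the server certificate.
    # Leave it commented out and set verify to the CA certificate instead.
    # runtime_options.ignore_ssl = True
    # Path to the KMS instance CA certificate.
    runtime_options.verify = "<CA_CERTIFICATE_FILE_PATH>"

    resp = client.get_secret_value_with_options(request, runtime_options)
    # The response carries the secret value; it is printed here for demonstration.
    print(resp)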

get_secret_value_with_options takes a GetSecretValueRequest and a RuntimeOptions object. The verify field points to the KMS instance CA certificate, which the SDK uses to validate the server certificate when it connects.
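
A pre-flight check for the settings configured on this page, added here as an example and not part of the vendor's sample or SDK. The function name preflight and its messages are hypothetical; it assumes a POSIX host, a PEM-encoded CA file, and the endpoint format stated above, and it reads only local files and the environment.

```python
import os
import re
import stat

# Endpoint format stated on this page: <your-kms-instance-id>.cryptoservice.kms.aliyuncs.com
ENDPOINT_RE = re.compile(r"^[A-Za-z0-9-]+\.cryptoservice\.kms\.aliyuncs\.com$")


def preflight(client_key_file, endpoint, ca_file, ignore_ssl=False, env=None):
    """Return a list of problems in the settings used by the sample above.

    Hypothetical helper: makes no SDK or network call.
    """
    env = os.environ if env is None else env
    problems = []

    # The sample reads the Client Key password from this variable.
    if not env.get("CLIENT_KEY_PASSWORD"):
        problems.append("CLIENT_KEY_PASSWORD is unset or empty")
    # The endpoint is a bare host name; the protocol is configured separately.
    if not ENDPOINT_RE.match(endpoint or ""):
        problems.append("endpoint does not match the documented host format")
    if ignore_ssl:
        problems.append("ignore_ssl is enabled; server certificate is not validated")

    # Assumption: the Client Key file should be readable by its owner only.
    try:
        mode = os.stat(client_key_file).st_mode
        if not stat.S_ISREG(mode):
            problems.append("client key path is not a regular file")
        elif mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("client key file is accessible to group or other users")
    except OSError:
        problems.append("client key file cannot be read")

    # Assumption: the CA certificate passed to verify is PEM-encoded.
    try:
        with open(ca_file, "r", encoding="ascii", errors="replace") as fh:
            if "-----BEGIN CERTIFICATE-----" not in fh.read():
                problems.append("CA file contains no PEM certificate")
    except OSError:
        problems.append("CA certificate file cannot be read")

    return problems
```

Call preflight with the same values you assign to config and runtime_options, and stop before creating the client if the returned list is not empty.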