Retrieves a secret - Key Management Service - Alibaba Cloud Documentation Center

Retrieves the plaintext value of a secret from a KMS Instance gateway. The response includes the decrypted secret data along with version information, rotation status, and extended configuration if requested.

Request parameters

Parameter	Type	Required	Default	Example	Description
SecretName	String	Yes	—	secret001	The name of the secret.
VersionStage	String	No	ACSCurrent	ACSCurrent	The stage label that identifies the secret version to retrieve. KMS returns the secret value of the version marked with the specified stage label. Valid values: ACSCurrent, ACSPrevious. Default value: ACSCurrent. Note For Resource Access Management (RAM) secrets, database secrets, and Elastic Compute Service (ECS) secrets, KMS returns only the versions marked with ACSCurrent or ACSPrevious. Database secrets include ApsaraDB RDS secrets, PolarDB secrets, and ApsaraDB for Redis/Tair secrets.
VersionId	String	No	—	00000000000000000000000000000001	The version ID of the secret value to retrieve. If you specify both VersionStage and VersionId, KMS checks whether the specified version exists. If it exists, the secret value is returned. If it does not exist, a parameter error is returned. Note RAM secrets, database secrets, and ECS secrets do not support this parameter. If you specify VersionId for these secret types, the parameter is ignored.
FetchExtendedConfig	Boolean	No	false	false	Specifies whether to return the extended configuration of the secret. If set to true, the response includes the ExtendedConfig field. Default value: false.

Response elements

Parameter	Type	Example	Description
SecretName	String	secret001	The name of the secret.
SecretType	String	Generic	The type of the secret. Valid values: Generic (generic secret), Rds (ApsaraDB RDS secret), Redis (ApsaraDB for Redis/Tair secret), RAMCredentials (RAM secret), ECS (ECS secret), PolarDB (PolarDB secret).
SecretData	String	testdata1	The plaintext secret value. KMS decrypts the stored ciphertext and returns the plaintext in this field.
SecretDataType	String	binary	The format of the secret value. Valid values: text, binary.
VersionId	String	00000000000000000000000000000001	The version ID of the returned secret value.
VersionStages	List	["ACSCurrent"]	The stage labels attached to the returned secret version.
CreateTime	String	2020-02-21T15:39:26Z	The time when the secret was created. The time follows the ISO 8601 standard in the `yyyy-MM-ddTHH:mm:ssZ` format. The time is displayed in UTC.
LastRotationDate	String	2020-07-05T08:22:03Z	The time when the secret was last rotated. The time follows the ISO 8601 standard in the `yyyy-MM-ddTHH:mm:ssZ` format. The time is displayed in UTC.
NextRotationDate	String	2020-07-06T18:22:03Z	The time when the secret is next scheduled to rotate. The time follows the ISO 8601 standard in the `yyyy-MM-ddTHH:mm:ssZ` format. The time is displayed in UTC.
AutomaticRotation	String	Enabled	The status of automatic secret rotation. Valid values: Enabled (automatic rotation is enabled), Disabled (automatic rotation is disabled), Invalid (the status of automatic rotation is abnormal and KMS cannot automatically rotate the secret).
RotationInterval	String	604800s	The interval between automatic rotations, in `integer[unit]` format. Currently, the only supported unit is `s` (seconds). For example, `604800s` represents a 7-day rotation interval.
ExtendedConfig	String	{"SecretSubType":"SingleUser","DBInstanceId":"rm-uf667446pc955****","CustomData":{}}	The extended configuration of the secret. This field is returned only when FetchExtendedConfig is set to true.
RequestId	String	6a3e9c36-1150-4881-84d3-eb8672fcafad	The request ID.

Error codes

HTTP status code	Error code	Error message	Description
404	Forbidden.ResourceNotFound	The resource does not exist in the system.	The specified secret does not exist.
409	Rejected.Disabled	The request was rejected because the key state is Disabled.	The encryption key used to protect the secret is disabled.

For a full list of error codes, see Service error codes.