
Key Management Service: Sample code for retrieving the secret value

Last Updated:Mar 31, 2026

This page shows how to call the GetSecretValue API using the KMS instance SDK client in C#. Before running the examples, initialize the client.

Prerequisites

Before you begin, ensure that you have:

  • A KMS instance with at least one secret created

  • The KMS instance SDK installed in your C# project

  • The Client Key file path and the Client Key password stored as environment variables (ClientKeyFile and Password)

  • The KMS instance CA certificate file path and endpoint (<KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com)

Complete example

The following is a full, runnable C# class that initializes the KMS instance SDK client and calls GetSecretValue:

using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using System.Threading.Tasks;

using Tea;
using Tea.Utils;


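namespace AlibabaCloud.Dkms.Gcs.Sdk.Example
{
    /// <summary>
    /// Sample that initializes the KMS instance SDK client and retrieves a secret with GetSecretValue.
    /// </summary>
    public class GetSecretValueSample
    {
        /// <summary>
        /// Builds the connection settings for a KMS instance.
        /// </summary>
        /// <param name="clientKeyFile">Path to the Client Key file.</param>
        /// <param name="password">Password of the Client Key.</param>
        /// <param name="endpoint">KMS instance endpoint, in the form &lt;KMS_INSTANCE_ID&gt;.cryptoservice.kms.aliyuncs.com.</param>
        /// <param name="caFilePath">Path to the CA certificate file of the KMS instance.</param>
        /// <returns>A config object carrying the four values unchanged.</returns>
        public static AlibabaCloud.Dkms.Gcs.OpenApi.Models.Config CreateKmsInstanceConfig(string clientKeyFile, string password, string endpoint, string caFilePath)
        {
            return new AlibabaCloud.Dkms.Gcs.OpenApi.Models.Config
            {
                ClientKeyFile = clientKeyFile,
                Password = password,
                Endpoint = endpoint,
                CaFilePath = caFilePath,
            };
        }

        /// <summary>
        /// Task-returning counterpart of <see cref="CreateKmsInstanceConfig"/>.
        /// </summary>
        /// <remarks>
        /// The body contains no await, so the work runs synchronously and the returned task is already completed.
        /// </remarks>
        public static async Task<AlibabaCloud.Dkms.Gcs.OpenApi.Models.Config> CreateKmsInstanceConfigAsync(string clientKeyFile, string password, string endpoint, string caFilePath)
        {
            return CreateKmsInstanceConfig(clientKeyFile, password, endpoint, caFilePath);
        }

        /// <summary>
        /// Creates the KMS instance SDK client from the given connection settings.
        /// </summary>
        /// <param name="kmsInstanceConfig">Settings produced by <see cref="CreateKmsInstanceConfig"/>.</param>
        /// <returns>A new SDK client.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="kmsInstanceConfig"/> is null.</exception>
        public static AlibabaCloud.Dkms.Gcs.Sdk.Client CreateClient(AlibabaCloud.Dkms.Gcs.OpenApi.Models.Config kmsInstanceConfig)
        {
            if (kmsInstanceConfig == null)
            {
                throw new ArgumentNullException(nameof(kmsInstanceConfig));
            }

            return new AlibabaCloud.Dkms.Gcs.Sdk.Client(kmsInstanceConfig);
        }

        /// <summary>
        /// Task-returning counterpart of <see cref="CreateClient"/>.
        /// </summary>
        /// <remarks>
        /// The body contains no await, so the client is constructed synchronously; a failure is reported through the returned task.
        /// </remarks>
        public static async Task<AlibabaCloud.Dkms.Gcs.Sdk.Client> CreateClientAsync(AlibabaCloud.Dkms.Gcs.OpenApi.Models.Config kmsInstanceConfig)
        {
            return CreateClient(kmsInstanceConfig);
        }

        /// <summary>
        /// Calls GetSecretValue on the KMS instance and returns the response.
        /// </summary>
        /// <param name="client">An initialized KMS instance SDK client.</param>
        /// <param name="secretName">The name of the secret to retrieve.</param>
        /// <param name="versionStage">The version stage of the secret value.</param>
        /// <param name="fetchExtendedConfig">Whether to fetch the extended configuration of the secret.</param>
        /// <returns>The GetSecretValue response returned by the SDK client.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="client"/> is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="secretName"/> is null or empty.</exception>
        public static AlibabaCloud.Dkms.Gcs.Sdk.Models.GetSecretValueResponse GetSecretValue(AlibabaCloud.Dkms.Gcs.Sdk.Client client, string secretName, string versionStage, bool? fetchExtendedConfig)
        {
            if (client == null)
            {
                throw new ArgumentNullException(nameof(client));
            }
            if (string.IsNullOrEmpty(secretName))
            {
                throw new ArgumentException("The secret name must not be null or empty.", nameof(secretName));
            }

            AlibabaCloud.Dkms.Gcs.Sdk.Models.GetSecretValueRequest request = new AlibabaCloud.Dkms.Gcs.Sdk.Models.GetSecretValueRequest
            {
                SecretName = secretName,
                VersionStage = versionStage,
                FetchExtendedConfig = fetchExtendedConfig,
            };
            // Testing only: the commented-out lines below skip verification of the KMS instance's
            // certificate (IgnoreSSL = true). Leave them disabled in production; with verification
            // off the client cannot confirm that it is talking to the intended KMS instance.
            //AlibabaCloud.Dkms.Gcs.OpenApiUtil.Models.RuntimeOptions runtime = new AlibabaCloud.Dkms.Gcs.OpenApiUtil.Models.RuntimeOptions();
            //runtime.IgnoreSSL = true;
            //return client.GetSecretValueWithOptions(request,runtime);
            return client.GetSecretValue(request);
        }

        /// <summary>
        /// Asynchronous counterpart of <see cref="GetSecretValue"/>.
        /// </summary>
        /// <param name="client">An initialized KMS instance SDK client.</param>
        /// <param name="secretName">The name of the secret to retrieve.</param>
        /// <param name="versionStage">The version stage of the secret value.</param>
        /// <param name="fetchExtendedConfig">Whether to fetch the extended configuration of the secret.</param>
        /// <returns>A task that yields the GetSecretValue response.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="client"/> is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="secretName"/> is null or empty.</exception>
        public static async Task<AlibabaCloud.Dkms.Gcs.Sdk.Models.GetSecretValueResponse> GetSecretValueAsync(AlibabaCloud.Dkms.Gcs.Sdk.Client client, string secretName, string versionStage, bool? fetchExtendedConfig)
        {
            if (client == null)
            {
                throw new ArgumentNullException(nameof(client));
            }
            if (string.IsNullOrEmpty(secretName))
            {
                throw new ArgumentException("The secret name must not be null or empty.", nameof(secretName));
            }

            AlibabaCloud.Dkms.Gcs.Sdk.Models.GetSecretValueRequest request = new AlibabaCloud.Dkms.Gcs.Sdk.Models.GetSecretValueRequest
            {
                SecretName = secretName,
                VersionStage = versionStage,
                FetchExtendedConfig = fetchExtendedConfig,
            };
            // Testing only: the commented-out lines below skip verification of the KMS instance's
            // certificate (IgnoreSSL = true). Leave them disabled in production; with verification
            // off the client cannot confirm that it is talking to the intended KMS instance.
            //AlibabaCloud.Dkms.Gcs.OpenApiUtil.Models.RuntimeOptions runtime = new AlibabaCloud.Dkms.Gcs.OpenApiUtil.Models.RuntimeOptions();
            //runtime.IgnoreSSL = true;
            //return await client.GetSecretValueWithOptionsAsync(request,runtime);
            return await client.GetSecretValueAsync(request);
        }

        /// <summary>
        /// Entry point: reads the Client Key settings from the environment, creates the client,
        /// retrieves one secret and prints the response.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        /// <exception cref="InvalidOperationException">
        /// The ClientKeyFile or Password environment variable is not set.
        /// </exception>
        public static void Main(string[] args)
        {
            // CA certificate of the KMS instance.
            string caFilePath = "CA_FILE_PATH";
            // Set the endpoint to <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.
            string endpoint = "ENDPOINT";

            // The Client Key file path and its password are read from environment variables
            // so that neither is hardcoded in source.
            string clientKeyFile = AlibabaCloud.DarabonbaEnv.Client.GetEnv("ClientKeyFile");
            string password = AlibabaCloud.DarabonbaEnv.Client.GetEnv("Password");
            // Fail early with a message that names the missing variable (never its value)
            // instead of passing an empty credential on to the client.
            if (string.IsNullOrEmpty(clientKeyFile))
            {
                throw new InvalidOperationException("Environment variable ClientKeyFile is not set.");
            }
            if (string.IsNullOrEmpty(password))
            {
                throw new InvalidOperationException("Environment variable Password is not set.");
            }

            AlibabaCloud.Dkms.Gcs.OpenApi.Models.Config kmsInstanceConfig = CreateKmsInstanceConfig(clientKeyFile, password, endpoint, caFilePath);
            AlibabaCloud.Dkms.Gcs.Sdk.Client client = CreateClient(kmsInstanceConfig);

            // Call GetSecretValue.
            string secretName = "SECRET_NAME";
            string versionStage = "VERSION_STAGE";
            bool? fetchExtendedConfig = true;
            AlibabaCloud.Dkms.Gcs.Sdk.Models.GetSecretValueResponse getSecretValueRes = GetSecretValue(client, secretName, versionStage, fetchExtendedConfig);

            // NOTE(review): the whole response is serialized and printed here, which presumably
            // includes the retrieved secret value. That is acceptable for a demo run only; real
            // code should hand the value to its consumer and keep it out of console and log output.
            string getSecretValueResJson = AlibabaCloud.TeaUtil.Common.ToJSONString(AlibabaCloud.TeaUtil.Common.ToMap(getSecretValueRes));
            AlibabaCloud.TeaConsole.Client.Log("getSecretValueRes:" + getSecretValueResJson);
        }
    }
}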

Example walkthrough

Step 1: Initialize the client

Configure the KMS instance connection using your Client Key, CA certificate, and endpoint, then create the SDK client.

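// The CA certificate of the KMS instance.
string caFilePath = "<CA_CERTIFICATE>";

// Set the endpoint to <your KMS Instance Id>.cryptoservice.kms.aliyuncs.com.
string endpoint = "<ENDPOINT>";

// Read the Client Key file path and its password from environment variables
// so that neither is hardcoded in source.
string clientKeyFile = AlibabaCloud.DarabonbaEnv.Client.GetEnv("ClientKeyFile");
string password = AlibabaCloud.DarabonbaEnv.Client.GetEnv("Password");

// Fail early with a message that names the missing variable (never its value)
// instead of passing an empty credential on to the client.
if (string.IsNullOrEmpty(clientKeyFile))
{
    throw new InvalidOperationException("Environment variable ClientKeyFile is not set.");
}
if (string.IsNullOrEmpty(password))
{
    throw new InvalidOperationException("Environment variable Password is not set.");
}

AlibabaCloud.Dkms.Gcs.OpenApi.Models.Config kmsInstanceConfig = CreateKmsInstanceConfig(clientKeyFile, password, endpoint, caFilePath);
AlibabaCloud.Dkms.Gcs.Sdk.Client client = CreateClient(kmsInstanceConfig);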

For the full client initialization reference, see Initialize the client.

Step 2: Call the GetSecretValue API

Build a GetSecretValueRequest with the secret name, version stage, and whether to fetch extended configuration, then call GetSecretValue on the client.

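/// <summary>
/// Calls GetSecretValue on the KMS instance and returns the response.
/// </summary>
/// <param name="client">An initialized KMS instance SDK client.</param>
/// <param name="secretName">The name of the secret to retrieve.</param>
/// <param name="versionStage">The version stage of the secret value.</param>
/// <param name="fetchExtendedConfig">Whether to fetch the extended configuration of the secret.</param>
/// <returns>The GetSecretValue response returned by the SDK client.</returns>
/// <exception cref="ArgumentNullException"><paramref name="client"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="secretName"/> is null or empty.</exception>
public static AlibabaCloud.Dkms.Gcs.Sdk.Models.GetSecretValueResponse GetSecretValue(AlibabaCloud.Dkms.Gcs.Sdk.Client client, string secretName, string versionStage, bool? fetchExtendedConfig)
{
    if (client == null)
    {
        throw new ArgumentNullException(nameof(client));
    }
    if (string.IsNullOrEmpty(secretName))
    {
        throw new ArgumentException("The secret name must not be null or empty.", nameof(secretName));
    }

    AlibabaCloud.Dkms.Gcs.Sdk.Models.GetSecretValueRequest request = new AlibabaCloud.Dkms.Gcs.Sdk.Models.GetSecretValueRequest
    {
        SecretName = secretName,
        VersionStage = versionStage,
        FetchExtendedConfig = fetchExtendedConfig,
    };
    // Testing only: the commented-out lines below skip verification of the KMS instance's
    // certificate (IgnoreSSL = true). Leave them disabled in production; with verification
    // off the client cannot confirm that it is talking to the intended KMS instance.
    //AlibabaCloud.Dkms.Gcs.OpenApiUtil.Models.RuntimeOptions runtime = new AlibabaCloud.Dkms.Gcs.OpenApiUtil.Models.RuntimeOptions();
    //runtime.IgnoreSSL = true;
    //return client.GetSecretValueWithOptions(request,runtime);
    return client.GetSecretValue(request);
}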

For the full API reference, see GetSecretValue.

Request parameters

| Parameter | Type | Description |
| --- | --- | --- |
| SecretName | string | The name of the secret to retrieve. |
| VersionStage | string | The version stage of the secret value. |
| FetchExtendedConfig | bool? | Specifies whether to fetch the extended configuration of the secret. |

Usage notes

  • Store your Client Key file path and password as environment variables (ClientKeyFile and Password) rather than hardcoding them in source code.

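  • The commented-out RuntimeOptions block shows how to skip CA certificate authentication (IgnoreSSL = true) for testing. With verification skipped, the client no longer confirms that it is connected to your KMS instance, so the retrieved secret value could be exposed to whoever answers the connection. Do not disable SSL verification in production.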

  • To call the API asynchronously, use GetSecretValueAsync instead of GetSecretValue.

What's next