Help Center/ Data Encryption Workshop/ API Reference/ APIs/ Secret Management APIs/ Secret Version Management/ Querying the Secret Version and Value
Updated on 2026-06-09 GMT+08:00
View PDF
Share

Querying the Secret Version and Value

Function

This API is used to query a specified secret version and its plaintext secret value. Only enabled secrets can be queried.

You can obtain the value of the latest secret version via /v1/{project_id}/secrets/{secret_name}/versions/latest. Set {version_id} in the URL of the current API to latest.

Calling Method

For details, see Calling APIs.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, the following identity policy-based permissions are required.

    Action

    Access Level

    Resource Type (*: required)

    Condition Key

    Alias

    Dependencies

    csms:secret:getVersion

    Read

    secretName *

    • csms:Type

    • csms:VersionId

    • g:EnterpriseProjectId

    • g:ResourceTag/<tag-key>

    csms:secretVersion:get

    kms:cmk:decryptDataKey

URI

GET /v1/{project_id}/secrets/{secret_name}/versions/{version_id}

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Definition

Project ID. For details, see Obtaining a Project ID.

Constraints

N/A

Range

The value returned by the IAM API is used, which contains 32 characters.

Default Value

N/A

secret_name

Yes

String

Definition

Secret name.

Constraints

N/A

Range

The value must match the regular expression ^[a-zA-Z0-9_-]{1,64}$.

Default Value

N/A

version_id

Yes

String

Definition

Secret version, which stores the secret version content. Secret versions are numbered v1, v2, v3, and so on based on their creation time.

Constraints

A secret can have up to 20 versions.

Range

The value must match the regular expression v[0-9]{1,10}|latest.

Default Value

latest

Request Parameters

Table 2 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

Definition

User token. It can be obtained by calling the IAM API. The value of X-Subject-Token in the response header is the user token. This parameter is optional if AK/SK authentication is used.

Constraints

N/A

Range

Obtain the value by calling the IAM API for obtaining the user token.

Default Value

N/A

Response Parameters

Status code: 200

Table 3 Response body parameters

Parameter

Type

Description

version

Version object

Definition

Secret version.

Range

N/A
Table 4 Version

Parameter

Type

Description

version_metadata

VersionMetadata object

Definition

Secret version metadata.

Range

N/A

secret_binary

String

Definition

Plaintext of a binary secret encoded using Base64. CSMS encrypts the plaintext and stores it in the initial version of the secret.

Type: Base64-encoded binary data object.

Range

N/A

secret_string

String

Definition

Plaintext of a text secret. CSMS encrypts the plaintext and stores it in the initial version of the secret.

Range

N/A
Table 5 VersionMetadata

Parameter

Type

Description

id

String

Definition

Secret version ID, which is unique under a secret object.

Range

N/A

create_time

Long

Definition

Timestamp when a secret version was created, that is, total number of seconds since January 1, 1970.

Range

N/A

expire_time

Long

Definition

Timestamp when a secret version expired, that is, the total seconds since January 1, 1970. This parameter is left blank by default. When version expiration events are subscribed to, the validity period is determined based on this parameter.

Range

N/A

kms_key_id

String

Definition

ID of the KMS CMK used to encrypt secret values

Range

N/A

secret_name

String

Definition

Secret name

Range

N/A

version_stages

Array of strings

Definition

Secret version status list. Each status tag is unique for a secret version. If a status tag in use is added to a new version, the tag will be automatically removed from the original version.

If version_stage is not specified, the temporary tag SYSCURRENT will be added to this version.

Range

N/A

Example Requests

None

Example Responses

Status code: 200

Request succeeded.

{
  "version" : {
    "version_metadata" : {
      "id" : "v6",
      "kms_key_id" : "b168fe00ff56492495a7d22974df2d0b",
      "create_time" : 1581507580000,
      "secret_name" : "secret-name-demo",
      "version_stages" : [ "SYSCURRENT" ]
    },
    "secret_string" : "\\\"demo_key\\\":\\\"demo_value\\\""
  }
}

Status Codes

Status Code

Description

200

Request succeeded.

Error Codes

See Error Codes.

Parent Topic: Secret Version Management