Updated on 2026-06-09 GMT+08:00

Creating a Replica Secret in a Specified Region

Function

This API is used to create a replica secret for the current secret in a specified region. The replica secret information is synchronized with the primary secret information.

The replica secret uses the specified KMS encryption key for encryption.

After the replica secret is created, the primary secret is marked as PRIMARY and the replica secret is marked as REPLICA.

Constraints

You can specify a symmetric CMK to encrypt a replica secret. If kms_key_id is not specified, CSMS uses the default CMK csms/default to encrypt replica secrets. If the CMK you specified does not exist under your account, it will be automatically created.

You must have the kms:dek:create permission to create a CMK to encrypt the replica secret values.

Calling Method

For details, see Calling APIs.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, the following identity policy-based permissions are required.

    | Action | Access Level | Resource Type (*: required) | Condition Key | Alias | Dependencies |
    |---|---|---|---|---|---|
    | csms:secret:createReplica | Write | secretName * | csms:Type; g:EnterpriseProjectId; g:ResourceTag/<tag-key> | - | - |

URI

POST /v1/{project_id}/secrets/{secret_name}/replicas

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Definition: Project ID. For details, see Obtaining a Project ID. Constraints: N/A. Range: The value returned by the IAM API is used, which contains 32 characters. Default Value: N/A. |
| secret_name | Yes | String | Definition: Secret name. Constraints: N/A. Range: The value must match the regular expression ^[a-zA-Z0-9_-]{1,64}$. Default Value: N/A. |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | Yes | String | Definition: User token. It can be obtained by calling the IAM API. The value of X-Subject-Token in the response header is the user token. This parameter is optional if AK/SK authentication is used. Constraints: N/A. Range: Obtain the value by calling the IAM API for obtaining the user token. Default Value: N/A. |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| region | Yes | String | Definition: Name of the region where the replica secret is created. Constraints: N/A. Range: N/A. Default Value: N/A. |
| kms_key_id | Yes | String | Definition: ID of the KMS CMK used to encrypt secrets. If this parameter is not specified, the default master key csms/default will be used. If the CMK you specified does not exist under your account, it will be automatically created. Constraints: N/A. Range: The value must match the regular expression ^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$. Default Value: N/A. |

Response Parameters

Status code: 200

Table 4 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| replica_id | String | Definition: ID of the multi-region replica secret. Range: N/A. |

Example Requests

Create a replica secret with the same name in the cn-text-x region and encrypt the replica secret values using the KMS key whose ID is 0d0466b0-e727-xxxx-xxxx-f84bb474a37f.

{
  "region" : "cn-text-x",
  "kms_key_id" : "0d0466b0-e727-xxxx-xxxx-f84bb474a37f"
}
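
A client-side check that applies the documented patterns before the request is built, as an added example that is not part of the original API reference. The endpoint host, the alphanumeric rule for project_id, the HTTPS requirement and the function name build_replica_request are assumptions; the request is constructed but not sent.

```python
import json
import re
import urllib.request

# Patterns copied from the Range entries in Table 1 and Table 3.
SECRET_NAME_RE = re.compile(r"^[a-zA-Z0-9_-]{1,64}$")
KMS_KEY_ID_RE = re.compile(
    r"^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$"
)
# Assumption: the page only says 32 characters; alphanumeric is assumed here.
PROJECT_ID_RE = re.compile(r"[0-9a-zA-Z]{32}")


def build_replica_request(endpoint, project_id, secret_name, region,
                          kms_key_id, token):
    """Return an unsent POST request for creating a replica secret.

    Every value is checked before it is placed in the URL path or body, so
    input such as "../other" cannot change which resource is addressed.
    """
    if not endpoint.startswith("https://"):
        raise ValueError("endpoint must use https: the token is a credential")
    # fullmatch() is used because "$" alone also accepts a trailing newline.
    if not PROJECT_ID_RE.fullmatch(project_id):
        raise ValueError("project_id must be 32 alphanumeric characters")
    if not SECRET_NAME_RE.fullmatch(secret_name):
        raise ValueError("secret_name does not match the documented pattern")
    if not KMS_KEY_ID_RE.fullmatch(kms_key_id):
        raise ValueError("kms_key_id does not match the documented pattern")
    if not region:
        raise ValueError("region is required")
    url = (f"{endpoint.rstrip('/')}/v1/{project_id}"
           f"/secrets/{secret_name}/replicas")
    body = json.dumps({"region": region, "kms_key_id": kms_key_id})
    headers = {"X-Auth-Token": token, "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body.encode("utf-8"),
                                  method="POST", headers=headers)


if __name__ == "__main__":
    # Constructed sample values; the endpoint host is a placeholder.
    req = build_replica_request(
        "https://csms.example.invalid", "0123456789abcdef0123456789abcdef",
        "db-password", "cn-text-x",
        "0d0466b0-e727-xxxx-xxxx-f84bb474a37f", "constructed-token")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```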

Example Responses

Status code: 200

Request succeeded.

{
  "replica_id" : "bb6a3d22-dc93-47ac-b5bd-88df7ad35f1e"
}

Status Codes

| Status Code | Description |
|---|---|
| 200 | Request succeeded. |

Error Codes

See Error Codes.