Updated on 2026-06-09 GMT+08:00

Creating a Secret Version

Function

This API creates a version of a specified secret; CSMS encrypts and stores the new secret value. By default, the latest secret version is marked as SYSCURRENT, and the previous secret version is marked as SYSPREVIOUS. You can set version_stages to override the default settings.

Constraints

  • On the CSMS console, only the secret_string field can be configured. To add binary secrets to the secret_binary field, use an SDK or API.

  • A secret can have up to 20 versions.

  • You can only add versions to enabled secrets.

  • Secret versions are numbered v1, v2, v3, and so on based on their creation time.

Calling Method

For details, see Calling APIs.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, the following identity policy-based permissions are required.

    | Action | Access Level | Resource Type (*: required) | Condition Key | Alias | Dependencies |
    |---|---|---|---|---|---|
    | csms:secret:createVersion | Write | secretName * | csms:Type; g:EnterpriseProjectId; g:ResourceTag/<tag-key> | csms:secretVersion:create | kms:cmk:createDataKey |

URI

POST /v1/{project_id}/secrets/{secret_name}/versions

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Definition: Project ID. For details, see Obtaining a Project ID. Constraints: N/A. Range: The value returned by the IAM API is used, which contains 32 characters. Default Value: N/A. |
| secret_name | Yes | String | Definition: Secret name. Constraints: N/A. Range: The value must match the regular expression ^[a-zA-Z0-9_-]{1,64}$. Default Value: N/A. |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | Yes | String | Definition: User token. It can be obtained by calling the IAM API. The value of X-Subject-Token in the response header is the user token. This parameter is optional if AK/SK authentication is used. Constraints: N/A. Range: Obtain the value by calling the IAM API for obtaining the user token. Default Value: N/A. |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| secret_binary | No | String | Definition: Plaintext of a binary secret encoded using Base64. CSMS encrypts the plaintext and stores it in the initial version of the secret. Constraints: Either secret_binary or secret_string must be configured. The maximum size is 64 KB. Range: N/A. Default Value: N/A. |
| secret_string | No | String | Definition: Plaintext of a text secret. CSMS encrypts the plaintext and stores it in the initial version of the secret. Constraints: Either secret_binary or secret_string must be configured. The maximum size is 64 KB. Range: N/A. Default Value: N/A. |
| version_stages | No | Array of strings | Definition: Version status added to a secret version when the version is stored. If this parameter is not specified, the SYSCURRENT status is used for the new version. Constraints: Array. The value ranges from 1 to 12. Range: N/A. Default Value: N/A. |
| expire_time | No | Long | Definition: Timestamp when the secret version expires, that is, the total seconds since January 1, 1970. This parameter is left blank by default. When version expiration events are subscribed to, the validity period is determined based on this parameter. Constraints: N/A. Range: N/A. Default Value: N/A. |

Response Parameters

Status code: 200

Table 4 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| version_metadata | VersionMetadata object | Definition: Secret version metadata. Range: N/A. |

Table 5 VersionMetadata

| Parameter | Type | Description |
|---|---|---|
| id | String | Definition: Secret version ID, which is unique under a secret object. Range: N/A. |
| create_time | Long | Definition: Timestamp when a secret version was created, that is, total number of seconds since January 1, 1970. Range: N/A. |
| expire_time | Long | Definition: Timestamp when the secret version expires, that is, the total seconds since January 1, 1970. This parameter is left blank by default. When version expiration events are subscribed to, the validity period is determined based on this parameter. Range: N/A. |
| kms_key_id | String | Definition: ID of the KMS CMK used to encrypt secret values. Range: N/A. |
| secret_name | String | Definition: Secret name. Range: N/A. |
| version_stages | Array of strings | Definition: Secret version status list. Each status tag is unique for a secret version. If a status tag in use is added to a new version, the tag will be automatically removed from the original version. If version_stages is not specified, the temporary tag SYSCURRENT will be added to this version. Range: N/A. |

Example Requests

Create a secret version with the secret value set to secret_string.

{
  "secret_string" : "secret_string"
}

Example Responses

Status code: 200

Request succeeded.

{
  "version_metadata" : {
    "id" : "v1",
    "kms_key_id" : "b168fe00ff56492495a7d22974df2d0b",
    "create_time" : 1581507580000,
    "secret_name" : "secret-name-demo",
    "version_stages" : [ "SYSCURRENT" ]
  }
}
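
The following Python is an added example, not taken from the CSMS documentation or SDK: it enforces the Table 1 and Table 3 constraints on the client before building the request, and checks the response against Table 5. The function names, the alphanumeric check on project_id, the Content-Type header, applying the 64 KB limit to the unencoded value, requiring exactly one value field, and reading the version_stages constraint as 1 to 12 entries are assumptions.

```python
import base64
import json
import re

MAX_SECRET_BYTES = 64 * 1024  # Table 3: "The maximum size is 64 KB."


def build_create_version_request(project_id, secret_name, token, *,
                                 secret_string=None, secret_binary=None,
                                 version_stages=None):
    """Return (method, path, headers, body) for POST .../versions."""
    # fullmatch, not match with ^...$: "$" would also accept "name\n".
    if not re.fullmatch(r"[a-zA-Z0-9_-]{1,64}", secret_name):
        raise ValueError("secret_name violates the Table 1 pattern")
    # Table 1 only says "32 characters"; alphanumeric is an assumption.
    if not re.fullmatch(r"[0-9a-zA-Z]{32}", project_id):
        raise ValueError("project_id must be 32 alphanumeric characters")
    # This example requires exactly one of the two value fields.
    if (secret_string is None) == (secret_binary is None):
        raise ValueError("set exactly one of secret_string/secret_binary")
    if secret_string is not None:
        raw, body = secret_string.encode("utf-8"), {"secret_string": secret_string}
    else:
        raw = bytes(secret_binary)
        body = {"secret_binary": base64.b64encode(raw).decode("ascii")}
    # Assumption: the 64 KB limit is applied to the unencoded value.
    if not raw or len(raw) > MAX_SECRET_BYTES:
        raise ValueError("secret value must be between 1 byte and 64 KB")
    if version_stages is not None:
        # Assumption: "ranges from 1 to 12" means 1 to 12 array entries.
        if not 1 <= len(version_stages) <= 12:
            raise ValueError("version_stages must hold 1 to 12 entries")
        body["version_stages"] = list(version_stages)
    path = f"/v1/{project_id}/secrets/{secret_name}/versions"
    # Content-Type is an assumption; Table 2 lists only X-Auth-Token.
    headers = {"X-Auth-Token": token, "Content-Type": "application/json"}
    return "POST", path, headers, json.dumps(body)


def check_version_metadata(response_text, secret_name, stages=("SYSCURRENT",)):
    """Return the new version id once the response matches the request."""
    meta = json.loads(response_text)["version_metadata"]
    if meta["secret_name"] != secret_name:
        raise ValueError("response is for a different secret")
    missing = set(stages) - set(meta["version_stages"])
    if missing:
        raise ValueError(f"stages not applied: {sorted(missing)}")
    return meta["id"]
```

Keep the returned headers and body out of logs, since they carry the token and the plaintext secret.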

Status Codes

| Status Code | Description |
|---|---|
| 200 | Request succeeded. |

Error Codes

See Error Codes.