Updated on 2026-06-11 GMT+08:00

Querying a Secret Instance

Function

This API queries secret instances: it filters the user's secrets by tag and returns the list of matching secrets.

Calling Method

For details, see Calling APIs.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, the following identity policy-based permissions are required.

    Action: csms:secret:getSecretsByTag
    Access Level: List
    Resource Type (*: required): secretName *
    Condition Key: -
    Alias: csms:tag:getSecretByTag
    Dependencies: -

URI

POST /v1/{project_id}/csms/{resource_instances}/action

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

resource_instances

Yes

String

Definition

Resource instance. The value is resource_instances.

Constraints

N/A

Range

Resource instance. The value is resource_instances.

Default Value

N/A

project_id

Yes

String

Definition

Project ID. For details, see Obtaining a Project ID.

Constraints

N/A

Range

The value returned by the IAM API is used, which contains 32 characters.

Default Value

N/A

Request Parameters

Table 2 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

Definition

User token. It can be obtained by calling the IAM API. The value of X-Subject-Token in the response header is the user token. This parameter is optional if AK/SK authentication is used.

Constraints

N/A

Range

Obtain the value by calling the IAM API for obtaining the user token.

Default Value

N/A

Table 3 Request body parameters

Parameter

Mandatory

Type

Description

limit

No

String

Definition

Number of records to be queried. If action is set to filter, the default value is 10.

The value of limit ranges from 1 to 1000.

Constraints

This parameter is not required when action is set to count.

Range

N/A

Default Value

N/A

offset

No

String

Definition

Index location. The query starts from the record that follows the position specified by offset. When you query resources on subsequent pages, set offset to the location returned in the response body for the previous query. If action is set to filter, offset is set to 0 by default.

The value of offset must be a non-negative number.

Constraints

This parameter is not required when action is set to count.

Range

N/A

Default Value

N/A

action

Yes

String

Definition

Operation type, which can be:

  • filter: Filter records.

  • count: Count all records.

Constraints

N/A

Range

N/A

Default Value

N/A

tags

No

Array of Tag objects

Definition

Tag list, made up of pairs of tag keys and values. There can be at most 10 pairs on one page.

Constraints

N/A

Range

N/A

Default Value

N/A

matches

No

Array of TagMatches objects

Definition

Search field.

  • key: Search field. Currently, the value can only be resource_name, indicating that only the credential name can be searched.

  • value: Field for fuzzy match. The value can contain a maximum of 255 characters. If this parameter is not specified, an empty value will be returned.

Constraints

N/A

Range

N/A

Default Value

N/A

sequence

No

String

Definition

A 36-byte serial number of a request message, for example, 919c82d4-8046-4722-9094-35c3c6524cff.

Constraints

N/A

Range

N/A

Default Value

N/A

Table 4 Tag

Parameter

Mandatory

Type

Description

key

No

String

Definition

Tag key

Constraints

N/A

Range

N/A

Default Value

N/A

values

No

Array of strings

Definition

Tag value set.

There can be at most 10 tag values. Tag values in the tag list must be unique. If the value list is empty, any tag value is matched. When there are multiple values in the tag list and the key requirements are met, a value in the request is matched.

Constraints

N/A

Range

N/A

Default Value

N/A

Table 5 TagMatches

Parameter

Mandatory

Type

Description

key

No

String

Definition

Field to be matched

Constraints

The value can only be a secret name.

Range

N/A

Default Value

N/A

value

No

String

Definition

Tag value

Constraints

N/A

Range

The value can contain at most 255 characters and must match the regular expression ^([\p{L}\p{Z}\p{N}_.:\/=+\-@]*)$.

Default Value

N/A

Response Parameters

Status code: 200

Table 6 Response body parameters

Parameter

Type

Description

resources

Array of ActionResources objects

Definition

Resource instance list. For details, see the data structure description of the resource field.

Range

N/A

total_count

Integer

Definition

Total number of records

Range

N/A

Table 7 ActionResources

Parameter

Type

Description

resource_id

String

Definition

Secret resource ID

Range

N/A

resource_detail

Secret object

Secret object

resource_name

String

Definition

Resource name. This parameter is an empty string by default.

Range

N/A

tags

Array of TagItem objects

Definition

Tag list. If there is no tag in the list, an empty array is returned by default.

Range

N/A

sys_tags

Array of SysTag objects

Definition

System tag list. If there is no tag in the list, an empty array is returned by default.

Range

N/A

Table 8 Secret

Parameter

Type

Description

id

String

Definition

Secret ID

Range

N/A

name

String

Definition

Secret name

Range

N/A

state

String

Definition

Secret status

Range

  • ENABLED

  • DISABLED

  • PENDING_DELETE

  • FROZEN

kms_key_id

String

Definition

ID of the KMS CMK used to encrypt secret values

Range

N/A

description

String

Definition

Secret description

Range

N/A

create_time

Long

Definition

Timestamp when a secret was created, that is, the total number of seconds since January 1, 1970.

Range

N/A

update_time

Long

Definition

Timestamp when a secret was last updated, that is, the total number of seconds since January 1, 1970.

Range

N/A

scheduled_delete_time

Long

Definition

Timestamp when a secret is to be deleted as scheduled, that is, the total number of seconds since January 1, 1970.

If a secret is not in the Pending deletion state, the value of this parameter is null.

Range

N/A

secret_type

String

Definition

Secret type

Range

  • COMMON: shared secret (default). It is used to store sensitive information in an application system.

  • RDS: RDS secret. It is used to store RDS account information. (This value is no longer supported and is replaced by RDS-FG.)

  • RDS-FG: RDS secret. It is used to store RDS account information.

  • GaussDB-FG: TaurusDB secret. It is used to store TaurusDB account information.

auto_rotation

Boolean

Definition

Automatic rotation

Range

true: enabled, false: disabled (default)

rotation_period

String

Definition

Rotation period

Range

4 hours to 8,760 hours (365 days)

rotation_config

String

Definition

Rotation configuration

Range

  • The value can contain at most 1,024 characters.

  • If secret_type is set to RDS-FG or GaussDB-FG, set this parameter to {"InstanceId":"","SecretSubType":""}.

Note: This parameter is mandatory when secret_type is set to RDS-FG or GaussDB-FG.

InstanceId indicates the instance ID, and SecretSubType indicates the rotation subtype. The value can be SingleUser or MultiUser.

SingleUser: Single-user rotation is used. A new password is created for the account for each rotation.

MultiUser: Multi-user rotation is used. The users are labeled as SYSCURRENT and SYSPREVIOUS, respectively. During secret rotation, the password of the user labeled by SYSPREVIOUS will be reset to a random one. Then, the user labels of SYSCURRENT and SYSPREVIOUS are exchanged.

rotation_time

Long

Definition

Rotation timestamp.

Range

N/A

next_rotation_time

Long

Definition

Next rotation timestamp.

Range

N/A

last_used_time

Long

Definition

Time when the secret value was last obtained.

Range

N/A

event_subscriptions

Array of strings

Definition

Events to which a secret is subscribed. Currently, only one event can be subscribed to. When a basic event is triggered, a message is sent to the topic corresponding to the event.

Range

N/A

enterprise_project_id

String

Definition

Enterprise project ID.

Range

N/A

rotation_func_urn

String

Definition

URN of the FunctionGraph function

Range

N/A

domain_id

String

Definition

ID of the tenant to which the secret belongs.

Range

N/A

replica_type

String

Definition

Multi-region secret type

Range

  • STANDALONE: There is no multi-region replica for the current secret.

  • PRIMARY: There are multi-region replicas for the current secret. This secret is the primary one.

  • REPLICA: There are multi-region replicas for the current secret. This secret is the replica one.

replicas

Array of Replica objects

Definition

Replica secret information.

Range

N/A

Table 9 Replica

Parameter

Type

Description

id

String

Definition

Secret ID

Range

N/A

kms_key_id

String

Definition

ID of the KMS key used to encrypt secret values

Range

N/A

project_id

String

Definition

ID of the project to which the secret belongs

Range

N/A

region

String

Definition

Name of the region to which the secret belongs

Range

N/A

replica_type

String

Definition

Multi-region secret type

Range

  • PRIMARY: primary secret

  • REPLICA: replica secret

status

String

Definition

Replica secret synchronization status

Range

  • IN_PROGRESS: The replica secret is to be synchronized.

  • IN_SYNC: The replica secret is synchronized with the primary secret.

  • FAILED: The replica secret fails to be synchronized with the primary secret.

created_at

Long

Definition

Creation timestamp.

Range

N/A

updated_at

Long

Definition

Update timestamp.

Range

N/A

Table 10 TagItem

Parameter

Type

Description

key

String

Definition

Tag name

Constraints

  • The tag keys of a secret cannot have duplicate values. A tag key can be used for multiple secrets.

  • A secret can have up to 20 tags.

Range

The value can contain 1 to 128 characters and must match the regular expression ^((?!\s)(?!sys)[\p{L}\p{Z}\p{N}_.:=+\-@]*)(?<!\s)$.

Default Value

N/A

value

String

Definition

Tag value

Constraints

N/A

Range

The value can contain at most 255 characters and must match the regular expression ^([\p{L}\p{Z}\p{N}_.:\/=+\-@]*)$.

Default Value

N/A

Table 11 SysTag

Parameter

Type

Description

key

String

Definition

Tag key

Constraints

N/A

Range

The value can contain 1 to 128 characters and must match the regular expression ^((?!\s)(?!_sys_)[\p{L}\p{Z}\p{N}_.:=+\-@]*)(?<!\s)$.

Default Value

N/A

value

String

Definition

Tag value

Constraints

N/A

Range

The value can contain at most 255 characters and must match the regular expression ^([\p{L}\p{Z}\p{N}_.:\/=+\-@]*)$.

Default Value

N/A

Example Requests

Filter user secrets by tag and return the secret list.

{
  "action" : "filter",
  "tags" : [ {
    "key" : "key1",
    "values" : [ "val1" ]
  } ]
}
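The constraints in Tables 3 to 5 can be checked on the client before the request is sent. The following is an added example, not code from this API's documentation or SDK: build_body, value_ok and rejected are hypothetical helper names, and reading "at most 10 value pairs" as a limit of 10 tags per request is an assumption.

```python
import unicodedata

ALLOWED_PUNCT = set("_.:/=+-@")  # literal characters in the documented value pattern

def value_ok(value):
    # Stand-in for ^([\p{L}\p{Z}\p{N}_.:\/=+\-@]*)$ plus the 255-character cap;
    # Python's re module has no \p{..} classes, so Unicode categories are checked directly.
    return len(value) <= 255 and all(
        unicodedata.category(ch)[0] in "LZN" or ch in ALLOWED_PUNCT for ch in value)

def build_body(action, tags=(), matches=(), limit=None, offset=None):
    """Return a request body dict, raising ValueError on a documented-constraint violation."""
    if action not in ("filter", "count"):
        raise ValueError("action must be 'filter' or 'count'")
    if len(tags) > 10:  # assumption: "at most 10 value pairs" read as 10 tags per request
        raise ValueError("at most 10 tags")
    for tag in tags:
        values = tag.get("values", [])
        if len(values) > 10 or len(set(values)) != len(values):
            raise ValueError("tag %r: at most 10 unique values" % tag.get("key"))
        if not all(value_ok(v) for v in values):
            raise ValueError("tag %r: value outside the allowed pattern" % tag.get("key"))
    for m in matches:
        if m.get("key") != "resource_name" or not value_ok(m.get("value", "")):
            raise ValueError("matches: key must be resource_name, value must fit the pattern")
    body = {"action": action}
    if tags:
        body["tags"] = list(tags)
    if matches:
        body["matches"] = list(matches)
    if action == "filter":  # limit and offset are not required for count, so they are omitted
        limit = 10 if limit is None else int(limit)
        offset = 0 if offset is None else int(offset)
        if not 1 <= limit <= 1000 or offset < 0:
            raise ValueError("limit must be 1..1000 and offset non-negative")
        body["limit"], body["offset"] = str(limit), str(offset)  # Table 3 types both as String
    return body

def rejected(**kwargs):
    """True when build_body refuses the arguments."""
    try:
        build_body(**kwargs)
    except ValueError:
        return True
    return False
```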

Example Responses

Status code: 200

Request succeeded.

{
  "total_count" : 1,
  "resources" : [ {
    "resource_id" : "2d1152f2-290d-4756-a1d2-e12c14992416"
  }, {
    "resource_detail" : {
      "id" : "2d1152f2-290d-4756-a1d2-e12c14992416",
      "name" : "example_name",
      "state" : "ENABLED",
      "description" : "",
      "kms_key_id" : "1213d410-ass1-1254-1a2d-3cca2sa2w554",
      "create_time" : 1581507580000,
      "update_time" : 1581507580000,
      "scheduled_delete_time" : 1581507580000
    }
  }, {
    "tags" : [ {
      "key" : "key1",
      "value" : "value1"
    }, {
      "key" : "key2",
      "value" : "value2"
    } ]
  }, {
    "sys_tags" : null
  }, {
    "resource_name" : "example_name"
  } ]
}
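The fields in Table 8 and Table 9 support a rotation and replication hygiene review of the secrets returned for a tag. The following is an added example, not code from this API's documentation: the sample records are constructed in the shape of Table 7, fake_post is an offline stand-in for the POST call, the checks are an assumed review policy, and advancing offset by the number of records received is an assumption about paging.

```python
# Constructed sample records shaped like Table 7 / Table 8; all names and values are invented.
SAMPLE = [
    {"resource_name": "app-db", "resource_detail": {"name": "app-db", "state": "ENABLED",
        "secret_type": "RDS-FG", "auto_rotation": True, "replicas": []}},
    {"resource_name": "legacy-db", "resource_detail": {"name": "legacy-db", "state": "ENABLED",
        "secret_type": "RDS", "auto_rotation": False, "replicas": []}},
    {"resource_name": "old-api-key", "resource_detail": {"name": "old-api-key",
        "state": "PENDING_DELETE", "secret_type": "COMMON", "auto_rotation": False,
        "replicas": [{"region": "region-b", "status": "FAILED"}]}},
]

def fake_post(body):
    # Offline stand-in for the POST call: slices SAMPLE by the string limit/offset fields.
    start, size = int(body["offset"]), int(body["limit"])
    return {"total_count": len(SAMPLE), "resources": SAMPLE[start:start + size]}

def iter_resources(post, tags, page_size=2):
    # Assumption: offset is a record index that advances by the number of records received.
    offset = 0
    while True:
        page = post({"action": "filter", "tags": tags,
                     "limit": str(page_size), "offset": str(offset)})
        resources = page.get("resources") or []
        yield from resources
        offset += len(resources)
        if not resources or offset >= page.get("total_count", 0):
            return

def audit(resource):
    # Return the list of findings for one ActionResources record.
    detail = resource.get("resource_detail") or {}
    findings = []
    if detail.get("state") != "ENABLED":
        findings.append("state is %s" % detail.get("state"))
    if not detail.get("auto_rotation", False):
        findings.append("auto_rotation disabled")
    if detail.get("secret_type") == "RDS":
        findings.append("secret_type RDS is no longer supported, replaced by RDS-FG")
    for replica in detail.get("replicas") or []:
        if replica.get("status") == "FAILED":
            findings.append("replica sync FAILED in %s" % replica.get("region"))
    return findings

def report(post, tags):
    # Map secret name -> findings, keeping only secrets that have at least one finding.
    results = {r.get("resource_name"): audit(r) for r in iter_resources(post, tags)}
    return {name: f for name, f in results.items() if f}
```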

Status Codes

Status Code: 200
Description: Request succeeded.

Error Codes

See Error Codes.