Help Center/ Data Encryption Workshop/ API Reference/ APIs/ Secret Management APIs/ Secret Tag Management/ Querying a Secret Instance

Updated on 2024-08-06 GMT+08:00

View PDF

Querying a Secret Instance

Function

This API is used to query secret instances. Filters user secret by tag and returns the secret list.

Calling Method

For details, see Calling APIs.

URI

POST /v1/{project_id}/csms/{resource_instances}/action

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
resource_instances	Yes	String	Its value is resource_instances.
project_id	Yes	String	Project ID

Request Parameters

**Table 2** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.

**Table 3** Request body parameters
Parameter	Mandatory	Type	Description
limit	No	String	Specifies the number of records to be queried. This parameter does not need to be set when action is set to count. If action is set to filter, the default value is 10. The value of limit is in the ranges 1 to 1,000.
offset	No	String	The index location. The query starts from the next resource of the specified location. When querying data on the first page, set this parameter to the value in the response body of the previous page. If action is set to count, you do not need to set this parameter. If the action is set to filter, offset defaults to 0. The value of offset must be a number and cannot be negative.
action	No	String	Operation type. It can be: - filter - count: Count total records.
tags	No	Array of Tag objects	list of tags, including tag keys and tag values. The maximum number is 10.
matches	No	Array of TagItem objects	Key-value pair to be matched - key indicates the search field. Currently, its value is resource_name, indicating that only the secret name can be searched. - value indicates the field for fuzzy match. It can contain up to 255 characters. If it is left blank, a null value is returned.
sequence	No	String	36-byte sequence number of a request message. Example: 919c82d4-8046-4722-9094-35c3c6524cff.

**Table 4** Tag
Parameter	Mandatory	Type	Description
key	No	String	The tag key.
values	No	Array of strings	Indicates the tag value set. Constraints: A maximum of 10 values can be contained. Tag values in a tag list must be unique. If the value list is left empty, any tag value can be matched. Multiple values in the tag list are in the OR relationship. If the key meets the requirements, a value in the request is matched.

**Table 5** TagItem
Parameter	Mandatory	Type	Description
key	Yes	String	Name of a tag. The tag keys of a secret cannot have duplicate values. A tag key can be used for multiple secrets. You can add a maximum of 20 tags to a credential. Constraints: The value contains 1 to 128 characters and matches the regular expression "^((?!\s)(?!sys)[\p{L}\p{Z}\p{N}_.:=+\-@]*)(?<!\s)$".
value	No	String	Tag value. Constraints: The value contains a maximum of 255 characters and matches the regular expression "^([\p{L}\p{Z}\p{N}_.:\/=+\-@]*)$".

Response Parameters

Status code: 200

**Table 6** Response body parameters
Parameter	Type	Description
resources	Array of ActionResources objects	Resource instance list. For details, see the data structure of the resource field.
total_count	Integer	Total number of records.

**Table 7** ActionResources
Parameter	Type	Description
resource_id	String	Resource ID
resource_detail	Secret object	Secret object
resource_name	String	Resource name, which is a null string by default.
tags	Array of TagItem objects	Lists of tags. If there is no tag, the array is empty by default.

**Table 8** Secret
Parameter	Type	Description
id	String	Resource identifier of a secret
name	String	Secret name
state	String	Secret status. Its value can be: ENABLED DISABLED PENDING_DELETE FROZEN
kms_key_id	String	ID of the KMS CMK used to encrypt a secret value.
description	String	Description of a secret
create_time	Long	Secret creation time. The value is a timestamp, that is, the total number of seconds on January 1, 1970 to the current time.
update_time	Long	Time when a secret was last updated. The value is a timestamp, that is, the total number of seconds on January 1, 1970 to the current time.
scheduled_delete_time	Long	Time when a secret is scheduled to be deleted. The value is a timestamp, that is, the total number of seconds on January 1, 1970 to the current time. If the secret is not in the deletion plan, the value of this parameter is null.
secret_type	String	Secret type The options are as follows: COMMON: common secret (default) stores sensitive information in the application system. RDS: RDS secrets. RDS secrets are used to store RDS account information.
auto_rotation	Boolean	Automatic rotation The value can be true (enabled) or false (disabled). The default value is false.
rotation_period	String	Rotation period Constraints: 6 hours - 8,760 hours (365 days) Type: Integer[unit]. Integer indicates the time length. unit indicates the time unit, which can be d (day), h (hour), m (minute), or s (second). For example, 1d indicates one day, and 24h also indicates one day. Note: This parameter is mandatory when automatic rotation is enabled.
rotation_config	String	Rotation configuration Constraints: The value contains a maximum of 1,024 characters. If secret_type is set to RDS, set this parameter to {"RDSInstanceId":"","SecretSubType":""}. Note: This parameter is mandatory when secret_type is set to RDS. RDSInstanceId indicates the RDS DB instance ID. SecretSubType indicates the rotation subtype. The value can be SingleUser or MultiUser. SingleUser: The single-user mode is used. The password of a specified account is reset each time the account is rotated. MultiUser: The dual-user mode is used. SYSCURRENT and SYSPREVIOUS reference one of the accounts. During secret rotation, the account password referenced by SYSPREVIOUS is reset to a new random password. Subsequently, secrets exchange SYSCURRENT and SYSPREVIOUS references to the RDS account.
rotation_time	Long	Rotation timestamp
next_rotation_time	Long	Next rotation timestamp
event_subscriptions	Array of strings	List of events subscribed to by secrets. Currently, only one event can be subscribed to. When a basic event contained in an event is triggered, a notification message is sent to the notification topic corresponding to the event.
enterprise_project_id	String	Enterprise project ID

**Table 9** TagItem
Parameter	Type	Description
key	String	Name of a tag. The tag keys of a secret cannot have duplicate values. A tag key can be used for multiple secrets. You can add a maximum of 20 tags to a credential. Constraints: The value contains 1 to 128 characters and matches the regular expression "^((?!\s)(?!sys)[\p{L}\p{Z}\p{N}_.:=+\-@]*)(?<!\s)$".
value	String	Tag value. Constraints: The value contains a maximum of 255 characters and matches the regular expression "^([\p{L}\p{Z}\p{N}_.:\/=+\-@]*)$".

Status code: 400

**Table 10** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message.

**Table 11** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 401

**Table 12** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message.

**Table 13** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 403

**Table 14** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message.

**Table 15** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 404

**Table 16** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message.

**Table 17** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 500

**Table 18** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message.

**Table 19** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 502

**Table 20** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message.

**Table 21** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 504

**Table 22** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message.

**Table 23** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Example Requests

Filters user secrets by tag and returns the secret list.

{
  "action" : "filter",
  "tags" : [ {
    "key" : "key1",
    "values" : [ "val1" ]
  } ]
}

Example Responses

Status code: 200

Request succeeded.

{
  "total_count" : 1,
  "resources" : [ {
    "resource_id" : "2d1152f2-290d-4756-a1d2-e12c14992416"
  }, {
    "resource_detail" : {
      "id" : "2d1152f2-290d-4756-a1d2-e12c14992416",
      "name" : "example_name",
      "state" : "ENABLED",
      "description" : "",
      "kms_key_id" : "1213d410-ass1-1254-1a2d-3cca2sa2w554",
      "create_time" : 1581507580000,
      "update_time" : 1581507580000,
      "scheduled_delete_time" : 1581507580000
    }
  }, {
    "tags" : [ {
      "key" : "key1",
      "value" : "value1"
    }, {
      "key" : "key2",
      "value" : "value2"
    } ]
  }, {
    "sys_tags" : null
  }, {
    "resource_name" : "example_name"
  } ]
}

SDK Sample Code

The SDK sample code is as follows.

Filters user secrets by tag and returns the secret list.

      
       
         
         
           package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.csms.v1.region.CsmsRegion;
import com.huaweicloud.sdk.csms.v1.*;
import com.huaweicloud.sdk.csms.v1.model.*;

import java.util.List;
import java.util.ArrayList;

public class ListResourceInstancesSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");

        ICredential auth = new BasicCredentials()
                .withAk(ak)
                .withSk(sk);

        CsmsClient client = CsmsClient.newBuilder()
                .withCredential(auth)
                .withRegion(CsmsRegion.valueOf("<YOUR REGION>"))
                .build();
        ListResourceInstancesRequest request = new ListResourceInstancesRequest();
        ListResourceInstancesRequestBody body = new ListResourceInstancesRequestBody();
        List<String> listTagsValues = new ArrayList<>();
        listTagsValues.add("val1");
        List<Tag> listbodyTags = new ArrayList<>();
        listbodyTags.add(
            new Tag()
                .withKey("key1")
                .withValues(listTagsValues)
        );
        body.withTags(listbodyTags);
        body.withAction("filter");
        request.withBody(body);
        try {
            ListResourceInstancesResponse response = client.listResourceInstances(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

          

        

      
     

Filters user secrets by tag and returns the secret list.

      
       
         
         
           # coding: utf-8

from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkcsms.v1.region.csms_region import CsmsRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkcsms.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = __import__('os').getenv("CLOUD_SDK_AK")
    sk = __import__('os').getenv("CLOUD_SDK_SK")

    credentials = BasicCredentials(ak, sk) \

    client = CsmsClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CsmsRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ListResourceInstancesRequest()
        listValuesTags = [
            "val1"
        ]
        listTagsbody = [
            Tag(
                key="key1",
                values=listValuesTags
            )
        ]
        request.body = ListResourceInstancesRequestBody(
            tags=listTagsbody,
            action="filter"
        )
        response = client.list_resource_instances(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

          

        

      
     

Filters user secrets by tag and returns the secret list.

      
       
         
         
           package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    csms "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/csms/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/csms/v1/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/csms/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        Build()

    client := csms.NewCsmsClient(
        csms.CsmsClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.ListResourceInstancesRequest{}
	var listValuesTags = []string{
        "val1",
    }
	keyTags:= "key1"
	var listTagsbody = []model.Tag{
        {
            Key: &keyTags,
            Values: &listValuesTags,
        },
    }
	request.Body = &model.ListResourceInstancesRequestBody{
		Tags: &listTagsbody,
		Action: "filter",
	}
	response, err := client.ListResourceInstances(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

          

        

      
     

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code	Description
200	Request succeeded.
400	Invalid request parameter.
401	A username and password are required.
403	Authentication failed.
404	The requested resource does not exist or is not found.
500	Internal service error.
502	Failed to complete the request because the server receives an invalid response from an upstream server.
504	Gateway timed out.