Help Center/ Data Encryption Workshop/ API Reference/ APIs/ Secret Management APIs/ Secret Tag Management/ Querying a Secret Instance

Updated on 2025-05-20 GMT+08:00

View PDF

Querying a Secret Instance

Function

This API is used to query secret instances. Filters user secret by tag and returns the secret list.

Calling Method

For details, see Calling APIs.

URI

POST /v1/{project_id}/csms/{resource_instances}/action

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
resource_instances	Yes	String	Its value is resource_instances.
project_id	Yes	String	Project ID

Request Parameters

**Table 2** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.

**Table 3** Request body parameters
Parameter	Mandatory	Type	Description
limit	No	String	Specifies the number of records to be queried. This parameter does not need to be set when action is set to count. If action is set to filter, the default value is 10. The value of limit is in the ranges 1 to 1,000.
offset	No	String	The index location. The query starts from the next resource of the specified location. When querying data on the first page, set this parameter to the value in the response body of the previous page. If action is set to count, you do not need to set this parameter. If the action is set to filter, offset defaults to 0. The value of offset must be a number and cannot be negative.
action	Yes	String	Operation type. It can be: - filter - count: Count total records.
tags	No	Array of Tag objects	Tag list, which is the value pairs of tag keys and values. There can be at most 10 value pairs on one page.
matches	No	Array of TagMatches objects	Key-value pair to be matched - key indicates the search field. Currently, its value is resource_name, indicating that only the secret name can be searched. - value indicates the field for fuzzy match. It can contain up to 255 characters. If it is left blank, a null value is returned.
sequence	No	String	36-byte sequence number of a request message. Example: 919c82d4-8046-4722-9094-35c3c6524cff.

**Table 4** Tag
Parameter	Mandatory	Type	Description
key	No	String	Tag key
values	No	Array of strings	Tag value set. Constraints: A tag can contain at most 10 values, which are unique. If the tag list is empty, any value can be matched. A search result matches only one value.

**Table 5** TagMatches
Parameter	Mandatory	Type	Description
key	No	String	Is the field to be matched. Constraints: The value can only be resource_name.
value	No	String	Value for fuzzy match. Constraints: The value can contain a maximum of 255 characters. If the value is empty, an empty value is returned.

Response Parameters

Status code: 200

**Table 6** Response body parameters
Parameter	Type	Description
resources	Array of ActionResources objects	Resource instance list. For details, see the data structure of the resource field.
total_count	Integer	Total number of records.

**Table 7** ActionResources
Parameter	Type	Description
resource_id	String	Resource ID
resource_detail	Secret object	Secret object
resource_name	String	Resource name, which is a null string by default.
tags	Array of TagItem objects	Lists of tags. If there is no tag, the array is empty by default.
sys_tags	Array of SysTag objects	System tag list. If there is no tag, the list is empty by default.

**Table 8** Secret
Parameter	Type	Description
id	String	Resource identifier of a secret
name	String	Secret name
state	String	Secret status. Its value can be: ENABLED DISABLED PENDING_DELETE FROZEN
kms_key_id	String	ID of the KMS CMK used to encrypt a secret value.
description	String	Description of a secret
create_time	Long	Secret creation time. The value is a timestamp, that is, the total number of seconds on January 1, 1970 to the current time.
update_time	Long	Time when a secret was last updated. The value is a timestamp, that is, the total number of seconds on January 1, 1970 to the current time.
scheduled_delete_time	Long	Time when a secret is scheduled to be deleted. The value is a timestamp, that is, the total number of seconds on January 1, 1970 to the current time. If the secret is not in the deletion plan, the value of this parameter is null.
secret_type	String	Secret type COMMON: shared secret (default), which is used to store sensitive information in an application system. RDS: RDS secret, which is used to store RDS account information. (no longer supported, replaced by RDS-FG) RDS-FG: RDS secret, which is used to store RDS account information. GaussDB-FG: TaurusDB secret, which is used to store TaurusDB account information.
auto_rotation	Boolean	Automatic rotation The value can be true (enabled) or false (disabled). The default value is false.
rotation_period	String	Rotation period Constraints: 6 hours - 8,760 hours (365 days) Type: Integer[unit]. Integer indicates the time length. unit indicates the time unit, which can be d (day), h (hour), m (minute), or s (second). For example, 1d indicates one day, and 24h also indicates one day. Note: This parameter is mandatory when automatic rotation is enabled.
rotation_config	String	Rotation configuration Constraints: The value can contain a maximum of 1,024 characters. If secret_type is set to RDS-FG or GaussDB-FG, set this parameter to {"InstanceId":"","SecretSubType":""}. Note: This parameter is mandatory when secret_type is set to RDS-FG or GaussDB-FG. InstanceId indicates the instance ID, and SecretSubType indicates the rotation subtype. The value can be SingleUser or MultiUser. SingleUser: Single-user rotation is used. A new password is created for the account for each rotation. MultiUser: Dual-user rotation is used. The users are labeled as SYSCURRENT and SYSPREVIOUS, respectively. During secret rotation, the password of the account who is labeled as SYSPREVIOUS is reset, and a random password is generated. Then, the labels are switched for the users.
rotation_time	Long	Rotation timestamp
next_rotation_time	Long	Next rotation timestamp
event_subscriptions	Array of strings	List of events subscribed to by secrets. Currently, only one event can be subscribed to. When a basic event contained in an event is triggered, a notification message is sent to the notification topic corresponding to the event.
enterprise_project_id	String	Enterprise project ID
rotation_func_urn	String	URN of the FunctionGraph function

**Table 9** TagItem
Parameter	Type	Description
key	String	Tag name The tag keys of a secret cannot have duplicate values. A tag key can be used for multiple secrets. A secret can have up to 20 tags. Constraints: The value can contain 1 to 128 characters and must match the regular expression *^((?!\s)(?!sys)[\p{L}\p{Z}\p{N}_.:=+\-@])(?<!\s)$**.
value	String	Tag value. Constraints: The value can contain a maximum of 255 characters and must match the regular expression *^ ([\p{L}\p{Z}\p{N}_.:\/=+\-@]) $**.

**Table 10** SysTag
Parameter	Type	Description
key	String	The tag key.
value	String	Tag value

Status code: 400

**Table 11** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message

**Table 12** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 401

**Table 13** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message

**Table 14** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 403

**Table 15** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message

**Table 16** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 404

**Table 17** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message

**Table 18** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 500

**Table 19** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message

**Table 20** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 502

**Table 21** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message

**Table 22** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Status code: 504

**Table 23** Response body parameters
Parameter	Type	Description
error	ErrorDetail object	Error message

**Table 24** ErrorDetail
Parameter	Type	Description
error_code	String	Error code returned for an error request.
error_msg	String	Error information returned for an error request.

Example Requests

Filters user secrets by tag and returns the secret list.

{
  "action" : "filter",
  "tags" : [ {
    "key" : "key1",
    "values" : [ "val1" ]
  } ]
}

Example Responses

Status code: 200

Request succeeded.

{
  "total_count" : 1,
  "resources" : [ {
    "resource_id" : "2d1152f2-290d-4756-a1d2-e12c14992416"
  }, {
    "resource_detail" : {
      "id" : "2d1152f2-290d-4756-a1d2-e12c14992416",
      "name" : "example_name",
      "state" : "ENABLED",
      "description" : "",
      "kms_key_id" : "1213d410-ass1-1254-1a2d-3cca2sa2w554",
      "create_time" : 1581507580000,
      "update_time" : 1581507580000,
      "scheduled_delete_time" : 1581507580000
    }
  }, {
    "tags" : [ {
      "key" : "key1",
      "value" : "value1"
    }, {
      "key" : "key2",
      "value" : "value2"
    } ]
  }, {
    "sys_tags" : null
  }, {
    "resource_name" : "example_name"
  } ]
}

SDK Sample Code

The SDK sample code is as follows.

Filters user secrets by tag and returns the secret list.

      
       
         
         
           package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.csms.v1.region.CsmsRegion;
import com.huaweicloud.sdk.csms.v1.*;
import com.huaweicloud.sdk.csms.v1.model.*;

import java.util.List;
import java.util.ArrayList;

public class ListResourceInstancesSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        CsmsClient client = CsmsClient.newBuilder()
                .withCredential(auth)
                .withRegion(CsmsRegion.valueOf("<YOUR REGION>"))
                .build();
        ListResourceInstancesRequest request = new ListResourceInstancesRequest();
        request.withResourceInstances("{resource_instances}");
        ListResourceInstancesRequestBody body = new ListResourceInstancesRequestBody();
        List<String> listTagsValues = new ArrayList<>();
        listTagsValues.add("val1");
        List<Tag> listbodyTags = new ArrayList<>();
        listbodyTags.add(
            new Tag()
                .withKey("key1")
                .withValues(listTagsValues)
        );
        body.withTags(listbodyTags);
        body.withAction("filter");
        request.withBody(body);
        try {
            ListResourceInstancesResponse response = client.listResourceInstances(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

          

        

      
     

Filters user secrets by tag and returns the secret list.

      
       
         
         
           # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkcsms.v1.region.csms_region import CsmsRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkcsms.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = CsmsClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CsmsRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ListResourceInstancesRequest()
        request.resource_instances = "{resource_instances}"
        listValuesTags = [
            "val1"
        ]
        listTagsbody = [
            Tag(
                key="key1",
                values=listValuesTags
            )
        ]
        request.body = ListResourceInstancesRequestBody(
            tags=listTagsbody,
            action="filter"
        )
        response = client.list_resource_instances(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

          

        

      
     

Filters user secrets by tag and returns the secret list.

      
       
         
         
           package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    csms "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/csms/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/csms/v1/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/csms/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := csms.NewCsmsClient(
        csms.CsmsClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.ListResourceInstancesRequest{}
	request.ResourceInstances = "{resource_instances}"
	var listValuesTags = []string{
        "val1",
    }
	keyTags:= "key1"
	var listTagsbody = []model.Tag{
        {
            Key: &keyTags,
            Values: &listValuesTags,
        },
    }
	request.Body = &model.ListResourceInstancesRequestBody{
		Tags: &listTagsbody,
		Action: "filter",
	}
	response, err := client.ListResourceInstances(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

          

        

      
     

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code	Description
200	Request succeeded.
400	Invalid request parameter.
401	A username and password are required.
403	Authentication failed.
404	The requested resource does not exist or is not found.
500	Internal service error.
502	Failed to complete the request because the server receives an invalid response from an upstream server.
504	Gateway timed out.