Restoring a Secret Object

Function

Restore the secret object by uploading the secret backup file.

Constraints

The information returned by this API is the metadata of the secret and does not contain the secret value.

Calling Method

For details, see Calling APIs.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.

If you are using identity policy-based authorization, the following identity policy-based permissions are required.

Action	Access Level	Resource Type (*: required)	Condition Key	Alias	Dependencies
csms:secret:create	Write	secretName *	csms:Type csms:KmsKeyId	-	kms:cmk:decryptDataKey
csms:secret:create	Write	-	g:EnterpriseProjectId g:RequestTag/<tag-key> g:TagKeys	-	kms:cmk:decryptDataKey

URI

POST /v1/{project_id}/secrets/restore

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Definition Project ID. For details, see Obtaining a Project ID. Constraints N/A Range The value returned by the IAM API is used, which contains 32 characters. Default Value N/A

Request Parameters

**Table 2** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Definition User token. It can be obtained by calling the IAM API. The value of X-Subject-Token in the response header is the user token. This parameter is optional if AK/SK authentication is used. Constraints N/A Range Obtain the value by calling the IAM API for obtaining the user token. Default Value N/A

**Table 3** Request body parameters
Parameter	Mandatory	Type	Description
secret_blob	Yes	String	Definition Backup file of a secret. The file contains information about all the versions of the secret. The backup file is encrypted and encoded, and cannot be directly read. Constraints Only backup files downloaded by the same account in the same region can be restored. Range N/A Default Value N/A

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
secret	Secret object	Definition Secret details. Range N/A

**Table 5** Secret
Parameter	Type	Description
id	String	Definition Secret ID Range N/A
name	String	Definition Secret name Range N/A
state	String	Definition Secret status Range ENABLED DISABLED PENDING_DELETE FROZEN
kms_key_id	String	Definition ID of the KMS CMK used to encrypt secret values Range N/A
description	String	Definition Secret description Range N/A
create_time	Long	Definition Timestamp when a secret was created, that is, total number of seconds since January 1, 1970. Range N/A
update_time	Long	Definition Timestamp when a secret was last updated, that is, the total number of seconds since January 1, 1970. Range N/A
scheduled_delete_time	Long	Definition Timestamp when a secret is to be deleted as scheduled, that is, total number of seconds since January 1, 1970. If a secret is not in the Pending deletion state, the value of this parameter is null. Range N/A
secret_type	String	Definition Secret type Range COMMON: shared secret (default). It is used to store sensitive information in an application system. RDS: RDS secret. It is used to store RDS account information. (This value is no longer supported and is replaced by RDS-FG.) RDS-FG: RDS secret. It is used to store RDS account information. GaussDB-FG: TaurusDB secret. It is used to store TaurusDB account information.
auto_rotation	Boolean	Definition Automatic rotation Range true: enabled, false: disabled (default)
rotation_period	String	Definition Rotation period Range 4 hours to 8,760 hours (365 days)
rotation_config	String	Definition Rotation configuration Range The value can contain at most 1,024 characters. If secret_type is set to RDS-FG or GaussDB-FG, set this parameter to {"InstanceId":"","SecretSubType":""}. Note: This parameter is mandatory when secret_type is set to RDS-FG or GaussDB-FG. InstanceId indicates the instance ID, and SecretSubType indicates the rotation subtype. The value can be SingleUser or MultiUser. SingleUser: Single-user rotation is used. A new password is created for the account for each rotation. MultiUser: Multi-user rotation is used. The users are labeled as SYSCURRENT and SYSPREVIOUS, respectively. During secret rotation, the password of the user labeled by SYSPREVIOUS will be reset to a random one. Then, the user labels of SYSCURRENT and SYSPREVIOUS are exchanged.
rotation_time	Long	Definition Rotation timestamp. Range N/A
next_rotation_time	Long	Definition Next rotation timestamp. Range N/A
last_used_time	Long	Definition Time when the secret value was last obtained. Range N/A
event_subscriptions	Array of strings	Definition Events to which a secret is subscribed. Currently, only one event can be subscribed to. When a basic event is triggered, a message is sent to the topic corresponding to the event. Range N/A
enterprise_project_id	String	Definition Enterprise project ID. Range N/A
rotation_func_urn	String	Definition URN of the FunctionGraph function Range N/A
domain_id	String	Definition ID of the tenant to which the secret belongs. Range N/A
replica_type	String	Definition Multi-region secret type Range STANDALONE: There is no multi-region replica for the current secret. PRIMARY: There are multi-region replicas for the current secret. This secret is the primary one. REPLICA: There are multi-region replicas for the current secret. This secret is the replica one.
replicas	Array of Replica objects	Definition Replica secret information. Range N/A

**Table 6** Replica
Parameter	Type	Description
id	String	Definition Secret ID Range N/A
kms_key_id	String	Definition ID of the KMS key used to encrypt secret values Range N/A
project_id	String	Definition ID of the project to which the secret belongs Range N/A
region	String	Definition Name of the region to which the secret belongs Range N/A
replica_type	String	Definition Multi-region secret type Range PRIMARY: primary secret REPLICA: replica secret
status	String	Definition Replica secret synchronization status Range IN_PROGRESS: The replica secret is to be synchronized. IN_SYNC: The replica secret is synchronized with the primary secret. FAILED: The replica secret fails to be synchronized with the primary secret.
created_at	Long	Definition Creation timestamp. Range N/A
updated_at	Long	Definition Update timestamp. Range N/A

Example Requests

Upload the secret backup file.

{
  "secret_blob" : ")CloudSecretManagementBackupV1.comeyJraWQiOiI5ZjNlZmRjNS0zZjVlLTRiZWQtYThkMS05NjE2ZTUwNDQzYWIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.CtrOcFMSeW_qMdQjgKzNaWtC6hkSTdjOSMSr2IOKNa8OpbJH8rOaCt9l4LYLHKw8CF70YLWOODgaYrLiWuHgdR-O9hlALkT6CbXxJ-Cbmf6qpJF61kXKHX4TBe6-oV8t4PaPaSDDR_oeyt4Xl2EOOlHxs9PnU1st9Fkd7wOHNa4ueM16Ze5ICEdQK3cN1hnelid0zlb1qq58KhsSroNeI8B5RnoYDB-0eiFWD0XWJLppgkLnewXpuPLmLN_c558yUQ0u0VoUyBGB6EFePPbbT-Z1_LUCSRyiP9Y2S0Vz5jzzeabWZ4vZkW8JX57Wc-onHplUpsUUpIqcdHLjp40NEQ.VtA6Sg--jeA1QavYxY9z7Q.Mr6dLyontoJCaDaRFMAYg_qUdEPzd-aIIrCHWH7wvYayNpSFUjR5QJd3XPpGGy93y22jN-DoHZHclgMeureQwKq39QQF0xIdRqhOR2Lxy69PkgRaNtpz7ikLOlsbjh1wd7mbSmyolsK_0t1X9OlvOSmUMjxUXpXLzqLXxPY0R_MUxEanHb3V_vsLArF9sN1X7Km-fdUKXTV1EzVUq1eC5aSYqg3rGkLHPHG6lPXOetPWNsVCE1bX0Voh0XnlyFLSSoYzX45l04hR8JXgcP42FXfD7GugcNi7jTKuvxu4l2Q2v7wnk"
}

Example Responses

Status code: 200

Request succeeded.

{
  "secret" : {
    "id" : "bb6a3d22-dc93-47ac-b5bd-88df7ad35f1e",
    "name" : "test",
    "state" : "ENABLED",
    "kms_key_id" : "b168fe00ff56492495a7d22974df2d0b",
    "description" : "description",
    "create_time" : 1581507580000,
    "update_time" : 1581507580000,
    "scheduled_delete_time" : 1581507580000
  }
}