Updated on 2025-07-30 GMT+08:00

Creating a Secret

When you create a secret in CSMS for secret hosting, the secret value is stored in the initial secret version, which carries the SYSCURRENT stage label.

A secret value is the content of a secret: what an authentication mechanism checks to verify a user's identity or authorization. Its form depends on the mechanism in use. Typical secret values include:
  • Username and password: The username identifies the user; the password is the secret value that proves that identity.
  • Digital certificate: A certificate binds a public key to an identity and is itself public. The secret value to protect is the corresponding private key, which proves ownership of the certificate to a verifier.
  • Key pair: The private key is the secret value, used for signing and decryption; the public key can be distributed freely.
  • Token: A token is a temporary secret value issued after authentication and presented in place of the original credential.
  • Biometric recognition information: Biometric feature data, such as fingerprint, facial, and iris templates, is the secret value.
  • One-time password (OTP): An OTP delivered by SMS or email, or generated by an authenticator application, is the secret value.

Constraints

  • At most 500 secrets can be created on CSMS.
  • A secret can be no larger than 64 KB.
  • By default, CSMS encrypts secret values with the default key csms/default, which CSMS creates in KMS. You can also create a user-defined symmetric key on the KMS console and select it as the encryption key.
  • RDS secrets support MySQL, PostgreSQL, SQLServer, MariaDB, and TaurusDB engines.
  • TaurusDB secrets support the TaurusDB engine.
  • When rotation is enabled for the first time, CSMS automatically creates an agency for the user in the current project of the region after the user confirms the authorization. The account therefore needs the following IAM permissions: iam:permissions:grantRoleToAgencyOnProject, iam:agencies:listAgencies, iam:roles:listRoles, iam:agencies:createAgency, iam:permissions:checkRoleForAgencyOnProject and iam:roles:createRole.

    The agency to be created varies depending on the type of the secret to be rotated.

    • RDS secret
      • Create an agency named CSMSAccessFunctionGraph with account named op_svc_kms and permission named CSMSAccessFunctionGraph. The agency uses a project-level service policy, which includes the functiongraph:function:invoke permission for FunctionGraph.
      • Create an agency named FunctionGraphAgencyForRotateRDSByCSMSV3. The cloud service is FunctionGraph, and the permission name is FunctionGraphAgencyForRotateRDSByCSMSV3. The project-level service policy is used, including:
        • CSMS permissions: csms:secret:getVersion, csms:secret:listVersion, csms:secret:createVersion, csms:secret:getStage, csms:secret:get and csms:secret:updateStage.
        • VPC permissions: vpc:ports:create, vpc:vpcs:get, vpc:ports:get, vpc:ports:delete and vpc:subnets:get.
        • KMS permissions: kms:cmk:createDataKey and kms:cmk:decryptDataKey.
        • RDS permission: rds:password:update
    • TaurusDB secret
      • Create an agency named CSMSAccessFunctionGraph with account op_svc_kms and permission CSMSAccessFunctionGraph. The agency uses a project-level service policy, including the functiongraph:function:invoke permission for FunctionGraph to synchronously execute functions.
      • Create an agency named FunctionGraphAgencyForRotateGaussDBByCSMSV3. The cloud service is FunctionGraph, and the permission name is FunctionGraphAgencyForRotateGaussDBByCSMSV3. The project-level service policy is used, including:
        • CSMS permissions: csms:secretVersion:get, csms:secretVersion:list, csms:secretVersion:create, csms:secretStage:get, csms:secret:get and csms:secretStage:update.
        • VPC permissions: vpc:ports:create, vpc:vpcs:get, vpc:ports:get, vpc:ports:delete and vpc:subnets:get.
        • KMS permissions: kms:dek:create and kms:dek:decrypt.
        • TaurusDB permission: gaussdb:user:modify
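The permission lists above, gathered into the policy documents the two agencies would carry, together with a pre-check of the operator's own IAM permissions and an audit that flags a rotation-agency policy broader than the documented set. This is an added, offline example and is not code from the page or from CSMS. The policy layout ("Version": "1.1", "Statement", "Effect", "Action") is assumed from the Huawei Cloud IAM custom-policy format, and the function names are chosen for this example.

```python
"""Assemble the project-level policies the page lists for the CSMS rotation agencies,
pre-check an operator's IAM permissions before enabling rotation for the first time,
and audit an existing agency policy for actions beyond the documented set.
Added example; not CSMS code. The policy layout is assumed from the Huawei Cloud IAM
custom-policy format."""
import json

# IAM permissions the operator needs so CSMS can create the agencies (listed on the page).
OPERATOR_IAM_PERMISSIONS = frozenset({
    "iam:permissions:grantRoleToAgencyOnProject",
    "iam:agencies:listAgencies",
    "iam:roles:listRoles",
    "iam:agencies:createAgency",
    "iam:permissions:checkRoleForAgencyOnProject",
    "iam:roles:createRole",
})

# Action granted to the CSMSAccessFunctionGraph agency (account op_svc_kms): invoke the rotation function.
CSMS_ACCESS_ACTIONS = ("functiongraph:function:invoke",)

# Actions granted to the FunctionGraph agency that performs the rotation, per secret type (from the page).
ROTATION_AGENCIES = {
    "rds": ("FunctionGraphAgencyForRotateRDSByCSMSV3", (
        "csms:secret:getVersion", "csms:secret:listVersion", "csms:secret:createVersion",
        "csms:secret:getStage", "csms:secret:get", "csms:secret:updateStage",
        "vpc:ports:create", "vpc:vpcs:get", "vpc:ports:get", "vpc:ports:delete", "vpc:subnets:get",
        "kms:cmk:createDataKey", "kms:cmk:decryptDataKey",
        "rds:password:update",
    )),
    "taurusdb": ("FunctionGraphAgencyForRotateGaussDBByCSMSV3", (
        "csms:secretVersion:get", "csms:secretVersion:list", "csms:secretVersion:create",
        "csms:secretStage:get", "csms:secret:get", "csms:secretStage:update",
        "vpc:ports:create", "vpc:vpcs:get", "vpc:ports:get", "vpc:ports:delete", "vpc:subnets:get",
        "kms:dek:create", "kms:dek:decrypt",
        "gaussdb:user:modify",
    )),
}


def missing_operator_permissions(granted):
    """Return the IAM permissions the operator still lacks (an empty list means ready)."""
    return sorted(OPERATOR_IAM_PERMISSIONS - set(granted))


def allow_policy(actions):
    """Wrap an action list in a single-statement Allow policy (assumed IAM policy layout)."""
    return {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": list(actions)}]}


def agency_policies(secret_type):
    """Return {agency_name: policy} for both agencies CSMS creates for the given secret type."""
    name, actions = ROTATION_AGENCIES[secret_type]
    return {"CSMSAccessFunctionGraph": allow_policy(CSMS_ACCESS_ACTIONS), name: allow_policy(actions)}


def excess_actions(policy, secret_type):
    """Audit a rotation-agency policy: list wildcard or undocumented Allow actions.

    A policy broader than the documented list (for example 'csms:*:*') would let the
    rotation function read or rewrite secrets other than the one it rotates.
    """
    _, documented = ROTATION_AGENCIES[secret_type]
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            allowed.update(stmt.get("Action", []))
    return sorted(a for a in allowed if "*" in a or a not in documented)


if __name__ == "__main__":
    print(json.dumps(agency_policies("rds"), indent=2))
    print(missing_operator_permissions(["iam:agencies:listAgencies"]))
```

Run the pre-check with the permission list from your own IAM user before clicking the rotation switch; an empty result means CSMS can create both agencies. Run excess_actions against the agency policy after creation (or after anyone edits it) to confirm it has not grown beyond the documented actions.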

Creating a Secret

CSMS allows you to create a shared secret or a rotated secret as required.

To create a shared secret:

  1. Log in to the DEW console.
  2. Click the region selector in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets.
  4. Click Create Secret. Configure parameters in the Create Secret dialog box, as shown in Figure 1. For details about the parameters, see Table 1.

    Figure 1 Creating a Secret


    Table 1 Secret parameters

    Parameter

    Description

    Type

    Secret type. The default value is Shared secret. You can select Shared secret or Rotated secret. For details, see Overview.

    Secret Name

    Secret name

    NOTE:

    Only letters, digits, periods (.), hyphens (-), and underscores (_) are allowed.

    Enterprise Project

    This parameter is provided for enterprise users. If you are an enterprise user and have created an enterprise project, select the required enterprise project from the drop-down list. The default project is default.

    NOTE:

    If you have not enabled enterprise management, this parameter will not be displayed.

    Secret Value

    Secret key/value pair or the plaintext secret to be encrypted. Typical forms of secret value are listed at the beginning of this page.

    KMS Encryption Key

    The following modes are supported:
    • Select from list: Use a key owned by or shared with the current account. Select the default key csms/default or a custom key created on KMS.
    • Enter: Enter the ID of a key that has been granted to you. Only symmetric key IDs are supported; do not enter an asymmetric key ID.
    NOTE:
    • CSMS encrypts secret values using the encryption key provided by KMS. When you use the KMS encryption function, KMS creates a default key csms/default for you to use.
    • For details about how to create a custom key on KMS, see Creating a Key.
    • After a grant is created, you can switch to the manual input mode, and enter the key ID to use the granted key for encryption. For details, see Creating a Grant for a Custom Key.

    Advanced settings

    • Associated events

      Associate an event with the secret so that you are notified of occurrences such as secret rotation and version expiration.

    • Description

      Description of a secret

    • Tag

      You can add tags to a secret as you need.

      NOTE:

      You can add at most 20 tags to a secret.

  5. Click Next.
  6. Click Next and confirm the creation information.
  7. Click OK. In the secret list, you can view the created secrets. The default status of a secret is Enabled.
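The checks a script would run before submitting the request described in steps 1 to 7, followed by a small in-memory model of how the initial version receives the SYSCURRENT stage and how a later version moves it. This is an added example and is not the CSMS API or SDK. Assumed rather than taken from the page: the request field names (name, secret_string, kms_key_id, tags), that a custom or granted KMS key ID has UUID form, and that adding a version moves SYSCURRENT to the new version and SYSPREVIOUS to the one before it.

```python
"""Check a Create Secret request against the limits this page states, then model how
versions and the SYSCURRENT stage behave. Added example: not CSMS code. Field names,
UUID-shaped key IDs and the SYSPREVIOUS behaviour are assumptions."""
import json
import re
import uuid

MAX_SECRETS = 500               # per the Constraints section
MAX_SECRET_BYTES = 64 * 1024    # a secret can be no larger than 64 KB
MAX_TAGS = 20                   # at most 20 tags per secret
DEFAULT_KEY = "csms/default"    # default KMS key alias CSMS uses
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")  # letters, digits, periods, hyphens, underscores


def pack_key_value(pairs):
    """Serialize a key/value secret (for example database credentials) as compact JSON."""
    return json.dumps(pairs, separators=(",", ":"), sort_keys=True)


class SecretStore:
    """In-memory stand-in for a CSMS project: validates requests and tracks version stages."""

    def __init__(self):
        self._secrets = {}

    def validate(self, name, secret_string, kms_key_id=DEFAULT_KEY, tags=None):
        """Return a list of constraint violations; an empty list means the request is acceptable."""
        errors = []
        if not name or not NAME_RE.fullmatch(name):
            errors.append("name: only letters, digits, periods, hyphens and underscores are allowed")
        if len(secret_string.encode("utf-8")) > MAX_SECRET_BYTES:
            errors.append(f"secret value exceeds {MAX_SECRET_BYTES} bytes")
        if tags and len(tags) > MAX_TAGS:
            errors.append(f"at most {MAX_TAGS} tags are allowed")
        if kms_key_id != DEFAULT_KEY:
            try:
                uuid.UUID(kms_key_id)  # assumption: custom/granted key IDs are UUIDs, never aliases
            except ValueError:
                errors.append("kms_key_id must be the ID of a symmetric KMS key, not an alias")
        if name not in self._secrets and len(self._secrets) >= MAX_SECRETS:
            errors.append(f"project already holds {MAX_SECRETS} secrets")
        return errors

    def create_secret(self, name, secret_string, kms_key_id=DEFAULT_KEY, tags=None):
        """Create the secret; its first version carries SYSCURRENT. Returns the version id."""
        errors = self.validate(name, secret_string, kms_key_id, tags)
        if errors:
            raise ValueError("; ".join(errors))
        if name in self._secrets:
            raise ValueError(f"secret {name!r} already exists")
        self._secrets[name] = {
            "kms_key_id": kms_key_id,
            "tags": dict(tags or {}),
            "versions": {"v1": secret_string},
            "stages": {"SYSCURRENT": "v1"},
        }
        return "v1"

    def put_version(self, name, secret_string):
        """Add a version (what a rotation does) and move the stage labels. Returns the new version id."""
        sec = self._secrets[name]
        if len(secret_string.encode("utf-8")) > MAX_SECRET_BYTES:
            raise ValueError(f"secret value exceeds {MAX_SECRET_BYTES} bytes")
        vid = f"v{len(sec['versions']) + 1}"
        sec["versions"][vid] = secret_string
        sec["stages"]["SYSPREVIOUS"] = sec["stages"]["SYSCURRENT"]  # assumed stage behaviour
        sec["stages"]["SYSCURRENT"] = vid
        return vid

    def get_value(self, name, stage="SYSCURRENT"):
        """Read by stage rather than by version id so consumers pick up rotated values automatically."""
        sec = self._secrets[name]
        return sec["versions"][sec["stages"][stage]]


if __name__ == "__main__":
    store = SecretStore()
    # Constructed sample credential for the demo; not a real account.
    store.create_secret("app-db.prod", pack_key_value({"username": "app", "password": "example-only"}))
    store.put_version("app-db.prod", pack_key_value({"username": "app", "password": "rotated-example"}))
    print(json.loads(store.get_value("app-db.prod"))["password"])
```

The point of get_value reading by stage is that application code should resolve SYSCURRENT at fetch time and never pin a version id; otherwise a rotation leaves the application holding a credential that the next rotation invalidates.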

To create a rotated secret:

  1. Log in to the DEW console.
  2. Click the region selector in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets.
  4. Click Create Secret and set Type to Rotated secret.

    Figure 2 Creating a rotated secret

  5. On the displayed Create Secret page, set the parameters. For details about the parameters, see Table 2.

    Table 2 Parameters for rotated secrets

    Parameter

    Description

    Type

    Type of the secret to be rotated. The following secrets are supported:

    • RDS secret
    • TaurusDB secret

    Secret Name

    Secret name

    Enterprise Project

    This parameter is provided for enterprise users. If you are an enterprise user and have created an enterprise project, select the required enterprise project from the drop-down list. The default project is default.

    NOTE:

    If you have not enabled enterprise management, this parameter will not be displayed.

    Database

    This parameter is mandatory if Type is set to RDS secret.

    RDS secrets support MySQL, PostgreSQL, SQLServer, MariaDB, and TaurusDB databases.

    RDS DB Instance

    Select the RDS instance corresponding to the target database type.

    TaurusDB Instance

    If Type is set to Rotated secret > TaurusDB secret, select a TaurusDB instance as needed.

    Click View TaurusDB Instances. You can buy a TaurusDB instance on the displayed console.

    Secret Value

    Account name and password to be encrypted.
    • If Single account is selected, enter an available database account.
    • If Dual account is selected, enter an available database account; a cloned account with the same permissions is then created for rotation. Because the clone carries the same privileges as the original, it needs the same review and monitoring as the original account. Select I understand the risks.

    For details, see Rotation Policy.

    KMS Encryption Key

    The following modes are supported:
    • Select from list: Use a key owned by or shared with the current account. Select the default key csms/default or a custom key created on KMS.
    • Enter: Enter the ID of a key that has been granted to you. Only symmetric key IDs are supported; do not enter an asymmetric key ID.
    NOTE:
    • CSMS encrypts secret values using the encryption key provided by KMS. When you use the KMS encryption function, KMS creates a default key csms/default for you to use.
    • For details about how to create a custom key on KMS, see Creating a Key.
    • After a grant is created, you can switch to the manual input mode, and enter the key ID to use the granted key for encryption. For details, see Creating a Grant for a Custom Key.

    Advanced settings

    • Associated events

      Associate an event with the secret so that you are notified of occurrences such as secret rotation and version expiration.

    • Description

      Description of a secret

    • Tag

      You can add tags to a secret as you need.

      NOTE:

      You can add at most 20 tags to a secret.

Related Operations