Help Center/ Data Encryption Workshop/ User Guide/ Cloud Secret Management Service/ Creating a Secret
Updated on 2025-07-30 GMT+08:00
View PDF
Share

Creating a Secret

When you create a secret on CSMS for secret hosting, the secret value will be stored in the original secret version, which is marked as SYSCURRENT.

Secret value, the detailed content of a secret, is used to verify user identity or authorization during authentication. It can be of various forms, depending on the used authentication mechanism. Typical secret values include:
  • Username and password: A username is the identity of a user, and a password is the key secret value for user identity authentication.
  • Digital certificate: The public key and identity, which are the secret values of a certificate, are used to verify the identity of a user or device.
  • Key pair: The private key, which is the secret value, is used for signature and decryption.
  • Token: A token is a temporary secret value used for identity authentication.
  • Biometric recognition information: Biometric feature data, such as fingerprint, facial recognition, and iris recognition, is the secret value.
  • One-time password (OTP): An OTP generated via SMS, email, or a certain application is the secret value.

Constraints

  • At most 500 secrets can be created on CSMS.
  • A secret can be no larger than 64 KB.
  • By default, the default key csms/default created by CSMS is used as the encryption key of the current secret. You can also create a user-defined symmetric key and use a user-defined encryption key on the KMS console.
  • RDS secrets support MySQL, PostgreSQL, SQLServer, MariaDB, and TaurusDB engines.
  • TaurusDB is supported for TaurusDB secrets.
  • When the rotation function is enabled for the first time, CSMS automatically creates an agency for the user in the current project of the region after the user confirms the authorization. Therefore, users need to ensure that the account has the following IAM permissions: iam:permissions:grantRoleToAgencyOnProject, iam:agencies:listAgencies, iam:roles:listRoles, iam:agencies:createAgency, iam:permissions:checkRoleForAgencyOnProject and iam:roles:createRole.

    The agency to be created varies depending on the type of the secret to be rotated.

    • RDS secret
      • Create an agency named CSMSAccessFunctionGraph with account named op_svc_kms and permission named CSMSAccessFunctionGraph. The agency uses a project-level service policy, which includes the functiongraph:function:invoke permission for FunctionGraph.
      • Create an agency named FunctionGraphAgencyForRotateRDSByCSMSV3. The cloud service is FunctionGraph, and the permission name is FunctionGraphAgencyForRotateRDSByCSMSV3. The project-level service policy is used, including:
        • CSMS permissions: csms:secret:getVersion, csms:secret:listVersion, csms:secret:createVersion, csms:secret:getStage, csms:secret:get and csms:secret:updateStage.
        • VPC permissions: vpc:ports:create, vpc:vpcs:get, vpc:ports:get, vpc:ports:delete and vpc:subnets:get.
        • KMS permissions: kms:cmk:createDataKey and kms:cmk:decryptDataKey.
        • RDS permission: rds:password:update
    • TaurusDB secret
      • Create an agency named CSMSAccessFunctionGraph with account op_svc_kms and permission CSMSAccessFunctionGraph. The agency uses a project-level service policy, including the functiongraph:function:invoke permission for FunctionGraph to synchronously execute functions.
      • Create an agency named FunctionGraphAgencyForRotateGaussDBByCSMSV3. The cloud service is FunctionGraph, and the permission name is FunctionGraphAgencyForRotateGaussDBByCSMSV3. The project-level service policy is used, including:
        • CSMS permissions: csms:secretVersion:get, csms:secretVersion:list, csms:secretVersion:create, csms:secretStage:get, csms:secret:get and csms:secretStage:update.
        • VPC permissions: vpc:ports:create, vpc:vpcs:get, vpc:ports:get, vpc:ports:delete and vpc:subnets:get.
        • KMS permissions: kms:dek:create and kms:dek:decrypt.
        • TaurusDB permission: gaussdb:user:modify

Creating a Secret

CSMS allows you to create a shared secret or a rotated secret as required.

  1. Log in to the DEW console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets.
  4. Click Create Secret. Configure parameters in the Create Secret dialog box, as shown in Figure 1. For details about the parameters, see Table 1.

    Figure 1 Creating a Secret


    Table 1 Secret parameters

    Parameter

    Description

    Type

    Secret type. The default value is Shared secret. You can select Shared secret or Rotated secret. For details, see Overview.

    Secret Name

    Secret name

    NOTE:

    Only letters, digits, periods (.), hyphens (-), and underscores (_) are allowed.

    Enterprise Project

    This parameter is provided for enterprise users. If you are an enterprise user and have created an enterprise project, select the required enterprise project from the drop-down list. The default project is default.

    NOTE:

    If you have not enabled enterprise management, this parameter will not be displayed.

    Secret Value

    Secret key/value pair or the plaintext secret to be encrypted

    Secret value, the detailed content of a secret, is used to verify user identity or authorization during authentication. It can be of various forms, depending on the used authentication mechanism. Typical secret values include:
    • Username and password: A username is the identity of a user, and a password is the key secret value for user identity authentication.
    • Digital certificate: The public key and identity, which are the secret values of a certificate, are used to verify the identity of a user or device.
    • Key pair: The private key, which is the secret value, is used for signature and decryption.
    • Token: A token is a temporary secret value used for identity authentication.
    • Biometric recognition information: Biometric feature data, such as fingerprint, facial recognition, and iris recognition, is the secret value.
    • One-time password (OTP): An OTP generated via SMS, email, or a certain application is the secret value.

    KMS Encryption Key
    The following modes are supported:
    • Select from list: Select this if you want to use the key used or shared by the current account. Select the default key csms/default or a custom key created on KMS.
    • Enter: Enter the ID of the authorized key. Enter an encryption key if an authorized key is used. Only symmetric algorithm key IDs are supported. Do not enter an asymmetric key ID.
    NOTE:
    • CSMS encrypts secret values using the encryption key provided by KMS. When you use the KMS encryption function, KMS creates a default key csms/default for you to use.
    • For details about how to create a custom key on KMS, see Creating a Key.
    • After a grant is created, you can switch to the manual input mode, and enter the key ID to use the granted key for encryption. For details, see Creating a Grant for a Custom Key.

    Advanced settings
    • Associated events

      Select an associated event for the secret. You can check information such as secret rotation and version expiration.

    • Description

      Description of a secret

    • Tag

      You can add tags to a secret as you need.

      NOTE:

      You can add at most 20 tags to a secret.

  5. Click Next.
  6. Click Next and confirm the creation information.
  7. Click OK. In the secret list, you can view the created secrets. The default status of a secret is Enabled.
  1. Log in to the DEW console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets.
  4. Click Create Secret and set Type to Rotated secret.

    Figure 2 Creating a rotated secret

  5. On the displayed Create Secret page, set the parameters. For details about the parameters, see Table 2.

    Table 2 Parameters for rotated secrets

    Parameter

    Description

    Type

    Type of the secret to be rotated. The following secrets are supported:

    • RDS secret
    • TaurusDB secret

    Secret Name

    Secret name

    Enterprise Project

    This parameter is provided for enterprise users. If you are an enterprise user and have created an enterprise project, select the required enterprise project from the drop-down list. The default project is default.

    NOTE:

    If you have not enabled enterprise management, this parameter will not be displayed.

    Database

    This parameter is mandatory if Type is set to RDS rotated secret.

    RDS secrets support MySQL, PostgreSQL, SQLServer, MariaDB, and TaurusDB databases.

    RDS DB Instance

    Select the RDS instance corresponding to the target database type.

    TaurusDB Instance

    If Type is set to Rotated secret > TaurusDB secret, select a TaurusDB instance as needed.

    Click View TaurusDB Instances. You can buy a TaurusDB instance on the displayed console.

    Secret Value
    Account name and password to be encrypted.
    • If Single account is selected, you need to enter an available database account.
    • If Dual account is selected, after you enter an available database account, a cloned account with the same permissions will be created. Select I understand the risks.

    For details, see Rotation Policy.

    KMS Encryption Key
    The following modes are supported:
    • Select from list: Select this if you want to use the key used or shared by the current account. Select the default key csms/default or a custom key created on KMS.
    • Enter: Enter the ID of the authorized key. Enter an encryption key if an authorized key is used. Only symmetric algorithm key IDs are supported. Do not enter an asymmetric key ID.
    NOTE:
    • CSMS encrypts secret values using the encryption key provided by KMS. When you use the KMS encryption function, KMS creates a default key csms/default for you to use.
    • For details about how to create a custom key on KMS, see Creating a Key.
    • After a grant is created, you can switch to the manual input mode, and enter the key ID to use the granted key for encryption. For details, see .

    Advanced settings
    • Associated events

      Select an associated event for the secret. You can check information such as secret rotation and version expiration.

    • Description

      Description of a secret

    • Tag

      You can add tags to a secret as you need.

      NOTE:

      You can add at most 20 tags to a secret.

Related Operations

Viewing Secret Details

This section describes how to check secret names, statuses, and creation time on the CSMS console. The secret status can be Enabled or Pending deletion.

  1. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets.
  2. Check the secret list. For more information, see Table 3.

    Figure 3 Secret list


    Table 3 Secret list parameters

    Parameter

    Description

    Secret Name/ID

    Secret name and ID

    Status

    Status of a secret. The value can be Enabled or Pending deletion.

    Type

    Secret type, including shared secret, RDS DB secret, and TaurusDB secret.

    Associated events

    Bound event notification when the secret was created.

    Creation Time

    Time when the secret is created

    Enterprise Project

    Enterprise project that the secret is to be bound to

  3. Click a secret to view its details, as shown in Figure 4.

    • You can click Edit to modify the encryption key and description of a secret.
    • You can click Refresh to refresh secret information.
      Figure 4 Secret details


Downloading a Secret Backup

To download a secret to a local PC for backup, perform the following steps:

  1. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets.
  2. Locate the target secret in the list and click Download Backup in the Operation column.

    The secret file will be downloaded to the local host and is named Secret name.secretbackup.

Restoring a Secret from a Backup

DEW allows you to restore a secret from backup. After a secret is restored from backup, the secret ID will be changed.

Only secret backup files smaller than 5 MB can be uploaded.

  1. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets.
  2. Click Restore Secret, select a backup file, and click OK.

    Figure 5 Restoring a secret backup


Deleting a Secret

Before deleting a secret, ensure that it is not in use and will not be used.

  • A secret will not be deleted until its scheduled deletion period expires. You can set the period to a value within the range 7 to 30 days. Before the specified deletion date, you can cancel the deletion if you want to use the secret. If the scheduled deletion period of a secret expires, the secret will be deleted and cannot be restored.
  • For details about the billing information about a secret to be deleted, see Are Credentials Scheduled to Be Deleted Billed?.
  • If you delete a secret immediately, you can restore it using the secret backup that you have downloaded in advance. Exercise caution when performing this operation.
  1. In the navigation pane on the left, choose Cloud Secret Management Service > Secrets.
  2. Locate the target secret and click Delete.
  3. On the displayed page, select a deletion mode. If you want to delete the secret in a specific time, set Schedule deletion.

    Figure 6 Setting schedule deletion


  4. Enter DELETE in the confirmation dialog box if deletion verification is disabled and click OK.

    If you have enabled deletion verification, select a verification mode, click Get Code, enter the code, and click OK.

    To disable operation protection, go to the Security Settings page, click Disable next to Operation Protection in the Critical Operations tab, or click Disable Operation Protection on the deletion page.

Parent Topic: Cloud Secret Management Service