GetSecretValue
Retrieves the contents of the encrypted fields SecretString
or
SecretBinary
from the specified version of a secret, whichever contains
content.
Minimum permissions
To run this command, you must have the following permissions:
-
secretsmanager:GetSecretValue
-
kms:Decrypt - required only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.
Related operations
-
To create a new version of the secret with different encrypted information, use PutSecretValue.
-
To retrieve the non-encrypted details for the secret, use DescribeSecret.
Request Syntax
{ "SecretId": "
string
", "VersionId": "string
", "VersionStage": "string
" }
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- SecretId
-
Specifies the secret containing the version that you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
Note
If you specify an ARN, we generally recommend that you specify a complete ARN. You can specify a partial ARN too—for example, if you don’t include the final hyphen and six random characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN match can work as long as it uniquely matches only one secret. However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results. To avoid this situation, we recommend that you don’t create secret names that end with a hyphen followed by six characters.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: Yes
- VersionId
-
Specifies the unique identifier of the version of the secret that you want to retrieve. If you specify this parameter then don't specify
VersionStage
. If you don't specify either aVersionStage
orVersionId
then the default is to perform the operation on the version with theVersionStage
value ofAWSCURRENT
.This value is typically a UUID-type value with 32 hexadecimal digits.
Type: String
Length Constraints: Minimum length of 32. Maximum length of 64.
Required: No
- VersionStage
-
Specifies the secret version that you want to retrieve by the staging label attached to the version.
Staging labels are used to keep track of different versions during the rotation process. If you use this parameter then don't specify
VersionId
. If you don't specify either aVersionStage
orVersionId
, then the default is to perform the operation on the version with theVersionStage
value ofAWSCURRENT
.Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Required: No
Response Syntax
{ "ARN": "string", "CreatedDate": number, "Name": "string", "SecretBinary": blob, "SecretString": "string", "VersionId": "string", "VersionStages": [ "string" ] }
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- ARN
-
The ARN of the secret.
Type: String
Length Constraints: Minimum length of 20. Maximum length of 2048.
- CreatedDate
-
The date and time that this version of the secret was created.
Type: Timestamp
- Name
-
The friendly name of the secret.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
- SecretBinary
-
The decrypted part of the protected secret information that was originally provided as binary data in the form of a byte array. The response parameter represents the binary data as a base64-encoded string.
This parameter is not used if the secret is created by the Secrets Manager console.
If you store custom information in this field of the secret, then you must code your Lambda rotation function to parse and interpret whatever you store in the
SecretString
orSecretBinary
fields.Type: Base64-encoded binary data object
Length Constraints: Minimum length of 0. Maximum length of 4096.
- SecretString
-
The decrypted part of the protected secret information that was originally provided as a string.
If you create this secret by using the Secrets Manager console then only the
SecretString
parameter contains data. Secrets Manager stores the information as a JSON structure of key/value pairs that the Lambda rotation function knows how to parse.If you store custom information in the secret by using the CreateSecret, UpdateSecret, or PutSecretValue API operations instead of the Secrets Manager console, or by using the Other secret type in the console, then you must code your Lambda rotation function to parse and interpret those values.
Type: String
Length Constraints: Minimum length of 0. Maximum length of 4096.
- VersionId
-
The unique identifier of this version of the secret.
Type: String
Length Constraints: Minimum length of 32. Maximum length of 64.
- VersionStages
-
A list of all of the staging labels currently attached to this version of the secret.
Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 20 items.
Length Constraints: Minimum length of 1. Maximum length of 256.
Errors
For information about the errors that are common to all actions, see Common Errors.
- DecryptionFailure
-
Secrets Manager can't decrypt the protected secret text using the provided KMS key.
HTTP Status Code: 400
- InternalServiceError
-
An error occurred on the server side.
HTTP Status Code: 500
- InvalidParameterException
-
You provided an invalid value for a parameter.
HTTP Status Code: 400
- InvalidRequestException
-
You provided a parameter value that is not valid for the current state of the resource.
Possible causes:
-
You tried to perform the operation on a secret that's currently marked deleted.
-
You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.
HTTP Status Code: 400
-
- ResourceNotFoundException
-
We can't find the resource that you asked for.
HTTP Status Code: 400
Example
The following example shows how to retrieve the secret string value from the version
of the secret that has the AWSPREVIOUS
staging label attached. If you want to retrieve
the AWSCURRENT
version of the secret, then omit the VersionStage
parameter
because it defaults to AWSCURRENT
. The JSON request string input and response output are shown formatted
with white space and line breaks for better readability. Submit your input as a single
line
JSON string.
Sample Request
POST / HTTP/1.1 Host: secretsmanager.region.domain Accept-Encoding: identity X-Amz-Target: secretsmanager.GetSecretValue Content-Type: application/x-amz-json-1.1 User-Agent: <user-agent-string> X-Amz-Date: <date> Authorization: AWS4-HMAC-SHA256 Credential=<credentials>,SignedHeaders=<headers>, Signature=<signature> Content-Length: <payload-size-bytes> { "SecretId": "MyTestDatabaseSecret", "VersionStage": "AWSPREVIOUS" }
Sample Response
HTTP/1.1 200 OK Date: <date> Content-Type: application/x-amz-json-1.1 Content-Length: <response-size-bytes> Connection: keep-alive x-amzn-RequestId: <request-id-guid> { "ARN":"arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3", "CreatedDate":1.523477145713E9, "Name":"MyTestDatabaseSecret", "SecretString":"{\n \"username\":\"david\",\n \"password\":\"BnQw&XDWgaEeT9XGTT29\"\n}\n", "VersionId":"EXAMPLE1-90ab-cdef-fedc-ba987SECRET1", "VersionStages":["AWSPREVIOUS"] }
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: