| Product | Abbreviation in CAM | Console | Authorization by Tag | Authorization Granularity | IP Restriction |
|---|---|---|---|---|---|
| Secrets Manager | ssm | Supported | Supported | Resource level | Supported |

Note:
The authorization granularity of cloud products is divided into three levels, from coarsest to finest: service level, operation level, and resource level.
- Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For cloud products authorized at the service level, authorization of specific APIs is not supported.
- Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
- Resource level: It is the finest authorization granularity and defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.

The Secrets Manager APIs support two authorization granularity levels: resource level and operation level.

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| CreateAccessKeySecret | Create AccessKey Secret | Resource level | qcs::ssm::uin/${uin}:secret/* | Supported |
| CreateProductSecret | Create Product Secret | Resource level | qcs::ssm::uin/${uin}:secret/* | Supported |
| CreateSSHKeyPairSecret | Create SSH Key Pair Secret | Resource level | qcs::ssm::uin/${uin}:secret/* | Supported |
| CreateSecret | Create secret | Resource level | qcs::ssm::uin/${uin}:secret/* | Supported |
| DeleteSecret | Delete secret information | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| DeleteSecretVersion | Delete secret for a specified version | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| DisableSecret | Disable secret | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| EnableSecret | Enable secret | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| PutSecretValue | Add new version secret | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| RestoreSecret | Recover secret from scheduled deletion | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| RotateProductSecret | Rotate Product Secret | Resource level | qcs::ssm::uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| UpdateDescription | Update secret Description | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| UpdateRotationStatus | Update Rotation Status | Resource level | qcs::ssm::uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| UpdateSecret | Update secret content | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| DescribeAccessKeyRotateResult | Describe AccessKey Rotate Result | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| DescribeAsyncRequestInfo | Describe Async Request Info | Operation level | * | Supported |
| DescribeRotationDetail | Describe Product Secret Rotation Detail | Resource level | qcs::ssm::uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| DescribeRotationHistory | Describe Product Secret Rotation History | Resource level | qcs::ssm::uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| DescribeSecret | Get secret details | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| DescribeSupportedProducts | Describe Supported Products | Operation level | * | Supported |
| GetSSHKeyPairValue | Get SSH Key Pair Value | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| GetSecretValue | Get plain text of secret | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| GetServiceStatus | Get service status | Operation level | * | Supported |
| ListSecretVersionIds | Get version list information under specified secret | Resource level | qcs::ssm:${region}:uin/${uin}:secret/creatorUin/$creatorUin/$secretName | Supported |
| ListSecrets | Get list of secret details | Operation level | * | Supported |

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| DescribeResourceIds | Describe ResourceIds | Operation level | * | Supported |
| GetRegions | Get region display list in console | Operation level | * | Supported |
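
An added example (not part of the original documentation): a small Python check that uses the operation-level APIs listed in the tables above to flag CAM policy statements that allow a resource-level Secrets Manager API on `*` instead of a six-segment resource description. The policy, UIN, region and secret name are constructed placeholders; any API not in the operation-level list is treated conservatively as resource level.

```python
import json

# Operation-level APIs per the tables on this page: they only accept resource "*".
OPERATION_LEVEL = {
    "DescribeAsyncRequestInfo", "DescribeSupportedProducts", "GetServiceStatus",
    "ListSecrets", "DescribeResourceIds", "GetRegions",
}

# Constructed sample policy; UIN, region and secret name are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"effect": "allow",
     "action": ["ssm:GetSecretValue", "ssm:DescribeSecret"],
     "resource": ["qcs::ssm:ap-guangzhou:uin/100000000001:secret/creatorUin/100000000001/db-password"]},
    {"effect": "allow",
     "action": ["ssm:ListSecrets"],
     "resource": ["*"]},
    {"effect": "allow",
     "action": ["ssm:DeleteSecret", "name/ssm:GetServiceStatus", "ssm:Get*"],
     "resource": "*"}
  ]
}
""")


def _as_list(value):
    # CAM accepts either a single string or a list for action/resource.
    return value if isinstance(value, list) else [value]


def find_unscoped_grants(policy):
    """Return (statement index, action) pairs that allow a resource-level
    ssm API, or a wildcard that covers one, on resource "*"."""
    findings = []
    for index, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow" or "*" not in _as_list(stmt.get("resource", [])):
            continue
        for action in _as_list(stmt.get("action", [])):
            # Drop an optional "name/" prefix, then split "service:API".
            service, _, api = action.split("/", 1)[-1].rpartition(":")
            if action == "*" or (service == "ssm" and api not in OPERATION_LEVEL):
                findings.append((index, action))
    return findings


if __name__ == "__main__":
    for index, action in find_unscoped_grants(SAMPLE_POLICY):
        print(f"statement {index}: {action} is allowed on every secret")
```

Statements 0 and 1 pass because the first is scoped to one secret and the second only grants an operation-level API; the third is flagged for `ssm:DeleteSecret` and `ssm:Get*`.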