getSecretValue method
Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.
Minimum permissions
To run this command, you must have the following permissions:
- secretsmanager:GetSecretValue
- kms:Decrypt - required only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.
Related operations
- To create a new version of the secret with different encrypted information, use PutSecretValue.
- To retrieve the non-encrypted details for the secret, use DescribeSecret.
May throw ResourceNotFoundException. May throw InvalidParameterException. May throw InvalidRequestException. May throw DecryptionFailure. May throw InternalServiceError.
Parameter secretId:
Specifies the secret containing the version that you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
If you specify an incomplete ARN without the random suffix, and instead provide the 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.
Parameter versionId:
Specifies the unique identifier of the version of the secret that you want to retrieve. If you specify this parameter then don't specify VersionStage. If you don't specify either a VersionStage or VersionId then the default is to perform the operation on the version with the VersionStage value of AWSCURRENT.
This value is typically a UUID-type value with 32 hexadecimal digits.
Parameter versionStage:
Specifies the secret version that you want to retrieve by the staging label attached to the version.
Staging labels are used to keep track of different versions during the rotation process. If you use this parameter then don't specify VersionId. If you don't specify either a VersionStage or VersionId, then the default is to perform the operation on the version with the VersionStage value of AWSCURRENT.
Implementation
Future<GetSecretValueResponse> getSecretValue({
  required String secretId,
  String? versionId,
  String? versionStage,
}) async {
  ArgumentError.checkNotNull(secretId, 'secretId');
  _s.validateStringLength(
    'secretId',
    secretId,
    1,
    2048,
    isRequired: true,
  );
  _s.validateStringLength(
    'versionId',
    versionId,
    32,
    64,
  );
  _s.validateStringLength(
    'versionStage',
    versionStage,
    1,
    256,
  );
  final headers = <String, String>{
    'Content-Type': 'application/x-amz-json-1.1',
    'X-Amz-Target': 'secretsmanager.GetSecretValue'
  };
  final jsonResponse = await _protocol.send(
    method: 'POST',
    requestUri: '/',
    exceptionFnMap: _exceptionFns,
    // TODO queryParams
    headers: headers,
    payload: {
      'SecretId': secretId,
      if (versionId != null) 'VersionId': versionId,
      if (versionStage != null) 'VersionStage': versionStage,
    },
  );
  return GetSecretValueResponse.fromJson(jsonResponse.body);
}
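The implementation above checks only string lengths and puts both VersionId and VersionStage in the payload when both are set, although the parameter notes say to specify only one. The following is an added example, not code from the SDK or from this page: a caller-side wrapper that rejects that combination before any request is sent and returns whichever of SecretString or SecretBinary has content. SecretPayload, Fetch, readSecretBytes and the fake backend are hypothetical names and constructed sample data, used so the example runs without the SDK or network access.

```dart
import 'dart:convert';
import 'dart:typed_data';

// Stand-in for the two payload fields of GetSecretValueResponse
// (assumed shape for this example, so it runs without the SDK).
class SecretPayload {
  final String? secretString;
  final Uint8List? secretBinary;
  const SecretPayload({this.secretString, this.secretBinary});
}

// Same named parameters as getSecretValue on this page.
typedef Fetch = Future<SecretPayload> Function(
    {required String secretId, String? versionId, String? versionStage});

// Hypothetical wrapper: enforces "VersionId or VersionStage, not both"
// before any request is sent, then returns whichever field has content.
Future<Uint8List> readSecretBytes(Fetch fetch, String secretId,
    {String? versionId, String? versionStage}) async {
  if (versionId != null && versionStage != null) {
    throw ArgumentError('specify versionId or versionStage, not both');
  }
  final r = await fetch(
      secretId: secretId, versionId: versionId, versionStage: versionStage);
  final text = r.secretString;
  final bytes = r.secretBinary;
  if (text != null) return Uint8List.fromList(utf8.encode(text));
  if (bytes != null) return bytes;
  throw StateError('secret version has neither SecretString nor SecretBinary');
}

Future<void> main() async {
  var requests = 0;
  // Constructed fake backend; a real caller would forward to getSecretValue.
  Future<SecretPayload> fake(
      {required String secretId, String? versionId, String? versionStage}) async {
    requests++;
    return const SecretPayload(secretString: '{"user":"app","pw":"example"}');
  }
  final value = await readSecretBytes(fake, 'prod/db'); // AWSCURRENT by default
  print('fetched ${value.length} bytes'); // log the size, never the value
  try {
    await readSecretBytes(fake, 'prod/db',
        versionId: 'a' * 32, versionStage: 'AWSPREVIOUS');
  } on ArgumentError catch (e) {
    print('rejected before sending: ${e.message} (requests sent: $requests)');
  }
}
```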