getSecretValue method

Future<GetSecretValueResponse> getSecretValue({
  required String secretId,
  String? versionId,
  String? versionStage,
})

Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:GetSecretValue
  • kms:Decrypt - required only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.

Related operations

  • To create a new version of the secret with different encrypted information, use PutSecretValue.
  • To retrieve the non-encrypted details for the secret, use DescribeSecret.

May throw ResourceNotFoundException. May throw InvalidParameterException. May throw InvalidRequestException. May throw DecryptionFailure. May throw InternalServiceError.

Parameter secretId : Specifies the secret containing the version that you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

If you specify an incomplete ARN without the random suffix, and instead provide the 'friendly name', you must not include the random suffix. If you do include the random suffix added by Secrets Manager, you receive either a ResourceNotFoundException or an AccessDeniedException error, depending on your permissions.

Parameter versionId : Specifies the unique identifier of the version of the secret that you want to retrieve. If you specify this parameter then don't specify VersionStage. If you don't specify either a VersionStage or VersionId then the default is to perform the operation on the version with the VersionStage value of AWSCURRENT.

This value is typically a UUID-type value with 32 hexadecimal digits.

Parameter versionStage : Specifies the secret version that you want to retrieve by the staging label attached to the version.

Staging labels are used to keep track of different versions during the rotation process. If you use this parameter then don't specify VersionId. If you don't specify either a VersionStage or VersionId, then the default is to perform the operation on the version with the VersionStage value of AWSCURRENT.

Implementation

Future<GetSecretValueResponse> getSecretValue({
  required String secretId,
  String? versionId,
  String? versionStage,
}) async {
  ArgumentError.checkNotNull(secretId, 'secretId');
  _s.validateStringLength(
    'secretId',
    secretId,
    1,
    2048,
    isRequired: true,
  );
  _s.validateStringLength(
    'versionId',
    versionId,
    32,
    64,
  );
  _s.validateStringLength(
    'versionStage',
    versionStage,
    1,
    256,
  );
  final headers = <String, String>{
    'Content-Type': 'application/x-amz-json-1.1',
    'X-Amz-Target': 'secretsmanager.GetSecretValue'
  };
  final jsonResponse = await _protocol.send(
    method: 'POST',
    requestUri: '/',
    exceptionFnMap: _exceptionFns,
    // TODO queryParams
    headers: headers,
    payload: {
      'SecretId': secretId,
      if (versionId != null) 'VersionId': versionId,
      if (versionStage != null) 'VersionStage': versionStage,
    },
  );

  return GetSecretValueResponse.fromJson(jsonResponse.body);
}
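
The implementation above checks the length of each argument but does not reject a call that passes both versionId and versionStage, which the parameter descriptions say not to do. The following added example is not part of the generated client: buildGetSecretValuePayload and _checkLength are hypothetical helpers and the secret name is a constructed sample. It builds the same request payload with the mutual-exclusion check applied first and with the documented AWSCURRENT default written out explicitly.

```dart
// Added example: hypothetical pre-flight helper, not the package's own code.

void _checkLength(String name, String value, int min, int max) {
  if (value.length < min || value.length > max) {
    // Report the length only, so the identifier itself never lands in logs.
    throw ArgumentError.value(value.length, name, 'length must be $min..$max');
  }
}

Map<String, String> buildGetSecretValuePayload({
  required String secretId,
  String? versionId,
  String? versionStage,
}) {
  // The parameter docs say to pass versionId or versionStage, never both.
  if (versionId != null && versionStage != null) {
    throw ArgumentError('Specify either versionId or versionStage, not both');
  }
  // Same bounds as the validateStringLength calls in the implementation.
  _checkLength('secretId', secretId, 1, 2048);
  final payload = <String, String>{'SecretId': secretId};
  if (versionId != null) {
    _checkLength('versionId', versionId, 32, 64);
    payload['VersionId'] = versionId;
  } else {
    // Documented default when neither selector is given: AWSCURRENT.
    final stage = versionStage ?? 'AWSCURRENT';
    _checkLength('versionStage', stage, 1, 256);
    payload['VersionStage'] = stage;
  }
  return payload;
}

void main() {
  const name = 'example/db-password'; // constructed sample secret name
  print(buildGetSecretValuePayload(secretId: name));
  print(buildGetSecretValuePayload(secretId: name, versionStage: 'AWSPREVIOUS'));
  try {
    buildGetSecretValuePayload(
      secretId: name,
      versionId: '0123456789abcdef0123456789abcdef', // constructed 32-char id
      versionStage: 'AWSCURRENT',
    );
  } on ArgumentError catch (e) {
    print('rejected: ${e.message}');
  }
}
```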