Retrieve a Secret

Fetches the value of a secret from the specified Variable. The latest version will be retrieved unless the version parameter is specified. The twenty most recent secret versions are retained.

The secret data is returned in the response body.

Conjur allows you to add a secret to any resource, but the best practice is to store and retrieve secret data only using Variable resources.
Entity IDs must be URL-encoded.

URI

GET /secrets/{account}/{kind}/{identifier}{?version}

Any identifier included in the URL must be URL-encoded to be recognized by the Conjur API.

Examples

Identifier	URL-Encoded
`myapp-01`	`myapp-01`(no change)
`alice@devops`	`alice%40devops`
`prod/aws/db-password`	`prod%2Faws%2Fdb-password`
`research+development`	`research%2Bdevelopment`
`sales&marketing`	`sales%26marketing`

Example with curl

curl -H "$(conjur authn authenticate -H)" \
    https://eval.conjur.org/secrets/myorg/variable/prod/db/password

Response

Code	Description
200	The secret values was retrieved successfully.
401	The request lacks valid authentication credentials.
403	The authenticated user lacks the necessary privilege.
404	The variable does not exist, or it does not have any secret values.
422	A request parameter was missing or invalid.

Example URI

GET /secrets/myorg/variable/db/password?version=1

URI Parameters

Parameter	Type	Mandatory	Description
account	String	Yes	Organization account name. Example: `myorg`
kind	String	Yes	should be “variable” Example: `variable`
identifier	String	Yes	id of the variable
version	integer	No	version you want to retrieve (Conjur keeps the last 20 versions of a secret) Example: `1`

Response 200

Headers

Content-Type: application/octet-stream

The default setting for Content-type is application/octet-stream. If needed, you can overwrite the Content-type setting. See Variable for more information.

Body

c3c60d3f266074