Retrieve a secret
Fetches the value of a secret from the specified variable. The latest version will be retrieved unless the version parameter is specified. The twenty most recent secret versions are retained.
The secret data is returned in the response body.
Conjur allows you to add a secret to any resource, but best practice is to store and retrieve secret data only using variable resources.
URI
GET /secrets/{account}/{kind}/{identifier}{?version}
Example URI
GET /secrets/myorg/variable/db/password?version=1
URI Parameters
Parameter | Type | Mandatory | Description |
---|---|---|---|
account | String | Yes | Organization account name. |
kind | String | Yes | Should be “variable”. Example: |
identifier | String | Yes | The ID of the variable. |
version | integer | No | The version you want to retrieve (Conjur keeps the last 20 versions of a secret). Example: |
Any identifier included in the URL must be URL-encoded to be recognized by the Conjur API. For example:
Identifier |
URL-Encoded |
---|---|
|
|
|
|
|
|
|
|
|
|
Example with curl
curl -H "$(conjur authn authenticate -H)" \
https://eval.conjur.org/secrets/myorg/variable/prod/db/password
Response
Code | Description |
---|---|
200 | The secret value was retrieved successfully. A response for an ephemeral secret includes the ID of the secret, the TTL value, and details about the secret, based on the type of issuer and the method used to create the secret. For AWS: |
401 | The request lacks valid authentication credentials. |
403 | The authenticated user lacks the necessary privilege. |
404 | The variable does not exist, or it does not have any secret values. |
422 | A request parameter was missing or invalid. |
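The following is an added example, not taken from the Conjur documentation or code base. It builds the request URI described above so that reserved characters in an identifier cannot alter the path or query, and it maps the documented error codes to their meanings. `secret_url`, `fetch_secret` and the `authorization` parameter are hypothetical names; keeping `/` literal inside the identifier (as in this page's example URIs) and requiring a positive integer version are assumptions.

```python
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

# Meanings copied from the Response table on this page.
STATUS_MEANING = {
    401: "request lacks valid authentication credentials",
    403: "authenticated user lacks the necessary privilege",
    404: "variable does not exist or has no secret values",
    422: "a request parameter was missing or invalid",
}


def secret_url(base_url, account, identifier, version=None, kind="variable"):
    """Build GET /secrets/{account}/{kind}/{identifier}{?version}."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send a secret request over a non-TLS URL")
    if any(seg in ("", ".", "..") for seg in identifier.split("/")):
        raise ValueError("identifier has an empty or dot path segment")
    # Percent-encode every reserved character so '?', '#', '&' or '%' in an
    # identifier cannot change the path or add query parameters. Assumption:
    # '/' inside the identifier stays literal, as in this page's example URIs.
    path = "/".join([quote(account, safe=""), quote(kind, safe=""),
                     quote(identifier, safe="/")])
    url = f"{base_url.rstrip('/')}/secrets/{path}"
    if version is not None:
        # Assumption: versions are positive integers (bool is an int subclass).
        if isinstance(version, bool) or not isinstance(version, int) or version < 1:
            raise ValueError("version must be a positive integer")
        url += "?" + urlencode({"version": version})
    return url


def fetch_secret(url, authorization):
    """Return the secret bytes; `authorization` is the header value the caller
    already obtained (hypothetical parameter, not part of the Conjur API)."""
    req = urllib.request.Request(url, headers={"Authorization": authorization})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()  # body is the raw secret (application/octet-stream)
    except urllib.error.HTTPError as err:
        reason = STATUS_MEANING.get(err.code, "status not documented on this page")
        raise RuntimeError(f"HTTP {err.code}: {reason}") from None


if __name__ == "__main__":
    # Constructed identifiers; host and account come from the page's examples.
    for ident in ("db/password", "alice@devops", "db/password?version=9#x"):
        print(secret_url("https://eval.conjur.org", "myorg", ident, version=2))
```

The third constructed identifier shows why encoding matters: without it, the embedded `?version=9` would be parsed as a query parameter instead of as part of the variable ID.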
Example responses
Response 200
Headers
Content-Type: application/octet-stream
The default setting for Content-type is application/octet-stream. If needed, you can overwrite the Content-type setting. For more information, see mime_type.
Body
c3c60d3f266074