Lockbox API, REST: Secret.Create

Written by

Updated at November 7, 2024

HTTP request
Body parameters
PayloadEntryChange
PasswordPayloadSpecification
Response
CreateSecretMetadata
Status
Secret
Version
PasswordPayloadSpecification

Creates a secret in the specified folder.

HTTP request

POST https://lockbox.api.cloud.yandex.net/lockbox/v1/secrets

Body parameters

{
  "folderId": "string",
  "name": "string",
  "description": "string",
  "labels": "string",
  "kmsKeyId": "string",
  "versionDescription": "string",
  "versionPayloadEntries": [
    {
      "key": "string",
      // Includes only one of the fields `textValue`, `binaryValue`
      "textValue": "string",
      "binaryValue": "string"
      // end of the list of possible fields
    }
  ],
  "deletionProtection": "boolean",
  // Includes only one of the fields `passwordPayloadSpecification`
  "passwordPayloadSpecification": {
    "passwordKey": "string",
    "length": "string",
    "includeUppercase": "boolean",
    "includeLowercase": "boolean",
    "includeDigits": "boolean",
    "includePunctuation": "boolean",
    "includedPunctuation": "string",
    "excludedPunctuation": "string"
  },
  // end of the list of possible fields
  "createVersion": "boolean"
}

Field	Description
folderId	string Required field. ID of the folder to create a secret in.
name	string Name of the secret.
description	string Description of the secret.
labels	string Custom labels for the secret as `key:value` pairs. Maximum 64 per key. For example, `"project": "mvp"` or `"source": "dictionary"`.
kmsKeyId	string Optional ID of the KMS key will be used to encrypt and decrypt the secret.
versionDescription	string Description of the first version.
versionPayloadEntries[]	PayloadEntryChange Payload entries added to the first version.
deletionProtection	boolean Flag that inhibits deletion of the secret.
passwordPayloadSpecification	PasswordPayloadSpecification Includes only one of the fields `passwordPayloadSpecification`.
createVersion	boolean If true: a version will be created with either version_payload_entries or password_payload_specification (one is required). If false: a version is NOT created, no matter version_payload_entries or password_payload_specification. Default: a version is created IF either version_payload_entries or password_payload_specification are specified. It's never allowed to set both version_payload_entries and password_payload_specification.

PayloadEntryChange

Field	Description
key	string Required field. Non-confidential key of the entry.
textValue	string Use the field to set a text value. Includes only one of the fields `textValue`, `binaryValue`. Confidential value of the entry.
binaryValue	string (bytes) Use the field to set a binary value. Includes only one of the fields `textValue`, `binaryValue`. Confidential value of the entry.

PasswordPayloadSpecification

Field	Description
passwordKey	string Required field. key of the entry to store generated password value
length	string (int64) password length; by default, a reasonable length will be decided
includeUppercase	boolean whether at least one A..Z character is included in the password, true by default
includeLowercase	boolean whether at least one a..z character is included in the password, true by default
includeDigits	boolean whether at least one 0..9 character is included in the password, true by default
includePunctuation	boolean whether at least one punctuation character is included in the password, true by default punctuation characters by default (there are 32): !"#$%&'()*+,-./:;<=>?@[]^_`{\|}~ to customize the punctuation characters, see included_punctuation and excluded_punctuation below
includedPunctuation	string If include_punctuation is true, one of these two fields (not both) may be used optionally to customize the punctuation: a string of specific punctuation characters to use (at most, all the 32)
excludedPunctuation	string a string of punctuation characters to exclude from the default (at most 31, it's not allowed to exclude all the 32)

Response

HTTP Code: 200 - OK

{
  "id": "string",
  "description": "string",
  "createdAt": "string",
  "createdBy": "string",
  "modifiedAt": "string",
  "done": "boolean",
  "metadata": {
    "secretId": "string",
    "versionId": "string"
  },
  // Includes only one of the fields `error`, `response`
  "error": {
    "code": "integer",
    "message": "string",
    "details": [
      "object"
    ]
  },
  "response": {
    "id": "string",
    "folderId": "string",
    "createdAt": "string",
    "name": "string",
    "description": "string",
    "labels": "string",
    "kmsKeyId": "string",
    "status": "string",
    "currentVersion": {
      "id": "string",
      "secretId": "string",
      "createdAt": "string",
      "destroyAt": "string",
      "description": "string",
      "status": "string",
      "payloadEntryKeys": [
        "string"
      ],
      // Includes only one of the fields `passwordPayloadSpecification`
      "passwordPayloadSpecification": {
        "passwordKey": "string",
        "length": "string",
        "includeUppercase": "boolean",
        "includeLowercase": "boolean",
        "includeDigits": "boolean",
        "includePunctuation": "boolean",
        "includedPunctuation": "string",
        "excludedPunctuation": "string"
      }
      // end of the list of possible fields
    },
    "deletionProtection": "boolean",
    // Includes only one of the fields `passwordPayloadSpecification`
    "passwordPayloadSpecification": {
      "passwordKey": "string",
      "length": "string",
      "includeUppercase": "boolean",
      "includeLowercase": "boolean",
      "includeDigits": "boolean",
      "includePunctuation": "boolean",
      "includedPunctuation": "string",
      "excludedPunctuation": "string"
    }
    // end of the list of possible fields
  }
  // end of the list of possible fields
}

An Operation resource. For more information, see Operation.

Field	Description
id	string ID of the operation.
description	string Description of the operation. 0-256 characters long.
createdAt	string (date-time) Creation timestamp. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
createdBy	string ID of the user or service account who initiated the operation.
modifiedAt	string (date-time) The time when the Operation resource was last modified. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
done	boolean If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available.
metadata	CreateSecretMetadata Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
error	Status The error result of the operation in case of failure or cancellation. Includes only one of the fields `error`, `response`. The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.
response	Secret The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is the standard Create/Update, the response should be the target resource of the operation. Any method that returns a long-running operation should document the response type, if any. Includes only one of the fields `error`, `response`. The operation result. If `done == false` and there was no failure detected, neither `error` nor `response` is set. If `done == false` and there was a failure detected, `error` is set. If `done == true`, exactly one of `error` or `response` is set.

CreateSecretMetadata

Field

Description

secretId

string

ID of the secret being created.

versionId

string

ID of the current version of the secret being created.

Status

The error result of the operation in case of failure or cancellation.

Field	Description
code	integer (int32) Error code. An enum value of google.rpc.Code.
message	string An error message.
details[]	object A list of messages that carry the error details.

Secret

A secret that may contain several versions of the payload.

Field	Description
id	string ID of the secret.
folderId	string ID of the folder that the secret belongs to.
createdAt	string (date-time) Creation timestamp. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
name	string Name of the secret.
description	string Description of the secret.
labels	string Custom labels for the secret as `key:value` pairs. Maximum 64 per key.
kmsKeyId	string Optional ID of the KMS key will be used to encrypt and decrypt the secret.
status	enum (Status) Status of the secret. `STATUS_UNSPECIFIED` `CREATING`: The secret is being created. `ACTIVE`: The secret is active and the secret payload can be accessed. Can be set to INACTIVE using the SecretService.Deactivate method. `INACTIVE`: The secret is inactive and unusable. Can be set to ACTIVE using the SecretService.Deactivate method.
currentVersion	Version Current (i.e. the `latest`) version of the secret.
deletionProtection	boolean Flag that inhibits deletion of the secret.
passwordPayloadSpecification	PasswordPayloadSpecification Includes only one of the fields `passwordPayloadSpecification`.

Version

Field	Description
id	string ID of the version.
secretId	string ID of the secret that the version belongs to.
createdAt	string (date-time) Time when the version was created. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
destroyAt	string (date-time) Time when the version is going to be destroyed. Empty unless the status is `SCHEDULED_FOR_DESTRUCTION`. String in RFC3339 text format. The range of possible values is from `0001-01-01T00:00:00Z` to `9999-12-31T23:59:59.999999999Z`, i.e. from 0 to 9 digits for fractions of a second. To work with values in this field, use the APIs described in the Protocol Buffers reference. In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).
description	string Description of the version.
status	enum (Status) Status of the secret. `STATUS_UNSPECIFIED` `ACTIVE`: The version is active and the secret payload can be accessed. `SCHEDULED_FOR_DESTRUCTION`: The version is scheduled for destruction, the time when it will be destroyed is specified in the `Version.destroyAt` field. `DESTROYED`: The version is destroyed and cannot be recovered.
payloadEntryKeys[]	string Keys of the entries contained in the version payload.
passwordPayloadSpecification	PasswordPayloadSpecification Includes only one of the fields `passwordPayloadSpecification`.

PasswordPayloadSpecification

Field	Description
passwordKey	string Required field. key of the entry to store generated password value
length	string (int64) password length; by default, a reasonable length will be decided
includeUppercase	boolean whether at least one A..Z character is included in the password, true by default
includeLowercase	boolean whether at least one a..z character is included in the password, true by default
includeDigits	boolean whether at least one 0..9 character is included in the password, true by default
includePunctuation	boolean whether at least one punctuation character is included in the password, true by default punctuation characters by default (there are 32): !"#$%&'()*+,-./:;<=>?@[]^_`{\|}~ to customize the punctuation characters, see included_punctuation and excluded_punctuation below
includedPunctuation	string If include_punctuation is true, one of these two fields (not both) may be used optionally to customize the punctuation: a string of specific punctuation characters to use (at most, all the 32)
excludedPunctuation	string a string of punctuation characters to exclude from the default (at most 31, it's not allowed to exclude all the 32)

Lockbox API, REST: Secret.Create

HTTP requestHTTP request

Body parametersBody parameters

PayloadEntryChangePayloadEntryChange

PasswordPayloadSpecificationPasswordPayloadSpecification

ResponseResponse

CreateSecretMetadataCreateSecretMetadata

StatusStatus

SecretSecret

VersionVersion

PasswordPayloadSpecificationPasswordPayloadSpecification

Was the article helpful?

HTTP request

Body parameters

PayloadEntryChange

PasswordPayloadSpecification

Response

CreateSecretMetadata

Status

Secret

Version

PasswordPayloadSpecification