Yandex Cloud
Search
Discuss with expertTry it for free
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
  • Marketplace
    • Featured
    • Infrastructure & Network
    • Data Platform
    • AI for business
    • Security
    • DevOps tools
    • Serverless
    • Monitoring & Resources
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
    • Price calculator
    • Pricing plans
  • Customer Stories
  • Documentation
  • Blog
© 2026 Direct Cursus Technology L.L.C.
Yandex Lockbox
  • Getting started
  • Quotas and limits
  • Access management
  • Pricing policy
  • Terraform reference
    • API authentication
      • Overview
        • Overview
        • Get
        • List
        • Create
        • Update
        • Delete
        • Activate
        • Deactivate
        • ListVersions
        • AddVersion
        • ScheduleVersionDestruction
        • CancelVersionDestruction
        • ListOperations
        • ListAccessBindings
        • SetAccessBindings
        • UpdateAccessBindings
  • Monitoring metrics
  • Audit Trails events
  • Release notes
  • FAQ

In this article:

  • HTTP request
  • Body parameters
  • PasswordPayloadSpecification
  • PayloadEntryChange
  • Response
  • Status
  1. API reference
  2. REST
  3. Secret
  4. Create

Lockbox API, REST: Secret.Create

Written by
Yandex Cloud
Updated at July 1, 2026
View in Markdown
  • HTTP request
  • Body parameters
  • PasswordPayloadSpecification
  • PayloadEntryChange
  • Response
  • Status

Creates a secret in the specified folder.

HTTP requestHTTP request

POST https://lockbox.api.cloud.yandex.net/lockbox/v1/secrets

Body parametersBody parameters

{
  // Includes only one of the fields `passwordPayloadSpecification`
  "passwordPayloadSpecification": {
    "passwordKey": "string",
    "length": "string",
    "includeUppercase": "boolean",
    "includeLowercase": "boolean",
    "includeDigits": "boolean",
    "includePunctuation": "boolean",
    "includedPunctuation": "string",
    "excludedPunctuation": "string"
  },
  // end of the list of possible fields
  "folderId": "string",
  "name": "string",
  "description": "string",
  "labels": "object",
  "kmsKeyId": "string",
  "versionDescription": "string",
  "versionPayloadEntries": [
    {
      // Includes only one of the fields `textValue`, `binaryValue`
      "textValue": "string",
      "binaryValue": "string",
      // end of the list of possible fields
      "key": "string"
    }
  ],
  "deletionProtection": "boolean",
  "createVersion": "boolean"
}

Field

Description

passwordPayloadSpecification

PasswordPayloadSpecification

Includes only one of the fields passwordPayloadSpecification.

folderId

string

Required field. ID of the folder to create a secret in.

The maximum string length in characters is 50.

name

string

Name of the secret.

The maximum string length in characters is 100.

description

string

Description of the secret.

The maximum string length in characters is 1024.

labels

object (map<string, string>)

Custom labels for the secret as key:value pairs. Maximum 64 per key.
For example, "project": "mvp" or "source": "dictionary".

The maximum string length in characters for each value is 63. The maximum string length in characters for each key is 63. Each key must match the regular expression [a-z][-_0-9a-z]*. Each value must match the regular expression [-_0-9a-z]*. No more than 64 per resource.

kmsKeyId

string

Optional ID of the KMS key will be used to encrypt and decrypt the secret.

The maximum string length in characters is 50.

versionDescription

string

Description of the first version.

The maximum string length in characters is 256.

versionPayloadEntries[]

PayloadEntryChange

Payload entries added to the first version.

deletionProtection

boolean

Flag that inhibits deletion of the secret.

createVersion

boolean

If true: a version will be created with either version_payload_entries or password_payload_specification (one is required).
If false: a version is NOT created, no matter version_payload_entries or password_payload_specification.
Default: a version is created IF either version_payload_entries or password_payload_specification are specified.
It's never allowed to set both version_payload_entries and password_payload_specification.

PasswordPayloadSpecificationPasswordPayloadSpecification

Field

Description

passwordKey

string

Required field. key of the entry to store generated password value

Value must match the regular expression [-_./\\@0-9a-zA-Z]+.

length

string (int64)

password length; by default, a reasonable length will be decided

The maximum value is 256.

includeUppercase

boolean

whether at least one A..Z character is included in the password, true by default

includeLowercase

boolean

whether at least one a..z character is included in the password, true by default

includeDigits

boolean

whether at least one 0..9 character is included in the password, true by default

includePunctuation

boolean

whether at least one punctuation character is included in the password, true by default
punctuation characters by default (there are 32): !"#$%&'()*+,-./:;<=>?@[]^_`{|}~
to customize the punctuation characters, see included_punctuation and excluded_punctuation below

includedPunctuation

string

If include_punctuation is true, one of these two fields (not both) may be used optionally to customize the punctuation:
a string of specific punctuation characters to use (at most, all the 32)

excludedPunctuation

string

a string of punctuation characters to exclude from the default (at most 31, it's not allowed to exclude all the 32)

PayloadEntryChangePayloadEntryChange

Field

Description

textValue

string

Use the field to set a text value.

The maximum string length in characters is 65536.

Includes only one of the fields textValue, binaryValue.

Confidential value of the entry.

binaryValue

string (bytes)

Use the field to set a binary value.

The maximum string length in characters is 65536.

Includes only one of the fields textValue, binaryValue.

Confidential value of the entry.

key

string

Required field. Non-confidential key of the entry.

The maximum string length in characters is 256. Value must match the regular expression [-_./\\@0-9a-zA-Z]+.

ResponseResponse

HTTP Code: 200 - OK

{
  "id": "string",
  "description": "string",
  "createdAt": "string",
  "createdBy": "string",
  "modifiedAt": "string",
  "done": "boolean",
  "metadata": "object",
  // Includes only one of the fields `error`, `response`
  "error": {
    "code": "integer",
    "message": "string",
    "details": [
      "object"
    ]
  },
  "response": "object"
  // end of the list of possible fields
}

An Operation resource. For more information, see Operation.

Field

Description

id

string

ID of the operation.

description

string

Description of the operation. 0-256 characters long.

createdAt

string (date-time)

Creation timestamp.

String in RFC3339 text format. The range of possible values is from
0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z, i.e. from 0 to 9 digits for fractions of a second.

To work with values in this field, use the APIs described in the
Protocol Buffers reference.
In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).

createdBy

string

ID of the user or service account who initiated the operation.

modifiedAt

string (date-time)

The time when the Operation resource was last modified.

String in RFC3339 text format. The range of possible values is from
0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z, i.e. from 0 to 9 digits for fractions of a second.

To work with values in this field, use the APIs described in the
Protocol Buffers reference.
In some languages, built-in datetime utilities do not support nanosecond precision (9 digits).

done

boolean

If the value is false, it means the operation is still in progress.
If true, the operation is completed, and either error or response is available.

metadata

object

Service-specific metadata associated with the operation.
It typically contains the ID of the target resource that the operation is performed on.
Any method that returns a long-running operation should document the metadata type, if any.

error

Status

The error result of the operation in case of failure or cancellation.

Includes only one of the fields error, response.

The operation result.
If done == false and there was no failure detected, neither error nor response is set.
If done == false and there was a failure detected, error is set.
If done == true, exactly one of error or response is set.

response

object

The normal response of the operation in case of success.
If the original method returns no data on success, such as Delete,
the response is google.protobuf.Empty.
If the original method is the standard Create/Update,
the response should be the target resource of the operation.
Any method that returns a long-running operation should document the response type, if any.

Includes only one of the fields error, response.

The operation result.
If done == false and there was no failure detected, neither error nor response is set.
If done == false and there was a failure detected, error is set.
If done == true, exactly one of error or response is set.

StatusStatus

The error result of the operation in case of failure or cancellation.

Field

Description

code

integer (int32)

Error code. An enum value of google.rpc.Code.

message

string

An error message.

details[]

object

A list of messages that carry the error details.

Was the article helpful?

Previous
List
Next
Update
© 2026 Direct Cursus Technology L.L.C.