BatchGetSecretValue - AWS Secrets Manager
Request SyntaxRequest ParametersResponse SyntaxResponse ElementsErrorsExamplesSee Also

BatchGetSecretValue

Retrieves the contents of the encrypted fields SecretString or SecretBinary for up to 20 secrets. To retrieve a single secret, call GetSecretValue.

To choose which secrets to retrieve, you can specify a list of secrets by name or ARN, or you can use filters. If Secrets Manager encounters errors such as AccessDeniedException while attempting to retrieve any of the secrets, you can see the errors in Errors in the response.

Secrets Manager generates CloudTrail GetSecretValue log entries for each secret you request when you call this action. Do not include sensitive information in request parameters because it might be logged. For more information, see Logging Secrets Manager events with AWS CloudTrail.

Required permissions: secretsmanager:BatchGetSecretValue, and you must have secretsmanager:GetSecretValue for each secret. If you use filters, you must also have secretsmanager:ListSecrets. If the secrets are encrypted using customer-managed keys instead of the AWS managed key aws/secretsmanager, then you also need kms:Decrypt permissions for the keys. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.

Request Syntax

{
   "Filters": [ 
      { 
         "Key": "string",
         "Values": [ "string" ]
      }
   ],
   "MaxResults": number,
   "NextToken": "string",
   "SecretIdList": [ "string" ]
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

Filters

The filters to choose which secrets to retrieve. You must include Filters or SecretIdList, but not both.

Type: Array of Filter objects

Array Members: Maximum number of 10 items.

Required: No

MaxResults

The number of results to include in the response.

If there are more results available, in the response, Secrets Manager includes NextToken. To get the next results, call BatchGetSecretValue again with the value from NextToken. To use this parameter, you must also use the Filters parameter.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 20.

Required: No

NextToken

A token that indicates where the output should continue from, if a previous call did not show all results. To get the next results, call BatchGetSecretValue again with this value.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 4096.

Required: No

SecretIdList

The ARN or names of the secrets to retrieve. You must include Filters or SecretIdList, but not both.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: No

Response Syntax

{
   "Errors": [ 
      { 
         "ErrorCode": "string",
         "Message": "string",
         "SecretId": "string"
      }
   ],
   "NextToken": "string",
   "SecretValues": [ 
      { 
         "ARN": "string",
         "CreatedDate": number,
         "Name": "string",
         "SecretBinary": blob,
         "SecretString": "string",
         "VersionId": "string",
         "VersionStages": [ "string" ]
      }
   ]
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Errors

A list of errors Secrets Manager encountered while attempting to retrieve individual secrets.

Type: Array of APIErrorType objects

NextToken

Secrets Manager includes this value if there's more output available than what is included in the current response. This can occur even when the response includes no values at all, such as when you ask for a filtered view of a long list. To get the next results, call BatchGetSecretValue again with this value.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 4096.

SecretValues

A list of secret values.

Type: Array of SecretValueEntry objects

Errors

For information about the errors that are common to all actions, see Common Errors.

DecryptionFailure

Secrets Manager can't decrypt the protected secret text using the provided KMS key.

HTTP Status Code: 400

InternalServiceError

An error occurred on the server side.

HTTP Status Code: 500

InvalidNextTokenException

The NextToken value is invalid.

HTTP Status Code: 400

InvalidParameterException

The parameter name or value is invalid.

HTTP Status Code: 400

InvalidRequestException

A parameter value is not valid for the current state of the resource.

Possible causes:

  • The secret is scheduled for deletion.

  • You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.

  • The secret is managed by another service, and you must use that service to update it. For more information, see Secrets managed by other AWS services.

HTTP Status Code: 400

ResourceNotFoundException

Secrets Manager can't find the resource that you asked for.

HTTP Status Code: 400

Examples

Example

The following example shows how to retrieve the secret values for a group of secrets listed by name. The JSON request string input and response output displays formatted code with white space and line breaks for better readability. Submit your input as a single line JSON string.

Sample Request

POST / HTTP/1.1
Host: secretsmanager.region.domain
Accept-Encoding: identity
X-Amz-Target: secretsmanager.BatchGetSecretValue
Content-Type: application/x-amz-json-1.1
User-Agent: <user-agent-string>
X-Amz-Date: <date>
Authorization: AWS4-HMAC-SHA256 Credential=<credentials>,SignedHeaders=<headers>, Signature=<signature>
Content-Length: <payload-size-bytes>

{
  "SecretIdList": ["MySecret1", "MySecret2", "MySecret3"]
}

Sample Response

HTTP/1.1 200 OK
Date: <date>
Content-Type: application/x-amz-json-1.1
Content-Length: <response-size-bytes>
Connection: keep-alive
x-amzn-RequestId: <request-id-guid>

  {
    "Errors":[],
    "SecretValues":
      [
        {
          "ARN":"arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret1-a1b2c3",
          "CreatedDate":1.700591229801E9,
          "Name":"MySecret1",
          "SecretString":"{\"username\":\"diego_ramirez\",\"password\":\"EXAMPLE-PASSWORD\",\"engine\":\"mysql\",\"host\":\"secretsmanagertutorial.cluster.us-west-2.rds.amazonaws.com\",\"port\":3306,\"dbClusterIdentifier\":\"secretsmanagertutorial\"}",
          "VersionId":"a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
          "VersionStages": ["AWSCURRENT"]
        },
        {
          "ARN":"arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret2-a1b2c3",
          "CreatedDate":1.699911394105E9,
          "Name":"MySecret2",
          "SecretString":"{\"username\":\"akua_mansa\",\"password\":\"EXAMPLE-PASSWORD\"",
          "VersionId":"a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
          "VersionStages":["AWSCURRENT"]
        },
        {
          "ARN":"arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret3-a1b2c3",
          "CreatedDate":1.699911394105E9,
          "Name":"MySecret3",
          "SecretString":"{\"username\":\"jie_liu\",\"password\":\"EXAMPLE-PASSWORD\"",
          "VersionId":"a1b2c3d4-5678-90ab-cdef-EXAMPLEccccc",
          "VersionStages":["AWSCURRENT"]
        }
      ]
    }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: