Retrieve a Secret

Fetches the value of a secret from the specified Variable. The latest version will be retrieved unless the version parameter is specified. The twenty most recent secret versions are retained.

The secret data is returned in the response body.

 
  • Conjur allows you to add a secret to any resource, but the best practice is to store and retrieve secret data only using Variable resources.
  • Entity IDs must be URL-encoded.

URI

 
GET /secrets/{account}/{kind}/{identifier}{?version}

Any identifier included in the URL must be URL-encoded to be recognized by the Conjur API.

Examples

| Identifier | URL-Encoded |
|---|---|
| myapp-01 | myapp-01 (no change) |
| alice@devops | alice%40devops |
| prod/aws/db-password | prod%2Faws%2Fdb-password |
| research+development | research%2Bdevelopment |
| sales&marketing | sales%26marketing |

Example with curl

 
curl -H "$(conjur authn authenticate -H)" \
    https://eval.conjur.org/secrets/myorg/variable/prod/db/password

Response

| Code | Description |
|---|---|
| 200 | The secret value was retrieved successfully. |
| 401 | The request lacks valid authentication credentials. |
| 403 | The authenticated user lacks the necessary privilege. |
| 404 | The variable does not exist, or it does not have any secret values. |
| 422 | A request parameter was missing or invalid. |

Example URI

 
GET /secrets/myorg/variable/db/password?version=1

URI Parameters

| Parameter | Type | Mandatory | Description |
|---|---|---|---|
| account | String | Yes | Organization account name. Example: myorg |
| kind | String | Yes | Should be "variable". Example: variable |
| identifier | String | Yes | ID of the variable. Example: db/password |
| version | Integer | No | Version you want to retrieve (Conjur keeps the last 20 versions of a secret). Example: 1 |

Response 200

Headers

 
Content-Type: application/octet-stream

The default value of the Content-Type header is application/octet-stream. If needed, you can override the Content-Type setting. See Variable for more information.

Body

 
c3c60d3f266074
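
The following is an added example, not part of the original Conjur documentation: a small Python client that applies the URL-encoding rule from the identifier table when building the request URI and maps the documented response codes to errors. The function names, the `auth_header` parameter (the Authorization header value, obtained separately by the caller) and the lower bound of 1 for `version` are assumptions made for this illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

# Status codes and meanings as listed in the Response table on this page.
ERRORS = {
    401: "request lacks valid authentication credentials",
    403: "authenticated user lacks the necessary privilege",
    404: "variable does not exist or has no secret value",
    422: "a request parameter was missing or invalid",
}


def secret_url(base_url, account, identifier, kind="variable", version=None):
    """Build GET /secrets/{account}/{kind}/{identifier}{?version}."""
    # safe="" makes quote() encode "/" as well, so an identifier such as
    # prod/aws/db-password is sent as prod%2Faws%2Fdb-password.
    parts = [quote(p, safe="") for p in (account, kind, identifier)]
    url = base_url.rstrip("/") + "/secrets/" + "/".join(parts)
    if version is not None:
        # version is an integer parameter; reject anything else locally
        # instead of sending a request the server would answer with 422.
        # Assumption: version numbers start at 1.
        if isinstance(version, bool) or not isinstance(version, int) or version < 1:
            raise ValueError("version must be a positive integer")
        url += "?version=%d" % version
    return url


def retrieve_secret(base_url, account, identifier, auth_header, version=None):
    """Return the secret as bytes (application/octet-stream by default)."""
    req = urllib.request.Request(
        secret_url(base_url, account, identifier, version=version),
        headers={"Authorization": auth_header},  # assumed: supplied by caller
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        # Keep the auth header and response body out of the error message.
        reason = ERRORS.get(err.code, "unexpected status")
        raise RuntimeError("Conjur returned %d: %s" % (err.code, reason)) from None
```

Treat the returned bytes as sensitive: keep them out of logs and exception messages, and decode them only if the variable is known to hold text.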