SecretsManager / Client / batch_get_secret_value

batch_get_secret_value#

SecretsManager.Client.batch_get_secret_value(**kwargs)#

Retrieves the contents of the encrypted fields SecretString or SecretBinary for up to 20 secrets. To retrieve a single secret, call GetSecretValue.

To choose which secrets to retrieve, you can specify a list of secrets by name or ARN, or you can use filters. If Secrets Manager encounters errors such as AccessDeniedException while attempting to retrieve any of the secrets, you can see the errors in Errors in the response.

Secrets Manager generates CloudTrail GetSecretValue log entries for each secret you request when you call this action. Do not include sensitive information in request parameters because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.

Required permissions: secretsmanager:BatchGetSecretValue, and you must have secretsmanager:GetSecretValue for each secret. If you use filters, you must also have secretsmanager:ListSecrets. If the secrets are encrypted using customer-managed keys instead of the Amazon Web Services managed key aws/secretsmanager, then you also need kms:Decrypt permissions for the keys. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.

See also: AWS API Documentation

Request Syntax

response = client.batch_get_secret_value(
    SecretIdList=[
        'string',
    ],
    Filters=[
        {
            'Key': 'description'|'name'|'tag-key'|'tag-value'|'primary-region'|'owning-service'|'all',
            'Values': [
                'string',
            ]
        },
    ],
    MaxResults=123,
    NextToken='string'
)
Parameters:
  • SecretIdList (list) –

    The ARN or names of the secrets to retrieve. You must include Filters or SecretIdList, but not both.

    • (string) –

  • Filters (list) –

    The filters to choose which secrets to retrieve. You must include Filters or SecretIdList, but not both.

    • (dict) –

      Allows you to add filters when you use the search function in Secrets Manager. For more information, see Find secrets in Secrets Manager.

      • Key (string) –

        The following are keys you can use:

        • description: Prefix match, not case-sensitive.

        • name: Prefix match, case-sensitive.

        • tag-key: Prefix match, case-sensitive.

        • tag-value: Prefix match, case-sensitive.

        • primary-region: Prefix match, case-sensitive.

        • owning-service: Prefix match, case-sensitive.

        • all: Breaks the filter value string into words and then searches all attributes for matches. Not case-sensitive.

      • Values (list) –

        The keyword to filter for.

        You can prefix your search value with an exclamation mark ( !) in order to perform negation filters.

        • (string) –

  • MaxResults (integer) –

    The number of results to include in the response.

    If there are more results available, in the response, Secrets Manager includes NextToken. To get the next results, call BatchGetSecretValue again with the value from NextToken.

  • NextToken (string) – A token that indicates where the output should continue from, if a previous call did not show all results. To get the next results, call BatchGetSecretValue again with this value.

Return type:

dict

Returns:

Response Syntax

{
    'SecretValues': [
        {
            'ARN': 'string',
            'Name': 'string',
            'VersionId': 'string',
            'SecretBinary': b'bytes',
            'SecretString': 'string',
            'VersionStages': [
                'string',
            ],
            'CreatedDate': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string',
    'Errors': [
        {
            'SecretId': 'string',
            'ErrorCode': 'string',
            'Message': 'string'
        },
    ]
}

Response Structure

  • (dict) –

    • SecretValues (list) –

      A list of secret values.

      • (dict) –

        A structure that contains the secret value and other details for a secret.

        • ARN (string) –

          The Amazon Resource Name (ARN) of the secret.

        • Name (string) –

          The friendly name of the secret.

        • VersionId (string) –

          The unique version identifier of this version of the secret.

        • SecretBinary (bytes) –

          The decrypted secret value, if the secret value was originally provided as binary data in the form of a byte array. The parameter represents the binary data as a base64-encoded string.

        • SecretString (string) –

          The decrypted secret value, if the secret value was originally provided as a string or through the Secrets Manager console.

        • VersionStages (list) –

          A list of all of the staging labels currently attached to this version of the secret.

          • (string) –

        • CreatedDate (datetime) –

          The date the secret was created.

    • NextToken (string) –

      Secrets Manager includes this value if there’s more output available than what is included in the current response. This can occur even when the response includes no values at all, such as when you ask for a filtered view of a long list. To get the next results, call BatchGetSecretValue again with this value.

    • Errors (list) –

      A list of errors Secrets Manager encountered while attempting to retrieve individual secrets.

      • (dict) –

        The error Secrets Manager encountered while retrieving an individual secret as part of BatchGetSecretValue.

        • SecretId (string) –

          The ARN or name of the secret.

        • ErrorCode (string) –

          The error Secrets Manager encountered while retrieving an individual secret as part of BatchGetSecretValue, for example ResourceNotFoundException, InvalidParameterException, InvalidRequestException, DecryptionFailure, or AccessDeniedException.

        • Message (string) –

          A message describing the error.

Exceptions

  • SecretsManager.Client.exceptions.ResourceNotFoundException

  • SecretsManager.Client.exceptions.InvalidParameterException

  • SecretsManager.Client.exceptions.InvalidRequestException

  • SecretsManager.Client.exceptions.DecryptionFailure

  • SecretsManager.Client.exceptions.InternalServiceError

  • SecretsManager.Client.exceptions.InvalidNextTokenException