Table: alicloud_kms_secret - Query Alicloud Key Management Service Secrets using SQL

Alicloud Key Management Service (KMS) Secrets is a feature of the Alicloud KMS that helps manage the lifecycle of secrets. It provides a secure and convenient method to create, use, and manage secrets, including database passwords, API keys, and other sensitive information. It also supports secret versioning and rotation to enhance the security of applications.

Table Usage Guide

The alicloud_kms_secret table provides insights into secrets within Alicloud Key Management Service (KMS). As a security engineer, explore secret-specific details through this table, including their lifecycle stages, rotation configurations, and recovery windows. Utilize it to uncover information about secrets, such as their current status, the last time they were accessed, and whether they are scheduled for deletion.

Examples

Basic info

Explore the basic information of your encrypted data keys in Alibaba Cloud's Key Management Service. This allows you to understand the type of secrets you have, when they were created, and their overall descriptions, aiding in efficient key management.

select
  name,
  description,
  arn,
  secret_type,
  create_time
from
  alicloud_kms_secret;

select
  name,
  description,
  arn,
  secret_type,
  create_time
from
  alicloud_kms_secret;

List secrets that do not have automatic rotation enabled

Uncover the details of encryption secrets that are not set to auto-renew, potentially exposing your system to security risks. This is useful for identifying and rectifying weak points in your security infrastructure.

select
  name,
  secret_type automatic_rotation
from
  alicloud_kms_secret
where
  automatic_rotation <> 'Enabled';

select
  name,
  secret_type as automatic_rotation
from
  alicloud_kms_secret
where
  automatic_rotation != 'Enabled';

List secrets that have not been rotated within the last 30 days

Explore which secrets have not been updated in the last month. This is useful for maintaining security standards and ensuring that sensitive information is regularly updated.

select
  name,
  secret_type,
  automatic_rotation
from
  alicloud_kms_secret
where
  last_rotation_date < (current_date - interval '30' day);

select
  name,
  secret_type,
  automatic_rotation
from
  alicloud_kms_secret
where
  last_rotation_date < date('now', '-30 day');

Get the extended configuration info for each secret

This query is useful for gaining insights into the extended configuration details of each secret, such as the associated database name and instance ID, as well as the secret subtype. It can help in understanding and managing the security aspects of your cloud resources.

select
  name,
  extended_config -> 'CustomData' ->> 'DBName' as db_name,
  extended_config ->> 'DBInstanceId' as db_instance_id,
  extended_config ->> 'SecretSubType' as secret_sub_type
from
  alicloud_kms_secret;

select
  name,
  json_extract(
    json_extract(extended_config, '$.CustomData'),
    '$.DBName'
  ) as db_name,
  json_extract(extended_config, '$.DBInstanceId') as db_instance_id,
  json_extract(extended_config, '$.SecretSubType') as secret_sub_type
from
  alicloud_kms_secret;

List secrets without application tag key

Discover the segments that have secrets without an application tag key. This is useful to identify and manage secrets that may not be associated with a specific application.

select
  name,
  tags
from
  alicloud_kms_secret
where
  not tags :: JSONB ? 'application';

select
  name,
  tags
from
  alicloud_kms_secret
where
  json_extract(tags, '$.application') is null;

Query examples

kms_secrets_for_kms_key

Schema for alicloud_kms_secret

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form, e.g. connection_name.
account_id	text		The Alicloud Account ID in which the resource is located.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
arn	text		The Alibaba Cloud Resource Name (ARN).
automatic_rotation	text		Specifies whether automatic key rotation is enabled.
create_time	timestamp with time zone		The time when the KMS Secret was created.
description	text		The description of the secret.
encryption_key_id	text		The ID of the KMS customer master key (CMK) that is used to encrypt the secret value.
extended_config	jsonb		The extended configuration of Secret.
last_rotation_date	timestamp with time zone		Date of last rotation of Secret.
name	text	=	The name of the secret.
next_rotation_date	timestamp with time zone		The date of next rotation of Secret.
planned_delete_time	timestamp with time zone		The time when the KMS Secret is planned to delete.
region	text		The Alicloud region in which the resource is located.
rotation_interval	text		The rotation perion of Secret.
secret_type	text		The type of the secret.
tags	jsonb		A map of tags for the resource.
tags_src	jsonb		A list of tags attached with the resource.
title	text		Title of the resource.
update_time	timestamp with time zone		The time when the KMS Secret was modifies.
version_ids	jsonb		The list of secret versions.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- alicloud

You can pass the configuration to the command with the --config argument:

steampipe_export_alicloud --config '<your_config>' alicloud_kms_secret