# Getting information about a secret, its contents, and access rights

You can get detailed [information about a secret](#secret-info) and [secret contents](#secret-contents) and [view access rights to a secret](#secret-access).

## Getting information about a secret {#secret-info}

{% list tabs group=instructions %}

- Management console {#console}

    1. In the [management console](https://console.yandex.cloud), select the folder the secret belongs to.
    1. Navigate to **Lockbox**.
    1. In the left-hand menu, select **Secrets**.
    1. Click the name of the secret you need.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the CLI command to get information about a [secret](../concepts/secret.md):

      ```bash
      yc lockbox secret get --help
      ```

  1. Get information about a secret by specifying its name or ID:

      ```bash
      yc lockbox secret get <secret_name>
      ```

     Result:

      ```text
      id: e6qi98vtdva1********
      folder_id: b1go79qlt1tp********
      created_at: "2023-11-03T15:28:18.909Z"
      name: test-secret
      kms_key_id: abj765aos682********
      status: ACTIVE
      current_version:
        id: e6q7nvojsgmk********
        secret_id: e6qi98vtdva1********
        created_at: "2023-11-03T15:28:18.909Z"
        status: ACTIVE
        payload_entry_keys:
          - example-key
      ```

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../terraform/authentication.md) using the appropriate method.

  To get information about a [secret](../concepts/secret.md) using Terraform:
  1. Add the `data` and `output` sections to the Terraform configuration file:

     ```hcl
     data "yandex_lockbox_secret" "my_secret" {
       secret_id = "<secret_ID>"
     }

     output "current_version" {
       value = data.yandex_lockbox_secret.my_secret.current_version
     }
     ```

     Where:
     * `data "yandex_lockbox_secret"`: Description of the secret as a data source:
       * `secret_id`: Secret ID.
     * `output "current_version"`: Output variable that contains information about the current secret version:
       * `value`: Return value.

     You can replace `current_version` with another variable to get the information you need. For more information about the `yandex_lockbox_secret` data source properties, see [this provider guide](../../terraform/data-sources/lockbox_secret.md).
  1. Create the resources:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

     Terraform will create all required resources and display their output variables. To check the results, run this command:

     ```bash
     terraform output
     ```

     Result:

     ```text
     current_version = tolist([
       {
         "created_at" = "2024-03-27T02:45:05Z"
         "description" = ""
         "destroy_at" = ""
         "id" = "e6qo5a6imnm0********"
         "payload_entry_keys" = tolist([
           "key",
         ])
         "secret_id" = "e6qnva6ntl66********"
         "status" = "ACTIVE"
       },
     ])
     ```

- API {#api}

  To get information about a [secret](../concepts/secret.md), use the [get](../api-ref/Secret/get.md) REST API method for the [Secret](../api-ref/Secret/index.md) resource or the [SecretService/Get](../api-ref/grpc/Secret/get.md) gRPC API call.

{% endlist %}

## Getting the contents of a secret {#secret-contents}

{% list tabs group=instructions %}

- Management console {#console}

    1. In the [management console](https://console.yandex.cloud), select the folder the secret belongs to.
    1. Navigate to **Lockbox**.
    1. In the left-hand menu, select **Secrets**.
    1. Click the name of the secret you need.
    1. Under **Versions**, click the secret version you need.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command to get the contents of a secret:

      ```bash
      yc lockbox payload get --help
      ```

  1. Get the contents of a secret by specifying its name or ID:

      ```bash
      yc lockbox payload get <secret_name_or_ID>
      ```

     Result:

      ```text
      version_id: e6q7nvojsgmk********
      entries:
        - key: example-key
          text_value: example-value
      ```

      If a file is used as the confidential value, the returned secret content will be [Base64 encoded](https://en.wikipedia.org/wiki/Base64). To decode the file, use the Linux base64 utility:
      
      ```bash
      base64 --decode <path_to_file> > output.txt
      ```

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../terraform/authentication.md) using the appropriate method.

  To get the contents of the secret using Terraform:

  1. Add the `data` and `output` sections to the Terraform configuration file:

     ```hcl
     data "yandex_lockbox_secret_version" "my_secret_version" {
       secret_id  = "<secret_ID>"
       version_id = "<version_ID>"
     }

     output "my_secret_entries" {
       value = data.yandex_lockbox_secret_version.my_secret_version.entries
     }
     ```

     Where:
     * `data "yandex_lockbox_secret_version"`: Description of the secret as a data source:
       * `secret_id`: Secret ID.
       * `version_id`: Secret version ID. This is an optional setting. Defaults to the current secret version.
     * `output "my_secret_entries"`: Output variable which stores the contents of the secret:
       * `value`: Return value.

     For more information about the `yandex_lockbox_secret_version` data source properties, see [this provider guide](../../terraform/data-sources/lockbox_secret_version.md).

  1. Create the resources:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

     Terraform will create all required resources and display their output variables. To check the results, run this command:

     ```bash
     terraform output
     ```

     Result:

     ```text
     my_secret_entries = [
       {
         key        = "example-key"
         text_value = "example-value"
       },
       {
         key        = "example-key"
         text_value = "example-value"
       },
     ]
     ```

- API {#api}

  To get the secret contents, use the [get](../api-ref/Payload/get.md) REST API method for the [Payload](../api-ref/Payload/index.md) resource or the [PayloadService/Get](../api-ref/grpc/Payload/get.md) gRPC API call.

  If a file is used as the confidential value, the returned secret content will be [Base64 encoded](https://en.wikipedia.org/wiki/Base64). To decode the file, use the [base64 Python module](https://docs.python.org/3/library/base64.html) or other suitable tools.

{% endlist %}

## Viewing permissions to a secret {#secret-access}

{% list tabs group=instructions %}

- Management console {#console}

    1. In the [management console](https://console.yandex.cloud), select the folder the secret belongs to.
    1. Navigate to **Lockbox**.
    1. In the left-hand menu, select **Secrets**.
    1. Click the name of the secret you need.
    1. In the left-hand panel, select ![image](../../_assets/console-icons/persons.svg) **Access bindings**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command to view access permissions for a secret:

      ```bash
      yc lockbox secret list-access-bindings --help
      ```

  1. View access permissions to a secret by specifying its name or ID:

      ```bash
      yc lockbox secret list-access-bindings <secret_name_or_ID>
      ```

      Result:

      ```text
      +---------+---------------+----------------------+
      | ROLE ID | SUBJECT TYPE  |      SUBJECT ID      | 
      +---------+---------------+----------------------+
      | viewer  | federatedUser | ajej2i98kcjd******** | 
      +---------+---------------+----------------------+
      ```

- API {#api}

  To view access permissions to a secret, use the [ListAccessBindings](../api-ref/Secret/listAccessBindings.md) REST API method for the [Secret](../api-ref/Secret/index.md) resource or the [SecretService/ListAccessBindings](../api-ref/grpc/Secret/listAccessBindings.md) gRPC API call.

{% endlist %}