diff --git a/apps/assets/api/account/template.py b/apps/assets/api/account/template.py
index c04fd8ab6..dd9ee1d00 100644
--- a/apps/assets/api/account/template.py
+++ b/apps/assets/api/account/template.py
@@ -1,6 +1,10 @@
-from orgs.mixins.api import OrgBulkModelViewSet
-from assets.models import AccountTemplate
 from assets import serializers
+from assets.models import AccountTemplate
+from rbac.permissions import RBACPermission
+from authentication.const import ConfirmType
+from common.mixins import RecordViewLogMixin
+from common.permissions import UserConfirmation
+from orgs.mixins.api import OrgBulkModelViewSet
 
 
 class AccountTemplateViewSet(OrgBulkModelViewSet):
@@ -10,3 +14,16 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
     serializer_classes = {
         'default': serializers.AccountTemplateSerializer
     }
+
+
+class AccountTemplateSecretsViewSet(RecordViewLogMixin, AccountTemplateViewSet):
+    serializer_classes = {
+        'default': serializers.AccountTemplateSecretSerializer,
+    }
+    http_method_names = ['get', 'options']
+    # Todo: 记得打开
+    # permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
+    rbac_perms = {
+        'list': 'assets.view_accounttemplatesecret',
+        'retrieve': 'assets.view_accounttemplatesecret',
+    }
diff --git a/apps/assets/serializers/account/template.py b/apps/assets/serializers/account/template.py
index 4599ca0e7..7a7de7f11 100644
--- a/apps/assets/serializers/account/template.py
+++ b/apps/assets/serializers/account/template.py
@@ -1,3 +1,4 @@
+from common.drf.serializers import SecretReadableMixin
 from assets.models import AccountTemplate
 from .base import BaseAccountSerializer
 
@@ -17,3 +18,10 @@ class AccountTemplateSerializer(BaseAccountSerializer):
     #     if not required_field_dict:
     #         return
     #     raise serializers.ValidationError(required_field_dict)
+
+
+class AccountTemplateSecretSerializer(SecretReadableMixin, AccountTemplateSerializer):
+    class Meta(AccountTemplateSerializer.Meta):
+        extra_kwargs = {
+            'secret': {'write_only': False},
+        }
diff --git a/apps/assets/urls/api_urls.py b/apps/assets/urls/api_urls.py
index a7077aa39..773f5c348 100644
--- a/apps/assets/urls/api_urls.py
+++ b/apps/assets/urls/api_urls.py
@@ -16,6 +16,7 @@ router.register(r'webs', api.WebViewSet, 'web')
 router.register(r'clouds', api.CloudViewSet, 'cloud')
 router.register(r'accounts', api.AccountViewSet, 'account')
 router.register(r'account-templates', api.AccountTemplateViewSet, 'account-template')
+router.register(r'account-template-secrets', api.AccountTemplateSecretsViewSet, 'account-template-secret')
 router.register(r'account-secrets', api.AccountSecretsViewSet, 'account-secret')
 router.register(r'platforms', api.AssetPlatformViewSet, 'platform')
 router.register(r'labels', api.LabelViewSet, 'label')