SecretBackend

The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

The default TTL for credentials issued by this backend.

A human-friendly description for this backend.

If set, opts out of mount migration on path updates. See here for more info on Mount Migration

Specifies a custom HTTP IAM endpoint to use.

The audience claim value. Requires Vault 1.16+.

The key to use for signing identity tokens. Requires Vault 1.16+.

The TTL of generated identity tokens in seconds. Requires Vault 1.16+.

Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.

The maximum TTL that can be requested for credentials issued by this backend.

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.

The AWS region to make API calls against. Defaults to us-east-1.

Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

The AWS Secret Access Key to use when generating new credentials.

Specifies a custom HTTP STS endpoint to use.

Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: