Secret
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const aws = new vault.aws.SecretBackend("aws", {
accessKey: "AKIA.....",
secretKey: "AWS secret key",
});
const role = new vault.aws.SecretBackendRole("role", {
backend: aws.path,
name: "deploy",
credentialType: "iam_user",
policyDocument: `{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}
`,
});import pulumi
import pulumi_vault as vault
aws = vault.aws.SecretBackend("aws",
access_key="AKIA.....",
secret_key="AWS secret key")
role = vault.aws.SecretBackendRole("role",
backend=aws.path,
name="deploy",
credential_type="iam_user",
policy_document="""{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}
""")using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var aws = new Vault.Aws.SecretBackend("aws", new()
{
AccessKey = "AKIA.....",
SecretKey = "AWS secret key",
});
var role = new Vault.Aws.SecretBackendRole("role", new()
{
Backend = aws.Path,
Name = "deploy",
CredentialType = "iam_user",
PolicyDocument = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
""Effect"": ""Allow"",
""Action"": ""iam:*"",
""Resource"": ""*""
}
]
}
",
});
});package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/aws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
aws, err := aws.NewSecretBackend(ctx, "aws", &aws.SecretBackendArgs{
AccessKey: pulumi.String("AKIA....."),
SecretKey: pulumi.String("AWS secret key"),
})
if err != nil {
return err
}
_, err = aws.NewSecretBackendRole(ctx, "role", &aws.SecretBackendRoleArgs{
Backend: aws.Path,
Name: pulumi.String("deploy"),
CredentialType: pulumi.String("iam_user"),
PolicyDocument: pulumi.String(`{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}
`),
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.aws.SecretBackend;
import com.pulumi.vault.aws.SecretBackendArgs;
import com.pulumi.vault.aws.SecretBackendRole;
import com.pulumi.vault.aws.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var aws = new SecretBackend("aws", SecretBackendArgs.builder()
.accessKey("AKIA.....")
.secretKey("AWS secret key")
.build());
var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
.backend(aws.path())
.name("deploy")
.credentialType("iam_user")
.policyDocument("""
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}
""")
.build());
}
}resources:
aws:
type: vault:aws:SecretBackend
properties:
accessKey: AKIA.....
secretKey: AWS secret key
role:
type: vault:aws:SecretBackendRole
properties:
backend: ${aws.path}
name: deploy
credentialType: iam_user
policyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}Import
AWS secret backend roles can be imported using the path, e.g.
$ pulumi import vault:aws/secretBackendRole:SecretBackendRole role aws/roles/deployProperties
Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.