Secret Backend Static Role
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// Mount the Vault AWS secrets engine at the path "my-aws".
const awsBackend = new vault.aws.SecretBackend("aws", {
    description: "Obtain AWS credentials.",
    path: "my-aws",
});

// Static role "test", bound to the IAM user "my-test-user".
// rotationPeriod sets how often Vault rotates that user's credential;
// 3600 is presumably seconds (one hour) - confirm against the Vault docs.
// Anyone whose Vault policy can read this role receives the current
// credential, so scope read access to the mount accordingly.
const staticRoleArgs = {
    backend: awsBackend.path,
    name: "test",
    username: "my-test-user",
    rotationPeriod: 3600,
};
const staticRole = new vault.aws.SecretBackendStaticRole("role", staticRoleArgs);
import pulumi
import pulumi_vault as vault
# Mount the Vault AWS secrets engine at the path "my-aws".
aws_backend = vault.aws.SecretBackend(
    "aws",
    description="Obtain AWS credentials.",
    path="my-aws",
)

# Static role "test", bound to the IAM user "my-test-user".
# rotation_period sets how often Vault rotates that user's credential;
# 3600 is presumably seconds (one hour) - confirm against the Vault docs.
# Anyone whose Vault policy can read this role receives the current
# credential, so scope read access to the mount accordingly.
static_role = vault.aws.SecretBackendStaticRole(
    "role",
    backend=aws_backend.path,
    name="test",
    username="my-test-user",
    rotation_period=3600,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // Mount the Vault AWS secrets engine at the path "my-aws".
    var awsBackend = new Vault.Aws.SecretBackend("aws", new Vault.Aws.SecretBackendArgs
    {
        Description = "Obtain AWS credentials.",
        Path = "my-aws",
    });

    // Static role "test", bound to the IAM user "my-test-user".
    // RotationPeriod sets how often Vault rotates that user's credential;
    // 3600 is presumably seconds (one hour) - confirm against the Vault docs.
    // Anyone whose Vault policy can read this role receives the current
    // credential, so scope read access to the mount accordingly.
    var staticRole = new Vault.Aws.SecretBackendStaticRole("role", new Vault.Aws.SecretBackendStaticRoleArgs
    {
        Backend = awsBackend.Path,
        Name = "test",
        Username = "my-test-user",
        RotationPeriod = 3600,
    });
});
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/aws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
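// main registers a Vault AWS secrets engine mount and one static role on it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The local is named backend, not aws: a variable called aws shadows
		// the imported aws package for the rest of the closure, so the
		// aws.NewSecretBackendStaticRole call below would no longer compile.
		backend, err := aws.NewSecretBackend(ctx, "aws", &aws.SecretBackendArgs{
			Path:        pulumi.String("my-aws"),
			Description: pulumi.String("Obtain AWS credentials."),
		})
		if err != nil {
			return err
		}

		// Static role "test", bound to the IAM user "my-test-user".
		// RotationPeriod sets how often Vault rotates that user's credential;
		// 3600 is presumably seconds (one hour) - confirm against the Vault docs.
		// Anyone whose Vault policy can read this role receives the current
		// credential, so scope read access to the mount accordingly.
		_, err = aws.NewSecretBackendStaticRole(ctx, "role", &aws.SecretBackendStaticRoleArgs{
			Backend:        backend.Path,
			Name:           pulumi.String("test"),
			Username:       pulumi.String("my-test-user"),
			RotationPeriod: pulumi.Int(3600),
		})
		if err != nil {
			return err
		}
		return nil
	})
}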
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.aws.SecretBackend;
import com.pulumi.vault.aws.SecretBackendArgs;
import com.pulumi.vault.aws.SecretBackendStaticRole;
import com.pulumi.vault.aws.SecretBackendStaticRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
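/**
 * Pulumi program that mounts the Vault AWS secrets engine and defines one
 * static role on it.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi deployment context (not used by this example)
     */
    public static void stack(Context ctx) {
        // Mount the Vault AWS secrets engine at the path "my-aws".
        var aws = new SecretBackend("aws", SecretBackendArgs.builder()
            .path("my-aws")
            .description("Obtain AWS credentials.")
            .build());

        // Static role "test", bound to the IAM user "my-test-user".
        // rotationPeriod is an integer in the other language examples of this
        // resource (3600, presumably seconds), so it is passed as an int here
        // rather than as the string "3600".
        // Anyone whose Vault policy can read this role receives the current
        // credential, so scope read access to the mount accordingly.
        var role = new SecretBackendStaticRole("role", SecretBackendStaticRoleArgs.builder()
            .backend(aws.path())
            .name("test")
            .username("my-test-user")
            .rotationPeriod(3600)
            .build());
    }
}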
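# Nesting restored: with every key at column 0 the document no longer
# describes two resources and repeats top-level keys.
resources:
  # Mount the Vault AWS secrets engine at the path "my-aws".
  aws:
    type: vault:aws:SecretBackend
    properties:
      path: my-aws
      description: Obtain AWS credentials.
  # Static role "test", bound to the IAM user "my-test-user".
  # Anyone whose Vault policy can read this role receives the current
  # credential, so scope read access to the mount accordingly.
  role:
    type: vault:aws:SecretBackendStaticRole
    properties:
      backend: ${aws.path}
      name: test
      username: my-test-user
      # Integer, matching the other language examples of this resource
      # (presumably seconds, i.e. one hour).
      rotationPeriod: 3600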
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// Mount the Vault AWS secrets engine at the path "my-aws".
const awsBackend = new vault.aws.SecretBackend("aws", {
    description: "Obtain AWS credentials.",
    path: "my-aws",
});

// Static role that has Vault assume an IAM role through AWS STS.
// assumeRoleArn and assumeRoleSessionName must be set together; both,
// and externalId, require Vault 1.19+ Enterprise.
// The account ID and "test-id" are sample values: use the real role ARN
// and the external ID that the role's trust policy expects (its
// sts:ExternalId condition).
const assumeRoleArgs = {
    backend: awsBackend.path,
    name: "assume-role-test",
    username: "my-assume-role-user",
    assumeRoleArn: "arn:aws:iam::123456789012:role/assume-role",
    assumeRoleSessionName: "assume-role-session",
    externalId: "test-id",
    // Presumably seconds (one hour) - confirm against the Vault docs.
    rotationPeriod: 3600,
};
const assumeRole = new vault.aws.SecretBackendStaticRole("assume-role", assumeRoleArgs);
import pulumi
import pulumi_vault as vault
# Mount the Vault AWS secrets engine at the path "my-aws".
aws_backend = vault.aws.SecretBackend(
    "aws",
    description="Obtain AWS credentials.",
    path="my-aws",
)

# Static role that has Vault assume an IAM role through AWS STS.
# assume_role_arn and assume_role_session_name must be set together; both,
# and external_id, require Vault 1.19+ Enterprise.
# The account ID and "test-id" are sample values: use the real role ARN
# and the external ID that the role's trust policy expects (its
# sts:ExternalId condition).
assume_role_static = vault.aws.SecretBackendStaticRole(
    "assume-role",
    backend=aws_backend.path,
    name="assume-role-test",
    username="my-assume-role-user",
    assume_role_arn="arn:aws:iam::123456789012:role/assume-role",
    assume_role_session_name="assume-role-session",
    external_id="test-id",
    # Presumably seconds (one hour) - confirm against the Vault docs.
    rotation_period=3600,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // Mount the Vault AWS secrets engine at the path "my-aws".
    var awsBackend = new Vault.Aws.SecretBackend("aws", new Vault.Aws.SecretBackendArgs
    {
        Description = "Obtain AWS credentials.",
        Path = "my-aws",
    });

    // Static role that has Vault assume an IAM role through AWS STS.
    // AssumeRoleArn and AssumeRoleSessionName must be set together; both,
    // and ExternalId, require Vault 1.19+ Enterprise.
    // The account ID and "test-id" are sample values: use the real role ARN
    // and the external ID that the role's trust policy expects (its
    // sts:ExternalId condition).
    var assumeRole = new Vault.Aws.SecretBackendStaticRole("assume-role", new Vault.Aws.SecretBackendStaticRoleArgs
    {
        Backend = awsBackend.Path,
        Name = "assume-role-test",
        Username = "my-assume-role-user",
        AssumeRoleArn = "arn:aws:iam::123456789012:role/assume-role",
        AssumeRoleSessionName = "assume-role-session",
        ExternalId = "test-id",
        // Presumably seconds (one hour) - confirm against the Vault docs.
        RotationPeriod = 3600,
    });
});
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/aws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
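// main registers a Vault AWS secrets engine mount and one static role that
// has Vault assume an IAM role through AWS STS.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The local is named backend, not aws: a variable called aws shadows
		// the imported aws package for the rest of the closure, so the
		// aws.NewSecretBackendStaticRole call below would no longer compile.
		backend, err := aws.NewSecretBackend(ctx, "aws", &aws.SecretBackendArgs{
			Path:        pulumi.String("my-aws"),
			Description: pulumi.String("Obtain AWS credentials."),
		})
		if err != nil {
			return err
		}

		// AssumeRoleArn and AssumeRoleSessionName must be set together; both,
		// and ExternalId, require Vault 1.19+ Enterprise.
		// The account ID and "test-id" are sample values: use the real role
		// ARN and the external ID that the role's trust policy expects (its
		// sts:ExternalId condition).
		_, err = aws.NewSecretBackendStaticRole(ctx, "assume-role", &aws.SecretBackendStaticRoleArgs{
			Backend:               backend.Path,
			Name:                  pulumi.String("assume-role-test"),
			Username:              pulumi.String("my-assume-role-user"),
			AssumeRoleArn:         pulumi.String("arn:aws:iam::123456789012:role/assume-role"),
			AssumeRoleSessionName: pulumi.String("assume-role-session"),
			ExternalId:            pulumi.String("test-id"),
			// Presumably seconds (one hour) - confirm against the Vault docs.
			RotationPeriod: pulumi.Int(3600),
		})
		if err != nil {
			return err
		}
		return nil
	})
}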
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.aws.SecretBackend;
import com.pulumi.vault.aws.SecretBackendArgs;
import com.pulumi.vault.aws.SecretBackendStaticRole;
import com.pulumi.vault.aws.SecretBackendStaticRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
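/**
 * Pulumi program that mounts the Vault AWS secrets engine and defines one
 * static role that has Vault assume an IAM role through AWS STS.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi deployment context (not used by this example)
     */
    public static void stack(Context ctx) {
        // Mount the Vault AWS secrets engine at the path "my-aws".
        var aws = new SecretBackend("aws", SecretBackendArgs.builder()
            .path("my-aws")
            .description("Obtain AWS credentials.")
            .build());

        // assumeRoleArn and assumeRoleSessionName must be set together; both,
        // and externalId, require Vault 1.19+ Enterprise.
        // The account ID and "test-id" are sample values: use the real role
        // ARN and the external ID that the role's trust policy expects (its
        // sts:ExternalId condition).
        // rotationPeriod is an integer in the other language examples of this
        // resource (3600, presumably seconds), so it is passed as an int here
        // rather than as the string "3600".
        var assumeRole = new SecretBackendStaticRole("assume-role", SecretBackendStaticRoleArgs.builder()
            .backend(aws.path())
            .name("assume-role-test")
            .username("my-assume-role-user")
            .assumeRoleArn("arn:aws:iam::123456789012:role/assume-role")
            .assumeRoleSessionName("assume-role-session")
            .externalId("test-id")
            .rotationPeriod(3600)
            .build());
    }
}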
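# Nesting restored: with every key at column 0 the document no longer
# describes two resources and repeats top-level keys.
resources:
  # Mount the Vault AWS secrets engine at the path "my-aws".
  aws:
    type: vault:aws:SecretBackend
    properties:
      path: my-aws
      description: Obtain AWS credentials.
  # Static role that has Vault assume an IAM role through AWS STS.
  # assumeRoleArn and assumeRoleSessionName must be set together; both,
  # and externalId, require Vault 1.19+ Enterprise.
  assume-role:
    type: vault:aws:SecretBackendStaticRole
    properties:
      backend: ${aws.path}
      name: assume-role-test
      username: my-assume-role-user
      # Sample account ID and external ID: use the real role ARN and the
      # external ID that the role's trust policy expects (sts:ExternalId).
      assumeRoleArn: arn:aws:iam::123456789012:role/assume-role
      assumeRoleSessionName: assume-role-session
      externalId: test-id
      # Integer, matching the other language examples of this resource
      # (presumably seconds, i.e. one hour).
      rotationPeriod: 3600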
Import
An AWS secret backend static role can be imported using the full path to the role, which has the form `<mount_path>/static-roles/<role_name>`, e.g.
$ pulumi import vault:aws/secretBackendStaticRole:SecretBackendStaticRole role aws/static-roles/example-role
Properties
Specifies the ARN of the role that Vault should assume. When provided, Vault will use AWS STS to assume this role and generate temporary credentials. If `assume_role_arn` is provided, `assume_role_session_name` must also be provided. Requires Vault 1.19+. Available only for Vault Enterprise.
Specifies the session name to use when assuming the role. If `assume_role_session_name` is provided, `assume_role_arn` must also be provided. Requires Vault 1.19+. Available only for Vault Enterprise.
Specifies the external ID to use when assuming the role. Requires Vault 1.19+. Available only for Vault Enterprise.
How often Vault should rotate the password of the user entry.