SecretBackend

The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

The default TTL for credentials issued by this backend.

A human-friendly description for this backend.

Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.

If set, opts out of mount migration on path updates. See here for more info on Mount Migration

Specifies a custom HTTP IAM endpoint to use.

The audience claim value. Requires Vault 1.16+.

The key to use for signing identity tokens. Requires Vault 1.16+.

The TTL of generated identity tokens in seconds. Requires Vault 1.16+.

Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.

The maximum TTL that can be requested for credentials issued by this backend.

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.

The AWS region to make API calls against. Defaults to us-east-1.

Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.

The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.

The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.

The AWS Secret Access Key to use when generating new credentials.

Specifies a custom HTTP STS endpoint to use.

Ordered list of sts_endpoints to try if the defined one fails. Requires Vault 1.19+

Ordered list of sts_regions matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+

Specifies the region of the STS endpoint. Should be included if sts_endpoint is supplied. Requires Vault 1.19+

Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: