Auth
Example Usage
You can setup the Azure auth engine with Workload Identity Federation (WIF) for a secret-less configuration:
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const example = new vault.AuthBackend("example", {
type: "azure",
identityTokenKey: "example-key",
});
const exampleAuthBackendConfig = new vault.azure.AuthBackendConfig("example", {
backend: example.path,
tenantId: "11111111-2222-3333-4444-555555555555",
clientId: "11111111-2222-3333-4444-555555555555",
identityTokenAudience: "<TOKEN_AUDIENCE>",
identityTokenTtl: "<TOKEN_TTL>",
rotationSchedule: "0 * * * SAT",
rotationWindow: 3600,
});Content copied to clipboard
import pulumi
import pulumi_vault as vault
example = vault.AuthBackend("example",
type="azure",
identity_token_key="example-key")
example_auth_backend_config = vault.azure.AuthBackendConfig("example",
backend=example.path,
tenant_id="11111111-2222-3333-4444-555555555555",
client_id="11111111-2222-3333-4444-555555555555",
identity_token_audience="<TOKEN_AUDIENCE>",
identity_token_ttl="<TOKEN_TTL>",
rotation_schedule="0 * * * SAT",
rotation_window=3600)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var example = new Vault.AuthBackend("example", new()
{
Type = "azure",
IdentityTokenKey = "example-key",
});
var exampleAuthBackendConfig = new Vault.Azure.AuthBackendConfig("example", new()
{
Backend = example.Path,
TenantId = "11111111-2222-3333-4444-555555555555",
ClientId = "11111111-2222-3333-4444-555555555555",
IdentityTokenAudience = "<TOKEN_AUDIENCE>",
IdentityTokenTtl = "<TOKEN_TTL>",
RotationSchedule = "0 * * * SAT",
RotationWindow = 3600,
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/azure"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := vault.NewAuthBackend(ctx, "example", &vault.AuthBackendArgs{
Type: pulumi.String("azure"),
IdentityTokenKey: pulumi.String("example-key"),
})
if err != nil {
return err
}
_, err = azure.NewAuthBackendConfig(ctx, "example", &azure.AuthBackendConfigArgs{
Backend: example.Path,
TenantId: pulumi.String("11111111-2222-3333-4444-555555555555"),
ClientId: pulumi.String("11111111-2222-3333-4444-555555555555"),
IdentityTokenAudience: pulumi.String("<TOKEN_AUDIENCE>"),
IdentityTokenTtl: pulumi.Int("<TOKEN_TTL>"),
RotationSchedule: pulumi.String("0 * * * SAT"),
RotationWindow: pulumi.Int(3600),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.azure.AuthBackendConfig;
import com.pulumi.vault.azure.AuthBackendConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new AuthBackend("example", AuthBackendArgs.builder()
.type("azure")
.identityTokenKey("example-key")
.build());
var exampleAuthBackendConfig = new AuthBackendConfig("exampleAuthBackendConfig", AuthBackendConfigArgs.builder()
.backend(example.path())
.tenantId("11111111-2222-3333-4444-555555555555")
.clientId("11111111-2222-3333-4444-555555555555")
.identityTokenAudience("<TOKEN_AUDIENCE>")
.identityTokenTtl("<TOKEN_TTL>")
.rotationSchedule("0 * * * SAT")
.rotationWindow(3600)
.build());
}
}Content copied to clipboard
resources:
example:
type: vault:AuthBackend
properties:
type: azure
identityTokenKey: example-key
exampleAuthBackendConfig:
type: vault:azure:AuthBackendConfig
name: example
properties:
backend: ${example.path}
tenantId: 11111111-2222-3333-4444-555555555555
clientId: 11111111-2222-3333-4444-555555555555
identityTokenAudience: <TOKEN_AUDIENCE>
identityTokenTtl: <TOKEN_TTL>
rotationSchedule: 0 * * * SAT
rotationWindow: 3600Content copied to clipboard
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const example = new vault.AuthBackend("example", {type: "azure"});
const exampleAuthBackendConfig = new vault.azure.AuthBackendConfig("example", {
backend: example.path,
tenantId: "11111111-2222-3333-4444-555555555555",
clientId: "11111111-2222-3333-4444-555555555555",
clientSecret: "01234567890123456789",
resource: "https://vault.hashicorp.com",
rotationSchedule: "0 * * * SAT",
rotationWindow: 3600,
});Content copied to clipboard
import pulumi
import pulumi_vault as vault
example = vault.AuthBackend("example", type="azure")
example_auth_backend_config = vault.azure.AuthBackendConfig("example",
backend=example.path,
tenant_id="11111111-2222-3333-4444-555555555555",
client_id="11111111-2222-3333-4444-555555555555",
client_secret="01234567890123456789",
resource="https://vault.hashicorp.com",
rotation_schedule="0 * * * SAT",
rotation_window=3600)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var example = new Vault.AuthBackend("example", new()
{
Type = "azure",
});
var exampleAuthBackendConfig = new Vault.Azure.AuthBackendConfig("example", new()
{
Backend = example.Path,
TenantId = "11111111-2222-3333-4444-555555555555",
ClientId = "11111111-2222-3333-4444-555555555555",
ClientSecret = "01234567890123456789",
Resource = "https://vault.hashicorp.com",
RotationSchedule = "0 * * * SAT",
RotationWindow = 3600,
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/azure"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := vault.NewAuthBackend(ctx, "example", &vault.AuthBackendArgs{
Type: pulumi.String("azure"),
})
if err != nil {
return err
}
_, err = azure.NewAuthBackendConfig(ctx, "example", &azure.AuthBackendConfigArgs{
Backend: example.Path,
TenantId: pulumi.String("11111111-2222-3333-4444-555555555555"),
ClientId: pulumi.String("11111111-2222-3333-4444-555555555555"),
ClientSecret: pulumi.String("01234567890123456789"),
Resource: pulumi.String("https://vault.hashicorp.com"),
RotationSchedule: pulumi.String("0 * * * SAT"),
RotationWindow: pulumi.Int(3600),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.azure.AuthBackendConfig;
import com.pulumi.vault.azure.AuthBackendConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new AuthBackend("example", AuthBackendArgs.builder()
.type("azure")
.build());
var exampleAuthBackendConfig = new AuthBackendConfig("exampleAuthBackendConfig", AuthBackendConfigArgs.builder()
.backend(example.path())
.tenantId("11111111-2222-3333-4444-555555555555")
.clientId("11111111-2222-3333-4444-555555555555")
.clientSecret("01234567890123456789")
.resource("https://vault.hashicorp.com")
.rotationSchedule("0 * * * SAT")
.rotationWindow(3600)
.build());
}
}Content copied to clipboard
resources:
example:
type: vault:AuthBackend
properties:
type: azure
exampleAuthBackendConfig:
type: vault:azure:AuthBackendConfig
name: example
properties:
backend: ${example.path}
tenantId: 11111111-2222-3333-4444-555555555555
clientId: 11111111-2222-3333-4444-555555555555
clientSecret: '01234567890123456789'
resource: https://vault.hashicorp.com
rotationSchedule: 0 * * * SAT
rotationWindow: 3600Content copied to clipboard
Import
Azure auth backends can be imported using auth/, the backend path, and /config e.g.
$ pulumi import vault:azure/authBackendConfig:AuthBackendConfig example auth/azure/configContent copied to clipboard
Properties
Link copied to clipboard
The client secret for credentials to query the Azure APIs.
Link copied to clipboard
Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise
Link copied to clipboard
The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults to AzurePublicCloud.
Link copied to clipboard
The audience claim value for plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise
Link copied to clipboard
The TTL of generated identity tokens in seconds.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise
Link copied to clipboard
The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise
Link copied to clipboard
The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise