SecretsMountArgs

/**
 * Arguments for the `vault:database:SecretsMount` resource: a Vault database secrets engine
 * mount plus the connection blocks (one list per engine family) configured under it.
 *
 * Every property is an optional [Output] defaulting to `null`; unset values are left to the
 * provider's defaults. The per-engine connection blocks carry root credentials for the target
 * database (the `username`/`password`/`connectionUrl` fields in the examples); in a real stack
 * those values belong in secret config rather than in source literals.
 *
 * @property allowedManagedKeys Set of managed key registry entry names that the mount in question is allowed to access.
 * @property allowedResponseHeaders List of headers to allow and pass from the request to the plugin.
 * @property auditNonHmacRequestKeys Keys that will not be HMAC'd by audit devices in the request data object.
 * @property auditNonHmacResponseKeys Keys that will not be HMAC'd by audit devices in the response data object.
 * @property cassandras Nested blocks with configuration options for Cassandra connections.
 * @property couchbases Nested blocks with configuration options for Couchbase connections.
 * @property defaultLeaseTtlSeconds Default lease duration for tokens and secrets in seconds.
 * @property delegatedAuthAccessors Delegated-auth accessors for the mount; the page's own text for this property repeats the headers description, so confirm the meaning against the provider schema.
 * @property description Human-friendly description of the mount.
 * @property elasticsearches Nested blocks with configuration options for Elasticsearch connections.
 * @property externalEntropyAccess Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source.
 * @property hanas Nested blocks with configuration options for SAP HanaDB connections.
 * @property identityTokenKey The key to use for signing plugin workload identity tokens.
 * @property influxdbs Nested blocks with configuration options for InfluxDB connections.
 * @property listingVisibility Whether to show this mount in the UI-specific listing endpoint.
 * @property local Boolean flag that can be explicitly set to true to enforce a local mount in an HA environment.
 * @property maxLeaseTtlSeconds Maximum possible lease duration for tokens and secrets in seconds.
 * @property mongodbatlas Nested blocks with configuration options for MongoDB Atlas connections.
 * @property mongodbs Nested blocks with configuration options for MongoDB connections.
 * @property mssqls Nested blocks with configuration options for MSSQL connections.
 * @property mysqlAuroras Nested blocks with configuration options for Aurora MySQL connections.
 * @property mysqlLegacies Nested blocks with configuration options for legacy MySQL connections.
 * @property mysqlRds Nested blocks with configuration options for RDS MySQL connections.
 * @property mysqls Nested blocks with configuration options for MySQL connections.
 * @property namespace Target namespace (requires Enterprise).
 * @property options Mount-type-specific options that are passed to the backend.
 * @property oracles Nested blocks with configuration options for Oracle connections.
 * @property passthroughRequestHeaders List of headers to allow and pass from the request to the plugin.
 * @property path Where the secret backend will be mounted.
 * @property pluginVersion Semantic version of the plugin to use, e.g. 'v1.0.0'.
 * @property postgresqls Nested blocks with configuration options for PostgreSQL connections.
 * @property redis Nested blocks with configuration options for Redis connections.
 * @property redisElasticaches Nested blocks with configuration options for Redis ElastiCache connections.
 * @property redshifts Nested blocks with configuration options for AWS Redshift connections.
 * @property sealWrap Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability.
 * @property snowflakes Nested blocks with configuration options for Snowflake connections.
 */
data class SecretsMountArgs(
    val allowedManagedKeys: Output<List<String>>? = null,
    val allowedResponseHeaders: Output<List<String>>? = null,
    val auditNonHmacRequestKeys: Output<List<String>>? = null,
    val auditNonHmacResponseKeys: Output<List<String>>? = null,
    val cassandras: Output<List<SecretsMountCassandraArgs>>? = null,
    val couchbases: Output<List<SecretsMountCouchbaseArgs>>? = null,
    val defaultLeaseTtlSeconds: Output<Int>? = null,
    val delegatedAuthAccessors: Output<List<String>>? = null,
    val description: Output<String>? = null,
    val elasticsearches: Output<List<SecretsMountElasticsearchArgs>>? = null,
    val externalEntropyAccess: Output<Boolean>? = null,
    val hanas: Output<List<SecretsMountHanaArgs>>? = null,
    val identityTokenKey: Output<String>? = null,
    val influxdbs: Output<List<SecretsMountInfluxdbArgs>>? = null,
    val listingVisibility: Output<String>? = null,
    val local: Output<Boolean>? = null,
    val maxLeaseTtlSeconds: Output<Int>? = null,
    val mongodbatlas: Output<List<SecretsMountMongodbatlaArgs>>? = null,
    val mongodbs: Output<List<SecretsMountMongodbArgs>>? = null,
    val mssqls: Output<List<SecretsMountMssqlArgs>>? = null,
    val mysqlAuroras: Output<List<SecretsMountMysqlAuroraArgs>>? = null,
    val mysqlLegacies: Output<List<SecretsMountMysqlLegacyArgs>>? = null,
    val mysqlRds: Output<List<SecretsMountMysqlRdArgs>>? = null,
    val mysqls: Output<List<SecretsMountMysqlArgs>>? = null,
    val namespace: Output<String>? = null,
    val options: Output<Map<String, String>>? = null,
    val oracles: Output<List<SecretsMountOracleArgs>>? = null,
    val passthroughRequestHeaders: Output<List<String>>? = null,
    val path: Output<String>? = null,
    val pluginVersion: Output<String>? = null,
    val postgresqls: Output<List<SecretsMountPostgresqlArgs>>? = null,
    val redis: Output<List<SecretsMountRediArgs>>? = null,
    val redisElasticaches: Output<List<SecretsMountRedisElasticachArgs>>? = null,
    val redshifts: Output<List<SecretsMountRedshiftArgs>>? = null,
    val sealWrap: Output<Boolean>? = null,
    val snowflakes: Output<List<SecretsMountSnowflakeArgs>>? = null,
) : ConvertibleToJava<SecretsMountArgs>

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// Root-credential rotation settings shared by both connections (cron syntax).
const rotationSchedule = "0 * * * SAT";
const rotationWindow = 3600;

// Database secrets engine mounted at "db" with one MSSQL and one PostgreSQL
// connection. The inline passwords are example placeholders; a real stack
// should source them from secret config rather than keeping them in source.
const db = new vault.database.SecretsMount("db", {
    path: "db",
    mssqls: [
        {
            name: "db1",
            username: "sa",
            password: "super_secret_1",
            connectionUrl: "sqlserver://{{username}}:{{password}}@127.0.0.1:1433",
            allowedRoles: ["dev1"],
            rotationSchedule,
            rotationWindow,
        },
    ],
    postgresqls: [
        {
            name: "db2",
            username: "postgres",
            password: "super_secret_2",
            connectionUrl: "postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres",
            verifyConnection: true,
            allowedRoles: ["dev2"],
            rotationSchedule,
            rotationWindow,
        },
    ],
});

// Dynamic role for the MSSQL connection; {{name}}/{{password}} are
// placeholders Vault expands when issuing a credential.
const dev1 = new vault.database.SecretBackendRole("dev1", {
    name: "dev1",
    backend: db.path,
    dbName: db.mssqls.apply(mssqls => mssqls?.[0]?.name),
    creationStatements: [
        "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
        "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
        "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];",
    ],
});

// Dynamic role for the PostgreSQL connection; the login is bounded by
// VALID UNTIL '{{expiration}}'.
const dev2 = new vault.database.SecretBackendRole("dev2", {
    name: "dev2",
    backend: db.path,
    dbName: db.postgresqls.apply(postgresqls => postgresqls?.[0]?.name),
    creationStatements: [
        "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
        "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
    ],
});
import pulumi
import pulumi_vault as vault
# Root-credential rotation settings shared by both connections (cron syntax).
rotation_schedule = "0 * * * SAT"
rotation_window = 3600

# Database secrets engine mounted at "db" with one MSSQL and one PostgreSQL
# connection. The inline passwords are example placeholders; a real stack
# should source them from secret config rather than keeping them in source.
db = vault.database.SecretsMount(
    "db",
    path="db",
    mssqls=[
        {
            "name": "db1",
            "username": "sa",
            "password": "super_secret_1",
            "connection_url": "sqlserver://{{username}}:{{password}}@127.0.0.1:1433",
            "allowed_roles": ["dev1"],
            "rotation_schedule": rotation_schedule,
            "rotation_window": rotation_window,
        }
    ],
    postgresqls=[
        {
            "name": "db2",
            "username": "postgres",
            "password": "super_secret_2",
            "connection_url": "postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres",
            "verify_connection": True,
            "allowed_roles": ["dev2"],
            "rotation_schedule": rotation_schedule,
            "rotation_window": rotation_window,
        }
    ],
)

# Dynamic role for the MSSQL connection; {{name}}/{{password}} are
# placeholders Vault expands when issuing a credential.
dev1 = vault.database.SecretBackendRole(
    "dev1",
    name="dev1",
    backend=db.path,
    db_name=db.mssqls[0].name,
    creation_statements=[
        "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
        "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
        "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];",
    ],
)

# Dynamic role for the PostgreSQL connection; the login is bounded by
# VALID UNTIL '{{expiration}}'.
dev2 = vault.database.SecretBackendRole(
    "dev2",
    name="dev2",
    backend=db.path,
    db_name=db.postgresqls[0].name,
    creation_statements=[
        "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
        "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
    ],
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // Root-credential rotation settings shared by both connections (cron syntax).
    const string rotationSchedule = "0 * * * SAT";
    const int rotationWindow = 3600;

    // Database secrets engine mounted at "db" with one MSSQL and one PostgreSQL
    // connection. The inline passwords are example placeholders; a real stack
    // should source them from secret config rather than keeping them in source.
    var db = new Vault.Database.SecretsMount("db", new()
    {
        Path = "db",
        Mssqls = new[]
        {
            new Vault.Database.Inputs.SecretsMountMssqlArgs
            {
                Name = "db1",
                Username = "sa",
                Password = "super_secret_1",
                ConnectionUrl = "sqlserver://{{username}}:{{password}}@127.0.0.1:1433",
                AllowedRoles = new[] { "dev1" },
                RotationSchedule = rotationSchedule,
                RotationWindow = rotationWindow,
            },
        },
        Postgresqls = new[]
        {
            new Vault.Database.Inputs.SecretsMountPostgresqlArgs
            {
                Name = "db2",
                Username = "postgres",
                Password = "super_secret_2",
                ConnectionUrl = "postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres",
                VerifyConnection = true,
                AllowedRoles = new[] { "dev2" },
                RotationSchedule = rotationSchedule,
                RotationWindow = rotationWindow,
            },
        },
    });

    // Dynamic role for the MSSQL connection; {{name}}/{{password}} are
    // placeholders Vault expands when issuing a credential.
    var dev1 = new Vault.Database.SecretBackendRole("dev1", new()
    {
        Name = "dev1",
        Backend = db.Path,
        DbName = db.Mssqls.Apply(mssqls => mssqls[0]?.Name),
        CreationStatements = new[]
        {
            "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
            "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
            "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];",
        },
    });

    // Dynamic role for the PostgreSQL connection; the login is bounded by
    // VALID UNTIL '{{expiration}}'.
    var dev2 = new Vault.Database.SecretBackendRole("dev2", new()
    {
        Name = "dev2",
        Backend = db.Path,
        DbName = db.Postgresqls.Apply(postgresqls => postgresqls[0]?.Name),
        CreationStatements = new[]
        {
            "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
            "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
        },
    });
});
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/database"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
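func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Root-credential rotation settings shared by both connections (cron syntax).
		rotationSchedule := pulumi.String("0 * * * SAT")
		rotationWindow := pulumi.Int(3600)

		// Database secrets engine mounted at "db" with one MSSQL and one PostgreSQL
		// connection. The inline passwords are example placeholders; a real stack
		// should source them from secret config rather than keeping them in source.
		db, err := database.NewSecretsMount(ctx, "db", &database.SecretsMountArgs{
			Path: pulumi.String("db"),
			Mssqls: database.SecretsMountMssqlArray{
				&database.SecretsMountMssqlArgs{
					Name:             pulumi.String("db1"),
					Username:         pulumi.String("sa"),
					Password:         pulumi.String("super_secret_1"),
					ConnectionUrl:    pulumi.String("sqlserver://{{username}}:{{password}}@127.0.0.1:1433"),
					AllowedRoles:     pulumi.StringArray{pulumi.String("dev1")},
					RotationSchedule: rotationSchedule,
					RotationWindow:   rotationWindow,
				},
			},
			Postgresqls: database.SecretsMountPostgresqlArray{
				&database.SecretsMountPostgresqlArgs{
					Name:             pulumi.String("db2"),
					Username:         pulumi.String("postgres"),
					Password:         pulumi.String("super_secret_2"),
					ConnectionUrl:    pulumi.String("postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres"),
					VerifyConnection: pulumi.Bool(true),
					AllowedRoles:     pulumi.StringArray{pulumi.String("dev2")},
					RotationSchedule: rotationSchedule,
					RotationWindow:   rotationWindow,
				},
			},
		})
		if err != nil {
			return err
		}

		// DbName takes a pulumi.StringInput. pulumi.String is a plain string
		// conversion and cannot wrap an Output, so the ApplyT result is used
		// directly; the callbacks return string (not *string) so the type
		// assertion to pulumi.StringOutput holds.
		mssqlName := db.Mssqls.ApplyT(func(mssqls []database.SecretsMountMssql) (string, error) {
			return mssqls[0].Name, nil
		}).(pulumi.StringOutput)
		postgresName := db.Postgresqls.ApplyT(func(postgresqls []database.SecretsMountPostgresql) (string, error) {
			return postgresqls[0].Name, nil
		}).(pulumi.StringOutput)

		// Dynamic role for the MSSQL connection; {{name}}/{{password}} are
		// placeholders Vault expands when issuing a credential.
		_, err = database.NewSecretBackendRole(ctx, "dev1", &database.SecretBackendRoleArgs{
			Name:    pulumi.String("dev1"),
			Backend: db.Path,
			DbName:  mssqlName,
			CreationStatements: pulumi.StringArray{
				pulumi.String("CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';"),
				pulumi.String("CREATE USER [{{name}}] FOR LOGIN [{{name}}];"),
				pulumi.String("GRANT SELECT ON SCHEMA::dbo TO [{{name}}];"),
			},
		})
		if err != nil {
			return err
		}

		// Dynamic role for the PostgreSQL connection; the login is bounded by
		// VALID UNTIL '{{expiration}}'.
		_, err = database.NewSecretBackendRole(ctx, "dev2", &database.SecretBackendRoleArgs{
			Name:    pulumi.String("dev2"),
			Backend: db.Path,
			DbName:  postgresName,
			CreationStatements: pulumi.StringArray{
				pulumi.String("CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"),
				pulumi.String("GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}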
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.database.SecretsMount;
import com.pulumi.vault.database.SecretsMountArgs;
import com.pulumi.vault.database.inputs.SecretsMountMssqlArgs;
import com.pulumi.vault.database.inputs.SecretsMountPostgresqlArgs;
import com.pulumi.vault.database.SecretBackendRole;
import com.pulumi.vault.database.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
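public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the "db" database secrets mount (one MSSQL and one PostgreSQL
     * connection) and a dynamic role bound to each connection.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Root-credential rotation settings shared by both connections (cron syntax).
        final var rotationSchedule = "0 * * * SAT";
        final var rotationWindow = 3600;

        // The inline passwords are example placeholders; a real stack should
        // source them from secret config rather than keeping them in source.
        var db = new SecretsMount("db", SecretsMountArgs.builder()
            .path("db")
            .mssqls(SecretsMountMssqlArgs.builder()
                .name("db1")
                .username("sa")
                .password("super_secret_1")
                .connectionUrl("sqlserver://{{username}}:{{password}}@127.0.0.1:1433")
                .allowedRoles("dev1")
                .rotationSchedule(rotationSchedule)
                .rotationWindow(rotationWindow)
                .build())
            .postgresqls(SecretsMountPostgresqlArgs.builder()
                .name("db2")
                .username("postgres")
                .password("super_secret_2")
                .connectionUrl("postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres")
                .verifyConnection(true)
                .allowedRoles("dev2")
                .rotationSchedule(rotationSchedule)
                .rotationWindow(rotationWindow)
                .build())
            .build());

        // The connection outputs are java.util.List values, which cannot be
        // indexed with []; use get(0). {{name}}/{{password}} are placeholders
        // Vault expands when issuing a credential.
        var dev1 = new SecretBackendRole("dev1", SecretBackendRoleArgs.builder()
            .name("dev1")
            .backend(db.path())
            .dbName(db.mssqls().applyValue(mssqls -> mssqls.get(0).name()))
            .creationStatements(
                "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
                "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
                "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];")
            .build());

        // PostgreSQL role; the login is bounded by VALID UNTIL '{{expiration}}'.
        var dev2 = new SecretBackendRole("dev2", SecretBackendRoleArgs.builder()
            .name("dev2")
            .backend(db.path())
            .dbName(db.postgresqls().applyValue(postgresqls -> postgresqls.get(0).name()))
            .creationStatements(
                "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
                "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";")
            .build());
    }
}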
resources:
  # Database secrets engine mounted at "db" with one MSSQL and one PostgreSQL
  # connection. The inline passwords are example placeholders; a real stack
  # should source them from secret config rather than keeping them in source.
  db:
    type: vault:database:SecretsMount
    properties:
      path: db
      mssqls:
        - name: db1
          username: sa
          password: super_secret_1
          connectionUrl: sqlserver://{{username}}:{{password}}@127.0.0.1:1433
          allowedRoles:
            - dev1
          # Root-credential rotation (cron syntax).
          rotationSchedule: 0 * * * SAT
          rotationWindow: 3600
      postgresqls:
        - name: db2
          username: postgres
          password: super_secret_2
          connectionUrl: postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres
          verifyConnection: true
          allowedRoles:
            - dev2
          rotationSchedule: 0 * * * SAT
          rotationWindow: 3600
  # Dynamic role for the MSSQL connection; {{name}}/{{password}} are
  # placeholders Vault expands when issuing a credential.
  dev1:
    type: vault:database:SecretBackendRole
    properties:
      name: dev1
      backend: ${db.path}
      dbName: ${db.mssqls[0].name}
      creationStatements:
        - CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
        - CREATE USER [{{name}}] FOR LOGIN [{{name}}];
        - GRANT SELECT ON SCHEMA::dbo TO [{{name}}];
  # Dynamic role for the PostgreSQL connection; the login is bounded by
  # VALID UNTIL '{{expiration}}'.
  dev2:
    type: vault:database:SecretBackendRole
    properties:
      name: dev2
      backend: ${db.path}
      dbName: ${db.postgresqls[0].name}
      creationStatements:
        - CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
        - GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";

Import

Database secret backend connections can be imported using the path, e.g.

$ pulumi import vault:database/secretsMount:SecretsMount db db

Constructors

constructor(allowedManagedKeys: Output<List<String>>? = null, allowedResponseHeaders: Output<List<String>>? = null, auditNonHmacRequestKeys: Output<List<String>>? = null, auditNonHmacResponseKeys: Output<List<String>>? = null, cassandras: Output<List<SecretsMountCassandraArgs>>? = null, couchbases: Output<List<SecretsMountCouchbaseArgs>>? = null, defaultLeaseTtlSeconds: Output<Int>? = null, delegatedAuthAccessors: Output<List<String>>? = null, description: Output<String>? = null, elasticsearches: Output<List<SecretsMountElasticsearchArgs>>? = null, externalEntropyAccess: Output<Boolean>? = null, hanas: Output<List<SecretsMountHanaArgs>>? = null, identityTokenKey: Output<String>? = null, influxdbs: Output<List<SecretsMountInfluxdbArgs>>? = null, listingVisibility: Output<String>? = null, local: Output<Boolean>? = null, maxLeaseTtlSeconds: Output<Int>? = null, mongodbatlas: Output<List<SecretsMountMongodbatlaArgs>>? = null, mongodbs: Output<List<SecretsMountMongodbArgs>>? = null, mssqls: Output<List<SecretsMountMssqlArgs>>? = null, mysqlAuroras: Output<List<SecretsMountMysqlAuroraArgs>>? = null, mysqlLegacies: Output<List<SecretsMountMysqlLegacyArgs>>? = null, mysqlRds: Output<List<SecretsMountMysqlRdArgs>>? = null, mysqls: Output<List<SecretsMountMysqlArgs>>? = null, namespace: Output<String>? = null, options: Output<Map<String, String>>? = null, oracles: Output<List<SecretsMountOracleArgs>>? = null, passthroughRequestHeaders: Output<List<String>>? = null, path: Output<String>? = null, pluginVersion: Output<String>? = null, postgresqls: Output<List<SecretsMountPostgresqlArgs>>? = null, redis: Output<List<SecretsMountRediArgs>>? = null, redisElasticaches: Output<List<SecretsMountRedisElasticachArgs>>? = null, redshifts: Output<List<SecretsMountRedshiftArgs>>? = null, sealWrap: Output<Boolean>? = null, snowflakes: Output<List<SecretsMountSnowflakeArgs>>? = null)

Properties

val allowedManagedKeys: Output<List<String>>? = null

Set of managed key registry entry names that the mount in question is allowed to access. The following arguments are common to all database engines:

val allowedResponseHeaders: Output<List<String>>? = null

List of headers to allow and pass from the request to the plugin

val auditNonHmacRequestKeys: Output<List<String>>? = null

Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

val auditNonHmacResponseKeys: Output<List<String>>? = null

Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.


A nested block containing configuration options for Cassandra connections. See Configuration Options for more info


A nested block containing configuration options for Couchbase connections. See Configuration Options for more info

val defaultLeaseTtlSeconds: Output<Int>? = null

Default lease duration for tokens and secrets in seconds

val delegatedAuthAccessors: Output<List<String>>? = null

List of headers to allow and pass from the request to the plugin

val description: Output<String>? = null

Human-friendly description of the mount


A nested block containing configuration options for Elasticsearch connections. See Configuration Options for more info

val externalEntropyAccess: Output<Boolean>? = null

Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source

val hanas: Output<List<SecretsMountHanaArgs>>? = null

A nested block containing configuration options for SAP HanaDB connections. See Configuration Options for more info

val identityTokenKey: Output<String>? = null

The key to use for signing plugin workload identity tokens


A nested block containing configuration options for InfluxDB connections. See Configuration Options for more info

val listingVisibility: Output<String>? = null

Specifies whether to show this mount in the UI-specific listing endpoint

val local: Output<Boolean>? = null

Boolean flag that can be explicitly set to true to enforce local mount in HA environment

val maxLeaseTtlSeconds: Output<Int>? = null

Maximum possible lease duration for tokens and secrets in seconds


A nested block containing configuration options for MongoDB Atlas connections. See Configuration Options for more info

val mongodbs: Output<List<SecretsMountMongodbArgs>>? = null

A nested block containing configuration options for MongoDB connections. See Configuration Options for more info

val mssqls: Output<List<SecretsMountMssqlArgs>>? = null

A nested block containing configuration options for MSSQL connections. See Configuration Options for more info


A nested block containing configuration options for Aurora MySQL connections. See Configuration Options for more info


A nested block containing configuration options for legacy MySQL connections. See Configuration Options for more info

val mysqlRds: Output<List<SecretsMountMysqlRdArgs>>? = null

A nested block containing configuration options for RDS MySQL connections. See Configuration Options for more info

val mysqls: Output<List<SecretsMountMysqlArgs>>? = null

A nested block containing configuration options for MySQL connections. See Configuration Options for more info

val namespace: Output<String>? = null

Target namespace. (requires Enterprise)

val options: Output<Map<String, String>>? = null

Specifies mount type specific options that are passed to the backend

val oracles: Output<List<SecretsMountOracleArgs>>? = null

A nested block containing configuration options for Oracle connections. See Configuration Options for more info

val passthroughRequestHeaders: Output<List<String>>? = null

List of headers to allow and pass from the request to the plugin

val path: Output<String>? = null

Where the secret backend will be mounted

val pluginVersion: Output<String>? = null

Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'


A nested block containing configuration options for PostgreSQL connections. See Configuration Options for more info

val redis: Output<List<SecretsMountRediArgs>>? = null

A nested block containing configuration options for Redis connections. See Configuration Options for more info


A nested block containing configuration options for Redis ElastiCache connections. See Configuration Options for more info


A nested block containing configuration options for AWS Redshift connections. See Configuration Options for more info

val sealWrap: Output<Boolean>? = null

Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability


A nested block containing configuration options for Snowflake connections. See Configuration Options for more info

Functions

open override fun toJava(): SecretsMountArgs