Secrets Mount
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
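// Root credentials for the two connections come from stack config
// (`pulumi config set --secret mssqlRootPassword ...`) so they are never
// committed as literals and are stored encrypted in the stack state.
const cfg = new pulumi.Config();
const mssqlRootPassword = cfg.requireSecret("mssqlRootPassword");
const postgresRootPassword = cfg.requireSecret("postgresRootPassword");

// Mount the database secrets engine at `db` with one MSSQL and one PostgreSQL
// connection. `{{username}}`/`{{password}}` in connectionUrl are Vault
// templates filled from the username/password fields, which keeps the
// credential out of the literal URL. rotationSchedule/rotationWindow enable
// Vault-managed rotation of these root credentials (cron: top of every hour on
// Saturdays, rotationWindow seconds allowed); once Vault has rotated them the
// values supplied here are stale and must not be reused anywhere else.
const db = new vault.database.SecretsMount("db", {
    path: "db",
    mssqls: [{
        name: "db1",
        username: "sa",
        password: mssqlRootPassword,
        connectionUrl: "sqlserver://{{username}}:{{password}}@127.0.0.1:1433",
        // Fail at configure time if the credential is wrong (same as db2).
        verifyConnection: true,
        // Only these roles may mint credentials from this connection.
        allowedRoles: ["dev1"],
        rotationSchedule: "0 * * * SAT",
        rotationWindow: 3600,
    }],
    postgresqls: [{
        name: "db2",
        username: "postgres",
        password: postgresRootPassword,
        connectionUrl: "postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres",
        verifyConnection: true,
        allowedRoles: ["dev2"],
        rotationSchedule: "0 * * * SAT",
        rotationWindow: 3600,
    }],
});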
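// Dynamic-credential role for the MSSQL connection. Vault runs these
// statements with the root credential on every read of `db/creds/dev1`,
// substituting a generated {{name}} and {{password}}.
const dev1 = new vault.database.SecretBackendRole("dev1", {
    name: "dev1",
    backend: db.path,
    // Resolve the connection name from the mount rather than repeating "db1";
    // fail loudly instead of handing `undefined` to a required field.
    dbName: db.mssqls.apply((mssqls) => {
        const conn = mssqls?.[0];
        if (conn === undefined) {
            throw new Error("SecretsMount 'db' has no MSSQL connection");
        }
        return conn.name;
    }),
    // Least privilege: the generated login only gets SELECT on schema dbo.
    creationStatements: [
        "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
        "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
        "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];",
    ],
    // NOTE(review): no lease TTLs or revocation statements are set on this
    // role, so lease lifetime and cleanup fall back to the mount/plugin
    // defaults — confirm those are acceptable before using this beyond an
    // example.
});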
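// Dynamic-credential role for the PostgreSQL connection. {{expiration}} is
// filled by Vault with the lease expiry, so the database itself refuses the
// login after the lease ends even if revocation is delayed.
const dev2 = new vault.database.SecretBackendRole("dev2", {
    name: "dev2",
    backend: db.path,
    // Resolve the connection name from the mount rather than repeating "db2";
    // fail loudly instead of handing `undefined` to a required field.
    dbName: db.postgresqls.apply((postgresqls) => {
        const conn = postgresqls?.[0];
        if (conn === undefined) {
            throw new Error("SecretsMount 'db' has no PostgreSQL connection");
        }
        return conn.name;
    }),
    // Least privilege: SELECT on tables in `public` only (PostgreSQL applies
    // this to tables that exist at grant time).
    creationStatements: [
        "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
        "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
    ],
    // NOTE(review): no lease TTLs or revocation statements are set on this
    // role, so lease lifetime and cleanup fall back to the mount/plugin
    // defaults — confirm those are acceptable before using this beyond an
    // example.
});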
import pulumi
import pulumi_vault as vault
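# Root credentials for the two connections come from stack config
# (`pulumi config set --secret mssqlRootPassword ...`) so they are never
# committed as literals and are stored encrypted in the stack state.
config = pulumi.Config()
mssql_root_password = config.require_secret("mssqlRootPassword")
postgres_root_password = config.require_secret("postgresRootPassword")

# Mount the database secrets engine at "db" with one MSSQL and one PostgreSQL
# connection. {{username}}/{{password}} in connection_url are Vault templates
# filled from the username/password fields, keeping the credential out of the
# literal URL. rotation_schedule/rotation_window enable Vault-managed rotation
# of these root credentials (cron: top of every hour on Saturdays,
# rotation_window seconds allowed); once Vault has rotated them the values
# supplied here are stale and must not be reused anywhere else.
db = vault.database.SecretsMount(
    "db",
    path="db",
    mssqls=[{
        "name": "db1",
        "username": "sa",
        "password": mssql_root_password,
        "connection_url": "sqlserver://{{username}}:{{password}}@127.0.0.1:1433",
        # Fail at configure time if the credential is wrong (same as db2).
        "verify_connection": True,
        # Only these roles may mint credentials from this connection.
        "allowed_roles": ["dev1"],
        "rotation_schedule": "0 * * * SAT",
        "rotation_window": 3600,
    }],
    postgresqls=[{
        "name": "db2",
        "username": "postgres",
        "password": postgres_root_password,
        "connection_url": "postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres",
        "verify_connection": True,
        "allowed_roles": ["dev2"],
        "rotation_schedule": "0 * * * SAT",
        "rotation_window": 3600,
    }],
)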
# SQL that Vault runs (as the root credential) on every read of
# db/creds/dev1; {{name}} and {{password}} are generated by Vault. The login
# only gets SELECT on schema dbo.
mssql_dev_statements = [
    "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
    "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
    "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];",
]
# Dynamic-credential role bound to the mount's MSSQL connection.
dev1 = vault.database.SecretBackendRole(
    "dev1",
    backend=db.path,
    db_name=db.mssqls[0].name,
    name="dev1",
    creation_statements=mssql_dev_statements,
)
# SQL that Vault runs (as the root credential) on every read of
# db/creds/dev2. {{expiration}} is the lease expiry, so PostgreSQL itself
# rejects the login once the lease ends even if revocation is delayed.
postgres_dev_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
]
# Dynamic-credential role bound to the mount's PostgreSQL connection.
dev2 = vault.database.SecretBackendRole(
    "dev2",
    backend=db.path,
    db_name=db.postgresqls[0].name,
    name="dev2",
    creation_statements=postgres_dev_statements,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
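return await Deployment.RunAsync(() =>
{
    // Root credentials for the two connections come from stack config
    // (`pulumi config set --secret mssqlRootPassword ...`) so they are never
    // committed as literals and are stored encrypted in the stack state.
    var config = new Pulumi.Config();
    var mssqlRootPassword = config.RequireSecret("mssqlRootPassword");
    var postgresRootPassword = config.RequireSecret("postgresRootPassword");

    // Mount the database secrets engine at "db" with one MSSQL and one
    // PostgreSQL connection. {{username}}/{{password}} in ConnectionUrl are
    // Vault templates filled from Username/Password, keeping the credential
    // out of the literal URL. RotationSchedule/RotationWindow enable
    // Vault-managed rotation of these root credentials (cron: top of every
    // hour on Saturdays, RotationWindow seconds allowed); once Vault has
    // rotated them the values supplied here are stale and must not be reused.
    var db = new Vault.Database.SecretsMount("db", new()
    {
        Path = "db",
        Mssqls = new[]
        {
            new Vault.Database.Inputs.SecretsMountMssqlArgs
            {
                Name = "db1",
                Username = "sa",
                Password = mssqlRootPassword,
                ConnectionUrl = "sqlserver://{{username}}:{{password}}@127.0.0.1:1433",
                // Fail at configure time if the credential is wrong (same as db2).
                VerifyConnection = true,
                // Only these roles may mint credentials from this connection.
                AllowedRoles = new[] { "dev1" },
                RotationSchedule = "0 * * * SAT",
                RotationWindow = 3600,
            },
        },
        Postgresqls = new[]
        {
            new Vault.Database.Inputs.SecretsMountPostgresqlArgs
            {
                Name = "db2",
                Username = "postgres",
                Password = postgresRootPassword,
                ConnectionUrl = "postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres",
                VerifyConnection = true,
                AllowedRoles = new[] { "dev2" },
                RotationSchedule = "0 * * * SAT",
                RotationWindow = 3600,
            },
        },
    });

    // Dynamic-credential role for the MSSQL connection. Vault runs these
    // statements with the root credential on every read of db/creds/dev1;
    // {{name}}/{{password}} are generated by Vault. The login only gets
    // SELECT on schema dbo.
    var dev1 = new Vault.Database.SecretBackendRole("dev1", new()
    {
        Name = "dev1",
        Backend = db.Path,
        DbName = db.Mssqls.Apply(mssqls => mssqls[0]?.Name),
        CreationStatements = new[]
        {
            "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
            "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
            "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];",
        },
        // NOTE(review): no lease TTLs or revocation statements are set on
        // either role, so lease lifetime and cleanup fall back to the
        // mount/plugin defaults — confirm before using beyond an example.
    });

    // Dynamic-credential role for the PostgreSQL connection. {{expiration}}
    // is the lease expiry, so PostgreSQL itself rejects the login once the
    // lease ends even if revocation is delayed.
    var dev2 = new Vault.Database.SecretBackendRole("dev2", new()
    {
        Name = "dev2",
        Backend = db.Path,
        DbName = db.Postgresqls.Apply(postgresqls => postgresqls[0]?.Name),
        CreationStatements = new[]
        {
            "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
            "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
        },
    });
});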
package main
import (
	"errors"

	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/database"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
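func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Root credentials for the two connections come from stack config
		// (`pulumi config set --secret mssqlRootPassword ...`) so they are
		// never committed as literals and are stored encrypted in state.
		mssqlRootPassword := config.RequireSecret(ctx, "mssqlRootPassword")
		postgresRootPassword := config.RequireSecret(ctx, "postgresRootPassword")

		// Mount the database secrets engine at "db" with one MSSQL and one
		// PostgreSQL connection. {{username}}/{{password}} in ConnectionUrl
		// are Vault templates filled from Username/Password, keeping the
		// credential out of the literal URL. RotationSchedule/RotationWindow
		// enable Vault-managed rotation of these root credentials (cron: top
		// of every hour on Saturdays, RotationWindow seconds allowed); once
		// Vault has rotated them the values supplied here are stale and must
		// not be reused anywhere else.
		db, err := database.NewSecretsMount(ctx, "db", &database.SecretsMountArgs{
			Path: pulumi.String("db"),
			Mssqls: database.SecretsMountMssqlArray{
				&database.SecretsMountMssqlArgs{
					Name:          pulumi.String("db1"),
					Username:      pulumi.String("sa"),
					Password:      mssqlRootPassword,
					ConnectionUrl: pulumi.String("sqlserver://{{username}}:{{password}}@127.0.0.1:1433"),
					// Fail at configure time if the credential is wrong (same as db2).
					VerifyConnection: pulumi.Bool(true),
					// Only these roles may mint credentials from this connection.
					AllowedRoles: pulumi.StringArray{
						pulumi.String("dev1"),
					},
					RotationSchedule: pulumi.String("0 * * * SAT"),
					RotationWindow:   pulumi.Int(3600),
				},
			},
			Postgresqls: database.SecretsMountPostgresqlArray{
				&database.SecretsMountPostgresqlArgs{
					Name:             pulumi.String("db2"),
					Username:         pulumi.String("postgres"),
					Password:         postgresRootPassword,
					ConnectionUrl:    pulumi.String("postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres"),
					VerifyConnection: pulumi.Bool(true),
					AllowedRoles: pulumi.StringArray{
						pulumi.String("dev2"),
					},
					RotationSchedule: pulumi.String("0 * * * SAT"),
					RotationWindow:   pulumi.Int(3600),
				},
			},
		})
		if err != nil {
			return err
		}

		// Connection names are resolved from the mount rather than repeated.
		// The original wrapped the StringPtrOutput in pulumi.String(...),
		// which is not a valid conversion; ApplyT returning (string, error)
		// yields a StringOutput and fails cleanly if the mount has no
		// connection instead of indexing an empty slice.
		mssqlConn := db.Mssqls.ApplyT(func(mssqls []database.SecretsMountMssql) (string, error) {
			if len(mssqls) == 0 {
				return "", errors.New("secrets mount db has no MSSQL connection")
			}
			return mssqls[0].Name, nil
		}).(pulumi.StringOutput)
		postgresConn := db.Postgresqls.ApplyT(func(postgresqls []database.SecretsMountPostgresql) (string, error) {
			if len(postgresqls) == 0 {
				return "", errors.New("secrets mount db has no PostgreSQL connection")
			}
			return postgresqls[0].Name, nil
		}).(pulumi.StringOutput)

		// Dynamic-credential role for the MSSQL connection. Vault runs these
		// statements with the root credential on every read of db/creds/dev1;
		// {{name}}/{{password}} are generated by Vault. The login only gets
		// SELECT on schema dbo.
		_, err = database.NewSecretBackendRole(ctx, "dev1", &database.SecretBackendRoleArgs{
			Name:    pulumi.String("dev1"),
			Backend: db.Path,
			DbName:  mssqlConn,
			CreationStatements: pulumi.StringArray{
				pulumi.String("CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';"),
				pulumi.String("CREATE USER [{{name}}] FOR LOGIN [{{name}}];"),
				pulumi.String("GRANT SELECT ON SCHEMA::dbo TO [{{name}}];"),
			},
			// NOTE(review): no lease TTLs or revocation statements are set on
			// either role, so lease lifetime and cleanup fall back to the
			// mount/plugin defaults — confirm before using beyond an example.
		})
		if err != nil {
			return err
		}

		// Dynamic-credential role for the PostgreSQL connection.
		// {{expiration}} is the lease expiry, so PostgreSQL itself rejects the
		// login once the lease ends even if revocation is delayed.
		_, err = database.NewSecretBackendRole(ctx, "dev2", &database.SecretBackendRoleArgs{
			Name:    pulumi.String("dev2"),
			Backend: db.Path,
			DbName:  postgresConn,
			CreationStatements: pulumi.StringArray{
				pulumi.String("CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"),
				pulumi.String("GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}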
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.database.SecretsMount;
import com.pulumi.vault.database.SecretsMountArgs;
import com.pulumi.vault.database.inputs.SecretsMountMssqlArgs;
import com.pulumi.vault.database.inputs.SecretsMountPostgresqlArgs;
import com.pulumi.vault.database.SecretBackendRole;
import com.pulumi.vault.database.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
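public class App {
    // Connection names inside the "db" mount. Shared between the mount and
    // the roles so dbName cannot drift from the connection it targets (the
    // original indexed the Output like an array, `mssqls[0]`, which is not
    // valid Java). The mount dependency is still carried by backend(db.path()).
    private static final String MSSQL_CONNECTION = "db1";
    private static final String POSTGRES_CONNECTION = "db2";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Root credentials for the two connections come from stack config
        // (`pulumi config set --secret mssqlRootPassword ...`) so they are
        // never committed as literals and are stored encrypted in state.
        Output<String> mssqlRootPassword = ctx.config().requireSecret("mssqlRootPassword");
        Output<String> postgresRootPassword = ctx.config().requireSecret("postgresRootPassword");

        // Mount the database secrets engine at "db" with one MSSQL and one
        // PostgreSQL connection. {{username}}/{{password}} in connectionUrl
        // are Vault templates filled from username/password, keeping the
        // credential out of the literal URL. rotationSchedule/rotationWindow
        // enable Vault-managed rotation of these root credentials (cron: top
        // of every hour on Saturdays, rotationWindow seconds allowed); once
        // Vault has rotated them the values supplied here are stale and must
        // not be reused anywhere else.
        var db = new SecretsMount("db", SecretsMountArgs.builder()
            .path("db")
            .mssqls(SecretsMountMssqlArgs.builder()
                .name(MSSQL_CONNECTION)
                .username("sa")
                .password(mssqlRootPassword)
                .connectionUrl("sqlserver://{{username}}:{{password}}@127.0.0.1:1433")
                // Fail at configure time if the credential is wrong (same as db2).
                .verifyConnection(true)
                // Only these roles may mint credentials from this connection.
                .allowedRoles("dev1")
                .rotationSchedule("0 * * * SAT")
                .rotationWindow(3600)
                .build())
            .postgresqls(SecretsMountPostgresqlArgs.builder()
                .name(POSTGRES_CONNECTION)
                .username("postgres")
                .password(postgresRootPassword)
                .connectionUrl("postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres")
                .verifyConnection(true)
                .allowedRoles("dev2")
                .rotationSchedule("0 * * * SAT")
                .rotationWindow(3600)
                .build())
            .build());

        // Dynamic-credential role for the MSSQL connection. Vault runs these
        // statements with the root credential on every read of db/creds/dev1;
        // {{name}}/{{password}} are generated by Vault. The login only gets
        // SELECT on schema dbo.
        // NOTE(review): no lease TTLs or revocation statements are set on
        // either role, so lease lifetime and cleanup fall back to the
        // mount/plugin defaults — confirm before using beyond an example.
        var dev1 = new SecretBackendRole("dev1", SecretBackendRoleArgs.builder()
            .name("dev1")
            .backend(db.path())
            .dbName(MSSQL_CONNECTION)
            .creationStatements(
                "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
                "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
                "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];")
            .build());

        // Dynamic-credential role for the PostgreSQL connection.
        // {{expiration}} is the lease expiry, so PostgreSQL itself rejects the
        // login once the lease ends even if revocation is delayed.
        var dev2 = new SecretBackendRole("dev2", SecretBackendRoleArgs.builder()
            .name("dev2")
            .backend(db.path())
            .dbName(POSTGRES_CONNECTION)
            .creationStatements(
                "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
                "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";")
            .build());
    }
}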
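# Root credentials for the two connections are stack config values. Set them
# with `pulumi config set --secret mssqlRootPassword ...` so they are stored
# encrypted in state and never committed as literals.
config:
  mssqlRootPassword:
    type: string
  postgresRootPassword:
    type: string
resources:
  # Database secrets engine mounted at "db" with one MSSQL and one PostgreSQL
  # connection. {{username}}/{{password}} in connectionUrl are Vault templates
  # filled from username/password, keeping the credential out of the literal
  # URL. rotationSchedule/rotationWindow enable Vault-managed rotation of these
  # root credentials (cron: top of every hour on Saturdays, rotationWindow
  # seconds allowed); once Vault has rotated them the values supplied here are
  # stale and must not be reused anywhere else.
  db:
    type: vault:database:SecretsMount
    properties:
      path: db
      mssqls:
        - name: db1
          username: sa
          password: ${mssqlRootPassword}
          connectionUrl: sqlserver://{{username}}:{{password}}@127.0.0.1:1433
          # Fail at configure time if the credential is wrong (same as db2).
          verifyConnection: true
          # Only these roles may mint credentials from this connection.
          allowedRoles:
            - dev1
          rotationSchedule: 0 * * * SAT
          rotationWindow: 3600
      postgresqls:
        - name: db2
          username: postgres
          password: ${postgresRootPassword}
          connectionUrl: postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres
          verifyConnection: true
          allowedRoles:
            - dev2
          rotationSchedule: 0 * * * SAT
          rotationWindow: 3600
  # Dynamic-credential role for the MSSQL connection. Vault runs these
  # statements with the root credential on every read of db/creds/dev1;
  # {{name}}/{{password}} are generated by Vault. The login only gets SELECT
  # on schema dbo.
  # NOTE(review): no lease TTLs or revocation statements are set on either
  # role, so lease lifetime and cleanup fall back to the mount/plugin
  # defaults — confirm before using beyond an example.
  dev1:
    type: vault:database:SecretBackendRole
    properties:
      name: dev1
      backend: ${db.path}
      dbName: ${db.mssqls[0].name}
      creationStatements:
        - CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
        - CREATE USER [{{name}}] FOR LOGIN [{{name}}];
        - GRANT SELECT ON SCHEMA::dbo TO [{{name}}];
  # Dynamic-credential role for the PostgreSQL connection. {{expiration}} is
  # the lease expiry, so PostgreSQL itself rejects the login once the lease
  # ends even if revocation is delayed.
  dev2:
    type: vault:database:SecretBackendRole
    properties:
      name: dev2
      backend: ${db.path}
      dbName: ${db.postgresqls[0].name}
      creationStatements:
        - CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
        - GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";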
Import
Database secrets mounts can be imported using the mount path, e.g.
$ pulumi import vault:database/secretsMount:SecretsMount db db
Properties
Set of managed key registry entry names that the mount in question is allowed to access.
The following arguments are common to all database engines:
List of headers to allow and pass from the request to the plugin
Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Values for these keys are written to audit logs in plaintext, so never list credential-bearing fields such as `password` or `connection_url` here.
Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. Values for these keys are written to audit logs in plaintext, so never list credential-bearing fields here.
A nested block containing configuration options for Cassandra connections. See Configuration Options for more info
A nested block containing configuration options for Couchbase connections. See Configuration Options for more info
Default lease duration for tokens and secrets in seconds
List of headers to allow and pass from the request to the plugin
Human-friendly description of the mount
A nested block containing configuration options for Elasticsearch connections. See Configuration Options for more info
The total number of database secrets engines configured.
Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
A nested block containing configuration options for SAP HanaDB connections. See Configuration Options for more info
The key to use for signing plugin workload identity tokens
A nested block containing configuration options for InfluxDB connections. See Configuration Options for more info
Specifies whether to show this mount in the UI-specific listing endpoint
Maximum possible lease duration for tokens and secrets in seconds
A nested block containing configuration options for MongoDB Atlas connections. See Configuration Options for more info
A nested block containing configuration options for MongoDB connections. See Configuration Options for more info
A nested block containing configuration options for MSSQL connections. See Configuration Options for more info
A nested block containing configuration options for Aurora MySQL connections. See Configuration Options for more info
A nested block containing configuration options for legacy MySQL connections. See Configuration Options for more info
A nested block containing configuration options for RDS MySQL connections. See Configuration Options for more info
A nested block containing configuration options for MySQL connections. See Configuration Options for more info
A nested block containing configuration options for Oracle connections. See Configuration Options for more info
List of headers to allow and pass from the request to the plugin
Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
A nested block containing configuration options for PostgreSQL connections. See Configuration Options for more info
A nested block containing configuration options for Redis connections. See Configuration Options for more info
A nested block containing configuration options for Redis ElastiCache connections. See Configuration Options for more info
A nested block containing configuration options for AWS Redshift connections. See Configuration Options for more info
A nested block containing configuration options for Snowflake connections. See Configuration Options for more info