pulumi-vault-kotlin/com.pulumi.vault.gcp.kotlin/SecretBackendArgs

SecretBackendArgs

data class SecretBackendArgs(val credentials: Output<String>? = null, val defaultLeaseTtlSeconds: Output<Int>? = null, val description: Output<String>? = null, val disableAutomatedRotation: Output<Boolean>? = null, val disableRemount: Output<Boolean>? = null, val identityTokenAudience: Output<String>? = null, val identityTokenKey: Output<String>? = null, val identityTokenTtl: Output<Int>? = null, val local: Output<Boolean>? = null, val maxLeaseTtlSeconds: Output<Int>? = null, val namespace: Output<String>? = null, val path: Output<String>? = null, val rotationPeriod: Output<Int>? = null, val rotationSchedule: Output<String>? = null, val rotationWindow: Output<Int>? = null, val serviceAccountEmail: Output<String>? = null) : ConvertibleToJava<SecretBackendArgs>

Example Usage

You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const gcp = new vault.gcp.SecretBackend("gcp", {
    identityTokenKey: "example-key",
    identityTokenTtl: 1800,
    identityTokenAudience: "<TOKEN_AUDIENCE>",
    serviceAccountEmail: "<SERVICE_ACCOUNT_EMAIL>",
    rotationSchedule: "0 * * * SAT",
    rotationWindow: 3600,
});
Content copied to clipboard
import pulumi
import pulumi_vault as vault
gcp = vault.gcp.SecretBackend("gcp",
    identity_token_key="example-key",
    identity_token_ttl=1800,
    identity_token_audience="<TOKEN_AUDIENCE>",
    service_account_email="<SERVICE_ACCOUNT_EMAIL>",
    rotation_schedule="0 * * * SAT",
    rotation_window=3600)
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    var gcp = new Vault.Gcp.SecretBackend("gcp", new()
    {
        IdentityTokenKey = "example-key",
        IdentityTokenTtl = 1800,
        IdentityTokenAudience = "<TOKEN_AUDIENCE>",
        ServiceAccountEmail = "<SERVICE_ACCOUNT_EMAIL>",
        RotationSchedule = "0 * * * SAT",
        RotationWindow = 3600,
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
			IdentityTokenKey:      pulumi.String("example-key"),
			IdentityTokenTtl:      pulumi.Int(1800),
			IdentityTokenAudience: pulumi.String("<TOKEN_AUDIENCE>"),
			ServiceAccountEmail:   pulumi.String("<SERVICE_ACCOUNT_EMAIL>"),
			RotationSchedule:      pulumi.String("0 * * * SAT"),
			RotationWindow:        pulumi.Int(3600),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.gcp.SecretBackend;
import com.pulumi.vault.gcp.SecretBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var gcp = new SecretBackend("gcp", SecretBackendArgs.builder()
            .identityTokenKey("example-key")
            .identityTokenTtl(1800)
            .identityTokenAudience("<TOKEN_AUDIENCE>")
            .serviceAccountEmail("<SERVICE_ACCOUNT_EMAIL>")
            .rotationSchedule("0 * * * SAT")
            .rotationWindow(3600)
            .build());
    }
}
Content copied to clipboard
resources:
  gcp:
    type: vault:gcp:SecretBackend
    properties:
      identityTokenKey: example-key
      identityTokenTtl: 1800
      identityTokenAudience: <TOKEN_AUDIENCE>
      serviceAccountEmail: <SERVICE_ACCOUNT_EMAIL>
      rotationSchedule: 0 * * * SAT
      rotationWindow: 3600
Content copied to clipboard
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const gcp = new vault.gcp.SecretBackend("gcp", {
    credentials: std.file({
        input: "credentials.json",
    }).then(invoke => invoke.result),
    rotationSchedule: "0 * * * SAT",
    rotationWindow: 3600,
});
Content copied to clipboard
import pulumi
import pulumi_std as std
import pulumi_vault as vault
gcp = vault.gcp.SecretBackend("gcp",
    credentials=std.file(input="credentials.json").result,
    rotation_schedule="0 * * * SAT",
    rotation_window=3600)
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    var gcp = new Vault.Gcp.SecretBackend("gcp", new()
    {
        Credentials = Std.File.Invoke(new()
        {
            Input = "credentials.json",
        }).Apply(invoke => invoke.Result),
        RotationSchedule = "0 * * * SAT",
        RotationWindow = 3600,
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "credentials.json",
		}, nil)
		if err != nil {
			return err
		}
		_, err = gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
			Credentials:      pulumi.String(invokeFile.Result),
			RotationSchedule: pulumi.String("0 * * * SAT"),
			RotationWindow:   pulumi.Int(3600),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.gcp.SecretBackend;
import com.pulumi.vault.gcp.SecretBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var gcp = new SecretBackend("gcp", SecretBackendArgs.builder()
            .credentials(StdFunctions.file(FileArgs.builder()
                .input("credentials.json")
                .build()).result())
            .rotationSchedule("0 * * * SAT")
            .rotationWindow(3600)
            .build());
    }
}
Content copied to clipboard
resources:
  gcp:
    type: vault:gcp:SecretBackend
    properties:
      credentials:
        fn::invoke:
          function: std:file
          arguments:
            input: credentials.json
          return: result
      rotationSchedule: 0 * * * SAT
      rotationWindow: 3600
Content copied to clipboard

Constructors

Link copied to clipboard
constructor(credentials: Output<String>? = null, defaultLeaseTtlSeconds: Output<Int>? = null, description: Output<String>? = null, disableAutomatedRotation: Output<Boolean>? = null, disableRemount: Output<Boolean>? = null, identityTokenAudience: Output<String>? = null, identityTokenKey: Output<String>? = null, identityTokenTtl: Output<Int>? = null, local: Output<Boolean>? = null, maxLeaseTtlSeconds: Output<Int>? = null, namespace: Output<String>? = null, path: Output<String>? = null, rotationPeriod: Output<Int>? = null, rotationSchedule: Output<String>? = null, rotationWindow: Output<Int>? = null, serviceAccountEmail: Output<String>? = null)

Properties

Link copied to clipboard
val credentials: Output<String>? = null

JSON-encoded credentials to use to connect to GCP

Link copied to clipboard
val defaultLeaseTtlSeconds: Output<Int>? = null

The default TTL for credentials issued by this backend. Defaults to '0'.

Link copied to clipboard
val description: Output<String>? = null

A human-friendly description for this backend.

Link copied to clipboard
val disableAutomatedRotation: Output<Boolean>? = null

Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise.

Link copied to clipboard
val disableRemount: Output<Boolean>? = null

If set, opts out of mount migration on path updates. See here for more info on Mount Migration

Link copied to clipboard
val identityTokenAudience: Output<String>? = null

The audience claim value for plugin identity tokens. Must match an allowed audience configured for the target Workload Identity Pool. Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise.

Link copied to clipboard
val identityTokenKey: Output<String>? = null

The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.

Link copied to clipboard
val identityTokenTtl: Output<Int>? = null

The TTL of generated tokens.

Link copied to clipboard
val local: Output<Boolean>? = null

Boolean flag that can be explicitly set to true to enforce local mount in HA environment

Link copied to clipboard
val maxLeaseTtlSeconds: Output<Int>? = null

The maximum TTL that can be requested for credentials issued by this backend. Defaults to '0'.

Link copied to clipboard
val namespace: Output<String>? = null

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

Link copied to clipboard
val path: Output<String>? = null

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp.

Link copied to clipboard
val rotationPeriod: Output<Int>? = null

The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise.

Link copied to clipboard
val rotationSchedule: Output<String>? = null

The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise.

Link copied to clipboard
val rotationWindow: Output<Int>? = null

The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise.

Link copied to clipboard
val serviceAccountEmail: Output<String>? = null

Service Account to impersonate for plugin workload identity federation. Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise.

Functions

Link copied to clipboard
open override fun toJava(): SecretBackendArgs