pulumi-vault-kotlin/com.pulumi.vault.gcp.kotlin/SecretRolesetArgs

SecretRolesetArgs

data class SecretRolesetArgs(val backend: Output<String>? = null, val bindings: Output<List<SecretRolesetBindingArgs>>? = null, val namespace: Output<String>? = null, val project: Output<String>? = null, val roleset: Output<String>? = null, val secretType: Output<String>? = null, val tokenScopes: Output<List<String>>? = null) : ConvertibleToJava<SecretRolesetArgs>

Creates a Roleset in the GCP Secrets Engine for Vault. Each Roleset is tied to a Service Account, and can have one or more bindings associated with it.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const project = "my-awesome-project";
const gcp = new vault.gcp.SecretBackend("gcp", {
    path: "gcp",
    credentials: std.file({
        input: "credentials.json",
    }).then(invoke => invoke.result),
});
const roleset = new vault.gcp.SecretRoleset("roleset", {
    backend: gcp.path,
    roleset: "project_viewer",
    secretType: "access_token",
    project: project,
    tokenScopes: ["https://www&#46;googleapis&#46;com/auth/cloud-platform"],
    bindings: [{
        resource: `//cloudresourcemanager.googleapis.com/projects/${project}`,
        roles: ["roles/viewer"],
    }],
});

import pulumi
import pulumi_std as std
import pulumi_vault as vault
project = "my-awesome-project"
gcp = vault.gcp.SecretBackend("gcp",
    path="gcp",
    credentials=std.file(input="credentials.json").result)
roleset = vault.gcp.SecretRoleset("roleset",
    backend=gcp.path,
    roleset="project_viewer",
    secret_type="access_token",
    project=project,
    token_scopes=["https://www&#46;googleapis&#46;com/auth/cloud-platform"],
    bindings=[{
        "resource": f"//cloudresourcemanager.googleapis.com/projects/{project}",
        "roles": ["roles/viewer"],
    }])

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    var project = "my-awesome-project";
    var gcp = new Vault.Gcp.SecretBackend("gcp", new()
    {
        Path = "gcp",
        Credentials = Std.File.Invoke(new()
        {
            Input = "credentials.json",
        }).Apply(invoke => invoke.Result),
    });
    var roleset = new Vault.Gcp.SecretRoleset("roleset", new()
    {
        Backend = gcp.Path,
        Roleset = "project_viewer",
        SecretType = "access_token",
        Project = project,
        TokenScopes = new[]
        {
            "https://www.googleapis.com/auth/cloud-platform",
        },
        Bindings = new[]
        {
            new Vault.Gcp.Inputs.SecretRolesetBindingArgs
            {
                Resource = $"//cloudresourcemanager.googleapis.com/projects/{project}",
                Roles = new[]
                {
                    "roles/viewer",
                },
            },
        },
    });
});

package main
import (
	"fmt"
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project := "my-awesome-project"
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "credentials.json",
		}, nil)
		if err != nil {
			return err
		}
		gcp, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
			Path:        pulumi.String("gcp"),
			Credentials: pulumi.String(invokeFile.Result),
		})
		if err != nil {
			return err
		}
		_, err = gcp.NewSecretRoleset(ctx, "roleset", &gcp.SecretRolesetArgs{
			Backend:    gcp.Path,
			Roleset:    pulumi.String("project_viewer"),
			SecretType: pulumi.String("access_token"),
			Project:    pulumi.String(project),
			TokenScopes: pulumi.StringArray{
				pulumi.String("https://www.googleapis.com/auth/cloud-platform"),
			},
			Bindings: gcp.SecretRolesetBindingArray{
				&gcp.SecretRolesetBindingArgs{
					Resource: pulumi.Sprintf("//cloudresourcemanager.googleapis.com/projects/%v", project),
					Roles: pulumi.StringArray{
						pulumi.String("roles/viewer"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.gcp.SecretBackend;
import com.pulumi.vault.gcp.SecretBackendArgs;
import com.pulumi.vault.gcp.SecretRoleset;
import com.pulumi.vault.gcp.SecretRolesetArgs;
import com.pulumi.vault.gcp.inputs.SecretRolesetBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        final var project = "my-awesome-project";
        var gcp = new SecretBackend("gcp", SecretBackendArgs.builder()
            .path("gcp")
            .credentials(StdFunctions.file(FileArgs.builder()
                .input("credentials.json")
                .build()).result())
            .build());
        var roleset = new SecretRoleset("roleset", SecretRolesetArgs.builder()
            .backend(gcp.path())
            .roleset("project_viewer")
            .secretType("access_token")
            .project(project)
            .tokenScopes("https://www.googleapis.com/auth/cloud-platform")
            .bindings(SecretRolesetBindingArgs.builder()
                .resource(String.format("//cloudresourcemanager.googleapis.com/projects/%s", project))
                .roles("roles/viewer")
                .build())
            .build());
    }
}

resources:
  gcp:
    type: vault:gcp:SecretBackend
    properties:
      path: gcp
      credentials:
        fn::invoke:
          function: std:file
          arguments:
            input: credentials.json
          return: result
  roleset:
    type: vault:gcp:SecretRoleset
    properties:
      backend: ${gcp.path}
      roleset: project_viewer
      secretType: access_token
      project: ${project}
      tokenScopes:
        - https://www.googleapis.com/auth/cloud-platform
      bindings:
        - resource: //cloudresourcemanager.googleapis.com/projects/${project}
          roles:
            - roles/viewer
variables:
  project: my-awesome-project

Import

A roleset can be imported using its Vault Path. For example, referencing the example above,

$ pulumi import vault:gcp/secretRoleset:SecretRoleset roleset gcp/roleset/project_viewer

Constructors

SecretRolesetArgs

constructor(backend: Output<String>? = null, bindings: Output<List<SecretRolesetBindingArgs>>? = null, namespace: Output<String>? = null, project: Output<String>? = null, roleset: Output<String>? = null, secretType: Output<String>? = null, tokenScopes: Output<List<String>>? = null)

Properties

backend

val backend: Output<String>? = null

Path where the GCP Secrets Engine is mounted

bindings

val bindings: Output<List<SecretRolesetBindingArgs>>? = null

Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.

namespace

val namespace: Output<String>? = null

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

project

val project: Output<String>? = null

Name of the GCP project that this roleset's service account will belong to.

roleset

val roleset: Output<String>? = null

Name of the Roleset to create

secretType

val secretType: Output<String>? = null

Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.

tokenScopes

val tokenScopes: Output<List<String>>? = null

List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

Functions

toJava

open override fun toJava(): SecretRolesetArgs