SyncAwsDestination

class SyncAwsDestination : KotlinCustomResource

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// Registers an AWS Secrets Manager sync destination named "aws-dest" in Vault.
// `accessKeyId` and `secretAccessKey` are defined outside this snippet.
// NOTE(review): supply them from secret-typed stack configuration rather than
// literals in the program. Per the property docs on this page, both may instead
// be omitted and given to Vault through AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.
const aws = new vault.secrets.SyncAwsDestination("aws", {
    name: "aws-dest",
    accessKeyId,
    secretAccessKey,
    region: "us-east-1",
    // Placeholder for the ARN of the role Vault assumes (with temporary STS
    // credentials) when connecting to AWS.
    roleArn: "role-arn",
    // Placeholder. The property docs recommend a different random UUID per
    // destination; it must match the role's trust policy and is ignored when
    // roleArn is empty.
    externalId: "external-id",
    // Subset of Go template syntax; controls the secret names created in AWS.
    secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    customTags: {
        "foo": "bar",
    },
});
import pulumi
import pulumi_vault as vault
# Registers an AWS Secrets Manager sync destination named "aws-dest" in Vault.
# `access_key_id` and `secret_access_key` are defined outside this snippet.
# NOTE(review): supply them from secret-typed stack configuration rather than
# literals in the program. Per the property docs on this page, both may instead
# be omitted and given to Vault through AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.
aws = vault.secrets.SyncAwsDestination(
    "aws",
    name="aws-dest",
    access_key_id=access_key_id,
    secret_access_key=secret_access_key,
    region="us-east-1",
    # Placeholder for the ARN of the role Vault assumes (with temporary STS
    # credentials) when connecting to AWS.
    role_arn="role-arn",
    # Placeholder. The property docs recommend a different random UUID per
    # destination; it must match the role's trust policy and is ignored when
    # role_arn is empty.
    external_id="external-id",
    # Subset of Go template syntax; controls the secret names created in AWS.
    secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    custom_tags={"foo": "bar"},
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
// Registers an AWS Secrets Manager sync destination named "aws-dest" in Vault.
// `accessKeyId` and `secretAccessKey` are defined outside this snippet.
// NOTE(review): supply them from secret-typed stack configuration rather than
// literals in the program. Per the property docs on this page, both may instead
// be omitted and given to Vault through AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.
return await Deployment.RunAsync(() =>
{
    var aws = new Vault.Secrets.SyncAwsDestination("aws", new()
    {
        Name = "aws-dest",
        AccessKeyId = accessKeyId,
        SecretAccessKey = secretAccessKey,
        Region = "us-east-1",
        // Placeholder for the ARN of the role Vault assumes (with temporary
        // STS credentials) when connecting to AWS.
        RoleArn = "role-arn",
        // Placeholder. The property docs recommend a different random UUID per
        // destination; it must match the role's trust policy and is ignored
        // when RoleArn is empty.
        ExternalId = "external-id",
        // Subset of Go template syntax; controls the secret names created in AWS.
        SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
        CustomTags =
        {
            { "foo", "bar" },
        },
    });
});
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/secrets"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers an AWS Secrets Manager sync destination named "aws-dest" in
// Vault and returns any error from creating the resource to pulumi.Run.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		destinationArgs := &secrets.SyncAwsDestinationArgs{
			Name: pulumi.String("aws-dest"),
			// accessKeyId and secretAccessKey are declared outside this snippet.
			// NOTE(review): supply them from secret-typed stack configuration
			// rather than literals in the program. Per the property docs on this
			// page, both may instead be omitted and given to Vault through
			// AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.
			AccessKeyId:     pulumi.Any(accessKeyId),
			SecretAccessKey: pulumi.Any(secretAccessKey),
			Region:          pulumi.String("us-east-1"),
			// Placeholder for the ARN of the role Vault assumes (with temporary
			// STS credentials) when connecting to AWS.
			RoleArn: pulumi.String("role-arn"),
			// Placeholder. The property docs recommend a different random UUID
			// per destination; it must match the role's trust policy and is
			// ignored when RoleArn is empty.
			ExternalId: pulumi.String("external-id"),
			// Subset of Go template syntax; controls the secret names created in AWS.
			SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
			CustomTags: pulumi.StringMap{
				"foo": pulumi.String("bar"),
			},
		}

		_, err := secrets.NewSyncAwsDestination(ctx, "aws", destinationArgs)
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncAwsDestination;
import com.pulumi.vault.secrets.SyncAwsDestinationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Example program that registers an AWS Secrets Manager sync destination
 * named "aws-dest" in Vault.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the sync destination.
     *
     * <p>{@code accessKeyId} and {@code secretAccessKey} are defined outside
     * this snippet. NOTE(review): supply them from secret-typed stack
     * configuration rather than literals in the program. Per the property docs
     * on this page, both may instead be omitted and given to Vault through
     * AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.
     *
     * @param ctx the Pulumi deployment context (not used by this example)
     */
    public static void stack(Context ctx) {
        var destinationArgs = SyncAwsDestinationArgs.builder()
            .name("aws-dest")
            .accessKeyId(accessKeyId)
            .secretAccessKey(secretAccessKey)
            .region("us-east-1")
            // Placeholder for the ARN of the role Vault assumes (with temporary
            // STS credentials) when connecting to AWS.
            .roleArn("role-arn")
            // Placeholder. The property docs recommend a different random UUID
            // per destination; it must match the role's trust policy and is
            // ignored when roleArn is empty.
            .externalId("external-id")
            // Subset of Go template syntax; controls the secret names created in AWS.
            .secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
            .customTags(Map.of("foo", "bar"))
            .build();

        var aws = new SyncAwsDestination("aws", destinationArgs);
    }
}
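# Registers an AWS Secrets Manager sync destination named "aws-dest" in Vault.
# Nesting restored: without indentation every key below would parse as a
# top-level sibling of `resources` instead of a property of the `aws` resource.
resources:
  aws:
    type: vault:secrets:SyncAwsDestination
    properties:
      name: aws-dest
      # ${accessKeyId} and ${secretAccessKey} are defined outside this snippet.
      # NOTE(review): supply them from secret-typed stack configuration rather
      # than literals. Per the property docs on this page, both may instead be
      # omitted and given to Vault through AWS_ACCESS_KEY_ID /
      # AWS_SECRET_ACCESS_KEY.
      accessKeyId: ${accessKeyId}
      secretAccessKey: ${secretAccessKey}
      region: us-east-1
      # Placeholder for the ARN of the role Vault assumes (with temporary STS
      # credentials) when connecting to AWS.
      roleArn: role-arn
      # Placeholder. The property docs recommend a different random UUID per
      # destination; it must match the role's trust policy and is ignored when
      # roleArn is empty.
      externalId: external-id
      # Subset of Go template syntax; controls the secret names created in AWS.
      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
      customTags:
        foo: bar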

Import

AWS Secrets sync destinations can be imported using the name, e.g.

$ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest

Properties

val accessKeyId: Output<String>?

Access key ID used to authenticate against AWS Secrets Manager. Can be omitted and provided directly to Vault through the AWS_ACCESS_KEY_ID environment variable.

val customTags: Output<Map<String, String>>?

Custom tags to set on the secret managed at the destination.

val externalId: Output<String>?

Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must make sure that the new value still satisfies the trust relationship condition they set on AWS; otherwise sync operations will start to fail with client-side access denied errors. Ignored if the role_arn field is empty.

val granularity: Output<String>?

Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.

val id: Output<String>
val name: Output<String>

Unique name of the AWS destination.

val namespace: Output<String>?

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.

val pulumiChildResources: Set<KotlinResource>
val region: Output<String>?

Region in which the Secrets Manager entries are managed. Can be omitted and provided directly to Vault through the AWS_REGION environment variable.

val roleArn: Output<String>?

Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID; if it does not, the backend will return an error. It is possible to provide both an access key pair and a role to assume.

val secretAccessKey: Output<String>?

Secret access key used to authenticate against AWS Secrets Manager. Can be omitted and provided directly to Vault through the AWS_SECRET_ACCESS_KEY environment variable.


Template (`secretNameTemplate`) describing how external secret names are generated. Supports a subset of the Go template syntax.

val type: Output<String>

The type of the secrets destination (aws-sm).

val urn: Output<String>