Auth
Example Usage
You can setup the AWS auth engine with Workload Identity Federation (WIF) for a secret-less configuration:
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const example = new vault.AuthBackend("example", {type: "aws"});
const exampleAuthBackendClient = new vault.aws.AuthBackendClient("example", {
identityTokenAudience: "<TOKEN_AUDIENCE>",
identityTokenTtl: "<TOKEN_TTL>",
roleArn: "<AWS_ROLE_ARN>",
rotationSchedule: "0 * * * SAT",
rotationWindow: 3600,
});import pulumi
import pulumi_vault as vault
example = vault.AuthBackend("example", type="aws")
example_auth_backend_client = vault.aws.AuthBackendClient("example",
identity_token_audience="<TOKEN_AUDIENCE>",
identity_token_ttl="<TOKEN_TTL>",
role_arn="<AWS_ROLE_ARN>",
rotation_schedule="0 * * * SAT",
rotation_window=3600)using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var example = new Vault.AuthBackend("example", new()
{
Type = "aws",
});
var exampleAuthBackendClient = new Vault.Aws.AuthBackendClient("example", new()
{
IdentityTokenAudience = "<TOKEN_AUDIENCE>",
IdentityTokenTtl = "<TOKEN_TTL>",
RoleArn = "<AWS_ROLE_ARN>",
RotationSchedule = "0 * * * SAT",
RotationWindow = 3600,
});
});package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/aws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vault.NewAuthBackend(ctx, "example", &vault.AuthBackendArgs{
Type: pulumi.String("aws"),
})
if err != nil {
return err
}
_, err = aws.NewAuthBackendClient(ctx, "example", &aws.AuthBackendClientArgs{
IdentityTokenAudience: pulumi.String("<TOKEN_AUDIENCE>"),
IdentityTokenTtl: pulumi.Int("<TOKEN_TTL>"),
RoleArn: pulumi.String("<AWS_ROLE_ARN>"),
RotationSchedule: pulumi.String("0 * * * SAT"),
RotationWindow: pulumi.Int(3600),
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.aws.AuthBackendClient;
import com.pulumi.vault.aws.AuthBackendClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new AuthBackend("example", AuthBackendArgs.builder()
.type("aws")
.build());
var exampleAuthBackendClient = new AuthBackendClient("exampleAuthBackendClient", AuthBackendClientArgs.builder()
.identityTokenAudience("<TOKEN_AUDIENCE>")
.identityTokenTtl("<TOKEN_TTL>")
.roleArn("<AWS_ROLE_ARN>")
.rotationSchedule("0 * * * SAT")
.rotationWindow(3600)
.build());
}
}resources:
example:
type: vault:AuthBackend
properties:
type: aws
exampleAuthBackendClient:
type: vault:aws:AuthBackendClient
name: example
properties:
identityTokenAudience: <TOKEN_AUDIENCE>
identityTokenTtl: <TOKEN_TTL>
roleArn: <AWS_ROLE_ARN>
rotationSchedule: 0 * * * SAT
rotationWindow: 3600import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const example = new vault.AuthBackend("example", {type: "aws"});
const exampleAuthBackendClient = new vault.aws.AuthBackendClient("example", {
backend: example.path,
accessKey: "INSERT_AWS_ACCESS_KEY",
secretKey: "INSERT_AWS_SECRET_KEY",
rotationSchedule: "0 * * * SAT",
rotationWindow: 3600,
});import pulumi
import pulumi_vault as vault
example = vault.AuthBackend("example", type="aws")
example_auth_backend_client = vault.aws.AuthBackendClient("example",
backend=example.path,
access_key="INSERT_AWS_ACCESS_KEY",
secret_key="INSERT_AWS_SECRET_KEY",
rotation_schedule="0 * * * SAT",
rotation_window=3600)using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var example = new Vault.AuthBackend("example", new()
{
Type = "aws",
});
var exampleAuthBackendClient = new Vault.Aws.AuthBackendClient("example", new()
{
Backend = example.Path,
AccessKey = "INSERT_AWS_ACCESS_KEY",
SecretKey = "INSERT_AWS_SECRET_KEY",
RotationSchedule = "0 * * * SAT",
RotationWindow = 3600,
});
});package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/aws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := vault.NewAuthBackend(ctx, "example", &vault.AuthBackendArgs{
Type: pulumi.String("aws"),
})
if err != nil {
return err
}
_, err = aws.NewAuthBackendClient(ctx, "example", &aws.AuthBackendClientArgs{
Backend: example.Path,
AccessKey: pulumi.String("INSERT_AWS_ACCESS_KEY"),
SecretKey: pulumi.String("INSERT_AWS_SECRET_KEY"),
RotationSchedule: pulumi.String("0 * * * SAT"),
RotationWindow: pulumi.Int(3600),
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.aws.AuthBackendClient;
import com.pulumi.vault.aws.AuthBackendClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new AuthBackend("example", AuthBackendArgs.builder()
.type("aws")
.build());
var exampleAuthBackendClient = new AuthBackendClient("exampleAuthBackendClient", AuthBackendClientArgs.builder()
.backend(example.path())
.accessKey("INSERT_AWS_ACCESS_KEY")
.secretKey("INSERT_AWS_SECRET_KEY")
.rotationSchedule("0 * * * SAT")
.rotationWindow(3600)
.build());
}
}resources:
example:
type: vault:AuthBackend
properties:
type: aws
exampleAuthBackendClient:
type: vault:aws:AuthBackendClient
name: example
properties:
backend: ${example.path}
accessKey: INSERT_AWS_ACCESS_KEY
secretKey: INSERT_AWS_SECRET_KEY
rotationSchedule: 0 * * * SAT
rotationWindow: 3600Import
AWS auth backend clients can be imported using auth/, the backend path, and /config/client e.g.
$ pulumi import vault:aws/authBackendClient:AuthBackendClient example auth/aws/config/clientProperties
Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
Override the URL Vault uses when making EC2 API calls.
Override the URL Vault uses when making IAM API calls.
The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
Override the URL Vault uses when making STS API calls.
Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.