Secret
Example Usage
You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const gcp = new vault.gcp.SecretBackend("gcp", {
identityTokenKey: "example-key",
identityTokenTtl: 1800,
identityTokenAudience: "<TOKEN_AUDIENCE>",
serviceAccountEmail: "<SERVICE_ACCOUNT_EMAIL>",
rotationSchedule: "0 * * * SAT",
rotationWindow: 3600,
});import pulumi
import pulumi_vault as vault
gcp = vault.gcp.SecretBackend("gcp",
identity_token_key="example-key",
identity_token_ttl=1800,
identity_token_audience="<TOKEN_AUDIENCE>",
service_account_email="<SERVICE_ACCOUNT_EMAIL>",
rotation_schedule="0 * * * SAT",
rotation_window=3600)using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var gcp = new Vault.Gcp.SecretBackend("gcp", new()
{
IdentityTokenKey = "example-key",
IdentityTokenTtl = 1800,
IdentityTokenAudience = "<TOKEN_AUDIENCE>",
ServiceAccountEmail = "<SERVICE_ACCOUNT_EMAIL>",
RotationSchedule = "0 * * * SAT",
RotationWindow = 3600,
});
});package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
IdentityTokenKey: pulumi.String("example-key"),
IdentityTokenTtl: pulumi.Int(1800),
IdentityTokenAudience: pulumi.String("<TOKEN_AUDIENCE>"),
ServiceAccountEmail: pulumi.String("<SERVICE_ACCOUNT_EMAIL>"),
RotationSchedule: pulumi.String("0 * * * SAT"),
RotationWindow: pulumi.Int(3600),
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.gcp.SecretBackend;
import com.pulumi.vault.gcp.SecretBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var gcp = new SecretBackend("gcp", SecretBackendArgs.builder()
.identityTokenKey("example-key")
.identityTokenTtl(1800)
.identityTokenAudience("<TOKEN_AUDIENCE>")
.serviceAccountEmail("<SERVICE_ACCOUNT_EMAIL>")
.rotationSchedule("0 * * * SAT")
.rotationWindow(3600)
.build());
}
}resources:
gcp:
type: vault:gcp:SecretBackend
properties:
identityTokenKey: example-key
identityTokenTtl: 1800
identityTokenAudience: <TOKEN_AUDIENCE>
serviceAccountEmail: <SERVICE_ACCOUNT_EMAIL>
rotationSchedule: 0 * * * SAT
rotationWindow: 3600import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const gcp = new vault.gcp.SecretBackend("gcp", {
credentials: std.file({
input: "credentials.json",
}).then(invoke => invoke.result),
rotationSchedule: "0 * * * SAT",
rotationWindow: 3600,
});import pulumi
import pulumi_std as std
import pulumi_vault as vault
gcp = vault.gcp.SecretBackend("gcp",
credentials=std.file(input="credentials.json").result,
rotation_schedule="0 * * * SAT",
rotation_window=3600)using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var gcp = new Vault.Gcp.SecretBackend("gcp", new()
{
Credentials = Std.File.Invoke(new()
{
Input = "credentials.json",
}).Apply(invoke => invoke.Result),
RotationSchedule = "0 * * * SAT",
RotationWindow = 3600,
});
});package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "credentials.json",
}, nil)
if err != nil {
return err
}
_, err = gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
Credentials: pulumi.String(invokeFile.Result),
RotationSchedule: pulumi.String("0 * * * SAT"),
RotationWindow: pulumi.Int(3600),
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.gcp.SecretBackend;
import com.pulumi.vault.gcp.SecretBackendArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var gcp = new SecretBackend("gcp", SecretBackendArgs.builder()
.credentials(StdFunctions.file(FileArgs.builder()
.input("credentials.json")
.build()).result())
.rotationSchedule("0 * * * SAT")
.rotationWindow(3600)
.build());
}
}resources:
gcp:
type: vault:gcp:SecretBackend
properties:
credentials:
fn::invoke:
function: std:file
arguments:
input: credentials.json
return: result
rotationSchedule: 0 * * * SAT
rotationWindow: 3600Properties
JSON-encoded credentials to use to connect to GCP
The default TTL for credentials issued by this backend. Defaults to '0'.
A human-friendly description for this backend.
Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise.
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
The audience claim value for plugin identity tokens. Must match an allowed audience configured for the target Workload Identity Pool. Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise.
The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
The TTL of generated tokens.
The maximum TTL that can be requested for credentials issued by this backend. Defaults to '0'.
The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise.
The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise.
The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+. Available only for Vault Enterprise.
Service Account to impersonate for plugin workload identity federation. Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise.