Secret
Creates a Roleset in the GCP Secrets Engine for Vault. Each Roleset is tied to a Service Account, and can have one or more bindings associated with it.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const project = "my-awesome-project";
const gcp = new vault.gcp.SecretBackend("gcp", {
path: "gcp",
credentials: std.file({
input: "credentials.json",
}).then(invoke => invoke.result),
});
const roleset = new vault.gcp.SecretRoleset("roleset", {
backend: gcp.path,
roleset: "project_viewer",
secretType: "access_token",
project: project,
tokenScopes: ["https://www.googleapis.com/auth/cloud-platform"],
bindings: [{
resource: `//cloudresourcemanager.googleapis.com/projects/${project}`,
roles: ["roles/viewer"],
}],
});Content copied to clipboard
import pulumi
import pulumi_std as std
import pulumi_vault as vault
project = "my-awesome-project"
gcp = vault.gcp.SecretBackend("gcp",
path="gcp",
credentials=std.file(input="credentials.json").result)
roleset = vault.gcp.SecretRoleset("roleset",
backend=gcp.path,
roleset="project_viewer",
secret_type="access_token",
project=project,
token_scopes=["https://www.googleapis.com/auth/cloud-platform"],
bindings=[{
"resource": f"//cloudresourcemanager.googleapis.com/projects/{project}",
"roles": ["roles/viewer"],
}])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var project = "my-awesome-project";
var gcp = new Vault.Gcp.SecretBackend("gcp", new()
{
Path = "gcp",
Credentials = Std.File.Invoke(new()
{
Input = "credentials.json",
}).Apply(invoke => invoke.Result),
});
var roleset = new Vault.Gcp.SecretRoleset("roleset", new()
{
Backend = gcp.Path,
Roleset = "project_viewer",
SecretType = "access_token",
Project = project,
TokenScopes = new[]
{
"https://www.googleapis.com/auth/cloud-platform",
},
Bindings = new[]
{
new Vault.Gcp.Inputs.SecretRolesetBindingArgs
{
Resource = $"//cloudresourcemanager.googleapis.com/projects/{project}",
Roles = new[]
{
"roles/viewer",
},
},
},
});
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
project := "my-awesome-project"
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "credentials.json",
}, nil)
if err != nil {
return err
}
gcp, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
Path: pulumi.String("gcp"),
Credentials: pulumi.String(invokeFile.Result),
})
if err != nil {
return err
}
_, err = gcp.NewSecretRoleset(ctx, "roleset", &gcp.SecretRolesetArgs{
Backend: gcp.Path,
Roleset: pulumi.String("project_viewer"),
SecretType: pulumi.String("access_token"),
Project: pulumi.String(project),
TokenScopes: pulumi.StringArray{
pulumi.String("https://www.googleapis.com/auth/cloud-platform"),
},
Bindings: gcp.SecretRolesetBindingArray{
&gcp.SecretRolesetBindingArgs{
Resource: pulumi.Sprintf("//cloudresourcemanager.googleapis.com/projects/%v", project),
Roles: pulumi.StringArray{
pulumi.String("roles/viewer"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.gcp.SecretBackend;
import com.pulumi.vault.gcp.SecretBackendArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.vault.gcp.SecretRoleset;
import com.pulumi.vault.gcp.SecretRolesetArgs;
import com.pulumi.vault.gcp.inputs.SecretRolesetBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var project = "my-awesome-project";
var gcp = new SecretBackend("gcp", SecretBackendArgs.builder()
.path("gcp")
.credentials(StdFunctions.file(FileArgs.builder()
.input("credentials.json")
.build()).result())
.build());
var roleset = new SecretRoleset("roleset", SecretRolesetArgs.builder()
.backend(gcp.path())
.roleset("project_viewer")
.secretType("access_token")
.project(project)
.tokenScopes("https://www.googleapis.com/auth/cloud-platform")
.bindings(SecretRolesetBindingArgs.builder()
.resource(String.format("//cloudresourcemanager.googleapis.com/projects/%s", project))
.roles("roles/viewer")
.build())
.build());
}
}Content copied to clipboard
resources:
gcp:
type: vault:gcp:SecretBackend
properties:
path: gcp
credentials:
fn::invoke:
function: std:file
arguments:
input: credentials.json
return: result
roleset:
type: vault:gcp:SecretRoleset
properties:
backend: ${gcp.path}
roleset: project_viewer
secretType: access_token
project: ${project}
tokenScopes:
- https://www.googleapis.com/auth/cloud-platform
bindings:
- resource: //cloudresourcemanager.googleapis.com/projects/${project}
roles:
- roles/viewer
variables:
project: my-awesome-projectContent copied to clipboard
Import
A roleset can be imported using its Vault Path. For example, referencing the example above,
$ pulumi import vault:gcp/secretRoleset:SecretRoleset roleset gcp/roleset/project_viewerContent copied to clipboard
Properties
Link copied to clipboard
Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
Link copied to clipboard
Email of the service account created by Vault for this Roleset.
Link copied to clipboard
List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).