getServiceAccountToken

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
// CA certificate Vault uses to verify the Kubernetes API server's TLS certificate.
const caCert = std.file({ input: "/path/to/cert" }).then(file => file.result);

// JWT of the service account the secrets engine acts as. This is a credential:
// keep the file out of version control, and confirm the value is stored as a
// secret in stack state, since resource inputs are recorded there.
const engineJwt = std.file({ input: "/path/to/token" }).then(file => file.result);

// Mount and configure the Kubernetes secrets engine.
const config = new vault.kubernetes.SecretBackend("config", {
    path: "kubernetes",
    description: "kubernetes secrets engine description",
    // Loopback address of a local test cluster; use the real API server URL elsewhere.
    kubernetesHost: "https://127.0.0.1:61233",
    kubernetesCaCert: caCert,
    serviceAccountJwt: engineJwt,
    // false: Vault may still fall back to its pod-local CA and JWT when it runs in Kubernetes.
    disableLocalCaJwt: false,
});

// Role that bounds which tokens the engine will hand out.
const role = new vault.kubernetes.SecretBackendRole("role", {
    backend: config.path,
    name: "service-account-name-role",
    // "*" lets this role issue tokens in every namespace. The request below only
    // needs "test"; list the specific namespaces for least privilege.
    allowedKubernetesNamespaces: ["*"],
    tokenMaxTtl: 43200,     // 12 h ceiling, in seconds
    tokenDefaultTtl: 21600, // 6 h default, in seconds
    // Tokens are issued for this existing service account, so its RBAC
    // bindings define what a token holder can do.
    serviceAccountName: "test-service-account-with-generated-token",
    extraLabels: {
        id: "abc123",
        name: "some_name",
    },
    extraAnnotations: {
        env: "development",
        location: "earth",
    },
});

// The result carries a live Kubernetes credential: pass it on as a secret and
// do not log it or export it as a plain stack output.
const token = vault.kubernetes.getServiceAccountTokenOutput({
    backend: config.path,
    role: role.name,
    kubernetesNamespace: "test",
    // false: no cluster-wide ClusterRoleBinding is requested.
    clusterRoleBinding: false,
    // Shorter than the role's 6 h default; request only as long as the consumer needs.
    ttl: "1h",
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
# CA certificate Vault uses to verify the Kubernetes API server's TLS certificate.
ca_cert = std.file(input="/path/to/cert").result

# JWT of the service account the secrets engine acts as. This is a credential:
# keep the file out of version control, and confirm the value is stored as a
# secret in stack state, since resource inputs are recorded there.
engine_jwt = std.file(input="/path/to/token").result

# Mount and configure the Kubernetes secrets engine.
config = vault.kubernetes.SecretBackend(
    "config",
    path="kubernetes",
    description="kubernetes secrets engine description",
    # Loopback address of a local test cluster; use the real API server URL elsewhere.
    kubernetes_host="https://127.0.0.1:61233",
    kubernetes_ca_cert=ca_cert,
    service_account_jwt=engine_jwt,
    # False: Vault may still fall back to its pod-local CA and JWT when it runs in Kubernetes.
    disable_local_ca_jwt=False,
)

# Role that bounds which tokens the engine will hand out.
role = vault.kubernetes.SecretBackendRole(
    "role",
    backend=config.path,
    name="service-account-name-role",
    # "*" lets this role issue tokens in every namespace. The request below only
    # needs "test"; list the specific namespaces for least privilege.
    allowed_kubernetes_namespaces=["*"],
    token_max_ttl=43200,      # 12 h ceiling, in seconds
    token_default_ttl=21600,  # 6 h default, in seconds
    # Tokens are issued for this existing service account, so its RBAC
    # bindings define what a token holder can do.
    service_account_name="test-service-account-with-generated-token",
    extra_labels={
        "id": "abc123",
        "name": "some_name",
    },
    extra_annotations={
        "env": "development",
        "location": "earth",
    },
)

# The result carries a live Kubernetes credential: pass it on as a secret and
# do not log it or export it as a plain stack output.
token = vault.kubernetes.get_service_account_token_output(
    backend=config.path,
    role=role.name,
    kubernetes_namespace="test",
    # False: no cluster-wide ClusterRoleBinding is requested.
    cluster_role_binding=False,
    # Shorter than the role's 6 h default; request only as long as the consumer needs.
    ttl="1h",
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // CA certificate Vault uses to verify the Kubernetes API server's TLS certificate.
    var caCert = Std.File.Invoke(new()
    {
        Input = "/path/to/cert",
    }).Apply(file => file.Result);

    // JWT of the service account the secrets engine acts as. This is a credential:
    // keep the file out of version control, and confirm the value is stored as a
    // secret in stack state, since resource inputs are recorded there.
    var engineJwt = Std.File.Invoke(new()
    {
        Input = "/path/to/token",
    }).Apply(file => file.Result);

    // Mount and configure the Kubernetes secrets engine.
    var config = new Vault.Kubernetes.SecretBackend("config", new()
    {
        Path = "kubernetes",
        Description = "kubernetes secrets engine description",
        // Loopback address of a local test cluster; use the real API server URL elsewhere.
        KubernetesHost = "https://127.0.0.1:61233",
        KubernetesCaCert = caCert,
        ServiceAccountJwt = engineJwt,
        // false: Vault may still fall back to its pod-local CA and JWT when it runs in Kubernetes.
        DisableLocalCaJwt = false,
    });

    // Role that bounds which tokens the engine will hand out.
    var role = new Vault.Kubernetes.SecretBackendRole("role", new()
    {
        Backend = config.Path,
        Name = "service-account-name-role",
        // "*" lets this role issue tokens in every namespace. The request below only
        // needs "test"; list the specific namespaces for least privilege.
        AllowedKubernetesNamespaces = new[]
        {
            "*",
        },
        TokenMaxTtl = 43200,     // 12 h ceiling, in seconds
        TokenDefaultTtl = 21600, // 6 h default, in seconds
        // Tokens are issued for this existing service account, so its RBAC
        // bindings define what a token holder can do.
        ServiceAccountName = "test-service-account-with-generated-token",
        ExtraLabels =
        {
            { "id", "abc123" },
            { "name", "some_name" },
        },
        ExtraAnnotations =
        {
            { "env", "development" },
            { "location", "earth" },
        },
    });

    // The result carries a live Kubernetes credential: pass it on as a secret and
    // do not log it or export it as a plain stack output.
    var token = Vault.Kubernetes.GetServiceAccountToken.Invoke(new()
    {
        Backend = config.Path,
        Role = role.Name,
        KubernetesNamespace = "test",
        // false: no cluster-wide ClusterRoleBinding is requested.
        ClusterRoleBinding = false,
        // Shorter than the role's 6 h default; request only as long as the consumer needs.
        Ttl = "1h",
    });
});
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers the Kubernetes secrets engine, a role on it, and a token
// request against that role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// CA certificate Vault uses to verify the Kubernetes API server's TLS certificate.
		caCertFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}

		// JWT of the service account the secrets engine acts as. This is a
		// credential: keep the file out of version control, and confirm the
		// value is stored as a secret in stack state, since resource inputs
		// are recorded there.
		engineJwtFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}

		// Mount and configure the Kubernetes secrets engine.
		backendArgs := &kubernetes.SecretBackendArgs{
			Path:        pulumi.String("kubernetes"),
			Description: pulumi.String("kubernetes secrets engine description"),
			// Loopback address of a local test cluster; use the real API server URL elsewhere.
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  pulumi.String(caCertFile.Result),
			ServiceAccountJwt: pulumi.String(engineJwtFile.Result),
			// false: Vault may still fall back to its pod-local CA and JWT when it runs in Kubernetes.
			DisableLocalCaJwt: pulumi.Bool(false),
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", backendArgs)
		if err != nil {
			return err
		}

		// Role that bounds which tokens the engine will hand out.
		roleArgs := &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			// "*" lets this role issue tokens in every namespace. The request
			// below only needs "test"; list the specific namespaces for least
			// privilege.
			AllowedKubernetesNamespaces: pulumi.StringArray{
				pulumi.String("*"),
			},
			TokenMaxTtl:     pulumi.Int(43200), // 12 h ceiling, in seconds
			TokenDefaultTtl: pulumi.Int(21600), // 6 h default, in seconds
			// Tokens are issued for this existing service account, so its
			// RBAC bindings define what a token holder can do.
			ServiceAccountName: pulumi.String("test-service-account-with-generated-token"),
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		}
		role, err := kubernetes.NewSecretBackendRole(ctx, "role", roleArgs)
		if err != nil {
			return err
		}

		// The result carries a live Kubernetes credential: pass it on as a
		// secret and do not log it or export it as a plain stack output.
		_ = kubernetes.GetServiceAccountTokenOutput(ctx, kubernetes.GetServiceAccountTokenOutputArgs{
			Backend:             config.Path,
			Role:                role.Name,
			KubernetesNamespace: pulumi.String("test"),
			// false: no cluster-wide ClusterRoleBinding is requested.
			ClusterRoleBinding: pulumi.Bool(false),
			// Shorter than the role's 6 h default; request only as long as the consumer needs.
			Ttl: pulumi.String("1h"),
		}, nil)
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import com.pulumi.vault.kubernetes.KubernetesFunctions;
import com.pulumi.vault.kubernetes.inputs.GetServiceAccountTokenArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Example stack: mounts the Kubernetes secrets engine, defines a role on it,
 * and requests a service account token through that role.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the secrets engine, the role, and the token request.
     *
     * @param ctx the Pulumi deployment context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // CA certificate Vault uses to verify the Kubernetes API server's TLS certificate.
        var caCert = StdFunctions.file(FileArgs.builder()
            .input("/path/to/cert")
            .build()).result();

        // JWT of the service account the secrets engine acts as. This is a credential:
        // keep the file out of version control, and confirm the value is stored as a
        // secret in stack state, since resource inputs are recorded there.
        var engineJwt = StdFunctions.file(FileArgs.builder()
            .input("/path/to/token")
            .build()).result();

        // Mount and configure the Kubernetes secrets engine.
        var config = new SecretBackend("config", SecretBackendArgs.builder()
            .path("kubernetes")
            .description("kubernetes secrets engine description")
            // Loopback address of a local test cluster; use the real API server URL elsewhere.
            .kubernetesHost("https://127.0.0.1:61233")
            .kubernetesCaCert(caCert)
            .serviceAccountJwt(engineJwt)
            // false: Vault may still fall back to its pod-local CA and JWT when it runs in Kubernetes.
            .disableLocalCaJwt(false)
            .build());

        // Role that bounds which tokens the engine will hand out.
        var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
            .backend(config.path())
            .name("service-account-name-role")
            // "*" lets this role issue tokens in every namespace. The request below only
            // needs "test"; list the specific namespaces for least privilege.
            .allowedKubernetesNamespaces("*")
            .tokenMaxTtl(43200)     // 12 h ceiling, in seconds
            .tokenDefaultTtl(21600) // 6 h default, in seconds
            // Tokens are issued for this existing service account, so its RBAC
            // bindings define what a token holder can do.
            .serviceAccountName("test-service-account-with-generated-token")
            .extraLabels(Map.ofEntries(
                Map.entry("id", "abc123"),
                Map.entry("name", "some_name")
            ))
            .extraAnnotations(Map.ofEntries(
                Map.entry("env", "development"),
                Map.entry("location", "earth")
            ))
            .build());

        // The result carries a live Kubernetes credential: pass it on as a secret and
        // do not log it or export it as a plain stack output.
        final var token = KubernetesFunctions.getServiceAccountToken(GetServiceAccountTokenArgs.builder()
            .backend(config.path())
            .role(role.name())
            .kubernetesNamespace("test")
            // false: no cluster-wide ClusterRoleBinding is requested.
            .clusterRoleBinding(false)
            // Shorter than the role's 6 h default; request only as long as the consumer needs.
            .ttl("1h")
            .build());
    }
}
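# Nesting restored: the flattened listing put every key at column 0, which
# loses the resources -> properties hierarchy the program depends on.
resources:
  # Mounts and configures the Kubernetes secrets engine.
  config:
    type: vault:kubernetes:SecretBackend
    properties:
      path: kubernetes
      description: kubernetes secrets engine description
      # Loopback address of a local test cluster; use the real API server URL elsewhere.
      kubernetesHost: https://127.0.0.1:61233
      # CA certificate Vault uses to verify the Kubernetes API server's TLS certificate.
      kubernetesCaCert:
        fn::invoke:
          function: std:file
          arguments:
            input: /path/to/cert
          return: result
      # JWT of the service account the secrets engine acts as. This is a
      # credential: keep the file out of version control, and confirm the
      # value is stored as a secret in stack state, since resource inputs are
      # recorded there.
      serviceAccountJwt:
        fn::invoke:
          function: std:file
          arguments:
            input: /path/to/token
          return: result
      # false: Vault may still fall back to its pod-local CA and JWT when it runs in Kubernetes.
      disableLocalCaJwt: false
  # Role that bounds which tokens the engine will hand out.
  role:
    type: vault:kubernetes:SecretBackendRole
    properties:
      backend: ${config.path}
      name: service-account-name-role
      # '*' lets this role issue tokens in every namespace. The request below
      # only needs "test"; list the specific namespaces for least privilege.
      allowedKubernetesNamespaces:
        - '*'
      tokenMaxTtl: 43200      # 12 h ceiling, in seconds
      tokenDefaultTtl: 21600  # 6 h default, in seconds
      # Tokens are issued for this existing service account, so its RBAC
      # bindings define what a token holder can do.
      serviceAccountName: test-service-account-with-generated-token
      extraLabels:
        id: abc123
        name: some_name
      extraAnnotations:
        env: development
        location: earth
variables:
  # The result carries a live Kubernetes credential: pass it on as a secret
  # and do not expose it as a plain stack output.
  token:
    fn::invoke:
      function: vault:kubernetes:getServiceAccountToken
      arguments:
        backend: ${config.path}
        role: ${role.name}
        kubernetesNamespace: test
        # false: no cluster-wide ClusterRoleBinding is requested.
        clusterRoleBinding: false
        # Shorter than the role's 6 h default; request only as long as the consumer needs.
        ttl: 1h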

Return

A collection of values returned by getServiceAccountToken.

Parameters

argument

A collection of arguments for invoking getServiceAccountToken.


suspend fun getServiceAccountToken(backend: String, clusterRoleBinding: Boolean? = null, kubernetesNamespace: String, namespace: String? = null, role: String, ttl: String? = null): GetServiceAccountTokenResult

Return

A collection of values returned by getServiceAccountToken.

Parameters

backend

The Kubernetes secret backend to generate service account tokens from.

clusterRoleBinding

If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.

kubernetesNamespace

The name of the Kubernetes namespace in which to generate the credentials.

namespace

The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

role

The name of the Kubernetes secret backend role to generate service account tokens from.

ttl

The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.

See also


Return

A collection of values returned by getServiceAccountToken.

Parameters

argument

Builder for com.pulumi.vault.kubernetes.kotlin.inputs.GetServiceAccountTokenPlainArgs.

See also