SecretBackendArgs

/**
 * Arguments for a `vault:kubernetes:SecretBackend` resource (a Kubernetes secrets engine mount).
 *
 * All arguments are optional and default to `null`.
 *
 * @property allowedManagedKeys List of managed key registry entry names that the mount in question is allowed to access.
 * @property allowedResponseHeaders List of headers to allow and pass from the request to the plugin.
 * @property auditNonHmacRequestKeys Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
 * @property auditNonHmacResponseKeys Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
 * @property defaultLeaseTtlSeconds Default lease duration for tokens and secrets in seconds.
 * @property delegatedAuthAccessors List of headers to allow and pass from the request to the plugin.
 *   NOTE(review): this text duplicates the [passthroughRequestHeaders] description; confirm the intended
 *   meaning against the Vault mount API before relying on it.
 * @property description Human-friendly description of the mount.
 * @property disableLocalCaJwt Disable defaulting to the local CA certificate and service account JWT when Vault is
 *   running in a Kubernetes pod.
 * @property externalEntropyAccess Enable the secrets engine to access Vault's external entropy source.
 * @property identityTokenKey The key to use for signing plugin workload identity tokens.
 * @property kubernetesCaCert A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API
 *   server certificate. Defaults to the local pod's CA if Vault is running in Kubernetes; otherwise defaults to the
 *   root CA set where Vault is running.
 * @property kubernetesHost The Kubernetes API URL to connect to. Required if the standard pod environment variables
 *   `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT` are not set on the host that Vault is running on.
 * @property listingVisibility Specifies whether to show this mount in the UI-specific listing endpoint.
 * @property local Local mount flag that can be explicitly set to true to enforce a local mount in an HA environment.
 * @property maxLeaseTtlSeconds Maximum possible lease duration for tokens and secrets in seconds.
 * @property namespace The namespace to provision the resource in. The value should not contain leading or trailing
 *   forward slashes. The namespace is always relative to the provider's configured namespace. Available only for
 *   Vault Enterprise.
 * @property options Specifies mount type specific options that are passed to the backend.
 * @property passthroughRequestHeaders List of headers to allow and pass from the request to the plugin.
 * @property path Where the secret backend will be mounted.
 * @property pluginVersion Specifies the semantic version of the plugin to use, e.g. `v1.0.0`.
 * @property sealWrap Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the
 *   seal's encryption capability.
 * @property serviceAccountJwt The JSON web token of the service account used by the secrets engine to manage
 *   Kubernetes credentials. Defaults to the local pod's JWT if Vault is running in Kubernetes. This is a bearer
 *   credential: source it from a secret-marked value rather than embedding it in plaintext configuration.
 */
data class SecretBackendArgs(
    val allowedManagedKeys: Output<List<String>>? = null,
    val allowedResponseHeaders: Output<List<String>>? = null,
    val auditNonHmacRequestKeys: Output<List<String>>? = null,
    val auditNonHmacResponseKeys: Output<List<String>>? = null,
    val defaultLeaseTtlSeconds: Output<Int>? = null,
    val delegatedAuthAccessors: Output<List<String>>? = null,
    val description: Output<String>? = null,
    val disableLocalCaJwt: Output<Boolean>? = null,
    val externalEntropyAccess: Output<Boolean>? = null,
    val identityTokenKey: Output<String>? = null,
    val kubernetesCaCert: Output<String>? = null,
    val kubernetesHost: Output<String>? = null,
    val listingVisibility: Output<String>? = null,
    val local: Output<Boolean>? = null,
    val maxLeaseTtlSeconds: Output<Int>? = null,
    val namespace: Output<String>? = null,
    val options: Output<Map<String, String>>? = null,
    val passthroughRequestHeaders: Output<List<String>>? = null,
    val path: Output<String>? = null,
    val pluginVersion: Output<String>? = null,
    val sealWrap: Output<Boolean>? = null,
    val serviceAccountJwt: Output<String>? = null,
) : ConvertibleToJava<SecretBackendArgs>

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
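// Mounts the Kubernetes secrets engine at "kubernetes".
// The service-account JWT is a bearer credential: wrapping it in pulumi.secret()
// ensures it is encrypted in Pulumi state and redacted from CLI output, regardless
// of whether the provider schema already marks the property as secret.
const config = new vault.kubernetes.SecretBackend("config", {
    path: "kubernetes",
    description: "kubernetes secrets engine description",
    defaultLeaseTtlSeconds: 43200,
    maxLeaseTtlSeconds: 86400,
    kubernetesHost: "https://127.0.0.1:61233",
    // CA certificate used to verify the Kubernetes API server; not sensitive.
    kubernetesCaCert: std.file({
        input: "/path/to/cert",
    }).then(invoke => invoke.result),
    serviceAccountJwt: pulumi.secret(std.file({
        input: "/path/to/token",
    }).then(invoke => invoke.result)),
    disableLocalCaJwt: false,
});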
import pulumi
import pulumi_std as std
import pulumi_vault as vault
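# Mounts the Kubernetes secrets engine at "kubernetes".
# The service-account JWT is a bearer credential: wrapping it in
# pulumi.Output.secret() ensures it is encrypted in Pulumi state and redacted
# from CLI output, regardless of whether the provider schema already marks
# the property as secret.
config = vault.kubernetes.SecretBackend("config",
    path="kubernetes",
    description="kubernetes secrets engine description",
    default_lease_ttl_seconds=43200,
    max_lease_ttl_seconds=86400,
    kubernetes_host="https://127.0.0.1:61233",
    # CA certificate used to verify the Kubernetes API server; not sensitive.
    kubernetes_ca_cert=std.file(input="/path/to/cert").result,
    service_account_jwt=pulumi.Output.secret(std.file(input="/path/to/token").result),
    disable_local_ca_jwt=False)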
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
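return await Deployment.RunAsync(() =>
{
    // Mounts the Kubernetes secrets engine at "kubernetes".
    // The service-account JWT is a bearer credential: Output.CreateSecret ensures it
    // is encrypted in Pulumi state and redacted from CLI output, regardless of whether
    // the provider schema already marks the property as secret.
    var config = new Vault.Kubernetes.SecretBackend("config", new()
    {
        Path = "kubernetes",
        Description = "kubernetes secrets engine description",
        DefaultLeaseTtlSeconds = 43200,
        MaxLeaseTtlSeconds = 86400,
        KubernetesHost = "https://127.0.0.1:61233",
        // CA certificate used to verify the Kubernetes API server; not sensitive.
        KubernetesCaCert = Std.File.Invoke(new()
        {
            Input = "/path/to/cert",
        }).Apply(invoke => invoke.Result),
        ServiceAccountJwt = Output.CreateSecret(Std.File.Invoke(new()
        {
            Input = "/path/to/token",
        }).Apply(invoke => invoke.Result)),
        DisableLocalCaJwt = false,
    });
});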
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
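// main mounts the Kubernetes secrets engine at "kubernetes", reading the CA
// certificate and service-account JWT from local files.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// CA certificate used to verify the Kubernetes API server; not sensitive.
		caCertFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		tokenFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}
		// The service-account JWT is a bearer credential: pulumi.ToSecret marks it so
		// it is encrypted in Pulumi state and redacted from CLI output, regardless of
		// whether the provider schema already marks the property as secret.
		serviceAccountJwt := pulumi.ToSecret(pulumi.String(tokenFile.Result)).(pulumi.StringOutput)
		_, err = kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:                   pulumi.String("kubernetes"),
			Description:            pulumi.String("kubernetes secrets engine description"),
			DefaultLeaseTtlSeconds: pulumi.Int(43200),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
			KubernetesHost:         pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:       pulumi.String(caCertFile.Result),
			ServiceAccountJwt:      serviceAccountJwt,
			DisableLocalCaJwt:      pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		return nil
	})
}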
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Example program that mounts the Kubernetes secrets engine at "kubernetes",
 * reading the CA certificate and service-account JWT from local files.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the resources for this stack. */
    public static void stack(Context ctx) {
        // CA certificate used to verify the Kubernetes API server; not sensitive.
        var caCert = StdFunctions.file(FileArgs.builder()
            .input("/path/to/cert")
            .build()).result();

        // NOTE(review): the service-account JWT is a bearer credential. Confirm the
        // provider marks this property secret; otherwise it is persisted in Pulumi
        // state in cleartext.
        var serviceAccountJwt = StdFunctions.file(FileArgs.builder()
            .input("/path/to/token")
            .build()).result();

        var backendArgs = SecretBackendArgs.builder()
            .path("kubernetes")
            .description("kubernetes secrets engine description")
            .defaultLeaseTtlSeconds(43200)
            .maxLeaseTtlSeconds(86400)
            .kubernetesHost("https://127.0.0.1:61233")
            .kubernetesCaCert(caCert)
            .serviceAccountJwt(serviceAccountJwt)
            .disableLocalCaJwt(false)
            .build();

        var backend = new SecretBackend("config", backendArgs);
    }
}
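resources:
  # Mounts the Kubernetes secrets engine at "kubernetes".
  config:
    type: vault:kubernetes:SecretBackend
    properties:
      path: kubernetes
      description: kubernetes secrets engine description
      defaultLeaseTtlSeconds: 43200
      maxLeaseTtlSeconds: 86400
      kubernetesHost: https://127.0.0.1:61233
      # CA certificate used to verify the Kubernetes API server; not sensitive.
      kubernetesCaCert:
        fn::invoke:
          function: std:file
          arguments:
            input: /path/to/cert
          return: result
      # The service-account JWT is a bearer credential: fn::secret ensures it is
      # encrypted in Pulumi state and redacted from CLI output, regardless of
      # whether the provider schema already marks the property as secret.
      serviceAccountJwt:
        fn::secret:
          fn::invoke:
            function: std:file
            arguments:
              input: /path/to/token
            return: result
      disableLocalCaJwt: false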

Import

The Kubernetes secret backend can be imported using its mount path, e.g.:

$ pulumi import vault:kubernetes/secretBackend:SecretBackend config kubernetes

Constructors

constructor(allowedManagedKeys: Output<List<String>>? = null, allowedResponseHeaders: Output<List<String>>? = null, auditNonHmacRequestKeys: Output<List<String>>? = null, auditNonHmacResponseKeys: Output<List<String>>? = null, defaultLeaseTtlSeconds: Output<Int>? = null, delegatedAuthAccessors: Output<List<String>>? = null, description: Output<String>? = null, disableLocalCaJwt: Output<Boolean>? = null, externalEntropyAccess: Output<Boolean>? = null, identityTokenKey: Output<String>? = null, kubernetesCaCert: Output<String>? = null, kubernetesHost: Output<String>? = null, listingVisibility: Output<String>? = null, local: Output<Boolean>? = null, maxLeaseTtlSeconds: Output<Int>? = null, namespace: Output<String>? = null, options: Output<Map<String, String>>? = null, passthroughRequestHeaders: Output<List<String>>? = null, path: Output<String>? = null, pluginVersion: Output<String>? = null, sealWrap: Output<Boolean>? = null, serviceAccountJwt: Output<String>? = null)

Properties

val allowedManagedKeys: Output<List<String>>? = null

List of managed key registry entry names that the mount in question is allowed to access

val allowedResponseHeaders: Output<List<String>>? = null

List of headers to allow and pass from the request to the plugin

val auditNonHmacRequestKeys: Output<List<String>>? = null

Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

val auditNonHmacResponseKeys: Output<List<String>>? = null

Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

val defaultLeaseTtlSeconds: Output<Int>? = null

Default lease duration for tokens and secrets in seconds

val delegatedAuthAccessors: Output<List<String>>? = null

List of headers to allow and pass from the request to the plugin

val description: Output<String>? = null

Human-friendly description of the mount

val disableLocalCaJwt: Output<Boolean>? = null

Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.

val externalEntropyAccess: Output<Boolean>? = null

Enable the secrets engine to access Vault's external entropy source

val identityTokenKey: Output<String>? = null

The key to use for signing plugin workload identity tokens

val kubernetesCaCert: Output<String>? = null

A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.

val kubernetesHost: Output<String>? = null

The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.

val listingVisibility: Output<String>? = null

Specifies whether to show this mount in the UI-specific listing endpoint

val local: Output<Boolean>? = null

Local mount flag that can be explicitly set to true to enforce local mount in HA environment

val maxLeaseTtlSeconds: Output<Int>? = null

Maximum possible lease duration for tokens and secrets in seconds

val namespace: Output<String>? = null

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

val options: Output<Map<String, String>>? = null

Specifies mount type specific options that are passed to the backend

val passthroughRequestHeaders: Output<List<String>>? = null

List of headers to allow and pass from the request to the plugin

val path: Output<String>? = null

Where the secret backend will be mounted

val pluginVersion: Output<String>? = null

Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'

val sealWrap: Output<Boolean>? = null

Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability

val serviceAccountJwt: Output<String>? = null

The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.

Functions

/** Converts this Kotlin argument object to its Java SDK equivalent, as required by [ConvertibleToJava]. */
open override fun toJava(): SecretBackendArgs