Secret
data class SecretBackendRoleArgs(val allowedKubernetesNamespaceSelector: Output<String>? = null, val allowedKubernetesNamespaces: Output<List<String>>? = null, val backend: Output<String>? = null, val extraAnnotations: Output<Map<String, String>>? = null, val extraLabels: Output<Map<String, String>>? = null, val generatedRoleRules: Output<String>? = null, val kubernetesRoleName: Output<String>? = null, val kubernetesRoleType: Output<String>? = null, val name: Output<String>? = null, val nameTemplate: Output<String>? = null, val namespace: Output<String>? = null, val serviceAccountName: Output<String>? = null, val tokenDefaultTtl: Output<Int>? = null, val tokenMaxTtl: Output<Int>? = null) : ConvertibleToJava<SecretBackendRoleArgs>
Example Usage
Example using service_account_name mode:
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const config = new vault.kubernetes.SecretBackend("config", {
path: "kubernetes",
description: "kubernetes secrets engine description",
kubernetesHost: "https://127.0.0.1:61233",
kubernetesCaCert: std.file({
input: "/path/to/cert",
}).then(invoke => invoke.result),
serviceAccountJwt: std.file({
input: "/path/to/token",
}).then(invoke => invoke.result),
disableLocalCaJwt: false,
});
const sa_example = new vault.kubernetes.SecretBackendRole("sa-example", {
backend: config.path,
name: "service-account-name-role",
allowedKubernetesNamespaces: ["*"],
tokenMaxTtl: 43200,
tokenDefaultTtl: 21600,
serviceAccountName: "test-service-account-with-generated-token",
extraLabels: {
id: "abc123",
name: "some_name",
},
extraAnnotations: {
env: "development",
location: "earth",
},
});Content copied to clipboard
import pulumi
import pulumi_std as std
import pulumi_vault as vault
config = vault.kubernetes.SecretBackend("config",
path="kubernetes",
description="kubernetes secrets engine description",
kubernetes_host="https://127.0.0.1:61233",
kubernetes_ca_cert=std.file(input="/path/to/cert").result,
service_account_jwt=std.file(input="/path/to/token").result,
disable_local_ca_jwt=False)
sa_example = vault.kubernetes.SecretBackendRole("sa-example",
backend=config.path,
name="service-account-name-role",
allowed_kubernetes_namespaces=["*"],
token_max_ttl=43200,
token_default_ttl=21600,
service_account_name="test-service-account-with-generated-token",
extra_labels={
"id": "abc123",
"name": "some_name",
},
extra_annotations={
"env": "development",
"location": "earth",
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var config = new Vault.Kubernetes.SecretBackend("config", new()
{
Path = "kubernetes",
Description = "kubernetes secrets engine description",
KubernetesHost = "https://127.0.0.1:61233",
KubernetesCaCert = Std.File.Invoke(new()
{
Input = "/path/to/cert",
}).Apply(invoke => invoke.Result),
ServiceAccountJwt = Std.File.Invoke(new()
{
Input = "/path/to/token",
}).Apply(invoke => invoke.Result),
DisableLocalCaJwt = false,
});
var sa_example = new Vault.Kubernetes.SecretBackendRole("sa-example", new()
{
Backend = config.Path,
Name = "service-account-name-role",
AllowedKubernetesNamespaces = new[]
{
"*",
},
TokenMaxTtl = 43200,
TokenDefaultTtl = 21600,
ServiceAccountName = "test-service-account-with-generated-token",
ExtraLabels =
{
{ "id", "abc123" },
{ "name", "some_name" },
},
ExtraAnnotations =
{
{ "env", "development" },
{ "location", "earth" },
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/cert",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/token",
}, nil)
if err != nil {
return err
}
config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
Path: pulumi.String("kubernetes"),
Description: pulumi.String("kubernetes secrets engine description"),
KubernetesHost: pulumi.String("https://127.0.0.1:61233"),
KubernetesCaCert: pulumi.String(invokeFile.Result),
ServiceAccountJwt: pulumi.String(invokeFile1.Result),
DisableLocalCaJwt: pulumi.Bool(false),
})
if err != nil {
return err
}
_, err = kubernetes.NewSecretBackendRole(ctx, "sa-example", &kubernetes.SecretBackendRoleArgs{
Backend: config.Path,
Name: pulumi.String("service-account-name-role"),
AllowedKubernetesNamespaces: pulumi.StringArray{
pulumi.String("*"),
},
TokenMaxTtl: pulumi.Int(43200),
TokenDefaultTtl: pulumi.Int(21600),
ServiceAccountName: pulumi.String("test-service-account-with-generated-token"),
ExtraLabels: pulumi.StringMap{
"id": pulumi.String("abc123"),
"name": pulumi.String("some_name"),
},
ExtraAnnotations: pulumi.StringMap{
"env": pulumi.String("development"),
"location": pulumi.String("earth"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var config = new SecretBackend("config", SecretBackendArgs.builder()
.path("kubernetes")
.description("kubernetes secrets engine description")
.kubernetesHost("https://127.0.0.1:61233")
.kubernetesCaCert(StdFunctions.file(FileArgs.builder()
.input("/path/to/cert")
.build()).result())
.serviceAccountJwt(StdFunctions.file(FileArgs.builder()
.input("/path/to/token")
.build()).result())
.disableLocalCaJwt(false)
.build());
var sa_example = new SecretBackendRole("sa-example", SecretBackendRoleArgs.builder()
.backend(config.path())
.name("service-account-name-role")
.allowedKubernetesNamespaces("*")
.tokenMaxTtl(43200)
.tokenDefaultTtl(21600)
.serviceAccountName("test-service-account-with-generated-token")
.extraLabels(Map.ofEntries(
Map.entry("id", "abc123"),
Map.entry("name", "some_name")
))
.extraAnnotations(Map.ofEntries(
Map.entry("env", "development"),
Map.entry("location", "earth")
))
.build());
}
}Content copied to clipboard
resources:
config:
type: vault:kubernetes:SecretBackend
properties:
path: kubernetes
description: kubernetes secrets engine description
kubernetesHost: https://127.0.0.1:61233
kubernetesCaCert:
fn::invoke:
function: std:file
arguments:
input: /path/to/cert
return: result
serviceAccountJwt:
fn::invoke:
function: std:file
arguments:
input: /path/to/token
return: result
disableLocalCaJwt: false
sa-example:
type: vault:kubernetes:SecretBackendRole
properties:
backend: ${config.path}
name: service-account-name-role
allowedKubernetesNamespaces:
- '*'
tokenMaxTtl: 43200
tokenDefaultTtl: 21600
serviceAccountName: test-service-account-with-generated-token
extraLabels:
id: abc123
name: some_name
extraAnnotations:
env: development
location: earthContent copied to clipboard
Example using kubernetes_role_name mode:
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const config = new vault.kubernetes.SecretBackend("config", {
path: "kubernetes",
description: "kubernetes secrets engine description",
kubernetesHost: "https://127.0.0.1:61233",
kubernetesCaCert: std.file({
input: "/path/to/cert",
}).then(invoke => invoke.result),
serviceAccountJwt: std.file({
input: "/path/to/token",
}).then(invoke => invoke.result),
disableLocalCaJwt: false,
});
const name_example = new vault.kubernetes.SecretBackendRole("name-example", {
backend: config.path,
name: "service-account-name-role",
allowedKubernetesNamespaces: ["*"],
tokenMaxTtl: 43200,
tokenDefaultTtl: 21600,
kubernetesRoleName: "vault-k8s-secrets-role",
extraLabels: {
id: "abc123",
name: "some_name",
},
extraAnnotations: {
env: "development",
location: "earth",
},
});Content copied to clipboard
import pulumi
import pulumi_std as std
import pulumi_vault as vault
config = vault.kubernetes.SecretBackend("config",
path="kubernetes",
description="kubernetes secrets engine description",
kubernetes_host="https://127.0.0.1:61233",
kubernetes_ca_cert=std.file(input="/path/to/cert").result,
service_account_jwt=std.file(input="/path/to/token").result,
disable_local_ca_jwt=False)
name_example = vault.kubernetes.SecretBackendRole("name-example",
backend=config.path,
name="service-account-name-role",
allowed_kubernetes_namespaces=["*"],
token_max_ttl=43200,
token_default_ttl=21600,
kubernetes_role_name="vault-k8s-secrets-role",
extra_labels={
"id": "abc123",
"name": "some_name",
},
extra_annotations={
"env": "development",
"location": "earth",
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var config = new Vault.Kubernetes.SecretBackend("config", new()
{
Path = "kubernetes",
Description = "kubernetes secrets engine description",
KubernetesHost = "https://127.0.0.1:61233",
KubernetesCaCert = Std.File.Invoke(new()
{
Input = "/path/to/cert",
}).Apply(invoke => invoke.Result),
ServiceAccountJwt = Std.File.Invoke(new()
{
Input = "/path/to/token",
}).Apply(invoke => invoke.Result),
DisableLocalCaJwt = false,
});
var name_example = new Vault.Kubernetes.SecretBackendRole("name-example", new()
{
Backend = config.Path,
Name = "service-account-name-role",
AllowedKubernetesNamespaces = new[]
{
"*",
},
TokenMaxTtl = 43200,
TokenDefaultTtl = 21600,
KubernetesRoleName = "vault-k8s-secrets-role",
ExtraLabels =
{
{ "id", "abc123" },
{ "name", "some_name" },
},
ExtraAnnotations =
{
{ "env", "development" },
{ "location", "earth" },
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/cert",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/token",
}, nil)
if err != nil {
return err
}
config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
Path: pulumi.String("kubernetes"),
Description: pulumi.String("kubernetes secrets engine description"),
KubernetesHost: pulumi.String("https://127.0.0.1:61233"),
KubernetesCaCert: pulumi.String(invokeFile.Result),
ServiceAccountJwt: pulumi.String(invokeFile1.Result),
DisableLocalCaJwt: pulumi.Bool(false),
})
if err != nil {
return err
}
_, err = kubernetes.NewSecretBackendRole(ctx, "name-example", &kubernetes.SecretBackendRoleArgs{
Backend: config.Path,
Name: pulumi.String("service-account-name-role"),
AllowedKubernetesNamespaces: pulumi.StringArray{
pulumi.String("*"),
},
TokenMaxTtl: pulumi.Int(43200),
TokenDefaultTtl: pulumi.Int(21600),
KubernetesRoleName: pulumi.String("vault-k8s-secrets-role"),
ExtraLabels: pulumi.StringMap{
"id": pulumi.String("abc123"),
"name": pulumi.String("some_name"),
},
ExtraAnnotations: pulumi.StringMap{
"env": pulumi.String("development"),
"location": pulumi.String("earth"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var config = new SecretBackend("config", SecretBackendArgs.builder()
.path("kubernetes")
.description("kubernetes secrets engine description")
.kubernetesHost("https://127.0.0.1:61233")
.kubernetesCaCert(StdFunctions.file(FileArgs.builder()
.input("/path/to/cert")
.build()).result())
.serviceAccountJwt(StdFunctions.file(FileArgs.builder()
.input("/path/to/token")
.build()).result())
.disableLocalCaJwt(false)
.build());
var name_example = new SecretBackendRole("name-example", SecretBackendRoleArgs.builder()
.backend(config.path())
.name("service-account-name-role")
.allowedKubernetesNamespaces("*")
.tokenMaxTtl(43200)
.tokenDefaultTtl(21600)
.kubernetesRoleName("vault-k8s-secrets-role")
.extraLabels(Map.ofEntries(
Map.entry("id", "abc123"),
Map.entry("name", "some_name")
))
.extraAnnotations(Map.ofEntries(
Map.entry("env", "development"),
Map.entry("location", "earth")
))
.build());
}
}Content copied to clipboard
resources:
config:
type: vault:kubernetes:SecretBackend
properties:
path: kubernetes
description: kubernetes secrets engine description
kubernetesHost: https://127.0.0.1:61233
kubernetesCaCert:
fn::invoke:
function: std:file
arguments:
input: /path/to/cert
return: result
serviceAccountJwt:
fn::invoke:
function: std:file
arguments:
input: /path/to/token
return: result
disableLocalCaJwt: false
name-example:
type: vault:kubernetes:SecretBackendRole
properties:
backend: ${config.path}
name: service-account-name-role
allowedKubernetesNamespaces:
- '*'
tokenMaxTtl: 43200
tokenDefaultTtl: 21600
kubernetesRoleName: vault-k8s-secrets-role
extraLabels:
id: abc123
name: some_name
extraAnnotations:
env: development
location: earthContent copied to clipboard
Example using generated_role_rules mode:
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const config = new vault.kubernetes.SecretBackend("config", {
path: "kubernetes",
description: "kubernetes secrets engine description",
kubernetesHost: "https://127.0.0.1:61233",
kubernetesCaCert: std.file({
input: "/path/to/cert",
}).then(invoke => invoke.result),
serviceAccountJwt: std.file({
input: "/path/to/token",
}).then(invoke => invoke.result),
disableLocalCaJwt: false,
});
const rules_example = new vault.kubernetes.SecretBackendRole("rules-example", {
backend: config.path,
name: "service-account-name-role",
allowedKubernetesNamespaces: ["*"],
tokenMaxTtl: 43200,
tokenDefaultTtl: 21600,
kubernetesRoleType: "Role",
generatedRoleRules: `rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
`,
extraLabels: {
id: "abc123",
name: "some_name",
},
extraAnnotations: {
env: "development",
location: "earth",
},
});Content copied to clipboard
import pulumi
import pulumi_std as std
import pulumi_vault as vault
config = vault.kubernetes.SecretBackend("config",
path="kubernetes",
description="kubernetes secrets engine description",
kubernetes_host="https://127.0.0.1:61233",
kubernetes_ca_cert=std.file(input="/path/to/cert").result,
service_account_jwt=std.file(input="/path/to/token").result,
disable_local_ca_jwt=False)
rules_example = vault.kubernetes.SecretBackendRole("rules-example",
backend=config.path,
name="service-account-name-role",
allowed_kubernetes_namespaces=["*"],
token_max_ttl=43200,
token_default_ttl=21600,
kubernetes_role_type="Role",
generated_role_rules="""rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
""",
extra_labels={
"id": "abc123",
"name": "some_name",
},
extra_annotations={
"env": "development",
"location": "earth",
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var config = new Vault.Kubernetes.SecretBackend("config", new()
{
Path = "kubernetes",
Description = "kubernetes secrets engine description",
KubernetesHost = "https://127.0.0.1:61233",
KubernetesCaCert = Std.File.Invoke(new()
{
Input = "/path/to/cert",
}).Apply(invoke => invoke.Result),
ServiceAccountJwt = Std.File.Invoke(new()
{
Input = "/path/to/token",
}).Apply(invoke => invoke.Result),
DisableLocalCaJwt = false,
});
var rules_example = new Vault.Kubernetes.SecretBackendRole("rules-example", new()
{
Backend = config.Path,
Name = "service-account-name-role",
AllowedKubernetesNamespaces = new[]
{
"*",
},
TokenMaxTtl = 43200,
TokenDefaultTtl = 21600,
KubernetesRoleType = "Role",
GeneratedRoleRules = @"rules:
- apiGroups: [""""]
resources: [""pods""]
verbs: [""list""]
",
ExtraLabels =
{
{ "id", "abc123" },
{ "name", "some_name" },
},
ExtraAnnotations =
{
{ "env", "development" },
{ "location", "earth" },
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/cert",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/token",
}, nil)
if err != nil {
return err
}
config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
Path: pulumi.String("kubernetes"),
Description: pulumi.String("kubernetes secrets engine description"),
KubernetesHost: pulumi.String("https://127.0.0.1:61233"),
KubernetesCaCert: pulumi.String(invokeFile.Result),
ServiceAccountJwt: pulumi.String(invokeFile1.Result),
DisableLocalCaJwt: pulumi.Bool(false),
})
if err != nil {
return err
}
_, err = kubernetes.NewSecretBackendRole(ctx, "rules-example", &kubernetes.SecretBackendRoleArgs{
Backend: config.Path,
Name: pulumi.String("service-account-name-role"),
AllowedKubernetesNamespaces: pulumi.StringArray{
pulumi.String("*"),
},
TokenMaxTtl: pulumi.Int(43200),
TokenDefaultTtl: pulumi.Int(21600),
KubernetesRoleType: pulumi.String("Role"),
GeneratedRoleRules: pulumi.String("rules:\n- apiGroups: [\"\"]\n resources: [\"pods\"]\n verbs: [\"list\"]\n"),
ExtraLabels: pulumi.StringMap{
"id": pulumi.String("abc123"),
"name": pulumi.String("some_name"),
},
ExtraAnnotations: pulumi.StringMap{
"env": pulumi.String("development"),
"location": pulumi.String("earth"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var config = new SecretBackend("config", SecretBackendArgs.builder()
.path("kubernetes")
.description("kubernetes secrets engine description")
.kubernetesHost("https://127.0.0.1:61233")
.kubernetesCaCert(StdFunctions.file(FileArgs.builder()
.input("/path/to/cert")
.build()).result())
.serviceAccountJwt(StdFunctions.file(FileArgs.builder()
.input("/path/to/token")
.build()).result())
.disableLocalCaJwt(false)
.build());
var rules_example = new SecretBackendRole("rules-example", SecretBackendRoleArgs.builder()
.backend(config.path())
.name("service-account-name-role")
.allowedKubernetesNamespaces("*")
.tokenMaxTtl(43200)
.tokenDefaultTtl(21600)
.kubernetesRoleType("Role")
.generatedRoleRules("""
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
""")
.extraLabels(Map.ofEntries(
Map.entry("id", "abc123"),
Map.entry("name", "some_name")
))
.extraAnnotations(Map.ofEntries(
Map.entry("env", "development"),
Map.entry("location", "earth")
))
.build());
}
}Content copied to clipboard
resources:
config:
type: vault:kubernetes:SecretBackend
properties:
path: kubernetes
description: kubernetes secrets engine description
kubernetesHost: https://127.0.0.1:61233
kubernetesCaCert:
fn::invoke:
function: std:file
arguments:
input: /path/to/cert
return: result
serviceAccountJwt:
fn::invoke:
function: std:file
arguments:
input: /path/to/token
return: result
disableLocalCaJwt: false
rules-example:
type: vault:kubernetes:SecretBackendRole
properties:
backend: ${config.path}
name: service-account-name-role
allowedKubernetesNamespaces:
- '*'
tokenMaxTtl: 43200
tokenDefaultTtl: 21600
kubernetesRoleType: Role
generatedRoleRules: |
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
extraLabels:
id: abc123
name: some_name
extraAnnotations:
env: development
location: earthContent copied to clipboard
Import
The Kubernetes secret backend role can be imported using the full path to the role of the form: <backend_path>/roles/<role_name> e.g.
$ pulumi import vault:kubernetes/secretBackendRole:SecretBackendRole example kubernetes kubernetes/roles/example-roleContent copied to clipboard
Constructors
Link copied to clipboard
constructor(allowedKubernetesNamespaceSelector: Output<String>? = null, allowedKubernetesNamespaces: Output<List<String>>? = null, backend: Output<String>? = null, extraAnnotations: Output<Map<String, String>>? = null, extraLabels: Output<Map<String, String>>? = null, generatedRoleRules: Output<String>? = null, kubernetesRoleName: Output<String>? = null, kubernetesRoleType: Output<String>? = null, name: Output<String>? = null, nameTemplate: Output<String>? = null, namespace: Output<String>? = null, serviceAccountName: Output<String>? = null, tokenDefaultTtl: Output<Int>? = null, tokenMaxTtl: Output<Int>? = null)
Properties
Link copied to clipboard
The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
Link copied to clipboard
A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
Link copied to clipboard
Additional annotations to apply to all generated Kubernetes objects.
Link copied to clipboard
Additional labels to apply to all generated Kubernetes objects. This resource also directly accepts all vault.Mount fields.
Link copied to clipboard
The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
Link copied to clipboard
The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
Link copied to clipboard
Specifies whether the Kubernetes role is a Role or ClusterRole.
Link copied to clipboard
The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
Link copied to clipboard
The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
Link copied to clipboard
The default TTL for generated Kubernetes tokens in seconds.
Link copied to clipboard
The maximum TTL for generated Kubernetes tokens in seconds.