1. Docs
  2. Pulumi ESC
  3. Integrations
  4. Dynamic login credentials
  5. vault-login

vault-login

    The vault-login provider enables you to log in to HashiCorp Vault using OpenID Connect or by providing static credentials. The provider will return a set of credentials that can be used to fetch secrets using the vault-secrets provider.

    Examples

      vault:
        login:
          fn::open::vault-login:
            address: https://127.0.0.1:8200/
            jwt:
              role: example-role
    
      vault:
        login:
          fn::open::vault-login:
            address: https://sample-cluster-public-vault-12345678.8ca2e2af.z1.hashicorp.cloud:8200
            namespace: admin/example
            token:
              displayName: esc-token
              token:
                fn::secret: redacted
              policies: [kv-read]
    

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault, see the OpenID Connect integration documentation.

    Inputs

    PropertyTypeDescription
    addressstringThe URL of the Vault server. Must contain a scheme and hostname, but no path.
    namespacestring[Optional] The namespace to log in to. Only available for Vault Enterprise.
    jwtVaultLoginJWT[Optional] Options for JWT login. JWT login uses an OIDC token issued by the Pulumi Cloud to generate an ephemeral token.
    tokenVaultLoginToken[Optional] Options for token login. Token login creates an ephemeral child token.

    VaultLoginJWT

    PropertyTypeDescription
    rolestringThe name of the role to use for login.
    mountstring[Optional] - The name of the authentication engine mount. Defaults to jwt.
    subjectAttributesstring[][Optional] - Subject attributes to be included in the OIDC token. For more information see the see the OpenID subject customization documentation

    VaultLoginToken

    PropertyTypeDescription
    tokenstringThe parent token.
    displayNamestring[Optional] - The display name of the ephemeral token. Defaults to ‘pulumi’.
    maxTtlstring[Optional] - The maximum TTL of the ephemeral token.
    metadataobject[Optional] - Arbitrary metadata to associate with the ephemeral token.
    policiesstring[][Optional] - List of policies for the token.

    Outputs

    PropertyTypeDescription
    addressstringThe URL of the vault server.
    namespacestring[Optional] - The namespace to use for the session.
    tokenstringThe ephemeral token generated for the session.
      PulumiUP 2024. Watch On Demand.