vault-secrets

    The vault-secrets provider enables you to dynamically import Secrets from HashiCorp Vault into your Environment. The provider will return a map of names to Secrets.

    Example

      vault:
        login:
          fn::open::vault-login:
            address: https://127.0.0.1:8200/
            jwt:
              role: example-role
        secrets:
          fn::open::vault-secrets:
            login: ${vault.login}
            read:
              api-key:
                path: api-key
              app-secret:
                path: app-secret
    

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

    • esc open <your-org>/<your-environment> command of the Pulumi ESC CLI
    • pulumi env open <your-org>/<your-environment> command of the Pulumi CLI

    Make sure to replace <your-org> and <your-environment> with the values of your Pulumi organization and environment file respectively. You should see output similar to the following:

    {
      "vault": {
        "login": {
          "address": "***",
          "token": "***"
        },
        "secrets": {
          "test1": {
            "data": {
              "keyA": "valA",
              "keyB": "valB"
            },
            "metadata": {
              "created_time": "2023-11-06T18:24:05.784222Z",
              "custom_metadata": null,
              "deletion_time": "",
              "destroyed": false,
              "version": 1
            }
          }
        }
      }
    }
    

    Inputs

    Property   Type                          Description
    login      VaultSecretsLogin             Credentials used to log in to HashiCorp Vault.
    read       map[string]VaultSecretsRead   A map of names to paths to read from the server. The outputs will map each name to the raw data for the value.

    VaultSecretsLogin

    Property   Type     Description
    address    string   The URL of the Vault server. Must contain a scheme and hostname, but no path.
    namespace  string   [Optional] The namespace to use for the session.
    token      string   The token to use for authentication.

    VaultSecretsRead

    Property   Type     Description
    path       string   The path to read.
    field      string   [Optional] The field of the value to read.

    Outputs

    Property   Type     Description
    N/A        object   A map from names to raw values as read from the server (vault.secrets.<key-name>).
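    The following is an added example, not Pulumi's code: a small linter that walks an environment definition (assumed already parsed from YAML into a dict) and checks every fn::open::vault-login and fn::open::vault-secrets call against the input tables above, including the "scheme and hostname, but no path" rule for the Vault address. The sample environment is constructed from the page's example with one extra field entry.

```python
from urllib.parse import urlparse

def check_address(address):
    """VaultSecretsLogin.address: scheme and hostname, no path ('/' tolerated)."""
    u, problems = urlparse(address if isinstance(address, str) else ""), []
    if u.scheme not in ("http", "https") or not u.hostname:
        problems.append("address needs an http(s) scheme and a hostname")
    if u.path not in ("", "/") or u.query or u.fragment:
        problems.append("address must not contain a path")
    return problems

def check_vault_secrets(args):
    """Inputs of one fn::open::vault-secrets call: a login and a read map."""
    problems, login, read = [], args.get("login"), args.get("read")
    if isinstance(login, dict):  # inline VaultSecretsLogin object
        problems += check_address(login.get("address"))
        if not isinstance(login.get("token"), str):
            problems.append("login.token is required")
    elif not (isinstance(login, str) and login.startswith("${")):
        problems.append("login must be a VaultSecretsLogin or an interpolation")
    if not isinstance(read, dict) or not read:
        return problems + ["read must be a non-empty map of names to {path, field}"]
    for name, spec in read.items():
        if not isinstance(spec, dict) or not isinstance(spec.get("path"), str):
            problems.append(f"read.{name}.path is required")
        elif set(spec) - {"path", "field"}:
            problems.append(f"read.{name}: only path and field are allowed")
    return problems

OPENERS = {"fn::open::vault-login": lambda v: check_address(v.get("address")),
           "fn::open::vault-secrets": check_vault_secrets}

def lint_environment(env, where=""):
    """Walk a parsed environment; return {location: [problems]} per opener found."""
    found = {}
    for key, value in (env.items() if isinstance(env, dict) else []):
        loc = f"{where}.{key}" if where else key
        if key in OPENERS:
            probs = OPENERS[key](value) if isinstance(value, dict) else ["must be a map"]
            if probs:
                found[loc] = probs
        else:
            found.update(lint_environment(value, loc))
    return found

# Constructed sample: the page's example environment plus a `field` on one read entry.
SAMPLE_ENV = {"vault": {
    "login": {"fn::open::vault-login": {"address": "https://127.0.0.1:8200/", "jwt": {"role": "example-role"}}},
    "secrets": {"fn::open::vault-secrets": {"login": "${vault.login}", "read": {
        "api-key": {"path": "api-key"}, "app-secret": {"path": "app-secret", "field": "password"}}}}}}
```

Running lint_environment(SAMPLE_ENV) returns an empty dict; an address such as https://vault.example.com:8200/v1/secret is reported because of its path.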