Skip to main content
  1. Docs
  2. Secrets & Configuration
  3. Providers
  4. Login & OIDC
  5. vault-login

vault-login

    The vault-login provider enables you to log in to HashiCorp Vault using OpenID Connect or by providing static credentials. The provider will return a set of credentials that can be used to fetch secrets using the vault-secrets provider.

    Examples

    values:
      vault:
        login:
          fn::open::vault-login:
            address: https://127.0.0.1:8200/
            jwt:
              role: example-role
      environmentVariables:
        # Consumed by the Vault CLI and the Pulumi Vault provider
        VAULT_ADDR: ${vault.login.address}
        VAULT_TOKEN: ${vault.login.token}
    
    values:
      vault:
        login:
          fn::open::vault-login:
            address: https://sample-cluster-public-vault-12345678.8ca2e2af.z1.hashicorp.cloud:8200
            namespace: admin/example
            token:
              displayName: esc-token
              token:
                fn::secret: redacted
              policies: [kv-read]
      environmentVariables:
        # Consumed by the Vault CLI and the Pulumi Vault provider
        VAULT_ADDR: ${vault.login.address}
        VAULT_TOKEN: ${vault.login.token}
        VAULT_NAMESPACE: ${vault.login.namespace}
    

    Schema reference

    Reference schemas last updated on 2026-07-11, synced automatically from the Pulumi Cloud ESC API.

    Inputs

    • address string required
      The URL of the Vault server. Must contain a scheme and hostname, but no path.
    • jwt object optional
      Options for JWT login. JWT login uses an OIDC token issued by the Pulumi Cloud to generate an ephemeral token.
    • mount string optional
      The name of the authentication engine mount.
    • role string required
      The name of the role to use for login.
    • subjectAttributes array[string] optional
      The attributes used to issue the oidc token subject.
    • namespace string optional
      The namespace to log in to. Only available for Vault Enterprise.
    • token object optional
      Options for token login. Token login creates an ephemeral child token.
    • displayName string optional
      The display name of the ephemeral token.
    • maxTtl string optional
      The maximum TTL of the ephemeral token.
    • metadata object optional
      Arbitrary metadata to associate with the ephemeral token.
    • policies array[string] optional
      List of policies for the token.
    • token string required
      The parent token.

    Outputs

    • address string required
      The URL of the vault server.
    • namespace string optional
      The namespace to use for the session.
    • token string required
      The ephemeral token generated for the session.

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault, see the OpenID Connect integration documentation.