vault-login
The vault-login provider enables you to log in to HashiCorp Vault using OpenID Connect or by providing static credentials. The provider will return a set of credentials that can be used to fetch secrets using the vault-secrets provider.
Examples
values:
vault:
login:
fn::open::vault-login:
address: https://127.0.0.1:8200/
jwt:
role: example-role
environmentVariables:
# Consumed by the Vault CLI and the Pulumi Vault provider
VAULT_ADDR: ${vault.login.address}
VAULT_TOKEN: ${vault.login.token}
values:
vault:
login:
fn::open::vault-login:
address: https://sample-cluster-public-vault-12345678.8ca2e2af.z1.hashicorp.cloud:8200
namespace: admin/example
token:
displayName: esc-token
token:
fn::secret: redacted
policies: [kv-read]
environmentVariables:
# Consumed by the Vault CLI and the Pulumi Vault provider
VAULT_ADDR: ${vault.login.address}
VAULT_TOKEN: ${vault.login.token}
VAULT_NAMESPACE: ${vault.login.namespace}
Schema reference
Reference schemas last updated on 2026-07-11, synced automatically from the Pulumi Cloud ESC API.
Inputs
addressstring requiredThe URL of the Vault server. Must contain a scheme and hostname, but no path.jwtobject optionalOptions for JWT login. JWT login uses an OIDC token issued by the Pulumi Cloud to generate an ephemeral token.- ↳
mountstring optionalThe name of the authentication engine mount. - ↳
rolestring requiredThe name of the role to use for login. - ↳
subjectAttributesarray[string] optionalThe attributes used to issue the oidc token subject. namespacestring optionalThe namespace to log in to. Only available for Vault Enterprise.tokenobject optionalOptions for token login. Token login creates an ephemeral child token.- ↳
displayNamestring optionalThe display name of the ephemeral token. - ↳
maxTtlstring optionalThe maximum TTL of the ephemeral token. - ↳
metadataobject optionalArbitrary metadata to associate with the ephemeral token. - ↳
policiesarray[string] optionalList of policies for the token. - ↳
tokenstring requiredThe parent token.
Outputs
addressstring requiredThe URL of the vault server.namespacestring optionalThe namespace to use for the session.tokenstring requiredThe ephemeral token generated for the session.
Configuring OIDC
To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault, see the OpenID Connect integration documentation.