vault-login
The vault-login provider enables you to log in to HashiCorp Vault using OpenID Connect or by providing static credentials. The provider will return a set of credentials that can be used to fetch secrets using the vault-secrets provider.

The namespaces functionality of Vault is not currently supported. More specifically, this configuration will only work for the root namespace. This means that this configuration will only work with Vault OSS at this time (Vault HCP and Enterprise are not supported).

Example
vault:
  login:
    fn::open::vault-login:
      address: https://127.0.0.1:8200/
      jwt:
        role: example-role
Configuring OIDC
To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault, see the OpenID Connect integration documentation.
Inputs
Property | Type | Description |
---|---|---|
address | string | The URL of the Vault server. Must contain a scheme and hostname, but no path. |
jwt | VaultLoginJWT | [Optional] Options for JWT login. JWT login uses an OIDC token issued by Pulumi Cloud to generate an ephemeral token. |
token | VaultLoginToken | [Optional] Options for token login. Token login creates an ephemeral child token. |
VaultLoginJWT
Property | Type | Description |
---|---|---|
role | string | The name of the role to use for login. |
mount | string | [Optional] The name of the authentication engine mount. Defaults to jwt. |
VaultLoginToken
Property | Type | Description |
---|---|---|
token | string | The parent token. |
displayName | string | [Optional] The display name of the ephemeral token. Defaults to ‘pulumi’. |
maxTtl | string | [Optional] The maximum TTL of the ephemeral token. |
Outputs
Property | Type | Description |
---|---|---|
address | string | The URL of the Vault server. |
token | string | The ephemeral token generated for the session. |
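
The following added example (not Pulumi's code) shows the JWT login exchange that the Inputs and Outputs tables describe, using the login endpoint of Vault's JWT auth method. The function names, the constructed sample response, the http/https scheme check and the treatment of a bare trailing `/` as "no path" are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Vault login response (not captured from a real server).
SAMPLE_RESPONSE = json.dumps(
    {"auth": {"client_token": "hvs.CONSTRUCTED-EXAMPLE", "lease_duration": 3600}}
)


def validate_address(address: str) -> str:
    """Apply the Inputs rule for `address`: scheme and hostname, but no path."""
    parts = urlsplit(address)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("address must contain a scheme and hostname")
    # Assumption: a bare trailing "/" (as in the page's example) is not a path.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("address must not contain a path")
    return f"{parts.scheme}://{parts.netloc}"


def build_jwt_login(inputs: dict, oidc_token: str) -> dict:
    """Build the login request for Vault's JWT auth method from provider inputs."""
    base = validate_address(inputs["address"])
    jwt = inputs["jwt"]
    mount = jwt.get("mount", "jwt").strip("/")  # default per the VaultLoginJWT table
    if not mount or not jwt.get("role"):
        raise ValueError("jwt.role is required and mount must not be empty")
    return {
        "method": "POST",
        "url": f"{base}/v1/auth/{mount}/login",
        "body": {"role": jwt["role"], "jwt": oidc_token},
    }


def provider_outputs(base: str, response_json: str) -> dict:
    """Map a login response onto the Outputs table: address and ephemeral token."""
    auth = json.loads(response_json).get("auth") or {}
    if not auth.get("client_token"):
        raise ValueError("login response carried no client token")
    return {"address": base, "token": auth["client_token"]}


if __name__ == "__main__":
    request = build_jwt_login(
        {"address": "https://127.0.0.1:8200/", "jwt": {"role": "example-role"}},
        oidc_token="constructed.oidc.token",
    )
    print(request["method"], request["url"])
    print(provider_outputs("https://127.0.0.1:8200", SAMPLE_RESPONSE)["address"])
```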