HashiCorp Vault v6.0.0 published on Monday, Mar 25, 2024 by Pulumi

vault.gcp.SecretRoleset


    Creates a Roleset in the GCP Secrets Engine for Vault.

    Each Roleset is tied to a Service Account, and can have one or more bindings associated with it.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as fs from "fs";
    import * as vault from "@pulumi/vault";
    
// GCP project that will own the roleset's service account.
const gcpProject = "my-awesome-project";

// Mount the GCP secrets engine at path "gcp", authenticating it with the
// service-account key read from disk.
// NOTE(review): the key file contents become a resource input; confirm the
// provider marks `credentials` as secret so it is encrypted in state.
const backend = new vault.gcp.SecretBackend("gcp", {
    path: "gcp",
    credentials: fs.readFileSync("credentials.json", "utf8"),
});

// Roleset issuing access tokens limited to roles/viewer on the project.
const rolesetArgs: vault.gcp.SecretRolesetArgs = {
    backend: backend.path,
    roleset: "project_viewer",
    secretType: "access_token",
    project: gcpProject,
    tokenScopes: ["https://www.googleapis.com/auth/cloud-platform"],
    bindings: [
        {
            resource: `//cloudresourcemanager.googleapis.com/projects/${gcpProject}`,
            roles: ["roles/viewer"],
        },
    ],
};

const roleset = new vault.gcp.SecretRoleset("roleset", rolesetArgs);
    
    import pulumi
    import pulumi_vault as vault
    
    project = "my-awesome-project"
    gcp = vault.gcp.SecretBackend("gcp",
        path="gcp",
        credentials=(lambda path: open(path).read())("credentials.json"))
    roleset = vault.gcp.SecretRoleset("roleset",
        backend=gcp.path,
        roleset="project_viewer",
        secret_type="access_token",
        project=project,
        token_scopes=["https://www.googleapis.com/auth/cloud-platform"],
        bindings=[vault.gcp.SecretRolesetBindingArgs(
            resource=f"//cloudresourcemanager.googleapis.com/projects/{project}",
            roles=["roles/viewer"],
        )])
    
    package main
    
    import (
    	"fmt"
    	"os"
    
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
// readFileOrPanic returns the contents of the file at path as a Pulumi
// string input. Any read error aborts the program with a panic.
func readFileOrPanic(path string) pulumi.StringPtrInput {
	contents, readErr := os.ReadFile(path)
	if readErr != nil {
		panic(readErr.Error())
	}
	return pulumi.String(string(contents))
}
    
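func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project := "my-awesome-project"
		// The backend variable must not be named "gcp": a local called gcp
		// would shadow the imported gcp package, and the gcp.NewSecretRoleset
		// call below would then resolve against the variable and not compile.
		backend, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
			Path:        pulumi.String("gcp"),
			Credentials: readFileOrPanic("credentials.json"),
		})
		if err != nil {
			return err
		}
		// Roleset issuing access tokens limited to roles/viewer on the project.
		_, err = gcp.NewSecretRoleset(ctx, "roleset", &gcp.SecretRolesetArgs{
			Backend:    backend.Path,
			Roleset:    pulumi.String("project_viewer"),
			SecretType: pulumi.String("access_token"),
			Project:    pulumi.String(project),
			TokenScopes: pulumi.StringArray{
				pulumi.String("https://www.googleapis.com/auth/cloud-platform"),
			},
			Bindings: gcp.SecretRolesetBindingArray{
				&gcp.SecretRolesetBindingArgs{
					Resource: pulumi.String(fmt.Sprintf("//cloudresourcemanager.googleapis.com/projects/%v", project)),
					Roles: pulumi.StringArray{
						pulumi.String("roles/viewer"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}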
    
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var project = "my-awesome-project";
    
        var gcp = new Vault.Gcp.SecretBackend("gcp", new()
        {
            Path = "gcp",
            Credentials = File.ReadAllText("credentials.json"),
        });
    
        var roleset = new Vault.Gcp.SecretRoleset("roleset", new()
        {
            Backend = gcp.Path,
            Roleset = "project_viewer",
            SecretType = "access_token",
            Project = project,
            TokenScopes = new[]
            {
                "https://www.googleapis.com/auth/cloud-platform",
            },
            Bindings = new[]
            {
                new Vault.Gcp.Inputs.SecretRolesetBindingArgs
                {
                    Resource = $"//cloudresourcemanager.googleapis.com/projects/{project}",
                    Roles = new[]
                    {
                        "roles/viewer",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.gcp.SecretBackend;
import com.pulumi.vault.gcp.SecretBackendArgs;
import com.pulumi.vault.gcp.SecretRoleset;
import com.pulumi.vault.gcp.SecretRolesetArgs;
import com.pulumi.vault.gcp.inputs.SecretRolesetBindingArgs;
import java.io.File;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
    
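public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines the stack: mounts the GCP secrets engine at path "gcp" and
     * creates a roleset on it that issues viewer-scoped access tokens.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        final var project = "my-awesome-project";

        var gcp = new SecretBackend("gcp", SecretBackendArgs.builder()
            .path("gcp")
            .credentials(readCredentials("credentials.json"))
            .build());

        var roleset = new SecretRoleset("roleset", SecretRolesetArgs.builder()
            .backend(gcp.path())
            .roleset("project_viewer")
            .secretType("access_token")
            .project(project)
            .tokenScopes("https://www.googleapis.com/auth/cloud-platform")
            .bindings(SecretRolesetBindingArgs.builder()
                .resource(String.format("//cloudresourcemanager.googleapis.com/projects/%s", project))
                .roles("roles/viewer")
                .build())
            .build());

    }

    /**
     * Reads the service-account key file at {@code path}.
     *
     * Files.readString throws the checked IOException, and stack(Context)
     * declares no throws clause, so calling it inline did not compile. The
     * error is rethrown unchecked so a missing or unreadable key file still
     * aborts the deployment.
     *
     * @param path path of the key file
     * @return the file contents
     * @throws UncheckedIOException if the file cannot be read
     */
    private static String readCredentials(String path) {
        try {
            return Files.readString(Paths.get(path));
        } catch (IOException e) {
            throw new UncheckedIOException("unable to read credentials file " + path, e);
        }
    }
}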
    
    resources:
      gcp:
        type: vault:gcp:SecretBackend
        properties:
          path: gcp
          credentials:
            fn::readFile: credentials.json
      roleset:
        type: vault:gcp:SecretRoleset
        properties:
          backend: ${gcp.path}
          roleset: project_viewer
          secretType: access_token
          project: ${project}
          tokenScopes:
            - https://www.googleapis.com/auth/cloud-platform
          bindings:
            - resource: //cloudresourcemanager.googleapis.com/projects/${project}
              roles:
                - roles/viewer
    variables:
      project: my-awesome-project
    

    Create SecretRoleset Resource

    new SecretRoleset(name: string, args: SecretRolesetArgs, opts?: CustomResourceOptions);
    @overload
    def SecretRoleset(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      backend: Optional[str] = None,
                      bindings: Optional[Sequence[SecretRolesetBindingArgs]] = None,
                      namespace: Optional[str] = None,
                      project: Optional[str] = None,
                      roleset: Optional[str] = None,
                      secret_type: Optional[str] = None,
                      token_scopes: Optional[Sequence[str]] = None)
    @overload
    def SecretRoleset(resource_name: str,
                      args: SecretRolesetArgs,
                      opts: Optional[ResourceOptions] = None)
    func NewSecretRoleset(ctx *Context, name string, args SecretRolesetArgs, opts ...ResourceOption) (*SecretRoleset, error)
    public SecretRoleset(string name, SecretRolesetArgs args, CustomResourceOptions? opts = null)
    public SecretRoleset(String name, SecretRolesetArgs args)
    public SecretRoleset(String name, SecretRolesetArgs args, CustomResourceOptions options)
    
    type: vault:gcp:SecretRoleset
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args SecretRolesetArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretRolesetArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretRolesetArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretRolesetArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretRolesetArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    SecretRoleset Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SecretRoleset resource accepts the following input properties:

    Backend string
    Path where the GCP Secrets Engine is mounted
    Bindings List<SecretRolesetBinding>
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    Project string
    Name of the GCP project that this roleset's service account will belong to.
    Roleset string
    Name of the Roleset to create
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    SecretType string
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    TokenScopes List<string>
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
    Backend string
    Path where the GCP Secrets Engine is mounted
    Bindings []SecretRolesetBindingArgs
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    Project string
    Name of the GCP project that this roleset's service account will belong to.
    Roleset string
    Name of the Roleset to create
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    SecretType string
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    TokenScopes []string
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
    backend String
    Path where the GCP Secrets Engine is mounted
    bindings List<SecretRolesetBinding>
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    project String
    Name of the GCP project that this roleset's service account will belong to.
    roleset String
    Name of the Roleset to create
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secretType String
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    tokenScopes List<String>
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
    backend string
    Path where the GCP Secrets Engine is mounted
    bindings SecretRolesetBinding[]
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    project string
    Name of the GCP project that this roleset's service account will belong to.
    roleset string
    Name of the Roleset to create
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secretType string
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    tokenScopes string[]
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
    backend str
    Path where the GCP Secrets Engine is mounted
    bindings Sequence[SecretRolesetBindingArgs]
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    project str
    Name of the GCP project that this roleset's service account will belong to.
    roleset str
    Name of the Roleset to create
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secret_type str
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    token_scopes Sequence[str]
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
    backend String
    Path where the GCP Secrets Engine is mounted
    bindings List<Property Map>
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    project String
    Name of the GCP project that this roleset's service account will belong to.
    roleset String
    Name of the Roleset to create
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secretType String
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    tokenScopes List<String>
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretRoleset resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    ServiceAccountEmail string
    Email of the service account created by Vault for this Roleset.
    Id string
    The provider-assigned unique ID for this managed resource.
    ServiceAccountEmail string
    Email of the service account created by Vault for this Roleset.
    id String
    The provider-assigned unique ID for this managed resource.
    serviceAccountEmail String
    Email of the service account created by Vault for this Roleset.
    id string
    The provider-assigned unique ID for this managed resource.
    serviceAccountEmail string
    Email of the service account created by Vault for this Roleset.
    id str
    The provider-assigned unique ID for this managed resource.
    service_account_email str
    Email of the service account created by Vault for this Roleset.
    id String
    The provider-assigned unique ID for this managed resource.
    serviceAccountEmail String
    Email of the service account created by Vault for this Roleset.

    Look up Existing SecretRoleset Resource

    Get an existing SecretRoleset resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretRolesetState, opts?: CustomResourceOptions): SecretRoleset
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            backend: Optional[str] = None,
            bindings: Optional[Sequence[SecretRolesetBindingArgs]] = None,
            namespace: Optional[str] = None,
            project: Optional[str] = None,
            roleset: Optional[str] = None,
            secret_type: Optional[str] = None,
            service_account_email: Optional[str] = None,
            token_scopes: Optional[Sequence[str]] = None) -> SecretRoleset
    func GetSecretRoleset(ctx *Context, name string, id IDInput, state *SecretRolesetState, opts ...ResourceOption) (*SecretRoleset, error)
    public static SecretRoleset Get(string name, Input<string> id, SecretRolesetState? state, CustomResourceOptions? opts = null)
    public static SecretRoleset get(String name, Output<String> id, SecretRolesetState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Backend string
    Path where the GCP Secrets Engine is mounted
    Bindings List<SecretRolesetBinding>
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Project string
    Name of the GCP project that this roleset's service account will belong to.
    Roleset string
    Name of the Roleset to create
    SecretType string
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    ServiceAccountEmail string
    Email of the service account created by Vault for this Roleset.
    TokenScopes List<string>
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
    Backend string
    Path where the GCP Secrets Engine is mounted
    Bindings []SecretRolesetBindingArgs
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Project string
    Name of the GCP project that this roleset's service account will belong to.
    Roleset string
    Name of the Roleset to create
    SecretType string
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    ServiceAccountEmail string
    Email of the service account created by Vault for this Roleset.
    TokenScopes []string
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
    backend String
    Path where the GCP Secrets Engine is mounted
    bindings List<SecretRolesetBinding>
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    project String
    Name of the GCP project that this roleset's service account will belong to.
    roleset String
    Name of the Roleset to create
    secretType String
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    serviceAccountEmail String
    Email of the service account created by Vault for this Roleset.
    tokenScopes List<String>
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
    backend string
    Path where the GCP Secrets Engine is mounted
    bindings SecretRolesetBinding[]
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    project string
    Name of the GCP project that this roleset's service account will belong to.
    roleset string
    Name of the Roleset to create
    secretType string
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    serviceAccountEmail string
    Email of the service account created by Vault for this Roleset.
    tokenScopes string[]
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
    backend str
    Path where the GCP Secrets Engine is mounted
    bindings Sequence[SecretRolesetBindingArgs]
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    project str
    Name of the GCP project that this roleset's service account will belong to.
    roleset str
    Name of the Roleset to create
    secret_type str
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    service_account_email str
    Email of the service account created by Vault for this Roleset.
    token_scopes Sequence[str]
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
    backend String
    Path where the GCP Secrets Engine is mounted
    bindings List<Property Map>
    Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    project String
    Name of the GCP project that this roleset's service account will belong to.
    roleset String
    Name of the Roleset to create
    secretType String
    Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
    serviceAccountEmail String
    Email of the service account created by Vault for this Roleset.
    tokenScopes List<String>
    List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

    Supporting Types

    SecretRolesetBinding, SecretRolesetBindingArgs

    Resource string
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
    Roles List<string>
    List of GCP IAM roles for the resource.
    Resource string
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
    Roles []string
    List of GCP IAM roles for the resource.
    resource String
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
    roles List<String>
    List of GCP IAM roles for the resource.
    resource string
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
    roles string[]
    List of GCP IAM roles for the resource.
    resource str
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
    roles Sequence[str]
    List of GCP IAM roles for the resource.
    resource String
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
    roles List<String>
    List of GCP IAM roles for the resource.

    Import

    A roleset can be imported using its Vault path. For example, for the roleset defined in the example above:

    $ pulumi import vault:gcp/secretRoleset:SecretRoleset roleset gcp/roleset/project_viewer
    

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.