SecretRoleset

Creates a Roleset in the GCP Secrets Engine for Vault.

Each Roleset is tied to a Service Account, and can have one or more bindings associated with it.

Example Usage

using System.IO;
using Pulumi;
using Vault = Pulumi.Vault;

class MyStack : Stack
{
    public MyStack()
    {
        var project = "my-awesome-project";
        var gcp = new Vault.Gcp.SecretBackend("gcp", new Vault.Gcp.SecretBackendArgs
        {
            Path = "gcp",
            Credentials = File.ReadAllText("credentials.json"),
        });
        var roleset = new Vault.Gcp.SecretRoleset("roleset", new Vault.Gcp.SecretRolesetArgs
        {
            Backend = gcp.Path,
            Roleset = "project_viewer",
            SecretType = "access_token",
            Project = project,
            TokenScopes = 
            {
                "https://www.googleapis.com/auth/cloud-platform",
            },
            Bindings = 
            {
                new Vault.Gcp.Inputs.SecretRolesetBindingArgs
                {
                    Resource = $"//cloudresourcemanager.googleapis.com/projects/{project}",
                    Roles = 
                    {
                        "roles/viewer",
                    },
                },
            },
        });
    }

}

Coming soon!

import pulumi
import pulumi_vault as vault

project = "my-awesome-project"
with open("credentials.json") as f:
    credentials = f.read()
gcp = vault.gcp.SecretBackend("gcp",
    path="gcp",
    credentials=credentials)
roleset = vault.gcp.SecretRoleset("roleset",
    backend=gcp.path,
    roleset="project_viewer",
    secret_type="access_token",
    project=project,
    token_scopes=["https://www.googleapis.com/auth/cloud-platform"],
    bindings=[vault.gcp.SecretRolesetBindingArgs(
        resource=f"//cloudresourcemanager.googleapis.com/projects/{project}",
        roles=["roles/viewer"],
    )])

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
import * as fs from "fs";

const project = "my-awesome-project";
const gcp = new vault.gcp.SecretBackend("gcp", {
    path: "gcp",
    credentials: fs.readFileSync("credentials.json", "utf8"),
});
const roleset = new vault.gcp.SecretRoleset("roleset", {
    backend: gcp.path,
    roleset: "project_viewer",
    secretType: "access_token",
    project: project,
    tokenScopes: ["https://www.googleapis.com/auth/cloud-platform"],
    bindings: [{
        resource: `//cloudresourcemanager.googleapis.com/projects/${project}`,
        roles: ["roles/viewer"],
    }],
});

Create a SecretRoleset Resource

new SecretRoleset(name: string, args: SecretRolesetArgs, opts?: CustomResourceOptions);
@overload
def SecretRoleset(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  backend: Optional[str] = None,
                  bindings: Optional[Sequence[SecretRolesetBindingArgs]] = None,
                  project: Optional[str] = None,
                  roleset: Optional[str] = None,
                  secret_type: Optional[str] = None,
                  token_scopes: Optional[Sequence[str]] = None)
@overload
def SecretRoleset(resource_name: str,
                  args: SecretRolesetArgs,
                  opts: Optional[ResourceOptions] = None)
func NewSecretRoleset(ctx *Context, name string, args SecretRolesetArgs, opts ...ResourceOption) (*SecretRoleset, error)
public SecretRoleset(string name, SecretRolesetArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args SecretRolesetArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args SecretRolesetArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args SecretRolesetArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args SecretRolesetArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

SecretRoleset Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The SecretRoleset resource accepts the following input properties:

Backend string
Path where the GCP Secrets Engine is mounted
Bindings List<SecretRolesetBindingArgs>
Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
Project string
Name of the GCP project that this roleset’s service account will belong to.
Roleset string
Name of the Roleset to create
SecretType string
Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
TokenScopes List<string>
List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
Backend string
Path where the GCP Secrets Engine is mounted
Bindings []SecretRolesetBindingArgs
Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
Project string
Name of the GCP project that this roleset’s service account will belong to.
Roleset string
Name of the Roleset to create
SecretType string
Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
TokenScopes []string
List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
backend string
Path where the GCP Secrets Engine is mounted
bindings SecretRolesetBindingArgs[]
Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
project string
Name of the GCP project that this roleset’s service account will belong to.
roleset string
Name of the Roleset to create
secretType string
Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
tokenScopes string[]
List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
backend str
Path where the GCP Secrets Engine is mounted
bindings Sequence[SecretRolesetBindingArgs]
Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
project str
Name of the GCP project that this roleset’s service account will belong to.
roleset str
Name of the Roleset to create
secret_type str
Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
token_scopes Sequence[str]
List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
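As an added illustration (not part of the Pulumi docs or of the provider's own validation), the check below runs over a SecretRoleset argument dictionary before deployment: it applies the accepted values and the access_token default listed above, requires token_scopes only for access_token rolesets, and flags IAM roles that are broader than a viewer-style roleset needs. The role-id pattern and the set of roles treated as too broad are assumptions.

```python
import re
from typing import List

ACCEPTED_SECRET_TYPES = {"access_token", "service_account_key"}
# Assumption: predefined roles look like roles/<id>, custom roles like
# projects/<p>/roles/<id> or organizations/<o>/roles/<id>.
ROLE_ID = re.compile(r"(roles|projects/[^/]+/roles|organizations/[^/]+/roles)/[A-Za-z0-9_.]+")
# Assumption: these basic roles are flagged as a least-privilege concern.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed from the example usage on this page.
EXAMPLE_ARGS = {
    "backend": "gcp",
    "roleset": "project_viewer",
    "secret_type": "access_token",
    "project": "my-awesome-project",
    "token_scopes": ["https://www.googleapis.com/auth/cloud-platform"],
    "bindings": [{"resource": "//cloudresourcemanager.googleapis.com/projects/my-awesome-project",
                  "roles": ["roles/viewer"]}],
}

def validate_roleset(args: dict) -> List[str]:
    """Return the problems found in a SecretRoleset argument dict (empty list = OK)."""
    problems = []
    for key in ("backend", "roleset", "project"):
        if not args.get(key):
            problems.append(f"{key}: required")
    secret_type = args.get("secret_type", "access_token")  # page: defaults to access_token
    if secret_type not in ACCEPTED_SECRET_TYPES:
        problems.append(f"secret_type: {secret_type!r} not in {sorted(ACCEPTED_SECRET_TYPES)}")
    scopes = args.get("token_scopes") or []
    if secret_type == "access_token" and not scopes:
        problems.append("token_scopes: required for access_token rolesets")
    if secret_type == "service_account_key" and scopes:
        problems.append("token_scopes: only apply to access_token rolesets; ignored here")
    bindings = args.get("bindings") or []
    if not bindings:
        problems.append("bindings: at least one binding is required")
    for i, binding in enumerate(bindings):
        if not binding.get("resource"):
            problems.append(f"bindings[{i}].resource: missing")
        roles = binding.get("roles") or []
        if not roles:
            problems.append(f"bindings[{i}].roles: missing")
        for role in roles:
            if not ROLE_ID.fullmatch(role):
                problems.append(f"bindings[{i}].roles: {role!r} is not a GCP IAM role id")
            elif role in BROAD_ROLES:
                problems.append(f"bindings[{i}].roles: {role} is broader than least privilege requires")
    return problems
```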

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretRoleset resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
ServiceAccountEmail string
Email of the service account created by Vault for this Roleset
Id string
The provider-assigned unique ID for this managed resource.
ServiceAccountEmail string
Email of the service account created by Vault for this Roleset
id string
The provider-assigned unique ID for this managed resource.
serviceAccountEmail string
Email of the service account created by Vault for this Roleset
id str
The provider-assigned unique ID for this managed resource.
service_account_email str
Email of the service account created by Vault for this Roleset

Look up an Existing SecretRoleset Resource

Get an existing SecretRoleset resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretRolesetState, opts?: CustomResourceOptions): SecretRoleset
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        backend: Optional[str] = None,
        bindings: Optional[Sequence[SecretRolesetBindingArgs]] = None,
        project: Optional[str] = None,
        roleset: Optional[str] = None,
        secret_type: Optional[str] = None,
        service_account_email: Optional[str] = None,
        token_scopes: Optional[Sequence[str]] = None) -> SecretRoleset
func GetSecretRoleset(ctx *Context, name string, id IDInput, state *SecretRolesetState, opts ...ResourceOption) (*SecretRoleset, error)
public static SecretRoleset Get(string name, Input<string> id, SecretRolesetState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

Backend string
Path where the GCP Secrets Engine is mounted
Bindings List<SecretRolesetBindingArgs>
Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
Project string
Name of the GCP project that this roleset’s service account will belong to.
Roleset string
Name of the Roleset to create
SecretType string
Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
ServiceAccountEmail string
Email of the service account created by Vault for this Roleset
TokenScopes List<string>
List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
Backend string
Path where the GCP Secrets Engine is mounted
Bindings []SecretRolesetBindingArgs
Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
Project string
Name of the GCP project that this roleset’s service account will belong to.
Roleset string
Name of the Roleset to create
SecretType string
Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
ServiceAccountEmail string
Email of the service account created by Vault for this Roleset
TokenScopes []string
List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
backend string
Path where the GCP Secrets Engine is mounted
bindings SecretRolesetBindingArgs[]
Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
project string
Name of the GCP project that this roleset’s service account will belong to.
roleset string
Name of the Roleset to create
secretType string
Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
serviceAccountEmail string
Email of the service account created by Vault for this Roleset
tokenScopes string[]
List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
backend str
Path where the GCP Secrets Engine is mounted
bindings Sequence[SecretRolesetBindingArgs]
Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
project str
Name of the GCP project that this roleset’s service account will belong to.
roleset str
Name of the Roleset to create
secret_type str
Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
service_account_email str
Email of the service account created by Vault for this Roleset
token_scopes Sequence[str]
List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

Supporting Types

SecretRolesetBinding

Resource string
Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
Roles List<string>
List of GCP IAM roles for the resource.
Resource string
Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
Roles []string
List of GCP IAM roles for the resource.
resource string
Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
roles string[]
List of GCP IAM roles for the resource.
resource str
Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
roles Sequence[str]
List of GCP IAM roles for the resource.

Import

A roleset can be imported using its Vault Path. For example, referencing the example above,

$ pulumi import vault:gcp/secretRoleset:SecretRoleset roleset gcp/roleset/project_viewer

Package Details

Repository
https://github.com/pulumi/pulumi-vault
License
Apache-2.0
Notes
This Pulumi package is based on the vault Terraform Provider.