vault.aws.AuthBackendClient

HashiCorp Vault v7.8.0, Mar 31 26

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Example Usage

Using Write-Only Secret Key (Recommended)

For enhanced security, use the write-only secretKeyWo field which is never stored in Terraform state:

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.AuthBackend("example", {type: "aws"});
const exampleAuthBackendClient = new vault.aws.AuthBackendClient("example", {
    backend: example.path,
    accessKey: "INSERT_AWS_ACCESS_KEY",
    secretKeyWo: awsSecretKey,
    secretKeyWoVersion: 1,
});

import pulumi
import pulumi_vault as vault

example = vault.AuthBackend("example", type="aws")
example_auth_backend_client = vault.aws.AuthBackendClient("example",
    backend=example.path,
    access_key="INSERT_AWS_ACCESS_KEY",
    secret_key_wo=aws_secret_key,
    secret_key_wo_version=1)

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := vault.NewAuthBackend(ctx, "example", &vault.AuthBackendArgs{
			Type: pulumi.String("aws"),
		})
		if err != nil {
			return err
		}
		_, err = aws.NewAuthBackendClient(ctx, "example", &aws.AuthBackendClientArgs{
			Backend:            example.Path,
			AccessKey:          pulumi.String("INSERT_AWS_ACCESS_KEY"),
			SecretKeyWo:        pulumi.Any(awsSecretKey),
			SecretKeyWoVersion: pulumi.Int(1),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = new Vault.AuthBackend("example", new()
    {
        Type = "aws",
    });

    var exampleAuthBackendClient = new Vault.Aws.AuthBackendClient("example", new()
    {
        Backend = example.Path,
        AccessKey = "INSERT_AWS_ACCESS_KEY",
        SecretKeyWo = awsSecretKey,
        SecretKeyWoVersion = 1,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.aws.AuthBackendClient;
import com.pulumi.vault.aws.AuthBackendClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AuthBackend("example", AuthBackendArgs.builder()
            .type("aws")
            .build());

        var exampleAuthBackendClient = new AuthBackendClient("exampleAuthBackendClient", AuthBackendClientArgs.builder()
            .backend(example.path())
            .accessKey("INSERT_AWS_ACCESS_KEY")
            .secretKeyWo(awsSecretKey)
            .secretKeyWoVersion(1)
            .build());

    }
}

resources:
  example:
    type: vault:AuthBackend
    properties:
      type: aws
  exampleAuthBackendClient:
    type: vault:aws:AuthBackendClient
    name: example
    properties:
      backend: ${example.path}
      accessKey: INSERT_AWS_ACCESS_KEY
      secretKeyWo: ${awsSecretKey}
      secretKeyWoVersion: 1 # Increment to rotate

Using Workload Identity Federation (Secret-less)

You can setup the AWS auth engine with Workload Identity Federation (WIF) for a secret-less configuration:

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.AuthBackend("example", {type: "aws"});
const exampleAuthBackendClient = new vault.aws.AuthBackendClient("example", {
    identityTokenAudience: "<TOKEN_AUDIENCE>",
    identityTokenTtl: "<TOKEN_TTL>",
    roleArn: "<AWS_ROLE_ARN>",
    rotationSchedule: "0 * * * SAT",
    rotationWindow: 3600,
});

import pulumi
import pulumi_vault as vault

example = vault.AuthBackend("example", type="aws")
example_auth_backend_client = vault.aws.AuthBackendClient("example",
    identity_token_audience="<TOKEN_AUDIENCE>",
    identity_token_ttl="<TOKEN_TTL>",
    role_arn="<AWS_ROLE_ARN>",
    rotation_schedule="0 * * * SAT",
    rotation_window=3600)

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := vault.NewAuthBackend(ctx, "example", &vault.AuthBackendArgs{
			Type: pulumi.String("aws"),
		})
		if err != nil {
			return err
		}
		_, err = aws.NewAuthBackendClient(ctx, "example", &aws.AuthBackendClientArgs{
			IdentityTokenAudience: pulumi.String("<TOKEN_AUDIENCE>"),
			IdentityTokenTtl:      pulumi.Int("<TOKEN_TTL>"),
			RoleArn:               pulumi.String("<AWS_ROLE_ARN>"),
			RotationSchedule:      pulumi.String("0 * * * SAT"),
			RotationWindow:        pulumi.Int(3600),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = new Vault.AuthBackend("example", new()
    {
        Type = "aws",
    });

    var exampleAuthBackendClient = new Vault.Aws.AuthBackendClient("example", new()
    {
        IdentityTokenAudience = "<TOKEN_AUDIENCE>",
        IdentityTokenTtl = "<TOKEN_TTL>",
        RoleArn = "<AWS_ROLE_ARN>",
        RotationSchedule = "0 * * * SAT",
        RotationWindow = 3600,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.aws.AuthBackendClient;
import com.pulumi.vault.aws.AuthBackendClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AuthBackend("example", AuthBackendArgs.builder()
            .type("aws")
            .build());

        var exampleAuthBackendClient = new AuthBackendClient("exampleAuthBackendClient", AuthBackendClientArgs.builder()
            .identityTokenAudience("<TOKEN_AUDIENCE>")
            .identityTokenTtl("<TOKEN_TTL>")
            .roleArn("<AWS_ROLE_ARN>")
            .rotationSchedule("0 * * * SAT")
            .rotationWindow(3600)
            .build());

    }
}

resources:
  example:
    type: vault:AuthBackend
    properties:
      type: aws
  exampleAuthBackendClient:
    type: vault:aws:AuthBackendClient
    name: example
    properties:
      identityTokenAudience: <TOKEN_AUDIENCE>
      identityTokenTtl: <TOKEN_TTL>
      roleArn: <AWS_ROLE_ARN>
      rotationSchedule: 0 * * * SAT
      rotationWindow: 3600

Using Legacy Secret Key Field

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.AuthBackend("example", {type: "aws"});
const exampleAuthBackendClient = new vault.aws.AuthBackendClient("example", {
    backend: example.path,
    accessKey: "INSERT_AWS_ACCESS_KEY",
    secretKey: "INSERT_AWS_SECRET_KEY",
    rotationSchedule: "0 * * * SAT",
    rotationWindow: 3600,
    allowedStsHeaderValues: [
        "X-Custom-Header",
        "X-Another-Header",
    ],
});

import pulumi
import pulumi_vault as vault

example = vault.AuthBackend("example", type="aws")
example_auth_backend_client = vault.aws.AuthBackendClient("example",
    backend=example.path,
    access_key="INSERT_AWS_ACCESS_KEY",
    secret_key="INSERT_AWS_SECRET_KEY",
    rotation_schedule="0 * * * SAT",
    rotation_window=3600,
    allowed_sts_header_values=[
        "X-Custom-Header",
        "X-Another-Header",
    ])

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := vault.NewAuthBackend(ctx, "example", &vault.AuthBackendArgs{
			Type: pulumi.String("aws"),
		})
		if err != nil {
			return err
		}
		_, err = aws.NewAuthBackendClient(ctx, "example", &aws.AuthBackendClientArgs{
			Backend:          example.Path,
			AccessKey:        pulumi.String("INSERT_AWS_ACCESS_KEY"),
			SecretKey:        pulumi.String("INSERT_AWS_SECRET_KEY"),
			RotationSchedule: pulumi.String("0 * * * SAT"),
			RotationWindow:   pulumi.Int(3600),
			AllowedStsHeaderValues: pulumi.StringArray{
				pulumi.String("X-Custom-Header"),
				pulumi.String("X-Another-Header"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = new Vault.AuthBackend("example", new()
    {
        Type = "aws",
    });

    var exampleAuthBackendClient = new Vault.Aws.AuthBackendClient("example", new()
    {
        Backend = example.Path,
        AccessKey = "INSERT_AWS_ACCESS_KEY",
        SecretKey = "INSERT_AWS_SECRET_KEY",
        RotationSchedule = "0 * * * SAT",
        RotationWindow = 3600,
        AllowedStsHeaderValues = new[]
        {
            "X-Custom-Header",
            "X-Another-Header",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.aws.AuthBackendClient;
import com.pulumi.vault.aws.AuthBackendClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AuthBackend("example", AuthBackendArgs.builder()
            .type("aws")
            .build());

        var exampleAuthBackendClient = new AuthBackendClient("exampleAuthBackendClient", AuthBackendClientArgs.builder()
            .backend(example.path())
            .accessKey("INSERT_AWS_ACCESS_KEY")
            .secretKey("INSERT_AWS_SECRET_KEY")
            .rotationSchedule("0 * * * SAT")
            .rotationWindow(3600)
            .allowedStsHeaderValues(            
                "X-Custom-Header",
                "X-Another-Header")
            .build());

    }
}

resources:
  example:
    type: vault:AuthBackend
    properties:
      type: aws
  exampleAuthBackendClient:
    type: vault:aws:AuthBackendClient
    name: example
    properties:
      backend: ${example.path}
      accessKey: INSERT_AWS_ACCESS_KEY
      secretKey: INSERT_AWS_SECRET_KEY
      rotationSchedule: 0 * * * SAT
      rotationWindow: 3600
      allowedStsHeaderValues:
        - X-Custom-Header
        - X-Another-Header

Ephemeral Attributes Reference

The following write-only attributes are supported:

secretKeyWo - (Optional) Write-only AWS secret key that Vault should use for the auth backend. This field is recommended over secretKey for enhanced security as it is never stored in Terraform state. Mutually exclusive with secretKey. Must be used together with secretKeyWoVersion. Note: This property is write-only and will not be read from the API.

Create AuthBackendClient Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new AuthBackendClient(name: string, args?: AuthBackendClientArgs, opts?: CustomResourceOptions);

@overload
def AuthBackendClient(resource_name: str,
                      args: Optional[AuthBackendClientArgs] = None,
                      opts: Optional[ResourceOptions] = None)

@overload
def AuthBackendClient(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      access_key: Optional[str] = None,
                      allowed_sts_header_values: Optional[Sequence[str]] = None,
                      backend: Optional[str] = None,
                      disable_automated_rotation: Optional[bool] = None,
                      ec2_endpoint: Optional[str] = None,
                      iam_endpoint: Optional[str] = None,
                      iam_server_id_header_value: Optional[str] = None,
                      identity_token_audience: Optional[str] = None,
                      identity_token_ttl: Optional[int] = None,
                      max_retries: Optional[int] = None,
                      namespace: Optional[str] = None,
                      role_arn: Optional[str] = None,
                      rotation_period: Optional[int] = None,
                      rotation_schedule: Optional[str] = None,
                      rotation_window: Optional[int] = None,
                      secret_key: Optional[str] = None,
                      secret_key_wo: Optional[str] = None,
                      secret_key_wo_version: Optional[int] = None,
                      sts_endpoint: Optional[str] = None,
                      sts_region: Optional[str] = None,
                      use_sts_region_from_client: Optional[bool] = None)

func NewAuthBackendClient(ctx *Context, name string, args *AuthBackendClientArgs, opts ...ResourceOption) (*AuthBackendClient, error)

public AuthBackendClient(string name, AuthBackendClientArgs? args = null, CustomResourceOptions? opts = null)

public AuthBackendClient(String name, AuthBackendClientArgs args)
public AuthBackendClient(String name, AuthBackendClientArgs args, CustomResourceOptions options)

type: vault:aws:AuthBackendClient
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args AuthBackendClientArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AuthBackendClientArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AuthBackendClientArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AuthBackendClientArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AuthBackendClientArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var authBackendClientResource = new Vault.Aws.AuthBackendClient("authBackendClientResource", new()
{
    AccessKey = "string",
    AllowedStsHeaderValues = new[]
    {
        "string",
    },
    Backend = "string",
    DisableAutomatedRotation = false,
    Ec2Endpoint = "string",
    IamEndpoint = "string",
    IamServerIdHeaderValue = "string",
    IdentityTokenAudience = "string",
    IdentityTokenTtl = 0,
    MaxRetries = 0,
    Namespace = "string",
    RoleArn = "string",
    RotationPeriod = 0,
    RotationSchedule = "string",
    RotationWindow = 0,
    SecretKey = "string",
    SecretKeyWo = "string",
    SecretKeyWoVersion = 0,
    StsEndpoint = "string",
    StsRegion = "string",
    UseStsRegionFromClient = false,
});

example, err := aws.NewAuthBackendClient(ctx, "authBackendClientResource", &aws.AuthBackendClientArgs{
	AccessKey: pulumi.String("string"),
	AllowedStsHeaderValues: pulumi.StringArray{
		pulumi.String("string"),
	},
	Backend:                  pulumi.String("string"),
	DisableAutomatedRotation: pulumi.Bool(false),
	Ec2Endpoint:              pulumi.String("string"),
	IamEndpoint:              pulumi.String("string"),
	IamServerIdHeaderValue:   pulumi.String("string"),
	IdentityTokenAudience:    pulumi.String("string"),
	IdentityTokenTtl:         pulumi.Int(0),
	MaxRetries:               pulumi.Int(0),
	Namespace:                pulumi.String("string"),
	RoleArn:                  pulumi.String("string"),
	RotationPeriod:           pulumi.Int(0),
	RotationSchedule:         pulumi.String("string"),
	RotationWindow:           pulumi.Int(0),
	SecretKey:                pulumi.String("string"),
	SecretKeyWo:              pulumi.String("string"),
	SecretKeyWoVersion:       pulumi.Int(0),
	StsEndpoint:              pulumi.String("string"),
	StsRegion:                pulumi.String("string"),
	UseStsRegionFromClient:   pulumi.Bool(false),
})

var authBackendClientResource = new AuthBackendClient("authBackendClientResource", AuthBackendClientArgs.builder()
    .accessKey("string")
    .allowedStsHeaderValues("string")
    .backend("string")
    .disableAutomatedRotation(false)
    .ec2Endpoint("string")
    .iamEndpoint("string")
    .iamServerIdHeaderValue("string")
    .identityTokenAudience("string")
    .identityTokenTtl(0)
    .maxRetries(0)
    .namespace("string")
    .roleArn("string")
    .rotationPeriod(0)
    .rotationSchedule("string")
    .rotationWindow(0)
    .secretKey("string")
    .secretKeyWo("string")
    .secretKeyWoVersion(0)
    .stsEndpoint("string")
    .stsRegion("string")
    .useStsRegionFromClient(false)
    .build());

auth_backend_client_resource = vault.aws.AuthBackendClient("authBackendClientResource",
    access_key="string",
    allowed_sts_header_values=["string"],
    backend="string",
    disable_automated_rotation=False,
    ec2_endpoint="string",
    iam_endpoint="string",
    iam_server_id_header_value="string",
    identity_token_audience="string",
    identity_token_ttl=0,
    max_retries=0,
    namespace="string",
    role_arn="string",
    rotation_period=0,
    rotation_schedule="string",
    rotation_window=0,
    secret_key="string",
    secret_key_wo="string",
    secret_key_wo_version=0,
    sts_endpoint="string",
    sts_region="string",
    use_sts_region_from_client=False)

const authBackendClientResource = new vault.aws.AuthBackendClient("authBackendClientResource", {
    accessKey: "string",
    allowedStsHeaderValues: ["string"],
    backend: "string",
    disableAutomatedRotation: false,
    ec2Endpoint: "string",
    iamEndpoint: "string",
    iamServerIdHeaderValue: "string",
    identityTokenAudience: "string",
    identityTokenTtl: 0,
    maxRetries: 0,
    namespace: "string",
    roleArn: "string",
    rotationPeriod: 0,
    rotationSchedule: "string",
    rotationWindow: 0,
    secretKey: "string",
    secretKeyWo: "string",
    secretKeyWoVersion: 0,
    stsEndpoint: "string",
    stsRegion: "string",
    useStsRegionFromClient: false,
});

type: vault:aws:AuthBackendClient
properties:
    accessKey: string
    allowedStsHeaderValues:
        - string
    backend: string
    disableAutomatedRotation: false
    ec2Endpoint: string
    iamEndpoint: string
    iamServerIdHeaderValue: string
    identityTokenAudience: string
    identityTokenTtl: 0
    maxRetries: 0
    namespace: string
    roleArn: string
    rotationPeriod: 0
    rotationSchedule: string
    rotationWindow: 0
    secretKey: string
    secretKeyWo: string
    secretKeyWoVersion: 0
    stsEndpoint: string
    stsRegion: string
    useStsRegionFromClient: false

AuthBackendClient Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AuthBackendClient resource accepts the following input properties:

AccessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
AllowedStsHeaderValues List<string>: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
Backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
DisableAutomatedRotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
Ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
IamEndpoint string: Override the URL Vault uses when making IAM API calls.
IamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
IdentityTokenAudience string: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
IdentityTokenTtl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
MaxRetries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
RoleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
SecretKey string: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
SecretKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
SecretKeyWoVersion int: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
StsEndpoint string: Override the URL Vault uses when making STS API calls.
StsRegion string: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
UseStsRegionFromClient bool: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

AccessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
AllowedStsHeaderValues []string: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
Backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
DisableAutomatedRotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
Ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
IamEndpoint string: Override the URL Vault uses when making IAM API calls.
IamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
IdentityTokenAudience string: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
IdentityTokenTtl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
MaxRetries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
RoleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
SecretKey string: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
SecretKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
SecretKeyWoVersion int: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
StsEndpoint string: Override the URL Vault uses when making STS API calls.
StsRegion string: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
UseStsRegionFromClient bool: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey String: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
allowedStsHeaderValues List<String>: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
backend String: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation Boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint String: Override the URL Vault uses when making EC2 API calls.
iamEndpoint String: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue String: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience String: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl Integer: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries Integer: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn String: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod Integer: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow Integer: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey String: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
secretKeyWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
secretKeyWoVersion Integer: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
stsEndpoint String: Override the URL Vault uses when making STS API calls.
stsRegion String: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
useStsRegionFromClient Boolean: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
allowedStsHeaderValues string[]: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
iamEndpoint string: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience string: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl number: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries number: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod number: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey string: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
secretKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
secretKeyWoVersion number: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
stsEndpoint string: Override the URL Vault uses when making STS API calls.
stsRegion string: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
useStsRegionFromClient boolean: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

access_key str: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
allowed_sts_header_values Sequence[str]: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
backend str: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disable_automated_rotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2_endpoint str: Override the URL Vault uses when making EC2 API calls.
iam_endpoint str: Override the URL Vault uses when making IAM API calls.
iam_server_id_header_value str: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identity_token_audience str: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
identity_token_ttl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
max_retries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
role_arn str: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotation_period int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotation_schedule str: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotation_window int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secret_key str: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
secret_key_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
secret_key_wo_version int: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
sts_endpoint str: Override the URL Vault uses when making STS API calls.
sts_region str: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
use_sts_region_from_client bool: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey String: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
allowedStsHeaderValues List<String>: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
backend String: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation Boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint String: Override the URL Vault uses when making EC2 API calls.
iamEndpoint String: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue String: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience String: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl Number: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries Number: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn String: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod Number: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow Number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey String: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
secretKeyWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
secretKeyWoVersion Number: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
stsEndpoint String: Override the URL Vault uses when making STS API calls.
stsRegion String: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
useStsRegionFromClient Boolean: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

Outputs

All input properties are implicitly available as output properties. Additionally, the AuthBackendClient resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing AuthBackendClient Resource

Get an existing AuthBackendClient resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthBackendClientState, opts?: CustomResourceOptions): AuthBackendClient

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_key: Optional[str] = None,
        allowed_sts_header_values: Optional[Sequence[str]] = None,
        backend: Optional[str] = None,
        disable_automated_rotation: Optional[bool] = None,
        ec2_endpoint: Optional[str] = None,
        iam_endpoint: Optional[str] = None,
        iam_server_id_header_value: Optional[str] = None,
        identity_token_audience: Optional[str] = None,
        identity_token_ttl: Optional[int] = None,
        max_retries: Optional[int] = None,
        namespace: Optional[str] = None,
        role_arn: Optional[str] = None,
        rotation_period: Optional[int] = None,
        rotation_schedule: Optional[str] = None,
        rotation_window: Optional[int] = None,
        secret_key: Optional[str] = None,
        secret_key_wo: Optional[str] = None,
        secret_key_wo_version: Optional[int] = None,
        sts_endpoint: Optional[str] = None,
        sts_region: Optional[str] = None,
        use_sts_region_from_client: Optional[bool] = None) -> AuthBackendClient

func GetAuthBackendClient(ctx *Context, name string, id IDInput, state *AuthBackendClientState, opts ...ResourceOption) (*AuthBackendClient, error)

public static AuthBackendClient Get(string name, Input<string> id, AuthBackendClientState? state, CustomResourceOptions? opts = null)

public static AuthBackendClient get(String name, Output<String> id, AuthBackendClientState state, CustomResourceOptions options)

resources:  _:    type: vault:aws:AuthBackendClient    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
AllowedStsHeaderValues List<string>: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
Backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
DisableAutomatedRotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
Ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
IamEndpoint string: Override the URL Vault uses when making IAM API calls.
IamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
IdentityTokenAudience string: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
IdentityTokenTtl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
MaxRetries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
RoleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
SecretKey string: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
SecretKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
SecretKeyWoVersion int: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
StsEndpoint string: Override the URL Vault uses when making STS API calls.
StsRegion string: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
UseStsRegionFromClient bool: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

AccessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
AllowedStsHeaderValues []string: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
Backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
DisableAutomatedRotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
Ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
IamEndpoint string: Override the URL Vault uses when making IAM API calls.
IamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
IdentityTokenAudience string: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
IdentityTokenTtl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
MaxRetries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
RoleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
SecretKey string: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
SecretKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
SecretKeyWoVersion int: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
StsEndpoint string: Override the URL Vault uses when making STS API calls.
StsRegion string: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
UseStsRegionFromClient bool: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey String: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
allowedStsHeaderValues List<String>: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
backend String: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation Boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint String: Override the URL Vault uses when making EC2 API calls.
iamEndpoint String: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue String: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience String: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl Integer: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries Integer: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn String: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod Integer: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow Integer: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey String: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
secretKeyWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
secretKeyWoVersion Integer: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
stsEndpoint String: Override the URL Vault uses when making STS API calls.
stsRegion String: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
useStsRegionFromClient Boolean: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
allowedStsHeaderValues string[]: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
iamEndpoint string: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience string: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl number: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries number: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod number: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey string: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
secretKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
secretKeyWoVersion number: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
stsEndpoint string: Override the URL Vault uses when making STS API calls.
stsRegion string: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
useStsRegionFromClient boolean: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

access_key str: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
allowed_sts_header_values Sequence[str]: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
backend str: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disable_automated_rotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2_endpoint str: Override the URL Vault uses when making EC2 API calls.
iam_endpoint str: Override the URL Vault uses when making IAM API calls.
iam_server_id_header_value str: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identity_token_audience str: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
identity_token_ttl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
max_retries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
role_arn str: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotation_period int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotation_schedule str: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotation_window int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secret_key str: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
secret_key_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
secret_key_wo_version int: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
sts_endpoint str: Override the URL Vault uses when making STS API calls.
sts_region str: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
use_sts_region_from_client bool: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey String: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identityTokenAudience.
allowedStsHeaderValues List<String>: List of additional headers that are allowed to be in STS request headers. The headers are automatically canonicalized (e.g., content-type becomes Content-Type). Duplicate values are automatically removed. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.
backend String: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation Boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint String: Override the URL Vault uses when making EC2 API calls.
iamEndpoint String: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue String: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience String: The audience claim value. Mutually exclusive with accessKey. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl Number: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries Number: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn String: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod Number: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow Number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey String: The AWS secret key that Vault should use for the auth backend. Mutually exclusive with secretKeyWo. Note: This field stores the secret in Terraform state in plain text. Consider using secretKeyWo instead for enhanced security.
secretKeyWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only AWS Secret key with permissions to query AWS APIs. This field is recommended over secretKey for enhanced security.
secretKeyWoVersion Number: Version counter for the write-only secretKeyWo field. Increment this value to rotate the secret key. Required when secretKeyWo is set.
stsEndpoint String: Override the URL Vault uses when making STS API calls.
stsRegion String: Override the default region when making STS API calls. The stsEndpoint argument must be set when using stsRegion.
useStsRegionFromClient Boolean: Available in Vault v1.15+. If set, overrides both stsEndpoint and stsRegion to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

Import

AWS auth backend clients can be imported using auth/, the backend path, and /config/client e.g.

$ pulumi import vault:aws/authBackendClient:AuthBackendClient example auth/aws/config/client

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

vault.aws.AuthBackendClient

On this page

On this page

Example Usage

Using Write-Only Secret Key (Recommended)

Using Workload Identity Federation (Secret-less)

Using Legacy Secret Key Field

Ephemeral Attributes Reference

Create AuthBackendClient Resource

Constructor syntax

Parameters

Constructor example

AuthBackendClient Resource Properties

Inputs

Outputs

Look up Existing AuthBackendClient Resource

Import

Package Details

On this page

On this page