Docs Home
HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
vault.aws.getAccessCredentials
Explore with Pulumi AI
Example Usage
Coming soon!
Coming soon!
Coming soon!
Coming soon!
Coming soon!
resources:
aws:
type: vault:aws:SecretBackend
properties:
accessKey: AKIA.....
secretKey: SECRETKEYFROMAWS
role:
type: vault:aws:SecretBackendRole
properties:
backend: ${aws.path}
name: test
policy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}
variables:
# generally, these blocks would be in a different module
creds:
fn::invoke:
function: vault:aws:getAccessCredentials
arguments:
backend: ${aws.path}
role: ${role.name}
Using getAccessCredentials
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAccessCredentials(args: GetAccessCredentialsArgs, opts?: InvokeOptions): Promise<GetAccessCredentialsResult>
function getAccessCredentialsOutput(args: GetAccessCredentialsOutputArgs, opts?: InvokeOptions): Output<GetAccessCredentialsResult>def get_access_credentials(backend: Optional[str] = None,
namespace: Optional[str] = None,
region: Optional[str] = None,
role: Optional[str] = None,
role_arn: Optional[str] = None,
ttl: Optional[str] = None,
type: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetAccessCredentialsResult
def get_access_credentials_output(backend: Optional[pulumi.Input[str]] = None,
namespace: Optional[pulumi.Input[str]] = None,
region: Optional[pulumi.Input[str]] = None,
role: Optional[pulumi.Input[str]] = None,
role_arn: Optional[pulumi.Input[str]] = None,
ttl: Optional[pulumi.Input[str]] = None,
type: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetAccessCredentialsResult]func GetAccessCredentials(ctx *Context, args *GetAccessCredentialsArgs, opts ...InvokeOption) (*GetAccessCredentialsResult, error)
func GetAccessCredentialsOutput(ctx *Context, args *GetAccessCredentialsOutputArgs, opts ...InvokeOption) GetAccessCredentialsResultOutput> Note: This function is named GetAccessCredentials in the Go SDK.
public static class GetAccessCredentials
{
public static Task<GetAccessCredentialsResult> InvokeAsync(GetAccessCredentialsArgs args, InvokeOptions? opts = null)
public static Output<GetAccessCredentialsResult> Invoke(GetAccessCredentialsInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetAccessCredentialsResult> getAccessCredentials(GetAccessCredentialsArgs args, InvokeOptions options)
public static Output<GetAccessCredentialsResult> getAccessCredentials(GetAccessCredentialsArgs args, InvokeOptions options)
fn::invoke:
function: vault:aws/getAccessCredentials:getAccessCredentials
arguments:
# arguments dictionaryThe following arguments are supported:
- Backend string
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - Role string
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Region string
- The region the read credentials belong to.
- Role
Arn string - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- Ttl string
- Specifies the TTL for the use of the STS token. This
is specified as a string with a duration suffix. Valid only when
credential_typeof the connectedvault.aws.SecretBackendRoleresource isassumed_roleorfederation_token - Type string
- The type of credentials to read. Defaults
to
"creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to"sts", which will return a security token in addition to the keys.
- Backend string
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - Role string
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Region string
- The region the read credentials belong to.
- Role
Arn string - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- Ttl string
- Specifies the TTL for the use of the STS token. This
is specified as a string with a duration suffix. Valid only when
credential_typeof the connectedvault.aws.SecretBackendRoleresource isassumed_roleorfederation_token - Type string
- The type of credentials to read. Defaults
to
"creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to"sts", which will return a security token in addition to the keys.
- backend String
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - role String
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - region String
- The region the read credentials belong to.
- role
Arn String - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- ttl String
- Specifies the TTL for the use of the STS token. This
is specified as a string with a duration suffix. Valid only when
credential_typeof the connectedvault.aws.SecretBackendRoleresource isassumed_roleorfederation_token - type String
- The type of credentials to read. Defaults
to
"creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to"sts", which will return a security token in addition to the keys.
- backend string
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - role string
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - region string
- The region the read credentials belong to.
- role
Arn string - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- ttl string
- Specifies the TTL for the use of the STS token. This
is specified as a string with a duration suffix. Valid only when
credential_typeof the connectedvault.aws.SecretBackendRoleresource isassumed_roleorfederation_token - type string
- The type of credentials to read. Defaults
to
"creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to"sts", which will return a security token in addition to the keys.
- backend str
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - role str
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - namespace str
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - region str
- The region the read credentials belong to.
- role_
arn str - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- ttl str
- Specifies the TTL for the use of the STS token. This
is specified as a string with a duration suffix. Valid only when
credential_typeof the connectedvault.aws.SecretBackendRoleresource isassumed_roleorfederation_token - type str
- The type of credentials to read. Defaults
to
"creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to"sts", which will return a security token in addition to the keys.
- backend String
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - role String
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - region String
- The region the read credentials belong to.
- role
Arn String - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- ttl String
- Specifies the TTL for the use of the STS token. This
is specified as a string with a duration suffix. Valid only when
credential_typeof the connectedvault.aws.SecretBackendRoleresource isassumed_roleorfederation_token - type String
- The type of credentials to read. Defaults
to
"creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to"sts", which will return a security token in addition to the keys.
getAccessCredentials Result
The following output properties are available:
- Access
Key string - The AWS Access Key ID returned by Vault.
- Backend string
- Id string
- The provider-assigned unique ID for this managed resource.
- Lease
Duration int - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- Lease
Id string - The lease identifier assigned by Vault.
- Lease
Renewable bool - Lease
Start stringTime - Role string
- Secret
Key string - The AWS Secret Key returned by Vault.
- Security
Token string - The STS token returned by Vault, if any.
- Namespace string
- Region string
- Role
Arn string - Ttl string
- Type string
- Access
Key string - The AWS Access Key ID returned by Vault.
- Backend string
- Id string
- The provider-assigned unique ID for this managed resource.
- Lease
Duration int - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- Lease
Id string - The lease identifier assigned by Vault.
- Lease
Renewable bool - Lease
Start stringTime - Role string
- Secret
Key string - The AWS Secret Key returned by Vault.
- Security
Token string - The STS token returned by Vault, if any.
- Namespace string
- Region string
- Role
Arn string - Ttl string
- Type string
- access
Key String - The AWS Access Key ID returned by Vault.
- backend String
- id String
- The provider-assigned unique ID for this managed resource.
- lease
Duration Integer - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- lease
Id String - The lease identifier assigned by Vault.
- lease
Renewable Boolean - lease
Start StringTime - role String
- secret
Key String - The AWS Secret Key returned by Vault.
- security
Token String - The STS token returned by Vault, if any.
- namespace String
- region String
- role
Arn String - ttl String
- type String
- access
Key string - The AWS Access Key ID returned by Vault.
- backend string
- id string
- The provider-assigned unique ID for this managed resource.
- lease
Duration number - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- lease
Id string - The lease identifier assigned by Vault.
- lease
Renewable boolean - lease
Start stringTime - role string
- secret
Key string - The AWS Secret Key returned by Vault.
- security
Token string - The STS token returned by Vault, if any.
- namespace string
- region string
- role
Arn string - ttl string
- type string
- access_
key str - The AWS Access Key ID returned by Vault.
- backend str
- id str
- The provider-assigned unique ID for this managed resource.
- lease_
duration int - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- lease_
id str - The lease identifier assigned by Vault.
- lease_
renewable bool - lease_
start_ strtime - role str
- secret_
key str - The AWS Secret Key returned by Vault.
- security_
token str - The STS token returned by Vault, if any.
- namespace str
- region str
- role_
arn str - ttl str
- type str
- access
Key String - The AWS Access Key ID returned by Vault.
- backend String
- id String
- The provider-assigned unique ID for this managed resource.
- lease
Duration Number - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- lease
Id String - The lease identifier assigned by Vault.
- lease
Renewable Boolean - lease
Start StringTime - role String
- secret
Key String - The AWS Secret Key returned by Vault.
- security
Token String - The STS token returned by Vault, if any.
- namespace String
- region String
- role
Arn String - ttl String
- type String
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.