published on Tuesday, Mar 31, 2026 by Pulumi
Reads AWS credentials from an AWS secret backend in Vault.
Important: All data retrieved from Vault — including the access key, secret key and any STS token — is written to the state file (Pulumi stack state, or the Terraform state file for the underlying provider), appears in console output during a run, and may be included in plan/preview files if the values are interpolated into any resource attribute. Values that are not explicitly marked secret (for example with `pulumi.secret(...)`) are stored in cleartext, so treat state, logs and preview artifacts as sensitive and protect them accordingly. See the main provider documentation for more details.
Note: When using the outputs of this data source to authenticate with the Terraform Provider for AWS or the Terraform Provider for AWS Cloud Control, the credentials leased from Vault cannot be renewed by the provider. Set the role's TTL so the lease is long enough for the whole run to complete; otherwise an apply that starts inside the lease may fail part-way once the credentials expire (see `leaseDuration` below).
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
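// Long-lived AWS keys must not be hard-coded in source: read them from stack
// config and mark them secret (`pulumi config set --secret awsSecretKey ...`)
// so they are encrypted in state rather than stored in cleartext.
const config = new pulumi.Config();

// AWS secret backend: holds the root credentials Vault uses to mint
// short-lived IAM users / STS tokens for the roles mounted under it.
const aws = new vault.aws.SecretBackend("aws", {
    accessKey: config.requireSecret("awsAccessKey"),
    secretKey: config.requireSecret("awsSecretKey"),
});

// Policy attached to every credential Vault issues for this role.
// NOTE: `iam:*` on `*` is illustrative only -- anyone holding a leased
// credential could create further IAM principals. Narrow Action/Resource
// before using this pattern for real.
// Built with JSON.stringify so no hand-escaped quotes end up in the policy
// document (the original example emitted literal backslash-quotes, which is
// not valid JSON).
const role = new vault.aws.SecretBackendRole("role", {
    backend: aws.path,
    name: "test",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: "iam:*",
                Resource: "*",
            },
        ],
    }),
});

// generally, these blocks would be in a different module
// The Output form accepts Input-wrapped arguments directly, so no
// pulumi.all(...).apply(...) wrapper is needed.
const creds = vault.aws.getAccessCredentialsOutput({
    backend: aws.path,
    role: role.name,
});
// Anything read from `creds` (secretKey, securityToken) is written to stack
// state; wrap it in pulumi.secret(...) where it is consumed so it is encrypted
// there regardless of whether the provider schema already flags it.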
import pulumi
import pulumi_vault as vault
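import json

# Long-lived AWS keys must not be hard-coded in source: read them from stack
# config and mark them secret (`pulumi config set --secret awsSecretKey ...`)
# so they are encrypted in state rather than stored in cleartext.
config = pulumi.Config()

# AWS secret backend: holds the root credentials Vault uses to mint
# short-lived IAM users / STS tokens for the roles mounted under it.
aws = vault.aws.SecretBackend("aws",
    access_key=config.require_secret("awsAccessKey"),
    secret_key=config.require_secret("awsSecretKey"))

# Policy attached to every credential Vault issues for this role.
# NOTE: "iam:*" on "*" is illustrative only -- anyone holding a leased
# credential could create further IAM principals. Narrow Action/Resource
# before using this pattern for real.
# json.dumps avoids hand-escaped quotes inside the policy document.
role = vault.aws.SecretBackendRole("role",
    backend=aws.path,
    name="test",
    policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:*",
                "Resource": "*",
            },
        ],
    }))

# generally, these blocks would be in a different module
# The *_output form takes Input-wrapped arguments directly, so no
# Output.all(...).apply(...) wrapper is needed.
creds = vault.aws.get_access_credentials_output(backend=aws.path, role=role.name)
# Anything read from `creds` (secret_key, security_token) is written to stack
# state; wrap it in pulumi.Output.secret(...) where it is consumed so it is
# encrypted there regardless of whether the provider schema already flags it.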
package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
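func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Long-lived AWS keys must not be hard-coded in source: read them from
		// stack config (`pulumi config set --secret awsSecretKey ...`);
		// RequireSecret keeps them encrypted in state.
		cfg := config.New(ctx, "")

		// Named `backend`, not `aws`: the original bound the resource to a
		// variable named `aws`, shadowing the imported `aws` package so the
		// later aws.NewSecretBackendRole call could not compile.
		backend, err := aws.NewSecretBackend(ctx, "aws", &aws.SecretBackendArgs{
			AccessKey: cfg.RequireSecret("awsAccessKey"),
			SecretKey: cfg.RequireSecret("awsSecretKey"),
		})
		if err != nil {
			return err
		}

		// Policy attached to every credential Vault issues for this role.
		// NOTE: "iam:*" on "*" is illustrative only -- anyone holding a leased
		// credential could create further IAM principals. Narrow
		// Action/Resource before using this pattern for real.
		// Plain quotes inside the raw string: `\"` in a Go raw string is a
		// literal backslash and would make the document invalid JSON. The
		// field is a pulumi.StringInput, so the literal is wrapped in
		// pulumi.String.
		role, err := aws.NewSecretBackendRole(ctx, "role", &aws.SecretBackendRoleArgs{
			Backend: backend.Path,
			Name:    pulumi.String("test"),
			Policy: pulumi.String(`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}`),
		})
		if err != nil {
			return err
		}

		// generally, these blocks would be in a different module
		// The Output form accepts the resource outputs directly, so no
		// pulumi.All(...).ApplyT(...) plumbing (or type assertions on the
		// resolved values) is needed.
		creds := aws.GetAccessCredentialsOutput(ctx, aws.GetAccessCredentialsOutputArgs{
			Backend: backend.Path,
			Role:    role.Name,
		})
		// Anything read from creds (SecretKey(), SecurityToken()) is written to
		// stack state; wrap it in pulumi.ToSecret(...) where it is consumed so
		// it is encrypted there regardless of the provider schema.
		_ = creds
		return nil
	})
}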
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
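return await Deployment.RunAsync(() =>
{
    // Long-lived AWS keys must not be hard-coded in source: read them from
    // stack config (`pulumi config set --secret awsSecretKey ...`);
    // RequireSecret keeps them encrypted in state.
    var config = new Config();

    // AWS secret backend: holds the root credentials Vault uses to mint
    // short-lived IAM users / STS tokens for the roles mounted under it.
    var aws = new Vault.Aws.SecretBackend("aws", new()
    {
        AccessKey = config.RequireSecret("awsAccessKey"),
        SecretKey = config.RequireSecret("awsSecretKey"),
    });

    // Policy attached to every credential Vault issues for this role.
    // NOTE: "iam:*" on "*" is illustrative only -- anyone holding a leased
    // credential could create further IAM principals. Narrow Action/Resource
    // before using this pattern for real.
    // Inside a verbatim string a quote is written as "" -- the original's
    // \"" sequences left literal backslashes in the document, which is not
    // valid JSON.
    var role = new Vault.Aws.SecretBackendRole("role", new()
    {
        Backend = aws.Path,
        Name = "test",
        Policy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Effect"": ""Allow"",
      ""Action"": ""iam:*"",
      ""Resource"": ""*""
    }
  ]
}",
    });

    // generally, these blocks would be in a different module
    var creds = Vault.Aws.GetAccessCredentials.Invoke(new()
    {
        Backend = aws.Path,
        Role = role.Name,
    });
    // Anything read from creds (SecretKey, SecurityToken) is written to stack
    // state; wrap it in Output.CreateSecret(...) where it is consumed so it is
    // encrypted there regardless of whether the provider schema already flags it.
});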
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.aws.SecretBackend;
import com.pulumi.vault.aws.SecretBackendArgs;
import com.pulumi.vault.aws.SecretBackendRole;
import com.pulumi.vault.aws.SecretBackendRoleArgs;
import com.pulumi.vault.aws.AwsFunctions;
import com.pulumi.vault.aws.inputs.GetAccessCredentialsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
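public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Mounts an AWS secret backend, defines one role, and reads credentials for it. */
    public static void stack(Context ctx) {
        // Long-lived AWS keys must not be hard-coded in source: read them from
        // stack config (`pulumi config set --secret awsSecretKey ...`);
        // requireSecret keeps them encrypted in state.
        var config = ctx.config();

        // AWS secret backend: holds the root credentials Vault uses to mint
        // short-lived IAM users / STS tokens for the roles mounted under it.
        var aws = new SecretBackend("aws", SecretBackendArgs.builder()
            .accessKey(config.requireSecret("awsAccessKey"))
            .secretKey(config.requireSecret("awsSecretKey"))
            .build());

        // Policy attached to every credential Vault issues for this role.
        // NOTE: "iam:*" on "*" is illustrative only -- anyone holding a leased
        // credential could create further IAM principals. Narrow
        // Action/Resource before using this pattern for real.
        // A text block needs no escaping of the quotes.
        var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
            .backend(aws.path())
            .name("test")
            .policy("""
                {
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Effect": "Allow",
                      "Action": "iam:*",
                      "Resource": "*"
                    }
                  ]
                }
                """)
            .build());

        // generally, these blocks would be in a different module
        // The Output-returning overload accepts Output-wrapped arguments, so
        // no Output.tuple(...).applyValue(...) unwrapping is needed.
        final var creds = AwsFunctions.getAccessCredentials(GetAccessCredentialsArgs.builder()
            .backend(aws.path())
            .role(role.name())
            .build());
        // Anything read from creds (secretKey, securityToken) is written to
        // stack state; mark it secret where it is consumed (e.g. Output#asSecret)
        // so it is encrypted there regardless of the provider schema.
    }
}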
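# Long-lived AWS keys must not be hard-coded in the program: read them from
# stack config and set them with `pulumi config set --secret awsSecretKey ...`
# so they are encrypted in state rather than stored in cleartext.
config:
  awsAccessKey:
    type: string
  awsSecretKey:
    type: string
resources:
  # AWS secret backend: holds the root credentials Vault uses to mint
  # short-lived IAM users / STS tokens for the roles mounted under it.
  aws:
    type: vault:aws:SecretBackend
    properties:
      accessKey: ${awsAccessKey}
      secretKey: ${awsSecretKey}
  role:
    type: vault:aws:SecretBackendRole
    properties:
      backend: ${aws.path}
      name: test
      # Policy attached to every credential Vault issues for this role.
      # NOTE: "iam:*" on "*" is illustrative only -- anyone holding a leased
      # credential could create further IAM principals. Narrow
      # Action/Resource before using this pattern for real.
      # Plain quotes inside the block scalar: a `|` literal keeps `\"` verbatim,
      # which would make the document invalid JSON.
      policy: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "iam:*",
              "Resource": "*"
            }
          ]
        }
variables:
  # generally, these blocks would be in a different module
  creds:
    fn::invoke:
      function: vault:aws:getAccessCredentials
      arguments:
        backend: ${aws.path}
        role: ${role.name}
  # ${creds.secretKey} / ${creds.securityToken} are written to stack state;
  # wrap them in fn::secret where they are consumed so they are encrypted there.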
Using getAccessCredentials
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAccessCredentials(args: GetAccessCredentialsArgs, opts?: InvokeOptions): Promise<GetAccessCredentialsResult>
function getAccessCredentialsOutput(args: GetAccessCredentialsOutputArgs, opts?: InvokeOptions): Output<GetAccessCredentialsResult>

def get_access_credentials(backend: Optional[str] = None,
namespace: Optional[str] = None,
region: Optional[str] = None,
role: Optional[str] = None,
role_arn: Optional[str] = None,
ttl: Optional[str] = None,
type: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetAccessCredentialsResult
def get_access_credentials_output(backend: Optional[pulumi.Input[str]] = None,
namespace: Optional[pulumi.Input[str]] = None,
region: Optional[pulumi.Input[str]] = None,
role: Optional[pulumi.Input[str]] = None,
role_arn: Optional[pulumi.Input[str]] = None,
ttl: Optional[pulumi.Input[str]] = None,
type: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetAccessCredentialsResult]

func GetAccessCredentials(ctx *Context, args *GetAccessCredentialsArgs, opts ...InvokeOption) (*GetAccessCredentialsResult, error)
func GetAccessCredentialsOutput(ctx *Context, args *GetAccessCredentialsOutputArgs, opts ...InvokeOption) GetAccessCredentialsResultOutput

> Note: This function is named GetAccessCredentials in the Go SDK.
public static class GetAccessCredentials
{
public static Task<GetAccessCredentialsResult> InvokeAsync(GetAccessCredentialsArgs args, InvokeOptions? opts = null)
public static Output<GetAccessCredentialsResult> Invoke(GetAccessCredentialsInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetAccessCredentialsResult> getAccessCredentials(GetAccessCredentialsArgs args, InvokeOptions options)
public static Output<GetAccessCredentialsResult> getAccessCredentials(GetAccessCredentialsArgs args, InvokeOptions options)
fn::invoke:
function: vault:aws/getAccessCredentials:getAccessCredentials
arguments:
# arguments dictionary

The following arguments are supported:
- Backend string
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - Role string
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Region string
- The region the read credentials belong to.
- Role
Arn string - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- Ttl string
- Specifies the TTL for the use of the STS token. This is specified as a string with a duration suffix. Valid only when the `credentialType` of the connected `vault.aws.SecretBackendRole` resource is `assumedRole` or `federationToken`. Keep it as short as the run allows: the token cannot be renewed by the provider and remains usable until it expires. - Type string
- The type of credentials to read. Defaults to `"creds"`, which returns an AWS Access Key ID and Secret Key backed by a dynamically created IAM user. Can also be set to `"sts"`, which returns a security token in addition to the keys.
- Backend string
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - Role string
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Region string
- The region the read credentials belong to.
- Role
Arn string - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- Ttl string
- Specifies the TTL for the use of the STS token. This
is specified as a string with a duration suffix. Valid only when
credentialTypeof the connectedvault.aws.SecretBackendRoleresource isassumedRoleorfederationToken - Type string
- The type of credentials to read. Defaults
to
"creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to"sts", which will return a security token in addition to the keys.
- backend String
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - role String
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - region String
- The region the read credentials belong to.
- role
Arn String - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- ttl String
- Specifies the TTL for the use of the STS token. This
is specified as a string with a duration suffix. Valid only when
credentialTypeof the connectedvault.aws.SecretBackendRoleresource isassumedRoleorfederationToken - type String
- The type of credentials to read. Defaults
to
"creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to"sts", which will return a security token in addition to the keys.
- backend string
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - role string
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - region string
- The region the read credentials belong to.
- role
Arn string - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- ttl string
- Specifies the TTL for the use of the STS token. This
is specified as a string with a duration suffix. Valid only when
credentialTypeof the connectedvault.aws.SecretBackendRoleresource isassumedRoleorfederationToken - type string
- The type of credentials to read. Defaults
to
"creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to"sts", which will return a security token in addition to the keys.
- backend str
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - role str
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - namespace str
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - region str
- The region the read credentials belong to.
- role_
arn str - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- ttl str
- Specifies the TTL for the use of the STS token. This
is specified as a string with a duration suffix. Valid only when
credentialTypeof the connectedvault.aws.SecretBackendRoleresource isassumedRoleorfederationToken - type str
- The type of credentials to read. Defaults
to
"creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to"sts", which will return a security token in addition to the keys.
- backend String
- The path to the AWS secret backend to
read credentials from, with no leading or trailing
/s. - role String
- The name of the AWS secret backend role to read
credentials from, with no leading or trailing
/s. - namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - region String
- The region the read credentials belong to.
- role
Arn String - The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.
- ttl String
- Specifies the TTL for the use of the STS token. This
is specified as a string with a duration suffix. Valid only when
credentialTypeof the connectedvault.aws.SecretBackendRoleresource isassumedRoleorfederationToken - type String
- The type of credentials to read. Defaults
to
"creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to"sts", which will return a security token in addition to the keys.
getAccessCredentials Result
The following output properties are available:
- Access
Key string - The AWS Access Key ID returned by Vault.
- Backend string
- Id string
- The provider-assigned unique ID for this managed resource.
- Lease
Duration int - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- Lease
Id string - The lease identifier assigned by Vault.
- Lease Renewable bool - `true` if the lease can be renewed using Vault's `sys/renew/{lease-id}` endpoint. The provider does not currently support lease renewal, so it requests a new lease (and therefore a fresh set of credentials) each time this data source is refreshed.
- Lease Start Time string - As a convenience, this records the current time on the computer where the program is running when the data is requested. This can be used to approximate the absolute time represented by `leaseDuration`, though users must allow for any clock drift and response latency relative to the Vault server. - Role string
- Secret
Key string - The AWS Secret Key returned by Vault.
- Security
Token string - The STS token returned by Vault, if any.
- Namespace string
- Region string
- Role
Arn string - Ttl string
- Type string
- Access
Key string - The AWS Access Key ID returned by Vault.
- Backend string
- Id string
- The provider-assigned unique ID for this managed resource.
- Lease
Duration int - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- Lease
Id string - The lease identifier assigned by Vault.
- Lease
Renewable bool trueif the lease can be renewed using Vault'ssys/renew/{lease-id}endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.- Lease
Start stringTime - As a convenience, this records the current time
on the computer where Terraform is running when the data is requested.
This can be used to approximate the absolute time represented by
leaseDuration, though users must allow for any clock drift and response latency relative to the Vault server. - Role string
- Secret
Key string - The AWS Secret Key returned by Vault.
- Security
Token string - The STS token returned by Vault, if any.
- Namespace string
- Region string
- Role
Arn string - Ttl string
- Type string
- access
Key String - The AWS Access Key ID returned by Vault.
- backend String
- id String
- The provider-assigned unique ID for this managed resource.
- lease
Duration Integer - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- lease
Id String - The lease identifier assigned by Vault.
- lease
Renewable Boolean trueif the lease can be renewed using Vault'ssys/renew/{lease-id}endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.- lease
Start StringTime - As a convenience, this records the current time
on the computer where Terraform is running when the data is requested.
This can be used to approximate the absolute time represented by
leaseDuration, though users must allow for any clock drift and response latency relative to the Vault server. - role String
- secret
Key String - The AWS Secret Key returned by Vault.
- security
Token String - The STS token returned by Vault, if any.
- namespace String
- region String
- role
Arn String - ttl String
- type String
- access
Key string - The AWS Access Key ID returned by Vault.
- backend string
- id string
- The provider-assigned unique ID for this managed resource.
- lease
Duration number - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- lease
Id string - The lease identifier assigned by Vault.
- lease
Renewable boolean trueif the lease can be renewed using Vault'ssys/renew/{lease-id}endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.- lease
Start stringTime - As a convenience, this records the current time
on the computer where Terraform is running when the data is requested.
This can be used to approximate the absolute time represented by
leaseDuration, though users must allow for any clock drift and response latency relative to the Vault server. - role string
- secret
Key string - The AWS Secret Key returned by Vault.
- security
Token string - The STS token returned by Vault, if any.
- namespace string
- region string
- role
Arn string - ttl string
- type string
- access_
key str - The AWS Access Key ID returned by Vault.
- backend str
- id str
- The provider-assigned unique ID for this managed resource.
- lease_
duration int - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- lease_
id str - The lease identifier assigned by Vault.
- lease_
renewable bool trueif the lease can be renewed using Vault'ssys/renew/{lease-id}endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.- lease_
start_ strtime - As a convenience, this records the current time
on the computer where Terraform is running when the data is requested.
This can be used to approximate the absolute time represented by
leaseDuration, though users must allow for any clock drift and response latency relative to the Vault server. - role str
- secret_
key str - The AWS Secret Key returned by Vault.
- security_
token str - The STS token returned by Vault, if any.
- namespace str
- region str
- role_
arn str - ttl str
- type str
- access
Key String - The AWS Access Key ID returned by Vault.
- backend String
- id String
- The provider-assigned unique ID for this managed resource.
- lease
Duration Number - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
- lease
Id String - The lease identifier assigned by Vault.
- lease
Renewable Boolean trueif the lease can be renewed using Vault'ssys/renew/{lease-id}endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.- lease
Start StringTime - As a convenience, this records the current time
on the computer where Terraform is running when the data is requested.
This can be used to approximate the absolute time represented by
leaseDuration, though users must allow for any clock drift and response latency relative to the Vault server. - role String
- secret
Key String - The AWS Secret Key returned by Vault.
- security
Token String - The STS token returned by Vault, if any.
- namespace String
- region String
- role
Arn String - ttl String
- type String
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.
