HashiCorp Vault v5.10.0, Mar 21 23

vault.aws.getAccessCredentials

Example Usage

Coming soon!

Coming soon!

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.aws.SecretBackend;
import com.pulumi.vault.aws.SecretBackendArgs;
import com.pulumi.vault.aws.SecretBackendRole;
import com.pulumi.vault.aws.SecretBackendRoleArgs;
import com.pulumi.vault.aws.AwsFunctions;
import com.pulumi.vault.ad.inputs.GetAccessCredentialsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

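/**
 * Pulumi program that declares a Vault AWS secret backend, a role on that backend,
 * and then reads AWS credentials for the role through {@code getAccessCredentials}.
 *
 * <p>The key pair and the IAM policy below are documentation placeholders. Review the
 * comments next to each of them before adapting this program for real use.
 */
public class App {
    /**
     * Program entry point; hands the stack definition to the Pulumi runtime.
     *
     * @param args command-line arguments (unused)
     */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the backend and role, then invokes {@code getAccessCredentials} for them.
     *
     * @param ctx the Pulumi context passed in by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Placeholder key pair. A real access key / secret key must not be written
        // into source: load it from Pulumi secret configuration (or another secret
        // store) so it does not end up in version control, build logs or copies of
        // this file.
        var aws = new SecretBackend("aws", SecretBackendArgs.builder()
            .accessKey("AKIA.....")
            .secretKey("SECRETKEYFROMAWS")
            .build());

        // The policy below allows every IAM action on every resource. Any credential
        // issued through this role inherits that, which amounts to administrative
        // control over identity in the account. For real use, narrow "Action" and
        // "Resource" to what the consumer of the credentials actually needs.
        // NOTE(review): the ttl argument of getAccessCredentials refers to the role's
        // credential_type; confirm that the provider version in use still accepts
        // `policy` here rather than requiring an explicit credential type.
        var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
            .backend(aws.path())
            .policy("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
            """)
            .build());

        // The args type is fully qualified on purpose: the file-level import of
        // GetAccessCredentialsArgs points at the `ad` module, and that class is not
        // the one the aws invoke accepts.
        //
        // The result carries a usable AWS access key and secret key (plus a security
        // token for STS credentials). Treat every field as a secret: do not print or
        // log it, and mark it as secret before exporting it or passing it to another
        // resource. The credentials are tied to a Vault lease and stop being valid
        // once that lease has run out.
        final var creds = AwsFunctions.getAccessCredentials(
            com.pulumi.vault.aws.inputs.GetAccessCredentialsArgs.builder()
                .backend(aws.path())
                .role(role.name())
                .build());

    }
}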

Coming soon!

Coming soon!

# Declares a Vault AWS secret backend and a role on it, then reads AWS credentials
# for that role through the getAccessCredentials invoke.
resources:
  aws:
    type: vault:aws:SecretBackend
    properties:
      # Placeholder key pair. Do not commit a real access key / secret key in this
      # file; supply it through secret configuration so it stays out of version
      # control.
      accessKey: AKIA.....
      secretKey: SECRETKEYFROMAWS
  role:
    type: vault:aws:SecretBackendRole
    properties:
      backend: ${aws.path}
      # The policy below allows every IAM action on every resource, and every
      # credential issued through this role inherits it. For real use, narrow
      # "Action" and "Resource" to what the consumer actually needs.
      policy: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "iam:*",
              "Resource": "*"
            }
          ]
        }        
# `creds` holds a usable AWS access key and secret key (plus a security token for
# STS credentials). Treat it as a secret: do not expose it as a plain stack output.
variables:
  creds:
    Fn::Invoke:
      Function: vault:aws:getAccessCredentials
      Arguments:
        backend: ${aws.path}
        role: ${role.name}

Using getAccessCredentials

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getAccessCredentials(args: GetAccessCredentialsArgs, opts?: InvokeOptions): Promise<GetAccessCredentialsResult>
function getAccessCredentialsOutput(args: GetAccessCredentialsOutputArgs, opts?: InvokeOptions): Output<GetAccessCredentialsResult>
def get_access_credentials(backend: Optional[str] = None,
                           namespace: Optional[str] = None,
                           region: Optional[str] = None,
                           role: Optional[str] = None,
                           role_arn: Optional[str] = None,
                           ttl: Optional[str] = None,
                           type: Optional[str] = None,
                           opts: Optional[InvokeOptions] = None) -> GetAccessCredentialsResult
def get_access_credentials_output(backend: Optional[pulumi.Input[str]] = None,
                           namespace: Optional[pulumi.Input[str]] = None,
                           region: Optional[pulumi.Input[str]] = None,
                           role: Optional[pulumi.Input[str]] = None,
                           role_arn: Optional[pulumi.Input[str]] = None,
                           ttl: Optional[pulumi.Input[str]] = None,
                           type: Optional[pulumi.Input[str]] = None,
                           opts: Optional[InvokeOptions] = None) -> Output[GetAccessCredentialsResult]
func GetAccessCredentials(ctx *Context, args *GetAccessCredentialsArgs, opts ...InvokeOption) (*GetAccessCredentialsResult, error)
func GetAccessCredentialsOutput(ctx *Context, args *GetAccessCredentialsOutputArgs, opts ...InvokeOption) GetAccessCredentialsResultOutput

> Note: This function is named GetAccessCredentials in the Go SDK.

public static class GetAccessCredentials 
{
    public static Task<GetAccessCredentialsResult> InvokeAsync(GetAccessCredentialsArgs args, InvokeOptions? opts = null)
    public static Output<GetAccessCredentialsResult> Invoke(GetAccessCredentialsInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetAccessCredentialsResult> getAccessCredentials(GetAccessCredentialsArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
  function: vault:aws/getAccessCredentials:getAccessCredentials
  arguments:
    # arguments dictionary

The following arguments are supported:

Backend string

The path to the AWS secret backend to read credentials from, with no leading or trailing /s.

Role string

The name of the AWS secret backend role to read credentials from, with no leading or trailing /s.

Namespace string

The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

Region string
RoleArn string

The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.

Ttl string

Specifies the TTL for the use of the STS token. This is specified as a string with a duration suffix. Valid only when credential_type is assumed_role or federation_token

Type string

The type of credentials to read. Defaults to "creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to "sts", which will return a security token in addition to the keys.

Backend string

The path to the AWS secret backend to read credentials from, with no leading or trailing /s.

Role string

The name of the AWS secret backend role to read credentials from, with no leading or trailing /s.

Namespace string

The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

Region string
RoleArn string

The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.

Ttl string

Specifies the TTL for the use of the STS token. This is specified as a string with a duration suffix. Valid only when credential_type is assumed_role or federation_token

Type string

The type of credentials to read. Defaults to "creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to "sts", which will return a security token in addition to the keys.

backend String

The path to the AWS secret backend to read credentials from, with no leading or trailing /s.

role String

The name of the AWS secret backend role to read credentials from, with no leading or trailing /s.

namespace String

The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

region String
roleArn String

The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.

ttl String

Specifies the TTL for the use of the STS token. This is specified as a string with a duration suffix. Valid only when credential_type is assumed_role or federation_token

type String

The type of credentials to read. Defaults to "creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to "sts", which will return a security token in addition to the keys.

backend string

The path to the AWS secret backend to read credentials from, with no leading or trailing /s.

role string

The name of the AWS secret backend role to read credentials from, with no leading or trailing /s.

namespace string

The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

region string
roleArn string

The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.

ttl string

Specifies the TTL for the use of the STS token. This is specified as a string with a duration suffix. Valid only when credential_type is assumed_role or federation_token

type string

The type of credentials to read. Defaults to "creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to "sts", which will return a security token in addition to the keys.

backend str

The path to the AWS secret backend to read credentials from, with no leading or trailing /s.

role str

The name of the AWS secret backend role to read credentials from, with no leading or trailing /s.

namespace str

The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

region str
role_arn str

The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.

ttl str

Specifies the TTL for the use of the STS token. This is specified as a string with a duration suffix. Valid only when credential_type is assumed_role or federation_token

type str

The type of credentials to read. Defaults to "creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to "sts", which will return a security token in addition to the keys.

backend String

The path to the AWS secret backend to read credentials from, with no leading or trailing /s.

role String

The name of the AWS secret backend role to read credentials from, with no leading or trailing /s.

namespace String

The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

region String
roleArn String

The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.

ttl String

Specifies the TTL for the use of the STS token. This is specified as a string with a duration suffix. Valid only when credential_type is assumed_role or federation_token

type String

The type of credentials to read. Defaults to "creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to "sts", which will return a security token in addition to the keys.

getAccessCredentials Result

The following output properties are available:

AccessKey string

The AWS Access Key ID returned by Vault.

Backend string
Id string

The provider-assigned unique ID for this managed resource.

LeaseDuration int

The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.

LeaseId string

The lease identifier assigned by Vault.

LeaseRenewable bool
LeaseStartTime string
Role string
SecretKey string

The AWS Secret Key returned by Vault.

SecurityToken string

The STS token returned by Vault, if any.

Namespace string
Region string
RoleArn string
Ttl string
Type string
AccessKey string

The AWS Access Key ID returned by Vault.

Backend string
Id string

The provider-assigned unique ID for this managed resource.

LeaseDuration int

The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.

LeaseId string

The lease identifier assigned by Vault.

LeaseRenewable bool
LeaseStartTime string
Role string
SecretKey string

The AWS Secret Key returned by Vault.

SecurityToken string

The STS token returned by Vault, if any.

Namespace string
Region string
RoleArn string
Ttl string
Type string
accessKey String

The AWS Access Key ID returned by Vault.

backend String
id String

The provider-assigned unique ID for this managed resource.

leaseDuration Integer

The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.

leaseId String

The lease identifier assigned by Vault.

leaseRenewable Boolean
leaseStartTime String
role String
secretKey String

The AWS Secret Key returned by Vault.

securityToken String

The STS token returned by Vault, if any.

namespace String
region String
roleArn String
ttl String
type String
accessKey string

The AWS Access Key ID returned by Vault.

backend string
id string

The provider-assigned unique ID for this managed resource.

leaseDuration number

The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.

leaseId string

The lease identifier assigned by Vault.

leaseRenewable boolean
leaseStartTime string
role string
secretKey string

The AWS Secret Key returned by Vault.

securityToken string

The STS token returned by Vault, if any.

namespace string
region string
roleArn string
ttl string
type string
access_key str

The AWS Access Key ID returned by Vault.

backend str
id str

The provider-assigned unique ID for this managed resource.

lease_duration int

The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.

lease_id str

The lease identifier assigned by Vault.

lease_renewable bool
lease_start_time str
role str
secret_key str

The AWS Secret Key returned by Vault.

security_token str

The STS token returned by Vault, if any.

namespace str
region str
role_arn str
ttl str
type str
accessKey String

The AWS Access Key ID returned by Vault.

backend String
id String

The provider-assigned unique ID for this managed resource.

leaseDuration Number

The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.

leaseId String

The lease identifier assigned by Vault.

leaseRenewable Boolean
leaseStartTime String
role String
secretKey String

The AWS Secret Key returned by Vault.

securityToken String

The STS token returned by Vault, if any.

namespace String
region String
roleArn String
ttl String
type String

Package Details

Repository
Vault pulumi/pulumi-vault
License
Apache-2.0
Notes

This Pulumi package is based on the vault Terraform Provider.