1. Packages
  2. HashiCorp Vault
  3. API Docs
  4. aws
  5. SecretBackend
HashiCorp Vault v6.1.1 published on Wednesday, Jun 5, 2024 by Pulumi

vault.aws.SecretBackend

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.1.1 published on Wednesday, Jun 5, 2024 by Pulumi

    Import

    AWS secret backends can be imported using the path, e.g.

    $ pulumi import vault:aws/secretBackend:SecretBackend aws aws
    

    Create SecretBackend Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new SecretBackend(name: string, args?: SecretBackendArgs, opts?: CustomResourceOptions);
    @overload
    def SecretBackend(resource_name: str,
                      args: Optional[SecretBackendArgs] = None,
                      opts: Optional[ResourceOptions] = None)
    
    @overload
    def SecretBackend(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      access_key: Optional[str] = None,
                      default_lease_ttl_seconds: Optional[int] = None,
                      description: Optional[str] = None,
                      disable_remount: Optional[bool] = None,
                      iam_endpoint: Optional[str] = None,
                      identity_token_audience: Optional[str] = None,
                      identity_token_key: Optional[str] = None,
                      identity_token_ttl: Optional[int] = None,
                      local: Optional[bool] = None,
                      max_lease_ttl_seconds: Optional[int] = None,
                      namespace: Optional[str] = None,
                      path: Optional[str] = None,
                      region: Optional[str] = None,
                      role_arn: Optional[str] = None,
                      secret_key: Optional[str] = None,
                      sts_endpoint: Optional[str] = None,
                      username_template: Optional[str] = None)
    func NewSecretBackend(ctx *Context, name string, args *SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)
    public SecretBackend(string name, SecretBackendArgs? args = null, CustomResourceOptions? opts = null)
    public SecretBackend(String name, SecretBackendArgs args)
    public SecretBackend(String name, SecretBackendArgs args, CustomResourceOptions options)
    
    type: vault:aws:SecretBackend
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Example

    The following reference example uses placeholder values for all input properties.

    var vaultSecretBackendResource = new Vault.Aws.SecretBackend("vaultSecretBackendResource", new()
    {
        AccessKey = "string",
        DefaultLeaseTtlSeconds = 0,
        Description = "string",
        DisableRemount = false,
        IamEndpoint = "string",
        IdentityTokenAudience = "string",
        IdentityTokenKey = "string",
        IdentityTokenTtl = 0,
        Local = false,
        MaxLeaseTtlSeconds = 0,
        Namespace = "string",
        Path = "string",
        Region = "string",
        RoleArn = "string",
        SecretKey = "string",
        StsEndpoint = "string",
        UsernameTemplate = "string",
    });
    
    example, err := aws.NewSecretBackend(ctx, "vaultSecretBackendResource", &aws.SecretBackendArgs{
    	AccessKey:              pulumi.String("string"),
    	DefaultLeaseTtlSeconds: pulumi.Int(0),
    	Description:            pulumi.String("string"),
    	DisableRemount:         pulumi.Bool(false),
    	IamEndpoint:            pulumi.String("string"),
    	IdentityTokenAudience:  pulumi.String("string"),
    	IdentityTokenKey:       pulumi.String("string"),
    	IdentityTokenTtl:       pulumi.Int(0),
    	Local:                  pulumi.Bool(false),
    	MaxLeaseTtlSeconds:     pulumi.Int(0),
    	Namespace:              pulumi.String("string"),
    	Path:                   pulumi.String("string"),
    	Region:                 pulumi.String("string"),
    	RoleArn:                pulumi.String("string"),
    	SecretKey:              pulumi.String("string"),
    	StsEndpoint:            pulumi.String("string"),
    	UsernameTemplate:       pulumi.String("string"),
    })
    
    var vaultSecretBackendResource = new SecretBackend("vaultSecretBackendResource", SecretBackendArgs.builder()
        .accessKey("string")
        .defaultLeaseTtlSeconds(0)
        .description("string")
        .disableRemount(false)
        .iamEndpoint("string")
        .identityTokenAudience("string")
        .identityTokenKey("string")
        .identityTokenTtl(0)
        .local(false)
        .maxLeaseTtlSeconds(0)
        .namespace("string")
        .path("string")
        .region("string")
        .roleArn("string")
        .secretKey("string")
        .stsEndpoint("string")
        .usernameTemplate("string")
        .build());
    
    vault_secret_backend_resource = vault.aws.SecretBackend("vaultSecretBackendResource",
        access_key="string",
        default_lease_ttl_seconds=0,
        description="string",
        disable_remount=False,
        iam_endpoint="string",
        identity_token_audience="string",
        identity_token_key="string",
        identity_token_ttl=0,
        local=False,
        max_lease_ttl_seconds=0,
        namespace="string",
        path="string",
        region="string",
        role_arn="string",
        secret_key="string",
        sts_endpoint="string",
        username_template="string")
    
    const vaultSecretBackendResource = new vault.aws.SecretBackend("vaultSecretBackendResource", {
        accessKey: "string",
        defaultLeaseTtlSeconds: 0,
        description: "string",
        disableRemount: false,
        iamEndpoint: "string",
        identityTokenAudience: "string",
        identityTokenKey: "string",
        identityTokenTtl: 0,
        local: false,
        maxLeaseTtlSeconds: 0,
        namespace: "string",
        path: "string",
        region: "string",
        roleArn: "string",
        secretKey: "string",
        stsEndpoint: "string",
        usernameTemplate: "string",
    });
    
    type: vault:aws:SecretBackend
    properties:
        accessKey: string
        defaultLeaseTtlSeconds: 0
        description: string
        disableRemount: false
        iamEndpoint: string
        identityTokenAudience: string
        identityTokenKey: string
        identityTokenTtl: 0
        local: false
        maxLeaseTtlSeconds: 0
        namespace: string
        path: string
        region: string
        roleArn: string
        secretKey: string
        stsEndpoint: string
        usernameTemplate: string
    

    SecretBackend Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SecretBackend resource accepts the following input properties:

    AccessKey string
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    DefaultLeaseTtlSeconds int
    The default TTL for credentials issued by this backend.
    Description string
    A human-friendly description for this backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    IamEndpoint string
    Specifies a custom HTTP IAM endpoint to use.
    IdentityTokenAudience string
    The audience claim value. Requires Vault 1.16+.
    IdentityTokenKey string
    The key to use for signing identity tokens. Requires Vault 1.16+.
    IdentityTokenTtl int
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    Local bool
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    MaxLeaseTtlSeconds int
    The maximum TTL that can be requested for credentials issued by this backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    Region string
    The AWS region to make API calls against. Defaults to us-east-1.
    RoleArn string
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    SecretKey string
    The AWS Secret Access Key to use when generating new credentials.
    StsEndpoint string
    Specifies a custom HTTP STS endpoint to use.
    UsernameTemplate string
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    AccessKey string
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    DefaultLeaseTtlSeconds int
    The default TTL for credentials issued by this backend.
    Description string
    A human-friendly description for this backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    IamEndpoint string
    Specifies a custom HTTP IAM endpoint to use.
    IdentityTokenAudience string
    The audience claim value. Requires Vault 1.16+.
    IdentityTokenKey string
    The key to use for signing identity tokens. Requires Vault 1.16+.
    IdentityTokenTtl int
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    Local bool
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    MaxLeaseTtlSeconds int
    The maximum TTL that can be requested for credentials issued by this backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    Region string
    The AWS region to make API calls against. Defaults to us-east-1.
    RoleArn string
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    SecretKey string
    The AWS Secret Access Key to use when generating new credentials.
    StsEndpoint string
    Specifies a custom HTTP STS endpoint to use.
    UsernameTemplate string
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    accessKey String
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    defaultLeaseTtlSeconds Integer
    The default TTL for credentials issued by this backend.
    description String
    A human-friendly description for this backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    iamEndpoint String
    Specifies a custom HTTP IAM endpoint to use.
    identityTokenAudience String
    The audience claim value. Requires Vault 1.16+.
    identityTokenKey String
    The key to use for signing identity tokens. Requires Vault 1.16+.
    identityTokenTtl Integer
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    local Boolean
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    maxLeaseTtlSeconds Integer
    The maximum TTL that can be requested for credentials issued by this backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    path String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    region String
    The AWS region to make API calls against. Defaults to us-east-1.
    roleArn String
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    secretKey String
    The AWS Secret Access Key to use when generating new credentials.
    stsEndpoint String
    Specifies a custom HTTP STS endpoint to use.
    usernameTemplate String
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    accessKey string
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    defaultLeaseTtlSeconds number
    The default TTL for credentials issued by this backend.
    description string
    A human-friendly description for this backend.
    disableRemount boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    iamEndpoint string
    Specifies a custom HTTP IAM endpoint to use.
    identityTokenAudience string
    The audience claim value. Requires Vault 1.16+.
    identityTokenKey string
    The key to use for signing identity tokens. Requires Vault 1.16+.
    identityTokenTtl number
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    local boolean
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    maxLeaseTtlSeconds number
    The maximum TTL that can be requested for credentials issued by this backend.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    region string
    The AWS region to make API calls against. Defaults to us-east-1.
    roleArn string
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    secretKey string
    The AWS Secret Access Key to use when generating new credentials.
    stsEndpoint string
    Specifies a custom HTTP STS endpoint to use.
    usernameTemplate string
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    access_key str
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    default_lease_ttl_seconds int
    The default TTL for credentials issued by this backend.
    description str
    A human-friendly description for this backend.
    disable_remount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    iam_endpoint str
    Specifies a custom HTTP IAM endpoint to use.
    identity_token_audience str
    The audience claim value. Requires Vault 1.16+.
    identity_token_key str
    The key to use for signing identity tokens. Requires Vault 1.16+.
    identity_token_ttl int
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    local bool
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    max_lease_ttl_seconds int
    The maximum TTL that can be requested for credentials issued by this backend.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    path str
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    region str
    The AWS region to make API calls against. Defaults to us-east-1.
    role_arn str
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    secret_key str
    The AWS Secret Access Key to use when generating new credentials.
    sts_endpoint str
    Specifies a custom HTTP STS endpoint to use.
    username_template str
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    accessKey String
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    defaultLeaseTtlSeconds Number
    The default TTL for credentials issued by this backend.
    description String
    A human-friendly description for this backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    iamEndpoint String
    Specifies a custom HTTP IAM endpoint to use.
    identityTokenAudience String
    The audience claim value. Requires Vault 1.16+.
    identityTokenKey String
    The key to use for signing identity tokens. Requires Vault 1.16+.
    identityTokenTtl Number
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    local Boolean
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    maxLeaseTtlSeconds Number
    The maximum TTL that can be requested for credentials issued by this backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    path String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    region String
    The AWS region to make API calls against. Defaults to us-east-1.
    roleArn String
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    secretKey String
    The AWS Secret Access Key to use when generating new credentials.
    stsEndpoint String
    Specifies a custom HTTP STS endpoint to use.
    usernameTemplate String
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing SecretBackend Resource

    Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            access_key: Optional[str] = None,
            default_lease_ttl_seconds: Optional[int] = None,
            description: Optional[str] = None,
            disable_remount: Optional[bool] = None,
            iam_endpoint: Optional[str] = None,
            identity_token_audience: Optional[str] = None,
            identity_token_key: Optional[str] = None,
            identity_token_ttl: Optional[int] = None,
            local: Optional[bool] = None,
            max_lease_ttl_seconds: Optional[int] = None,
            namespace: Optional[str] = None,
            path: Optional[str] = None,
            region: Optional[str] = None,
            role_arn: Optional[str] = None,
            secret_key: Optional[str] = None,
            sts_endpoint: Optional[str] = None,
            username_template: Optional[str] = None) -> SecretBackend
    func GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)
    public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)
    public static SecretBackend get(String name, Output<String> id, SecretBackendState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccessKey string
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    DefaultLeaseTtlSeconds int
    The default TTL for credentials issued by this backend.
    Description string
    A human-friendly description for this backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    IamEndpoint string
    Specifies a custom HTTP IAM endpoint to use.
    IdentityTokenAudience string
    The audience claim value. Requires Vault 1.16+.
    IdentityTokenKey string
    The key to use for signing identity tokens. Requires Vault 1.16+.
    IdentityTokenTtl int
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    Local bool
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    MaxLeaseTtlSeconds int
    The maximum TTL that can be requested for credentials issued by this backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    Region string
    The AWS region to make API calls against. Defaults to us-east-1.
    RoleArn string
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    SecretKey string
    The AWS Secret Access Key to use when generating new credentials.
    StsEndpoint string
    Specifies a custom HTTP STS endpoint to use.
    UsernameTemplate string
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    AccessKey string
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    DefaultLeaseTtlSeconds int
    The default TTL for credentials issued by this backend.
    Description string
    A human-friendly description for this backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    IamEndpoint string
    Specifies a custom HTTP IAM endpoint to use.
    IdentityTokenAudience string
    The audience claim value. Requires Vault 1.16+.
    IdentityTokenKey string
    The key to use for signing identity tokens. Requires Vault 1.16+.
    IdentityTokenTtl int
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    Local bool
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    MaxLeaseTtlSeconds int
    The maximum TTL that can be requested for credentials issued by this backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    Region string
    The AWS region to make API calls against. Defaults to us-east-1.
    RoleArn string
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    SecretKey string
    The AWS Secret Access Key to use when generating new credentials.
    StsEndpoint string
    Specifies a custom HTTP STS endpoint to use.
    UsernameTemplate string
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    accessKey String
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    defaultLeaseTtlSeconds Integer
    The default TTL for credentials issued by this backend.
    description String
    A human-friendly description for this backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    iamEndpoint String
    Specifies a custom HTTP IAM endpoint to use.
    identityTokenAudience String
    The audience claim value. Requires Vault 1.16+.
    identityTokenKey String
    The key to use for signing identity tokens. Requires Vault 1.16+.
    identityTokenTtl Integer
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    local Boolean
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    maxLeaseTtlSeconds Integer
    The maximum TTL that can be requested for credentials issued by this backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    path String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    region String
    The AWS region to make API calls against. Defaults to us-east-1.
    roleArn String
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    secretKey String
    The AWS Secret Access Key to use when generating new credentials.
    stsEndpoint String
    Specifies a custom HTTP STS endpoint to use.
    usernameTemplate String
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    accessKey string
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    defaultLeaseTtlSeconds number
    The default TTL for credentials issued by this backend.
    description string
    A human-friendly description for this backend.
    disableRemount boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    iamEndpoint string
    Specifies a custom HTTP IAM endpoint to use.
    identityTokenAudience string
    The audience claim value. Requires Vault 1.16+.
    identityTokenKey string
    The key to use for signing identity tokens. Requires Vault 1.16+.
    identityTokenTtl number
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    local boolean
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    maxLeaseTtlSeconds number
    The maximum TTL that can be requested for credentials issued by this backend.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    region string
    The AWS region to make API calls against. Defaults to us-east-1.
    roleArn string
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    secretKey string
    The AWS Secret Access Key to use when generating new credentials.
    stsEndpoint string
    Specifies a custom HTTP STS endpoint to use.
    usernameTemplate string
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    access_key str
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    default_lease_ttl_seconds int
    The default TTL for credentials issued by this backend.
    description str
    A human-friendly description for this backend.
    disable_remount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    iam_endpoint str
    Specifies a custom HTTP IAM endpoint to use.
    identity_token_audience str
    The audience claim value. Requires Vault 1.16+.
    identity_token_key str
    The key to use for signing identity tokens. Requires Vault 1.16+.
    identity_token_ttl int
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    local bool
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    max_lease_ttl_seconds int
    The maximum TTL that can be requested for credentials issued by this backend.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    path str
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    region str
    The AWS region to make API calls against. Defaults to us-east-1.
    role_arn str
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    secret_key str
    The AWS Secret Access Key to use when generating new credentials.
    sts_endpoint str
    Specifies a custom HTTP STS endpoint to use.
    username_template str
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    accessKey String
    The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
    defaultLeaseTtlSeconds Number
    The default TTL for credentials issued by this backend.
    description String
    A human-friendly description for this backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    iamEndpoint String
    Specifies a custom HTTP IAM endpoint to use.
    identityTokenAudience String
    The audience claim value. Requires Vault 1.16+.
    identityTokenKey String
    The key to use for signing identity tokens. Requires Vault 1.16+.
    identityTokenTtl Number
    The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
    local Boolean
    Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
    maxLeaseTtlSeconds Number
    The maximum TTL that can be requested for credentials issued by this backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    path String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.
    region String
    The AWS region to make API calls against. Defaults to us-east-1.
    roleArn String
    Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.

    {{ if (eq .Type "STS") }}
    {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
    {{ else }}
    {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
    {{ end }}
    

    secretKey String
    The AWS Secret Access Key to use when generating new credentials.
    stsEndpoint String
    Specifies a custom HTTP STS endpoint to use.
    usernameTemplate String
    Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.1.1 published on Wednesday, Jun 5, 2024 by Pulumi