1. Packages
  2. HashiCorp Vault
  3. API Docs
  4. aws
  5. SecretBackendRole
HashiCorp Vault v5.17.0 published on Thursday, Nov 9, 2023 by Pulumi

vault.aws.SecretBackendRole

Explore with Pulumi AI

vault logo
HashiCorp Vault v5.17.0 published on Thursday, Nov 9, 2023 by Pulumi

    Import

    AWS secret backend roles can be imported using the path, e.g.

     $ pulumi import vault:aws/secretBackendRole:SecretBackendRole role aws/roles/deploy
    

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var aws = new Vault.Aws.SecretBackend("aws", new()
        {
            AccessKey = "AKIA.....",
            SecretKey = "AWS secret key",
        });
    
        var role = new Vault.Aws.SecretBackendRole("role", new()
        {
            Backend = aws.Path,
            CredentialType = "iam_user",
            PolicyDocument = @"{
      ""Version"": ""2012-10-17"",
      ""Statement"": [
        {
          ""Effect"": ""Allow"",
          ""Action"": ""iam:*"",
          ""Resource"": ""*""
        }
      ]
    }
    ",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/aws"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		aws, err := aws.NewSecretBackend(ctx, "aws", &aws.SecretBackendArgs{
    			AccessKey: pulumi.String("AKIA....."),
    			SecretKey: pulumi.String("AWS secret key"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = aws.NewSecretBackendRole(ctx, "role", &aws.SecretBackendRoleArgs{
    			Backend:        aws.Path,
    			CredentialType: pulumi.String("iam_user"),
    			PolicyDocument: pulumi.String(`{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        }
      ]
    }
    `),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.aws.SecretBackend;
    import com.pulumi.vault.aws.SecretBackendArgs;
    import com.pulumi.vault.aws.SecretBackendRole;
    import com.pulumi.vault.aws.SecretBackendRoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var aws = new SecretBackend("aws", SecretBackendArgs.builder()        
                .accessKey("AKIA.....")
                .secretKey("AWS secret key")
                .build());
    
            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()        
                .backend(aws.path())
                .credentialType("iam_user")
                .policyDocument("""
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        }
      ]
    }
                """)
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_vault as vault
    
    aws = vault.aws.SecretBackend("aws",
        access_key="AKIA.....",
        secret_key="AWS secret key")
    role = vault.aws.SecretBackendRole("role",
        backend=aws.path,
        credential_type="iam_user",
        policy_document="""{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        }
      ]
    }
    """)
    
    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    const aws = new vault.aws.SecretBackend("aws", {
        accessKey: "AKIA.....",
        secretKey: "AWS secret key",
    });
    const role = new vault.aws.SecretBackendRole("role", {
        backend: aws.path,
        credentialType: "iam_user",
        policyDocument: `{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        }
      ]
    }
    `,
    });
    
    resources:
      aws:
        type: vault:aws:SecretBackend
        properties:
          accessKey: AKIA.....
          secretKey: AWS secret key
      role:
        type: vault:aws:SecretBackendRole
        properties:
          backend: ${aws.path}
          credentialType: iam_user
          policyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "iam:*",
                  "Resource": "*"
                }
              ]
            }        
    

    Create SecretBackendRole Resource

    new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);
    @overload
    def SecretBackendRole(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          backend: Optional[str] = None,
                          credential_type: Optional[str] = None,
                          default_sts_ttl: Optional[int] = None,
                          iam_groups: Optional[Sequence[str]] = None,
                          max_sts_ttl: Optional[int] = None,
                          name: Optional[str] = None,
                          namespace: Optional[str] = None,
                          permissions_boundary_arn: Optional[str] = None,
                          policy_arns: Optional[Sequence[str]] = None,
                          policy_document: Optional[str] = None,
                          role_arns: Optional[Sequence[str]] = None,
                          user_path: Optional[str] = None)
    @overload
    def SecretBackendRole(resource_name: str,
                          args: SecretBackendRoleArgs,
                          opts: Optional[ResourceOptions] = None)
    func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)
    public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)
    public SecretBackendRole(String name, SecretBackendRoleArgs args)
    public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)
    
    type: vault:aws:SecretBackendRole
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    SecretBackendRole Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SecretBackendRole resource accepts the following input properties:

    Backend string

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    CredentialType string

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    DefaultStsTtl int

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    IamGroups List<string>

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    MaxStsTtl int

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    Name string

    The name to identify this role within the backend. Must be unique within the backend.

    Namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    PermissionsBoundaryArn string

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    PolicyArns List<string>

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    PolicyDocument string

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    RoleArns List<string>

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    UserPath string

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    Backend string

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    CredentialType string

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    DefaultStsTtl int

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    IamGroups []string

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    MaxStsTtl int

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    Name string

    The name to identify this role within the backend. Must be unique within the backend.

    Namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    PermissionsBoundaryArn string

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    PolicyArns []string

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    PolicyDocument string

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    RoleArns []string

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    UserPath string

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    backend String

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    credentialType String

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    defaultStsTtl Integer

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    iamGroups List<String>

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    maxStsTtl Integer

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    name String

    The name to identify this role within the backend. Must be unique within the backend.

    namespace String

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    permissionsBoundaryArn String

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    policyArns List<String>

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    policyDocument String

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    roleArns List<String>

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    userPath String

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    backend string

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    credentialType string

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    defaultStsTtl number

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    iamGroups string[]

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    maxStsTtl number

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    name string

    The name to identify this role within the backend. Must be unique within the backend.

    namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    permissionsBoundaryArn string

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    policyArns string[]

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    policyDocument string

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    roleArns string[]

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    userPath string

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    backend str

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    credential_type str

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    default_sts_ttl int

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    iam_groups Sequence[str]

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    max_sts_ttl int

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    name str

    The name to identify this role within the backend. Must be unique within the backend.

    namespace str

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    permissions_boundary_arn str

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    policy_arns Sequence[str]

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    policy_document str

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    role_arns Sequence[str]

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    user_path str

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    backend String

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    credentialType String

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    defaultStsTtl Number

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    iamGroups List<String>

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    maxStsTtl Number

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    name String

    The name to identify this role within the backend. Must be unique within the backend.

    namespace String

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    permissionsBoundaryArn String

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    policyArns List<String>

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    policyDocument String

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    roleArns List<String>

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    userPath String

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:

    Id string

    The provider-assigned unique ID for this managed resource.

    Id string

    The provider-assigned unique ID for this managed resource.

    id String

    The provider-assigned unique ID for this managed resource.

    id string

    The provider-assigned unique ID for this managed resource.

    id str

    The provider-assigned unique ID for this managed resource.

    id String

    The provider-assigned unique ID for this managed resource.

    Look up Existing SecretBackendRole Resource

    Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            backend: Optional[str] = None,
            credential_type: Optional[str] = None,
            default_sts_ttl: Optional[int] = None,
            iam_groups: Optional[Sequence[str]] = None,
            max_sts_ttl: Optional[int] = None,
            name: Optional[str] = None,
            namespace: Optional[str] = None,
            permissions_boundary_arn: Optional[str] = None,
            policy_arns: Optional[Sequence[str]] = None,
            policy_document: Optional[str] = None,
            role_arns: Optional[Sequence[str]] = None,
            user_path: Optional[str] = None) -> SecretBackendRole
    func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)
    public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)
    public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Backend string

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    CredentialType string

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    DefaultStsTtl int

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    IamGroups List<string>

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    MaxStsTtl int

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    Name string

    The name to identify this role within the backend. Must be unique within the backend.

    Namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    PermissionsBoundaryArn string

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    PolicyArns List<string>

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    PolicyDocument string

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    RoleArns List<string>

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    UserPath string

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    Backend string

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    CredentialType string

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    DefaultStsTtl int

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    IamGroups []string

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    MaxStsTtl int

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    Name string

    The name to identify this role within the backend. Must be unique within the backend.

    Namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    PermissionsBoundaryArn string

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    PolicyArns []string

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    PolicyDocument string

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    RoleArns []string

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    UserPath string

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    backend String

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    credentialType String

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    defaultStsTtl Integer

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    iamGroups List<String>

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    maxStsTtl Integer

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    name String

    The name to identify this role within the backend. Must be unique within the backend.

    namespace String

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    permissionsBoundaryArn String

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    policyArns List<String>

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    policyDocument String

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    roleArns List<String>

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    userPath String

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    backend string

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    credentialType string

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    defaultStsTtl number

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    iamGroups string[]

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    maxStsTtl number

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    name string

    The name to identify this role within the backend. Must be unique within the backend.

    namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    permissionsBoundaryArn string

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    policyArns string[]

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    policyDocument string

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    roleArns string[]

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    userPath string

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    backend str

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    credential_type str

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    default_sts_ttl int

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    iam_groups Sequence[str]

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    max_sts_ttl int

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    name str

    The name to identify this role within the backend. Must be unique within the backend.

    namespace str

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    permissions_boundary_arn str

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    policy_arns Sequence[str]

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    policy_document str

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    role_arns Sequence[str]

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    user_path str

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    backend String

    The path the AWS secret backend is mounted at, with no leading or trailing /s.

    credentialType String

    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

    defaultStsTtl Number

    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

    iamGroups List<String>

    A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.

    maxStsTtl Number

    The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

    name String

    The name to identify this role within the backend. Must be unique within the backend.

    namespace String

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    permissionsBoundaryArn String

    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.

    policyArns List<String>

    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

    policyDocument String

    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

    roleArns List<String>

    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

    userPath String

    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the vault Terraform Provider.

    vault logo
    HashiCorp Vault v5.17.0 published on Thursday, Nov 9, 2023 by Pulumi