HashiCorp Vault v6.7.1, May 2 25

HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi

vault.aws.SecretBackendRole

Explore with Pulumi AI

HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const aws = new vault.aws.SecretBackend("aws", {
    accessKey: "AKIA.....",
    secretKey: "AWS secret key",
});
const role = new vault.aws.SecretBackendRole("role", {
    backend: aws.path,
    name: "deploy",
    credentialType: "iam_user",
    policyDocument: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
`,
});

import pulumi
import pulumi_vault as vault

aws = vault.aws.SecretBackend("aws",
    access_key="AKIA.....",
    secret_key="AWS secret key")
role = vault.aws.SecretBackendRole("role",
    backend=aws.path,
    name="deploy",
    credential_type="iam_user",
    policy_document="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
""")

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/aws"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		aws, err := aws.NewSecretBackend(ctx, "aws", &aws.SecretBackendArgs{
			AccessKey: pulumi.String("AKIA....."),
			SecretKey: pulumi.String("AWS secret key"),
		})
		if err != nil {
			return err
		}
		_, err = aws.NewSecretBackendRole(ctx, "role", &aws.SecretBackendRoleArgs{
			Backend:        aws.Path,
			Name:           pulumi.String("deploy"),
			CredentialType: pulumi.String("iam_user"),
			PolicyDocument: pulumi.String(`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
`),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var aws = new Vault.Aws.SecretBackend("aws", new()
    {
        AccessKey = "AKIA.....",
        SecretKey = "AWS secret key",
    });

    var role = new Vault.Aws.SecretBackendRole("role", new()
    {
        Backend = aws.Path,
        Name = "deploy",
        CredentialType = "iam_user",
        PolicyDocument = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Effect"": ""Allow"",
      ""Action"": ""iam:*"",
      ""Resource"": ""*""
    }
  ]
}
",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.aws.SecretBackend;
import com.pulumi.vault.aws.SecretBackendArgs;
import com.pulumi.vault.aws.SecretBackendRole;
import com.pulumi.vault.aws.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var aws = new SecretBackend("aws", SecretBackendArgs.builder()
            .accessKey("AKIA.....")
            .secretKey("AWS secret key")
            .build());

        var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
            .backend(aws.path())
            .name("deploy")
            .credentialType("iam_user")
            .policyDocument("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
            """)
            .build());

    }
}

resources:
  aws:
    type: vault:aws:SecretBackend
    properties:
      accessKey: AKIA.....
      secretKey: AWS secret key
  role:
    type: vault:aws:SecretBackendRole
    properties:
      backend: ${aws.path}
      name: deploy
      credentialType: iam_user
      policyDocument: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "iam:*",
              "Resource": "*"
            }
          ]
        }

Create SecretBackendRole Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);

@overload
def SecretBackendRole(resource_name: str,
                      args: SecretBackendRoleArgs,
                      opts: Optional[ResourceOptions] = None)

@overload
def SecretBackendRole(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      backend: Optional[str] = None,
                      credential_type: Optional[str] = None,
                      default_sts_ttl: Optional[int] = None,
                      external_id: Optional[str] = None,
                      iam_groups: Optional[Sequence[str]] = None,
                      iam_tags: Optional[Mapping[str, str]] = None,
                      max_sts_ttl: Optional[int] = None,
                      name: Optional[str] = None,
                      namespace: Optional[str] = None,
                      permissions_boundary_arn: Optional[str] = None,
                      policy_arns: Optional[Sequence[str]] = None,
                      policy_document: Optional[str] = None,
                      role_arns: Optional[Sequence[str]] = None,
                      session_tags: Optional[Mapping[str, str]] = None,
                      user_path: Optional[str] = None)

func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)

public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)

public SecretBackendRole(String name, SecretBackendRoleArgs args)
public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)

type: vault:aws:SecretBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var secretBackendRoleResource = new Vault.Aws.SecretBackendRole("secretBackendRoleResource", new()
{
    Backend = "string",
    CredentialType = "string",
    DefaultStsTtl = 0,
    ExternalId = "string",
    IamGroups = new[]
    {
        "string",
    },
    IamTags = 
    {
        { "string", "string" },
    },
    MaxStsTtl = 0,
    Name = "string",
    Namespace = "string",
    PermissionsBoundaryArn = "string",
    PolicyArns = new[]
    {
        "string",
    },
    PolicyDocument = "string",
    RoleArns = new[]
    {
        "string",
    },
    SessionTags = 
    {
        { "string", "string" },
    },
    UserPath = "string",
});

example, err := aws.NewSecretBackendRole(ctx, "secretBackendRoleResource", &aws.SecretBackendRoleArgs{
	Backend:        pulumi.String("string"),
	CredentialType: pulumi.String("string"),
	DefaultStsTtl:  pulumi.Int(0),
	ExternalId:     pulumi.String("string"),
	IamGroups: pulumi.StringArray{
		pulumi.String("string"),
	},
	IamTags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	MaxStsTtl:              pulumi.Int(0),
	Name:                   pulumi.String("string"),
	Namespace:              pulumi.String("string"),
	PermissionsBoundaryArn: pulumi.String("string"),
	PolicyArns: pulumi.StringArray{
		pulumi.String("string"),
	},
	PolicyDocument: pulumi.String("string"),
	RoleArns: pulumi.StringArray{
		pulumi.String("string"),
	},
	SessionTags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	UserPath: pulumi.String("string"),
})

var secretBackendRoleResource = new com.pulumi.vault.aws.SecretBackendRole("secretBackendRoleResource", com.pulumi.vault.aws.SecretBackendRoleArgs.builder()
    .backend("string")
    .credentialType("string")
    .defaultStsTtl(0)
    .externalId("string")
    .iamGroups("string")
    .iamTags(Map.of("string", "string"))
    .maxStsTtl(0)
    .name("string")
    .namespace("string")
    .permissionsBoundaryArn("string")
    .policyArns("string")
    .policyDocument("string")
    .roleArns("string")
    .sessionTags(Map.of("string", "string"))
    .userPath("string")
    .build());

secret_backend_role_resource = vault.aws.SecretBackendRole("secretBackendRoleResource",
    backend="string",
    credential_type="string",
    default_sts_ttl=0,
    external_id="string",
    iam_groups=["string"],
    iam_tags={
        "string": "string",
    },
    max_sts_ttl=0,
    name="string",
    namespace="string",
    permissions_boundary_arn="string",
    policy_arns=["string"],
    policy_document="string",
    role_arns=["string"],
    session_tags={
        "string": "string",
    },
    user_path="string")

const secretBackendRoleResource = new vault.aws.SecretBackendRole("secretBackendRoleResource", {
    backend: "string",
    credentialType: "string",
    defaultStsTtl: 0,
    externalId: "string",
    iamGroups: ["string"],
    iamTags: {
        string: "string",
    },
    maxStsTtl: 0,
    name: "string",
    namespace: "string",
    permissionsBoundaryArn: "string",
    policyArns: ["string"],
    policyDocument: "string",
    roleArns: ["string"],
    sessionTags: {
        string: "string",
    },
    userPath: "string",
});

type: vault:aws:SecretBackendRole
properties:
    backend: string
    credentialType: string
    defaultStsTtl: 0
    externalId: string
    iamGroups:
        - string
    iamTags:
        string: string
    maxStsTtl: 0
    name: string
    namespace: string
    permissionsBoundaryArn: string
    policyArns:
        - string
    policyDocument: string
    roleArns:
        - string
    sessionTags:
        string: string
    userPath: string

SecretBackendRole Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecretBackendRole resource accepts the following input properties:

Backend string: The path the AWS secret backend is mounted at, with no leading or trailing /s.
CredentialType string: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
DefaultStsTtl int: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
ExternalId string: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
IamGroups List<string>: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
IamTags Dictionary<string, string>: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
MaxStsTtl int: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
Name string: The name to identify this role within the backend. Must be unique within the backend.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PermissionsBoundaryArn string: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
PolicyArns List<string>: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
PolicyDocument string: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
RoleArns List<string>: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
SessionTags Dictionary<string, string>: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
UserPath string: The path for the user name. Valid only when credential_type is iam_user. Default is /.

Backend string: The path the AWS secret backend is mounted at, with no leading or trailing /s.
CredentialType string: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
DefaultStsTtl int: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
ExternalId string: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
IamGroups []string: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
IamTags map[string]string: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
MaxStsTtl int: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
Name string: The name to identify this role within the backend. Must be unique within the backend.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PermissionsBoundaryArn string: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
PolicyArns []string: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
PolicyDocument string: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
RoleArns []string: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
SessionTags map[string]string: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
UserPath string: The path for the user name. Valid only when credential_type is iam_user. Default is /.

backend String: The path the AWS secret backend is mounted at, with no leading or trailing /s.
credentialType String: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
defaultStsTtl Integer: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
externalId String: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
iamGroups List<String>: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
iamTags Map<String,String>: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
maxStsTtl Integer: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
name String: The name to identify this role within the backend. Must be unique within the backend.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
permissionsBoundaryArn String: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
policyArns List<String>: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
policyDocument String: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
roleArns List<String>: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
sessionTags Map<String,String>: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
userPath String: The path for the user name. Valid only when credential_type is iam_user. Default is /.

backend string: The path the AWS secret backend is mounted at, with no leading or trailing /s.
credentialType string: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
defaultStsTtl number: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
externalId string: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
iamGroups string[]: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
iamTags {[key: string]: string}: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
maxStsTtl number: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
name string: The name to identify this role within the backend. Must be unique within the backend.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
permissionsBoundaryArn string: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
policyArns string[]: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
policyDocument string: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
roleArns string[]: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
sessionTags {[key: string]: string}: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
userPath string: The path for the user name. Valid only when credential_type is iam_user. Default is /.

backend str: The path the AWS secret backend is mounted at, with no leading or trailing /s.
credential_type str: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
default_sts_ttl int: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
external_id str: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
iam_groups Sequence[str]: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
iam_tags Mapping[str, str]: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
max_sts_ttl int: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
name str: The name to identify this role within the backend. Must be unique within the backend.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
permissions_boundary_arn str: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
policy_arns Sequence[str]: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
policy_document str: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
role_arns Sequence[str]: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
session_tags Mapping[str, str]: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
user_path str: The path for the user name. Valid only when credential_type is iam_user. Default is /.

backend String: The path the AWS secret backend is mounted at, with no leading or trailing /s.
credentialType String: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
defaultStsTtl Number: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
externalId String: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
iamGroups List<String>: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
iamTags Map<String>: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
maxStsTtl Number: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
name String: The name to identify this role within the backend. Must be unique within the backend.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
permissionsBoundaryArn String: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
policyArns List<String>: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
policyDocument String: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
roleArns List<String>: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
sessionTags Map<String>: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
userPath String: The path for the user name. Valid only when credential_type is iam_user. Default is /.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing SecretBackendRole Resource

Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        backend: Optional[str] = None,
        credential_type: Optional[str] = None,
        default_sts_ttl: Optional[int] = None,
        external_id: Optional[str] = None,
        iam_groups: Optional[Sequence[str]] = None,
        iam_tags: Optional[Mapping[str, str]] = None,
        max_sts_ttl: Optional[int] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        permissions_boundary_arn: Optional[str] = None,
        policy_arns: Optional[Sequence[str]] = None,
        policy_document: Optional[str] = None,
        role_arns: Optional[Sequence[str]] = None,
        session_tags: Optional[Mapping[str, str]] = None,
        user_path: Optional[str] = None) -> SecretBackendRole

func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)

public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)

public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)

resources:  _:    type: vault:aws:SecretBackendRole    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Backend string: The path the AWS secret backend is mounted at, with no leading or trailing /s.
CredentialType string: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
DefaultStsTtl int: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
ExternalId string: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
IamGroups List<string>: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
IamTags Dictionary<string, string>: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
MaxStsTtl int: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
Name string: The name to identify this role within the backend. Must be unique within the backend.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PermissionsBoundaryArn string: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
PolicyArns List<string>: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
PolicyDocument string: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
RoleArns List<string>: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
SessionTags Dictionary<string, string>: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
UserPath string: The path for the user name. Valid only when credential_type is iam_user. Default is /.

Backend string: The path the AWS secret backend is mounted at, with no leading or trailing /s.
CredentialType string: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
DefaultStsTtl int: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
ExternalId string: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
IamGroups []string: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
IamTags map[string]string: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
MaxStsTtl int: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
Name string: The name to identify this role within the backend. Must be unique within the backend.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PermissionsBoundaryArn string: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
PolicyArns []string: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
PolicyDocument string: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
RoleArns []string: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
SessionTags map[string]string: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
UserPath string: The path for the user name. Valid only when credential_type is iam_user. Default is /.

backend String: The path the AWS secret backend is mounted at, with no leading or trailing /s.
credentialType String: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
defaultStsTtl Integer: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
externalId String: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
iamGroups List<String>: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
iamTags Map<String,String>: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
maxStsTtl Integer: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
name String: The name to identify this role within the backend. Must be unique within the backend.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
permissionsBoundaryArn String: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
policyArns List<String>: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
policyDocument String: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
roleArns List<String>: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
sessionTags Map<String,String>: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
userPath String: The path for the user name. Valid only when credential_type is iam_user. Default is /.

backend string: The path the AWS secret backend is mounted at, with no leading or trailing /s.
credentialType string: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
defaultStsTtl number: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
externalId string: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
iamGroups string[]: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
iamTags {[key: string]: string}: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
maxStsTtl number: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
name string: The name to identify this role within the backend. Must be unique within the backend.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
permissionsBoundaryArn string: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
policyArns string[]: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
policyDocument string: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
roleArns string[]: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
sessionTags {[key: string]: string}: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
userPath string: The path for the user name. Valid only when credential_type is iam_user. Default is /.

backend str: The path the AWS secret backend is mounted at, with no leading or trailing /s.
credential_type str: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
default_sts_ttl int: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
external_id str: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
iam_groups Sequence[str]: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
iam_tags Mapping[str, str]: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
max_sts_ttl int: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
name str: The name to identify this role within the backend. Must be unique within the backend.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
permissions_boundary_arn str: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
policy_arns Sequence[str]: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
policy_document str: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
role_arns Sequence[str]: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
session_tags Mapping[str, str]: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
user_path str: The path for the user name. Valid only when credential_type is iam_user. Default is /.

backend String: The path the AWS secret backend is mounted at, with no leading or trailing /s.
credentialType String: Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
defaultStsTtl Number: The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
externalId String: External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
iamGroups List<String>: A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
iamTags Map<String>: A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
maxStsTtl Number: The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
name String: The name to identify this role within the backend. Must be unique within the backend.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
permissionsBoundaryArn String: The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
policyArns List<String>: Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
policyDocument String: The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
roleArns List<String>: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
sessionTags Map<String>: A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
userPath String: The path for the user name. Valid only when credential_type is iam_user. Default is /.

Import

AWS secret backend roles can be imported using the path, e.g.

$ pulumi import vault:aws/secretBackendRole:SecretBackendRole role aws/roles/deploy

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi

pulumi/pulumi-vault

vault.aws.SecretBackendRole

On this page

On this page

Example Usage

Create SecretBackendRole Resource

Constructor syntax

Parameters

Constructor example

SecretBackendRole Resource Properties

Inputs

Outputs

Look up Existing SecretBackendRole Resource

Import

Package Details

On this page

On this page