HashiCorp Vault v6.0.0 published on Monday, Mar 25, 2024 by Pulumi

vault.gcp.SecretStaticAccount


    Creates a Static Account in the GCP Secrets Engine for Vault.

    Each static account is tied to a service account that is managed outside Vault (in the examples below it is created by the gcp provider, not by Vault), and can have zero or more IAM bindings associated with it; the `bindings` argument is optional.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as fs from "fs";
    import * as gcp from "@pulumi/gcp";
    import * as vault from "@pulumi/vault";
    
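    // Service account that Vault will manage; created by the gcp provider, not by Vault.
    const serviceAccount = new gcp.serviceaccount.Account("this", {accountId: "my-awesome-account"});
    // GCP secrets engine mount. The variable must not be named `gcp`: that would
    // redeclare the `@pulumi/gcp` module imported above and the program would not compile.
    const backend = new vault.gcp.SecretBackend("gcp", {
        path: "gcp",
        // Service-account key file handed to Vault. pulumi.secret marks it as a Pulumi
        // secret so it is encrypted in the state file regardless of whether the
        // provider schema already flags the field as sensitive.
        credentials: pulumi.secret(fs.readFileSync("credentials.json", "utf8")),
    });
    const staticAccount = new vault.gcp.SecretStaticAccount("staticAccount", {
        backend: backend.path,
        staticAccount: "project_viewer",
        secretType: "access_token",
        // cloud-platform is the broad, general-purpose OAuth scope; narrow it if the
        // consumers of these tokens need less.
        tokenScopes: ["https://www.googleapis.com/auth/cloud-platform"],
        serviceAccountEmail: serviceAccount.email,
        // Optional: IAM role bindings Vault creates on the resource for this static account.
        bindings: [{
            resource: pulumi.interpolate`//cloudresourcemanager.googleapis.com/projects/${serviceAccount.project}`,
            roles: ["roles/viewer"],
        }],
    });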
    
    import pulumi
    import pulumi_gcp as gcp
    import pulumi_vault as vault
    
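    # Service account that Vault will manage; created by the gcp provider, not by Vault.
    service_account = gcp.service_account.Account("this", account_id="my-awesome-account")

    # Read the service-account key file with a context manager so the handle is
    # closed (the original `open(path).read()` never closed it).
    with open("credentials.json", encoding="utf-8") as key_file:
        credentials_json = key_file.read()

    # GCP secrets engine mount. Named `backend` rather than `gcp` so it does not
    # rebind the `pulumi_gcp` module imported above.
    backend = vault.gcp.SecretBackend(
        "gcp",
        path="gcp",
        # Output.secret marks the key as a Pulumi secret so it is encrypted in the
        # state file regardless of whether the provider schema already flags the
        # field as sensitive.
        credentials=pulumi.Output.secret(credentials_json),
    )

    static_account = vault.gcp.SecretStaticAccount(
        "staticAccount",
        backend=backend.path,
        static_account="project_viewer",
        secret_type="access_token",
        # cloud-platform is the broad, general-purpose OAuth scope; narrow it if the
        # consumers of these tokens need less.
        token_scopes=["https://www.googleapis.com/auth/cloud-platform"],
        service_account_email=service_account.email,
        # Optional: IAM role bindings Vault creates on the resource for this static account.
        bindings=[
            vault.gcp.SecretStaticAccountBindingArgs(
                resource=service_account.project.apply(
                    lambda project: f"//cloudresourcemanager.googleapis.com/projects/{project}"
                ),
                roles=["roles/viewer"],
            )
        ],
    )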
    
    package main
    
    import (
    	"fmt"
    	"os"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/serviceAccount"
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // readFileOrPanic returns the contents of the file at path as a Pulumi string
    // input. It aborts the program (panic) if the file cannot be read, which is
    // acceptable for an example; production code should propagate the error.
    func readFileOrPanic(path string) pulumi.StringPtrInput {
    	contents, readErr := os.ReadFile(path)
    	if readErr == nil {
    		return pulumi.String(contents)
    	}
    	panic(readErr.Error())
    }
    
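    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Service account that Vault will manage; it is created by the gcp
    		// provider here, not by Vault.
    		account, err := serviceAccount.NewAccount(ctx, "this", &serviceAccount.AccountArgs{
    			AccountId: pulumi.String("my-awesome-account"),
    		})
    		if err != nil {
    			return err
    		}
    		// GCP secrets engine mount. The variable must not be named `gcp`: that
    		// would shadow the vault/gcp package import, and the gcp.NewSecretStaticAccount
    		// and gcp.SecretStaticAccountArgs references below would not compile.
    		backend, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
    			Path: pulumi.String("gcp"),
    			// Service-account key file handed to Vault. pulumi.ToSecret marks it as
    			// a Pulumi secret so it is encrypted in the state file regardless of
    			// whether the provider schema already flags the field as sensitive.
    			Credentials: pulumi.ToSecret(readFileOrPanic("credentials.json")).(pulumi.StringOutput),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = gcp.NewSecretStaticAccount(ctx, "staticAccount", &gcp.SecretStaticAccountArgs{
    			Backend:       backend.Path,
    			StaticAccount: pulumi.String("project_viewer"),
    			SecretType:    pulumi.String("access_token"),
    			// cloud-platform is the broad, general-purpose OAuth scope; narrow it
    			// if the consumers of these tokens need less.
    			TokenScopes: pulumi.StringArray{
    				pulumi.String("https://www.googleapis.com/auth/cloud-platform"),
    			},
    			ServiceAccountEmail: account.Email,
    			// Optional: IAM role bindings Vault creates on the resource for this static account.
    			Bindings: gcp.SecretStaticAccountBindingArray{
    				&gcp.SecretStaticAccountBindingArgs{
    					Resource: account.Project.ApplyT(func(project string) (string, error) {
    						return fmt.Sprintf("//cloudresourcemanager.googleapis.com/projects/%v", project), nil
    					}).(pulumi.StringOutput),
    					Roles: pulumi.StringArray{
    						pulumi.String("roles/viewer"),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }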
    
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    using Vault = Pulumi.Vault;
    
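    return await Deployment.RunAsync(() => 
    {
        // Service account that Vault will manage; created by the gcp provider, not by Vault.
        var serviceAccount = new Gcp.ServiceAccount.Account("this", new()
        {
            AccountId = "my-awesome-account",
        });

        // GCP secrets engine mount.
        var backend = new Vault.Gcp.SecretBackend("gcp", new()
        {
            Path = "gcp",
            // Service-account key file handed to Vault. Output.CreateSecret marks it as a
            // Pulumi secret so it is encrypted in the state file regardless of whether
            // the provider schema already flags the field as sensitive.
            Credentials = Output.CreateSecret(File.ReadAllText("credentials.json")),
        });

        var staticAccount = new Vault.Gcp.SecretStaticAccount("staticAccount", new()
        {
            Backend = backend.Path,
            StaticAccount = "project_viewer",
            SecretType = "access_token",
            // cloud-platform is the broad, general-purpose OAuth scope; narrow it if the
            // consumers of these tokens need less.
            TokenScopes = new[]
            {
                "https://www.googleapis.com/auth/cloud-platform",
            },
            ServiceAccountEmail = serviceAccount.Email,
            // Optional: IAM role bindings Vault creates on the resource for this static account.
            Bindings = new[]
            {
                new Vault.Gcp.Inputs.SecretStaticAccountBindingArgs
                {
                    Resource = serviceAccount.Project.Apply(project => $"//cloudresourcemanager.googleapis.com/projects/{project}"),
                    Roles = new[]
                    {
                        "roles/viewer",
                    },
                },
            },
        });

    });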
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.serviceAccount.Account;
    import com.pulumi.gcp.serviceAccount.AccountArgs;
    import com.pulumi.vault.gcp.SecretBackend;
    import com.pulumi.vault.gcp.SecretBackendArgs;
    import com.pulumi.vault.gcp.SecretStaticAccount;
    import com.pulumi.vault.gcp.SecretStaticAccountArgs;
    import com.pulumi.vault.gcp.inputs.SecretStaticAccountBindingArgs;
    import java.io.File;
    import java.io.IOException;
    import java.io.UncheckedIOException;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    
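    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Reads the service-account key file at {@code path}.
         *
         * Files.readString throws the checked IOException, which stack(Context) cannot
         * declare because Pulumi.run takes a Consumer; the original example therefore
         * did not compile. The exception is rethrown unchecked so the deployment fails loudly.
         */
        private static String readCredentials(String path) {
            try {
                return Files.readString(Paths.get(path));
            } catch (IOException e) {
                throw new UncheckedIOException("failed to read " + path, e);
            }
        }

        public static void stack(Context ctx) {
            // Service account that Vault will manage; created by the gcp provider, not by Vault.
            var serviceAccount = new Account("this", AccountArgs.builder()
                .accountId("my-awesome-account")
                .build());

            // GCP secrets engine mount. Output.ofSecret marks the key as a Pulumi secret
            // so it is encrypted in the state file regardless of whether the provider
            // schema already flags the field as sensitive.
            var backend = new SecretBackend("gcp", SecretBackendArgs.builder()
                .path("gcp")
                .credentials(Output.ofSecret(readCredentials("credentials.json")))
                .build());

            var staticAccount = new SecretStaticAccount("staticAccount", SecretStaticAccountArgs.builder()
                .backend(backend.path())
                .staticAccount("project_viewer")
                .secretType("access_token")
                // cloud-platform is the broad, general-purpose OAuth scope; narrow it if
                // the consumers of these tokens need less.
                .tokenScopes("https://www.googleapis.com/auth/cloud-platform")
                .serviceAccountEmail(serviceAccount.email())
                // Optional: IAM role bindings Vault creates on the resource for this static account.
                .bindings(SecretStaticAccountBindingArgs.builder()
                    .resource(serviceAccount.project().applyValue(project -> String.format("//cloudresourcemanager.googleapis.com/projects/%s", project)))
                    .roles("roles/viewer")
                    .build())
                .build());
        }
    }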
    
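    resources:
      # Service account that Vault will manage; created by the gcp provider, not by Vault.
      this:
        type: gcp:serviceAccount:Account
        properties:
          accountId: my-awesome-account
      # GCP secrets engine mount.
      gcp:
        type: vault:gcp:SecretBackend
        properties:
          path: gcp
          # Service-account key file handed to Vault. fn::secret marks it as a Pulumi
          # secret so it is encrypted in the state file regardless of whether the
          # provider schema already flags the field as sensitive.
          credentials:
            fn::secret:
              fn::readFile: credentials.json
      staticAccount:
        type: vault:gcp:SecretStaticAccount
        properties:
          backend: ${gcp.path}
          staticAccount: project_viewer
          secretType: access_token
          # cloud-platform is the broad, general-purpose OAuth scope; narrow it if the
          # consumers of these tokens need less.
          tokenScopes:
            - https://www.googleapis.com/auth/cloud-platform
          serviceAccountEmail: ${this.email}
          # Optional: IAM role bindings Vault creates on the resource for this static account.
          bindings:
            - resource: //cloudresourcemanager.googleapis.com/projects/${this.project}
              roles:
                - roles/viewer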
    

    Create SecretStaticAccount Resource

    new SecretStaticAccount(name: string, args: SecretStaticAccountArgs, opts?: CustomResourceOptions);
    @overload
    def SecretStaticAccount(resource_name: str,
                            opts: Optional[ResourceOptions] = None,
                            backend: Optional[str] = None,
                            bindings: Optional[Sequence[SecretStaticAccountBindingArgs]] = None,
                            namespace: Optional[str] = None,
                            secret_type: Optional[str] = None,
                            service_account_email: Optional[str] = None,
                            static_account: Optional[str] = None,
                            token_scopes: Optional[Sequence[str]] = None)
    @overload
    def SecretStaticAccount(resource_name: str,
                            args: SecretStaticAccountArgs,
                            opts: Optional[ResourceOptions] = None)
    func NewSecretStaticAccount(ctx *Context, name string, args SecretStaticAccountArgs, opts ...ResourceOption) (*SecretStaticAccount, error)
    public SecretStaticAccount(string name, SecretStaticAccountArgs args, CustomResourceOptions? opts = null)
    public SecretStaticAccount(String name, SecretStaticAccountArgs args)
    public SecretStaticAccount(String name, SecretStaticAccountArgs args, CustomResourceOptions options)
    
    type: vault:gcp:SecretStaticAccount
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args SecretStaticAccountArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretStaticAccountArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretStaticAccountArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretStaticAccountArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretStaticAccountArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    SecretStaticAccount Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SecretStaticAccount resource accepts the following input properties:

    Backend string
    Path where the GCP Secrets Engine is mounted
    ServiceAccountEmail string
    Email of the GCP service account to manage.
    StaticAccount string
    Name of the Static Account to create
    Bindings List<SecretStaticAccountBinding>
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    SecretType string
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    TokenScopes List<string>
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).
    Backend string
    Path where the GCP Secrets Engine is mounted
    ServiceAccountEmail string
    Email of the GCP service account to manage.
    StaticAccount string
    Name of the Static Account to create
    Bindings []SecretStaticAccountBindingArgs
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    SecretType string
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    TokenScopes []string
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).
    backend String
    Path where the GCP Secrets Engine is mounted
    serviceAccountEmail String
    Email of the GCP service account to manage.
    staticAccount String
    Name of the Static Account to create
    bindings List<SecretStaticAccountBinding>
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secretType String
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    tokenScopes List<String>
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).
    backend string
    Path where the GCP Secrets Engine is mounted
    serviceAccountEmail string
    Email of the GCP service account to manage.
    staticAccount string
    Name of the Static Account to create
    bindings SecretStaticAccountBinding[]
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secretType string
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    tokenScopes string[]
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).
    backend str
    Path where the GCP Secrets Engine is mounted
    service_account_email str
    Email of the GCP service account to manage.
    static_account str
    Name of the Static Account to create
    bindings Sequence[SecretStaticAccountBindingArgs]
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secret_type str
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    token_scopes Sequence[str]
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).
    backend String
    Path where the GCP Secrets Engine is mounted
    serviceAccountEmail String
    Email of the GCP service account to manage.
    staticAccount String
    Name of the Static Account to create
    bindings List<Property Map>
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secretType String
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    tokenScopes List<String>
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretStaticAccount resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    ServiceAccountProject string
    Project the service account belongs to.
    Id string
    The provider-assigned unique ID for this managed resource.
    ServiceAccountProject string
    Project the service account belongs to.
    id String
    The provider-assigned unique ID for this managed resource.
    serviceAccountProject String
    Project the service account belongs to.
    id string
    The provider-assigned unique ID for this managed resource.
    serviceAccountProject string
    Project the service account belongs to.
    id str
    The provider-assigned unique ID for this managed resource.
    service_account_project str
    Project the service account belongs to.
    id String
    The provider-assigned unique ID for this managed resource.
    serviceAccountProject String
    Project the service account belongs to.

    Look up Existing SecretStaticAccount Resource

    Get an existing SecretStaticAccount resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretStaticAccountState, opts?: CustomResourceOptions): SecretStaticAccount
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            backend: Optional[str] = None,
            bindings: Optional[Sequence[SecretStaticAccountBindingArgs]] = None,
            namespace: Optional[str] = None,
            secret_type: Optional[str] = None,
            service_account_email: Optional[str] = None,
            service_account_project: Optional[str] = None,
            static_account: Optional[str] = None,
            token_scopes: Optional[Sequence[str]] = None) -> SecretStaticAccount
    func GetSecretStaticAccount(ctx *Context, name string, id IDInput, state *SecretStaticAccountState, opts ...ResourceOption) (*SecretStaticAccount, error)
    public static SecretStaticAccount Get(string name, Input<string> id, SecretStaticAccountState? state, CustomResourceOptions? opts = null)
    public static SecretStaticAccount get(String name, Output<String> id, SecretStaticAccountState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Backend string
    Path where the GCP Secrets Engine is mounted
    Bindings List<SecretStaticAccountBinding>
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    SecretType string
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    ServiceAccountEmail string
    Email of the GCP service account to manage.
    ServiceAccountProject string
    Project the service account belongs to.
    StaticAccount string
    Name of the Static Account to create
    TokenScopes List<string>
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).
    Backend string
    Path where the GCP Secrets Engine is mounted
    Bindings []SecretStaticAccountBindingArgs
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    SecretType string
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    ServiceAccountEmail string
    Email of the GCP service account to manage.
    ServiceAccountProject string
    Project the service account belongs to.
    StaticAccount string
    Name of the Static Account to create
    TokenScopes []string
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).
    backend String
    Path where the GCP Secrets Engine is mounted
    bindings List<SecretStaticAccountBinding>
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secretType String
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    serviceAccountEmail String
    Email of the GCP service account to manage.
    serviceAccountProject String
    Project the service account belongs to.
    staticAccount String
    Name of the Static Account to create
    tokenScopes List<String>
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).
    backend string
    Path where the GCP Secrets Engine is mounted
    bindings SecretStaticAccountBinding[]
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secretType string
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    serviceAccountEmail string
    Email of the GCP service account to manage.
    serviceAccountProject string
    Project the service account belongs to.
    staticAccount string
    Name of the Static Account to create
    tokenScopes string[]
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).
    backend str
    Path where the GCP Secrets Engine is mounted
    bindings Sequence[SecretStaticAccountBindingArgs]
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secret_type str
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    service_account_email str
    Email of the GCP service account to manage.
    service_account_project str
    Project the service account belongs to.
    static_account str
    Name of the Static Account to create
    token_scopes Sequence[str]
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).
    backend String
    Path where the GCP Secrets Engine is mounted
    bindings List<Property Map>
    Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    secretType String
    Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token.
    serviceAccountEmail String
    Email of the GCP service account to manage.
    serviceAccountProject String
    Project the service account belongs to.
    staticAccount String
    Name of the Static Account to create
    tokenScopes List<String>
    List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only).

    Supporting Types

    SecretStaticAccountBinding, SecretStaticAccountBindingArgs

    Resource string
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats; the examples above use the full resource name form, `//cloudresourcemanager.googleapis.com/projects/<project>`.
    Roles List<string>
    List of GCP IAM roles for the resource.
    Resource string
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
    Roles []string
    List of GCP IAM roles for the resource.
    resource String
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
    roles List<String>
    List of GCP IAM roles for the resource.
    resource string
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
    roles string[]
    List of GCP IAM roles for the resource.
    resource str
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
    roles Sequence[str]
    List of GCP IAM roles for the resource.
    resource String
    Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
    roles List<String>
    List of GCP IAM roles for the resource.

    Import

    A static account can be imported using its Vault Path. For example, referencing the example above,

    $ pulumi import vault:gcp/secretStaticAccount:SecretStaticAccount static_account gcp/static-account/project_viewer
    

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.