getSecret

HashiCorp Vault v7.8.0, Mar 31 26

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Important All data retrieved from Vault will be written in cleartext to state file generated by Terraform, will appear in the console output when Terraform runs, and may be included in plan files if secrets are interpolated into any resource attributes. Protect these artifacts accordingly. See the main provider documentation for more details.

Example Usage

Generic secret

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const rundeckAuth = vault.generic.getSecret({
    path: "secret/rundeck_auth",
});

import pulumi
import pulumi_vault as vault

rundeck_auth = vault.generic.get_secret(path="secret/rundeck_auth")

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/generic"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := generic.LookupSecret(ctx, &generic.LookupSecretArgs{
			Path: "secret/rundeck_auth",
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var rundeckAuth = Vault.Generic.GetSecret.Invoke(new()
    {
        Path = "secret/rundeck_auth",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.generic.GenericFunctions;
import com.pulumi.vault.generic.inputs.GetSecretArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var rundeckAuth = GenericFunctions.getSecret(GetSecretArgs.builder()
            .path("secret/rundeck_auth")
            .build());

    }
}

variables:
  rundeckAuth:
    fn::invoke:
      function: vault:generic:getSecret
      arguments:
        path: secret/rundeck_auth

KV

For this example, consider example as a path for a KV engine.

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

function notImplemented(message: string) {
    throw new Error(message);
}

const exampleCreds = vault.generic.getSecret({
    path: "example/creds",
});
const exampleTemplate = notImplemented("The template_file data resource is not yet supported.");

import pulumi
import pulumi_vault as vault


def not_implemented(msg):
    raise NotImplementedError(msg)

example_creds = vault.generic.get_secret(path="example/creds")
example_template = not_implemented("The template_file data resource is not yet supported.")

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/generic"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func notImplemented(message string) pulumi.AnyOutput {
	panic(message)
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := generic.LookupSecret(ctx, &generic.LookupSecretArgs{
			Path: "example/creds",
		}, nil)
		if err != nil {
			return err
		}
		_ = notImplemented("The template_file data resource is not yet supported.")
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

	
object NotImplemented(string errorMessage) 
{
    throw new System.NotImplementedException(errorMessage);
}

return await Deployment.RunAsync(() => 
{
    var exampleCreds = Vault.Generic.GetSecret.Invoke(new()
    {
        Path = "example/creds",
    });

    var exampleTemplate = NotImplemented("The template_file data resource is not yet supported.");

});

Example coming soon!

Example coming soon!

Required Vault Capabilities

Use of this resource requires the read capability on the given path.

Using getSecret

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getSecret(args: GetSecretArgs, opts?: InvokeOptions): Promise<GetSecretResult>
function getSecretOutput(args: GetSecretOutputArgs, opts?: InvokeOptions): Output<GetSecretResult>

def get_secret(namespace: Optional[str] = None,
               path: Optional[str] = None,
               version: Optional[int] = None,
               with_lease_start_time: Optional[bool] = None,
               opts: Optional[InvokeOptions] = None) -> GetSecretResult
def get_secret_output(namespace: Optional[pulumi.Input[str]] = None,
               path: Optional[pulumi.Input[str]] = None,
               version: Optional[pulumi.Input[int]] = None,
               with_lease_start_time: Optional[pulumi.Input[bool]] = None,
               opts: Optional[InvokeOptions] = None) -> Output[GetSecretResult]

func LookupSecret(ctx *Context, args *LookupSecretArgs, opts ...InvokeOption) (*LookupSecretResult, error)
func LookupSecretOutput(ctx *Context, args *LookupSecretOutputArgs, opts ...InvokeOption) LookupSecretResultOutput

> Note: This function is named LookupSecret in the Go SDK.

public static class GetSecret 
{
    public static Task<GetSecretResult> InvokeAsync(GetSecretArgs args, InvokeOptions? opts = null)
    public static Output<GetSecretResult> Invoke(GetSecretInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetSecretResult> getSecret(GetSecretArgs args, InvokeOptions options)
public static Output<GetSecretResult> getSecret(GetSecretArgs args, InvokeOptions options)

fn::invoke:
  function: vault:generic/getSecret:getSecret
  arguments:
    # arguments dictionary

The following arguments are supported:

Path string: The full logical path from which to request data. To read data from the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Reading from other backends with this data source is possible; consult each backend's documentation to see which endpoints support the GET method.
Namespace string: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
Version int: The version of the secret to read. This is used by the Vault KV secrets engine - version 2 to indicate which version of the secret to read.
WithLeaseStartTime bool: If set to true, stores leaseStartTime in the TF state. Note that storing the leaseStartTime in the TF state will cause a persistent drift on every pulumi preview and will require a pulumi up.

Path string: The full logical path from which to request data. To read data from the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Reading from other backends with this data source is possible; consult each backend's documentation to see which endpoints support the GET method.
Namespace string: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
Version int: The version of the secret to read. This is used by the Vault KV secrets engine - version 2 to indicate which version of the secret to read.
WithLeaseStartTime bool: If set to true, stores leaseStartTime in the TF state. Note that storing the leaseStartTime in the TF state will cause a persistent drift on every pulumi preview and will require a pulumi up.

path String: The full logical path from which to request data. To read data from the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Reading from other backends with this data source is possible; consult each backend's documentation to see which endpoints support the GET method.
namespace String: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
version Integer: The version of the secret to read. This is used by the Vault KV secrets engine - version 2 to indicate which version of the secret to read.
withLeaseStartTime Boolean: If set to true, stores leaseStartTime in the TF state. Note that storing the leaseStartTime in the TF state will cause a persistent drift on every pulumi preview and will require a pulumi up.

path string: The full logical path from which to request data. To read data from the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Reading from other backends with this data source is possible; consult each backend's documentation to see which endpoints support the GET method.
namespace string: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
version number: The version of the secret to read. This is used by the Vault KV secrets engine - version 2 to indicate which version of the secret to read.
withLeaseStartTime boolean: If set to true, stores leaseStartTime in the TF state. Note that storing the leaseStartTime in the TF state will cause a persistent drift on every pulumi preview and will require a pulumi up.

path str: The full logical path from which to request data. To read data from the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Reading from other backends with this data source is possible; consult each backend's documentation to see which endpoints support the GET method.
namespace str: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
version int: The version of the secret to read. This is used by the Vault KV secrets engine - version 2 to indicate which version of the secret to read.
with_lease_start_time bool: If set to true, stores leaseStartTime in the TF state. Note that storing the leaseStartTime in the TF state will cause a persistent drift on every pulumi preview and will require a pulumi up.

path String: The full logical path from which to request data. To read data from the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Reading from other backends with this data source is possible; consult each backend's documentation to see which endpoints support the GET method.
namespace String: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
version Number: The version of the secret to read. This is used by the Vault KV secrets engine - version 2 to indicate which version of the secret to read.
withLeaseStartTime Boolean: If set to true, stores leaseStartTime in the TF state. Note that storing the leaseStartTime in the TF state will cause a persistent drift on every pulumi preview and will require a pulumi up.

getSecret Result

The following output properties are available:

Data Dictionary<string, string>: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
DataJson string: A string containing the full data payload retrieved from Vault, serialized in JSON format.
Id string: The provider-assigned unique ID for this managed resource.
LeaseDuration int: The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
LeaseId string: The lease identifier assigned by Vault, if any.
LeaseRenewable bool: true if the lease can be renewed using Vault's sys/renew/{lease-id} endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.
LeaseStartTime string: The date and time of Terraform execution. It is derived from the local machine's clock, and is recorded in RFC3339 format UTC. This can be used to approximate the absolute time represented by leaseDuration, though users must allow for any clock drift and response latency relative to the Vault server. Provided only as a convenience.
Path string
Namespace string
Version int
WithLeaseStartTime bool

Data map[string]string: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
DataJson string: A string containing the full data payload retrieved from Vault, serialized in JSON format.
Id string: The provider-assigned unique ID for this managed resource.
LeaseDuration int: The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
LeaseId string: The lease identifier assigned by Vault, if any.
LeaseRenewable bool: true if the lease can be renewed using Vault's sys/renew/{lease-id} endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.
LeaseStartTime string: The date and time of Terraform execution. It is derived from the local machine's clock, and is recorded in RFC3339 format UTC. This can be used to approximate the absolute time represented by leaseDuration, though users must allow for any clock drift and response latency relative to the Vault server. Provided only as a convenience.
Path string
Namespace string
Version int
WithLeaseStartTime bool

data Map<String,String>: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
dataJson String: A string containing the full data payload retrieved from Vault, serialized in JSON format.
id String: The provider-assigned unique ID for this managed resource.
leaseDuration Integer: The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
leaseId String: The lease identifier assigned by Vault, if any.
leaseRenewable Boolean: true if the lease can be renewed using Vault's sys/renew/{lease-id} endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.
leaseStartTime String: The date and time of Terraform execution. It is derived from the local machine's clock, and is recorded in RFC3339 format UTC. This can be used to approximate the absolute time represented by leaseDuration, though users must allow for any clock drift and response latency relative to the Vault server. Provided only as a convenience.
path String
namespace String
version Integer
withLeaseStartTime Boolean

data {[key: string]: string}: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
dataJson string: A string containing the full data payload retrieved from Vault, serialized in JSON format.
id string: The provider-assigned unique ID for this managed resource.
leaseDuration number: The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
leaseId string: The lease identifier assigned by Vault, if any.
leaseRenewable boolean: true if the lease can be renewed using Vault's sys/renew/{lease-id} endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.
leaseStartTime string: The date and time of Terraform execution. It is derived from the local machine's clock, and is recorded in RFC3339 format UTC. This can be used to approximate the absolute time represented by leaseDuration, though users must allow for any clock drift and response latency relative to the Vault server. Provided only as a convenience.
path string
namespace string
version number
withLeaseStartTime boolean

data Mapping[str, str]: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
data_json str: A string containing the full data payload retrieved from Vault, serialized in JSON format.
id str: The provider-assigned unique ID for this managed resource.
lease_duration int: The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
lease_id str: The lease identifier assigned by Vault, if any.
lease_renewable bool: true if the lease can be renewed using Vault's sys/renew/{lease-id} endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.
lease_start_time str: The date and time of Terraform execution. It is derived from the local machine's clock, and is recorded in RFC3339 format UTC. This can be used to approximate the absolute time represented by leaseDuration, though users must allow for any clock drift and response latency relative to the Vault server. Provided only as a convenience.
path str
namespace str
version int
with_lease_start_time bool

data Map<String>: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
dataJson String: A string containing the full data payload retrieved from Vault, serialized in JSON format.
id String: The provider-assigned unique ID for this managed resource.
leaseDuration Number: The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.
leaseId String: The lease identifier assigned by Vault, if any.
leaseRenewable Boolean: true if the lease can be renewed using Vault's sys/renew/{lease-id} endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.
leaseStartTime String: The date and time of Terraform execution. It is derived from the local machine's clock, and is recorded in RFC3339 format UTC. This can be used to approximate the absolute time represented by leaseDuration, though users must allow for any clock drift and response latency relative to the Vault server. Provided only as a convenience.
path String
namespace String
version Number
withLeaseStartTime Boolean

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

vault.generic.getSecret

On this page

On this page

Example Usage

Generic secret

KV

Required Vault Capabilities

Using getSecret

getSecret Result

Package Details

On this page

On this page