Secret

HashiCorp Vault v7.8.0, Mar 31 26

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

This resource is primarily intended to be used with both v1 and v2 of Vault’s “generic” secret backend. While it is also compatible, with some limitations, with other Vault endpoints that support the vault write command to create and the vault delete command to delete, see also the generic endpoint resource for a more flexible way to manage arbitrary data.

Important All data provided in the resource configuration will be written in cleartext to state and plan files generated by Terraform, and will appear in the console output when Terraform runs. Protect these artifacts accordingly. See the main provider documentation for more details.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.generic.Secret("example", {
    path: "secret/foo",
    dataJson: `{
  \\"foo\\":   \\"bar\\",
  \\"pizza\\": \\"cheese\\"
}
`,
});

import pulumi
import pulumi_vault as vault

example = vault.generic.Secret("example",
    path="secret/foo",
    data_json="""{
  \"foo\":   \"bar\",
  \"pizza\": \"cheese\"
}
""")

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/generic"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := generic.NewSecret(ctx, "example", &generic.SecretArgs{
			Path:     pulumi.String("secret/foo"),
			DataJson: pulumi.String("{\n  \\\"foo\\\":   \\\"bar\\\",\n  \\\"pizza\\\": \\\"cheese\\\"\n}\n"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = new Vault.Generic.Secret("example", new()
    {
        Path = "secret/foo",
        DataJson = @"{
  \""foo\"":   \""bar\"",
  \""pizza\"": \""cheese\""
}
",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.generic.Secret;
import com.pulumi.vault.generic.SecretArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Secret("example", SecretArgs.builder()
            .path("secret/foo")
            .dataJson("""
{
  \"foo\":   \"bar\",
  \"pizza\": \"cheese\"
}
            """)
            .build());

    }
}

resources:
  example:
    type: vault:generic:Secret
    properties:
      path: secret/foo
      dataJson: |
        {
          \"foo\":   \"bar\",
          \"pizza\": \"cheese\"
        }

Required Vault Capabilities

Use of this resource requires the create or update capability (depending on whether the resource already exists) on the given path, the delete capability if the resource is removed from configuration, and the read capability for drift detection (by default).

Drift Detection

This resource does not necessarily need to read the secret data back from Terraform on refresh. To avoid the need for read access on the given path set the disableRead argument to true. This means that Terraform will not be able to detect and repair “drift” on this resource, should the data be updated or deleted outside of Terraform.

Create Secret Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Secret(name: string, args: SecretArgs, opts?: CustomResourceOptions);

@overload
def Secret(resource_name: str,
           args: SecretArgs,
           opts: Optional[ResourceOptions] = None)

@overload
def Secret(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           data_json: Optional[str] = None,
           path: Optional[str] = None,
           delete_all_versions: Optional[bool] = None,
           disable_read: Optional[bool] = None,
           namespace: Optional[str] = None)

func NewSecret(ctx *Context, name string, args SecretArgs, opts ...ResourceOption) (*Secret, error)

public Secret(string name, SecretArgs args, CustomResourceOptions? opts = null)

public Secret(String name, SecretArgs args)
public Secret(String name, SecretArgs args, CustomResourceOptions options)

type: vault:generic:Secret
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecretArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var secretResource = new Vault.Generic.Secret("secretResource", new()
{
    DataJson = "string",
    Path = "string",
    DeleteAllVersions = false,
    DisableRead = false,
    Namespace = "string",
});

example, err := generic.NewSecret(ctx, "secretResource", &generic.SecretArgs{
	DataJson:          pulumi.String("string"),
	Path:              pulumi.String("string"),
	DeleteAllVersions: pulumi.Bool(false),
	DisableRead:       pulumi.Bool(false),
	Namespace:         pulumi.String("string"),
})

var secretResource = new com.pulumi.vault.generic.Secret("secretResource", com.pulumi.vault.generic.SecretArgs.builder()
    .dataJson("string")
    .path("string")
    .deleteAllVersions(false)
    .disableRead(false)
    .namespace("string")
    .build());

secret_resource = vault.generic.Secret("secretResource",
    data_json="string",
    path="string",
    delete_all_versions=False,
    disable_read=False,
    namespace="string")

const secretResource = new vault.generic.Secret("secretResource", {
    dataJson: "string",
    path: "string",
    deleteAllVersions: false,
    disableRead: false,
    namespace: "string",
});

type: vault:generic:Secret
properties:
    dataJson: string
    deleteAllVersions: false
    disableRead: false
    namespace: string
    path: string

Secret Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Secret resource accepts the following input properties:

DataJson string: String containing a JSON-encoded object that will be written as the secret data at the given path.
Path string: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.
DeleteAllVersions bool: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
DisableRead bool: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

DataJson string: String containing a JSON-encoded object that will be written as the secret data at the given path.
Path string: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.
DeleteAllVersions bool: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
DisableRead bool: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

dataJson String: String containing a JSON-encoded object that will be written as the secret data at the given path.
path String: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.
deleteAllVersions Boolean: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
disableRead Boolean: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

dataJson string: String containing a JSON-encoded object that will be written as the secret data at the given path.
path string: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.
deleteAllVersions boolean: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
disableRead boolean: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

data_json str: String containing a JSON-encoded object that will be written as the secret data at the given path.
path str: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.
delete_all_versions bool: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
disable_read bool: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

dataJson String: String containing a JSON-encoded object that will be written as the secret data at the given path.
path String: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.
deleteAllVersions Boolean: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
disableRead Boolean: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

Outputs

All input properties are implicitly available as output properties. Additionally, the Secret resource produces the following output properties:

Data Dictionary<string, string>: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
Id string: The provider-assigned unique ID for this managed resource.

Data map[string]string: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
Id string: The provider-assigned unique ID for this managed resource.

data Map<String,String>: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
id String: The provider-assigned unique ID for this managed resource.

data {[key: string]: string}: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
id string: The provider-assigned unique ID for this managed resource.

data Mapping[str, str]: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
id str: The provider-assigned unique ID for this managed resource.

data Map<String>: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
id String: The provider-assigned unique ID for this managed resource.

Look up Existing Secret Resource

Get an existing Secret resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretState, opts?: CustomResourceOptions): Secret

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        data: Optional[Mapping[str, str]] = None,
        data_json: Optional[str] = None,
        delete_all_versions: Optional[bool] = None,
        disable_read: Optional[bool] = None,
        namespace: Optional[str] = None,
        path: Optional[str] = None) -> Secret

func GetSecret(ctx *Context, name string, id IDInput, state *SecretState, opts ...ResourceOption) (*Secret, error)

public static Secret Get(string name, Input<string> id, SecretState? state, CustomResourceOptions? opts = null)

public static Secret get(String name, Output<String> id, SecretState state, CustomResourceOptions options)

resources:  _:    type: vault:generic:Secret    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Data Dictionary<string, string>: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
DataJson string: String containing a JSON-encoded object that will be written as the secret data at the given path.
DeleteAllVersions bool: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
DisableRead bool: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
Path string: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.

Data map[string]string: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
DataJson string: String containing a JSON-encoded object that will be written as the secret data at the given path.
DeleteAllVersions bool: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
DisableRead bool: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
Path string: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.

data Map<String,String>: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
dataJson String: String containing a JSON-encoded object that will be written as the secret data at the given path.
deleteAllVersions Boolean: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
disableRead Boolean: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
path String: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.

data {[key: string]: string}: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
dataJson string: String containing a JSON-encoded object that will be written as the secret data at the given path.
deleteAllVersions boolean: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
disableRead boolean: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
path string: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.

data Mapping[str, str]: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
data_json str: String containing a JSON-encoded object that will be written as the secret data at the given path.
delete_all_versions bool: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
disable_read bool: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
path str: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.

data Map<String>: A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
dataJson String: String containing a JSON-encoded object that will be written as the secret data at the given path.
deleteAllVersions Boolean: true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret.
disableRead Boolean: true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
path String: The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods.

Import

Generic secrets can be imported using the path, e.g.

$ pulumi import vault:generic/secret:Secret example secret/foo

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

vault.generic.Secret

On this page

On this page

Example Usage

Required Vault Capabilities

Drift Detection

Create Secret Resource

Constructor syntax

Parameters

Constructor example

Secret Resource Properties

Inputs

Outputs

Look up Existing Secret Resource

Import

Package Details

On this page

On this page