1. Packages
  2. HashiCorp Vault
  3. API Docs
  4. kubernetes
  5. getServiceAccountToken
HashiCorp Vault v6.0.0 published on Monday, Mar 25, 2024 by Pulumi

vault.kubernetes.getServiceAccountToken

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.0.0 published on Monday, Mar 25, 2024 by Pulumi

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as fs from "fs";
    import * as vault from "@pulumi/vault";
    
    const config = new vault.kubernetes.SecretBackend("config", {
        path: "kubernetes",
        description: "kubernetes secrets engine description",
        kubernetesHost: "https://127.0.0.1:61233",
        kubernetesCaCert: fs.readFileSync("/path/to/cert", "utf8"),
        serviceAccountJwt: fs.readFileSync("/path/to/token", "utf8"),
        disableLocalCaJwt: false,
    });
    const role = new vault.kubernetes.SecretBackendRole("role", {
        backend: config.path,
        allowedKubernetesNamespaces: ["*"],
        tokenMaxTtl: 43200,
        tokenDefaultTtl: 21600,
        serviceAccountName: "test-service-account-with-generated-token",
        extraLabels: {
            id: "abc123",
            name: "some_name",
        },
        extraAnnotations: {
            env: "development",
            location: "earth",
        },
    });
    const token = vault.kubernetes.getServiceAccountTokenOutput({
        backend: config.path,
        role: role.name,
        kubernetesNamespace: "test",
        clusterRoleBinding: false,
        ttl: "1h",
    });
    
    import pulumi
    import pulumi_vault as vault
    
    config = vault.kubernetes.SecretBackend("config",
        path="kubernetes",
        description="kubernetes secrets engine description",
        kubernetes_host="https://127.0.0.1:61233",
        kubernetes_ca_cert=(lambda path: open(path).read())("/path/to/cert"),
        service_account_jwt=(lambda path: open(path).read())("/path/to/token"),
        disable_local_ca_jwt=False)
    role = vault.kubernetes.SecretBackendRole("role",
        backend=config.path,
        allowed_kubernetes_namespaces=["*"],
        token_max_ttl=43200,
        token_default_ttl=21600,
        service_account_name="test-service-account-with-generated-token",
        extra_labels={
            "id": "abc123",
            "name": "some_name",
        },
        extra_annotations={
            "env": "development",
            "location": "earth",
        })
    token = vault.kubernetes.get_service_account_token_output(backend=config.path,
        role=role.name,
        kubernetes_namespace="test",
        cluster_role_binding=False,
        ttl="1h")
    
    package main
    
    import (
    	"os"
    
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func readFileOrPanic(path string) pulumi.StringPtrInput {
    	data, err := os.ReadFile(path)
    	if err != nil {
    		panic(err.Error())
    	}
    	return pulumi.String(string(data))
    }
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
    			Path:              pulumi.String("kubernetes"),
    			Description:       pulumi.String("kubernetes secrets engine description"),
    			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
    			KubernetesCaCert:  readFileOrPanic("/path/to/cert"),
    			ServiceAccountJwt: readFileOrPanic("/path/to/token"),
    			DisableLocalCaJwt: pulumi.Bool(false),
    		})
    		if err != nil {
    			return err
    		}
    		role, err := kubernetes.NewSecretBackendRole(ctx, "role", &kubernetes.SecretBackendRoleArgs{
    			Backend: config.Path,
    			AllowedKubernetesNamespaces: pulumi.StringArray{
    				pulumi.String("*"),
    			},
    			TokenMaxTtl:        pulumi.Int(43200),
    			TokenDefaultTtl:    pulumi.Int(21600),
    			ServiceAccountName: pulumi.String("test-service-account-with-generated-token"),
    			ExtraLabels: pulumi.StringMap{
    				"id":   pulumi.String("abc123"),
    				"name": pulumi.String("some_name"),
    			},
    			ExtraAnnotations: pulumi.StringMap{
    				"env":      pulumi.String("development"),
    				"location": pulumi.String("earth"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_ = kubernetes.GetServiceAccountTokenOutput(ctx, kubernetes.GetServiceAccountTokenOutputArgs{
    			Backend:             config.Path,
    			Role:                role.Name,
    			KubernetesNamespace: pulumi.String("test"),
    			ClusterRoleBinding:  pulumi.Bool(false),
    			Ttl:                 pulumi.String("1h"),
    		}, nil)
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var config = new Vault.Kubernetes.SecretBackend("config", new()
        {
            Path = "kubernetes",
            Description = "kubernetes secrets engine description",
            KubernetesHost = "https://127.0.0.1:61233",
            KubernetesCaCert = File.ReadAllText("/path/to/cert"),
            ServiceAccountJwt = File.ReadAllText("/path/to/token"),
            DisableLocalCaJwt = false,
        });
    
        var role = new Vault.Kubernetes.SecretBackendRole("role", new()
        {
            Backend = config.Path,
            AllowedKubernetesNamespaces = new[]
            {
                "*",
            },
            TokenMaxTtl = 43200,
            TokenDefaultTtl = 21600,
            ServiceAccountName = "test-service-account-with-generated-token",
            ExtraLabels = 
            {
                { "id", "abc123" },
                { "name", "some_name" },
            },
            ExtraAnnotations = 
            {
                { "env", "development" },
                { "location", "earth" },
            },
        });
    
        var token = Vault.Kubernetes.GetServiceAccountToken.Invoke(new()
        {
            Backend = config.Path,
            Role = role.Name,
            KubernetesNamespace = "test",
            ClusterRoleBinding = false,
            Ttl = "1h",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.kubernetes.SecretBackend;
    import com.pulumi.vault.kubernetes.SecretBackendArgs;
    import com.pulumi.vault.kubernetes.SecretBackendRole;
    import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
    import com.pulumi.vault.kubernetes.KubernetesFunctions;
    import com.pulumi.vault.kubernetes.inputs.GetServiceAccountTokenArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var config = new SecretBackend("config", SecretBackendArgs.builder()        
                .path("kubernetes")
                .description("kubernetes secrets engine description")
                .kubernetesHost("https://127.0.0.1:61233")
                .kubernetesCaCert(Files.readString(Paths.get("/path/to/cert")))
                .serviceAccountJwt(Files.readString(Paths.get("/path/to/token")))
                .disableLocalCaJwt(false)
                .build());
    
            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()        
                .backend(config.path())
                .allowedKubernetesNamespaces("*")
                .tokenMaxTtl(43200)
                .tokenDefaultTtl(21600)
                .serviceAccountName("test-service-account-with-generated-token")
                .extraLabels(Map.ofEntries(
                    Map.entry("id", "abc123"),
                    Map.entry("name", "some_name")
                ))
                .extraAnnotations(Map.ofEntries(
                    Map.entry("env", "development"),
                    Map.entry("location", "earth")
                ))
                .build());
    
            final var token = KubernetesFunctions.getServiceAccountToken(GetServiceAccountTokenArgs.builder()
                .backend(config.path())
                .role(role.name())
                .kubernetesNamespace("test")
                .clusterRoleBinding(false)
                .ttl("1h")
                .build());
    
        }
    }
    
    resources:
      config:
        type: vault:kubernetes:SecretBackend
        properties:
          path: kubernetes
          description: kubernetes secrets engine description
          kubernetesHost: https://127.0.0.1:61233
          kubernetesCaCert:
            fn::readFile: /path/to/cert
          serviceAccountJwt:
            fn::readFile: /path/to/token
          disableLocalCaJwt: false
      role:
        type: vault:kubernetes:SecretBackendRole
        properties:
          backend: ${config.path}
          allowedKubernetesNamespaces:
            - '*'
          tokenMaxTtl: 43200
          tokenDefaultTtl: 21600
          serviceAccountName: test-service-account-with-generated-token
          extraLabels:
            id: abc123
            name: some_name
          extraAnnotations:
            env: development
            location: earth
    variables:
      token:
        fn::invoke:
          Function: vault:kubernetes:getServiceAccountToken
          Arguments:
            backend: ${config.path}
            role: ${role.name}
            kubernetesNamespace: test
            clusterRoleBinding: false
            ttl: 1h
    

    Using getServiceAccountToken

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getServiceAccountToken(args: GetServiceAccountTokenArgs, opts?: InvokeOptions): Promise<GetServiceAccountTokenResult>
    function getServiceAccountTokenOutput(args: GetServiceAccountTokenOutputArgs, opts?: InvokeOptions): Output<GetServiceAccountTokenResult>
    def get_service_account_token(backend: Optional[str] = None,
                                  cluster_role_binding: Optional[bool] = None,
                                  kubernetes_namespace: Optional[str] = None,
                                  namespace: Optional[str] = None,
                                  role: Optional[str] = None,
                                  ttl: Optional[str] = None,
                                  opts: Optional[InvokeOptions] = None) -> GetServiceAccountTokenResult
    def get_service_account_token_output(backend: Optional[pulumi.Input[str]] = None,
                                  cluster_role_binding: Optional[pulumi.Input[bool]] = None,
                                  kubernetes_namespace: Optional[pulumi.Input[str]] = None,
                                  namespace: Optional[pulumi.Input[str]] = None,
                                  role: Optional[pulumi.Input[str]] = None,
                                  ttl: Optional[pulumi.Input[str]] = None,
                                  opts: Optional[InvokeOptions] = None) -> Output[GetServiceAccountTokenResult]
    func GetServiceAccountToken(ctx *Context, args *GetServiceAccountTokenArgs, opts ...InvokeOption) (*GetServiceAccountTokenResult, error)
    func GetServiceAccountTokenOutput(ctx *Context, args *GetServiceAccountTokenOutputArgs, opts ...InvokeOption) GetServiceAccountTokenResultOutput

    > Note: This function is named GetServiceAccountToken in the Go SDK.

    public static class GetServiceAccountToken 
    {
        public static Task<GetServiceAccountTokenResult> InvokeAsync(GetServiceAccountTokenArgs args, InvokeOptions? opts = null)
        public static Output<GetServiceAccountTokenResult> Invoke(GetServiceAccountTokenInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetServiceAccountTokenResult> getServiceAccountToken(GetServiceAccountTokenArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: vault:kubernetes/getServiceAccountToken:getServiceAccountToken
      arguments:
        # arguments dictionary

    The following arguments are supported:

    Backend string
    The Kubernetes secret backend to generate service account tokens from.
    KubernetesNamespace string
    The name of the Kubernetes namespace in which to generate the credentials.
    Role string
    The name of the Kubernetes secret backend role to generate service account tokens from.
    ClusterRoleBinding bool
    If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
    Namespace string
    The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Ttl string
    The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
    Backend string
    The Kubernetes secret backend to generate service account tokens from.
    KubernetesNamespace string
    The name of the Kubernetes namespace in which to generate the credentials.
    Role string
    The name of the Kubernetes secret backend role to generate service account tokens from.
    ClusterRoleBinding bool
    If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
    Namespace string
    The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Ttl string
    The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
    backend String
    The Kubernetes secret backend to generate service account tokens from.
    kubernetesNamespace String
    The name of the Kubernetes namespace in which to generate the credentials.
    role String
    The name of the Kubernetes secret backend role to generate service account tokens from.
    clusterRoleBinding Boolean
    If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
    namespace String
    The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ttl String
    The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
    backend string
    The Kubernetes secret backend to generate service account tokens from.
    kubernetesNamespace string
    The name of the Kubernetes namespace in which to generate the credentials.
    role string
    The name of the Kubernetes secret backend role to generate service account tokens from.
    clusterRoleBinding boolean
    If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
    namespace string
    The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ttl string
    The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
    backend str
    The Kubernetes secret backend to generate service account tokens from.
    kubernetes_namespace str
    The name of the Kubernetes namespace in which to generate the credentials.
    role str
    The name of the Kubernetes secret backend role to generate service account tokens from.
    cluster_role_binding bool
    If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
    namespace str
    The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ttl str
    The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
    backend String
    The Kubernetes secret backend to generate service account tokens from.
    kubernetesNamespace String
    The name of the Kubernetes namespace in which to generate the credentials.
    role String
    The name of the Kubernetes secret backend role to generate service account tokens from.
    clusterRoleBinding Boolean
    If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
    namespace String
    The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ttl String
    The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.

    getServiceAccountToken Result

    The following output properties are available:

    Backend string
    Id string
    The provider-assigned unique ID for this managed resource.
    KubernetesNamespace string
    LeaseDuration int
    The duration of the lease in seconds.
    LeaseId string
    The lease identifier assigned by Vault.
    LeaseRenewable bool
    True if the duration of this lease can be extended through renewal.
    Role string
    ServiceAccountName string
    The name of the service account associated with the token.
    ServiceAccountNamespace string
    The Kubernetes namespace that the service account resides in.
    ServiceAccountToken string
    The Kubernetes service account token.
    ClusterRoleBinding bool
    Namespace string
    Ttl string
    Backend string
    Id string
    The provider-assigned unique ID for this managed resource.
    KubernetesNamespace string
    LeaseDuration int
    The duration of the lease in seconds.
    LeaseId string
    The lease identifier assigned by Vault.
    LeaseRenewable bool
    True if the duration of this lease can be extended through renewal.
    Role string
    ServiceAccountName string
    The name of the service account associated with the token.
    ServiceAccountNamespace string
    The Kubernetes namespace that the service account resides in.
    ServiceAccountToken string
    The Kubernetes service account token.
    ClusterRoleBinding bool
    Namespace string
    Ttl string
    backend String
    id String
    The provider-assigned unique ID for this managed resource.
    kubernetesNamespace String
    leaseDuration Integer
    The duration of the lease in seconds.
    leaseId String
    The lease identifier assigned by Vault.
    leaseRenewable Boolean
    True if the duration of this lease can be extended through renewal.
    role String
    serviceAccountName String
    The name of the service account associated with the token.
    serviceAccountNamespace String
    The Kubernetes namespace that the service account resides in.
    serviceAccountToken String
    The Kubernetes service account token.
    clusterRoleBinding Boolean
    namespace String
    ttl String
    backend string
    id string
    The provider-assigned unique ID for this managed resource.
    kubernetesNamespace string
    leaseDuration number
    The duration of the lease in seconds.
    leaseId string
    The lease identifier assigned by Vault.
    leaseRenewable boolean
    True if the duration of this lease can be extended through renewal.
    role string
    serviceAccountName string
    The name of the service account associated with the token.
    serviceAccountNamespace string
    The Kubernetes namespace that the service account resides in.
    serviceAccountToken string
    The Kubernetes service account token.
    clusterRoleBinding boolean
    namespace string
    ttl string
    backend str
    id str
    The provider-assigned unique ID for this managed resource.
    kubernetes_namespace str
    lease_duration int
    The duration of the lease in seconds.
    lease_id str
    The lease identifier assigned by Vault.
    lease_renewable bool
    True if the duration of this lease can be extended through renewal.
    role str
    service_account_name str
    The name of the service account associated with the token.
    service_account_namespace str
    The Kubernetes namespace that the service account resides in.
    service_account_token str
    The Kubernetes service account token.
    cluster_role_binding bool
    namespace str
    ttl str
    backend String
    id String
    The provider-assigned unique ID for this managed resource.
    kubernetesNamespace String
    leaseDuration Number
    The duration of the lease in seconds.
    leaseId String
    The lease identifier assigned by Vault.
    leaseRenewable Boolean
    True if the duration of this lease can be extended through renewal.
    role String
    serviceAccountName String
    The name of the service account associated with the token.
    serviceAccountNamespace String
    The Kubernetes namespace that the service account resides in.
    serviceAccountToken String
    The Kubernetes service account token.
    clusterRoleBinding Boolean
    namespace String
    ttl String

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.0.0 published on Monday, Mar 25, 2024 by Pulumi