Docs
PackagesHashiCorp Vault v6.1.0 published on Thursday, Apr 4, 2024 by Pulumi
vault.kv.SecretV2
Explore with Pulumi AI
Writes a KV-V2 secret to a given path in Vault.
For more information on Vault’s KV-V2 secret backend see here.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const kvv2 = new vault.Mount("kvv2", {
path: "kvv2",
type: "kv",
options: {
version: "2",
},
description: "KV Version 2 secret engine mount",
});
const example = new vault.kv.SecretV2("example", {
mount: kvv2.path,
cas: 1,
deleteAllVersions: true,
dataJson: JSON.stringify({
zip: "zap",
foo: "bar",
}),
customMetadata: {
maxVersions: 5,
data: {
foo: "vault@example.com",
bar: "12345",
},
},
});
import pulumi
import json
import pulumi_vault as vault
kvv2 = vault.Mount("kvv2",
path="kvv2",
type="kv",
options={
"version": "2",
},
description="KV Version 2 secret engine mount")
example = vault.kv.SecretV2("example",
mount=kvv2.path,
cas=1,
delete_all_versions=True,
data_json=json.dumps({
"zip": "zap",
"foo": "bar",
}),
custom_metadata=vault.kv.SecretV2CustomMetadataArgs(
max_versions=5,
data={
"foo": "vault@example.com",
"bar": "12345",
},
))
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kv"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
kvv2, err := vault.NewMount(ctx, "kvv2", &vault.MountArgs{
Path: pulumi.String("kvv2"),
Type: pulumi.String("kv"),
Options: pulumi.Map{
"version": pulumi.Any("2"),
},
Description: pulumi.String("KV Version 2 secret engine mount"),
})
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"zip": "zap",
"foo": "bar",
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = kv.NewSecretV2(ctx, "example", &kv.SecretV2Args{
Mount: kvv2.Path,
Cas: pulumi.Int(1),
DeleteAllVersions: pulumi.Bool(true),
DataJson: pulumi.String(json0),
CustomMetadata: &kv.SecretV2CustomMetadataArgs{
MaxVersions: pulumi.Int(5),
Data: pulumi.Map{
"foo": pulumi.Any("vault@example.com"),
"bar": pulumi.Any("12345"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var kvv2 = new Vault.Mount("kvv2", new()
{
Path = "kvv2",
Type = "kv",
Options =
{
{ "version", "2" },
},
Description = "KV Version 2 secret engine mount",
});
var example = new Vault.Kv.SecretV2("example", new()
{
Mount = kvv2.Path,
Cas = 1,
DeleteAllVersions = true,
DataJson = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["zip"] = "zap",
["foo"] = "bar",
}),
CustomMetadata = new Vault.kv.Inputs.SecretV2CustomMetadataArgs
{
MaxVersions = 5,
Data =
{
{ "foo", "vault@example.com" },
{ "bar", "12345" },
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.kv.SecretV2;
import com.pulumi.vault.kv.SecretV2Args;
import com.pulumi.vault.kv.inputs.SecretV2CustomMetadataArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var kvv2 = new Mount("kvv2", MountArgs.builder()
.path("kvv2")
.type("kv")
.options(Map.of("version", "2"))
.description("KV Version 2 secret engine mount")
.build());
var example = new SecretV2("example", SecretV2Args.builder()
.mount(kvv2.path())
.cas(1)
.deleteAllVersions(true)
.dataJson(serializeJson(
jsonObject(
jsonProperty("zip", "zap"),
jsonProperty("foo", "bar")
)))
.customMetadata(SecretV2CustomMetadataArgs.builder()
.maxVersions(5)
.data(Map.ofEntries(
Map.entry("foo", "vault@example.com"),
Map.entry("bar", "12345")
))
.build())
.build());
}
}
resources:
kvv2:
type: vault:Mount
properties:
path: kvv2
type: kv
options:
version: '2'
description: KV Version 2 secret engine mount
example:
type: vault:kv:SecretV2
properties:
mount: ${kvv2.path}
cas: 1
deleteAllVersions: true
dataJson:
fn::toJSON:
zip: zap
foo: bar
customMetadata:
maxVersions: 5
data:
foo: vault@example.com
bar: '12345'
Required Vault Capabilities
Use of this resource requires the create or update capability
(depending on whether the resource already exists) on the given path,
the delete capability if the resource is removed from configuration,
and the read capability for drift detection (by default).
Custom Metadata Configuration Options
max_versions- (Optional) The number of versions to keep per key.cas_required- (Optional) If true, all keys will require the cas parameter to be set on all write requests.delete_version_after- (Optional) If set, specifies the length of time before a version is deleted. Accepts duration in integer seconds.data- (Optional) A string to string map describing the secret.
Create SecretV2 Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecretV2(name: string, args: SecretV2Args, opts?: CustomResourceOptions);@overload
def SecretV2(resource_name: str,
args: SecretV2Args,
opts: Optional[ResourceOptions] = None)
@overload
def SecretV2(resource_name: str,
opts: Optional[ResourceOptions] = None,
data_json: Optional[str] = None,
mount: Optional[str] = None,
cas: Optional[int] = None,
custom_metadata: Optional[SecretV2CustomMetadataArgs] = None,
delete_all_versions: Optional[bool] = None,
disable_read: Optional[bool] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
options: Optional[Mapping[str, Any]] = None)func NewSecretV2(ctx *Context, name string, args SecretV2Args, opts ...ResourceOption) (*SecretV2, error)public SecretV2(string name, SecretV2Args args, CustomResourceOptions? opts = null)
public SecretV2(String name, SecretV2Args args)
public SecretV2(String name, SecretV2Args args, CustomResourceOptions options)
type: vault:kv:SecretV2
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecretV2Args
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretV2Args
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretV2Args
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretV2Args
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretV2Args
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Example
The following reference example uses placeholder values for all input properties.
var secretV2Resource = new Vault.Kv.SecretV2("secretV2Resource", new()
{
DataJson = "string",
Mount = "string",
Cas = 0,
CustomMetadata = new Vault.kv.Inputs.SecretV2CustomMetadataArgs
{
CasRequired = false,
Data =
{
{ "string", "any" },
},
DeleteVersionAfter = 0,
MaxVersions = 0,
},
DeleteAllVersions = false,
DisableRead = false,
Name = "string",
Namespace = "string",
Options =
{
{ "string", "any" },
},
});
example, err := kv.NewSecretV2(ctx, "secretV2Resource", &kv.SecretV2Args{
DataJson: pulumi.String("string"),
Mount: pulumi.String("string"),
Cas: pulumi.Int(0),
CustomMetadata: &kv.SecretV2CustomMetadataArgs{
CasRequired: pulumi.Bool(false),
Data: pulumi.Map{
"string": pulumi.Any("any"),
},
DeleteVersionAfter: pulumi.Int(0),
MaxVersions: pulumi.Int(0),
},
DeleteAllVersions: pulumi.Bool(false),
DisableRead: pulumi.Bool(false),
Name: pulumi.String("string"),
Namespace: pulumi.String("string"),
Options: pulumi.Map{
"string": pulumi.Any("any"),
},
})
var secretV2Resource = new SecretV2("secretV2Resource", SecretV2Args.builder()
.dataJson("string")
.mount("string")
.cas(0)
.customMetadata(SecretV2CustomMetadataArgs.builder()
.casRequired(false)
.data(Map.of("string", "any"))
.deleteVersionAfter(0)
.maxVersions(0)
.build())
.deleteAllVersions(false)
.disableRead(false)
.name("string")
.namespace("string")
.options(Map.of("string", "any"))
.build());
secret_v2_resource = vault.kv.SecretV2("secretV2Resource",
data_json="string",
mount="string",
cas=0,
custom_metadata=vault.kv.SecretV2CustomMetadataArgs(
cas_required=False,
data={
"string": "any",
},
delete_version_after=0,
max_versions=0,
),
delete_all_versions=False,
disable_read=False,
name="string",
namespace="string",
options={
"string": "any",
})
const secretV2Resource = new vault.kv.SecretV2("secretV2Resource", {
dataJson: "string",
mount: "string",
cas: 0,
customMetadata: {
casRequired: false,
data: {
string: "any",
},
deleteVersionAfter: 0,
maxVersions: 0,
},
deleteAllVersions: false,
disableRead: false,
name: "string",
namespace: "string",
options: {
string: "any",
},
});
type: vault:kv:SecretV2
properties:
cas: 0
customMetadata:
casRequired: false
data:
string: any
deleteVersionAfter: 0
maxVersions: 0
dataJson: string
deleteAllVersions: false
disableRead: false
mount: string
name: string
namespace: string
options:
string: any
SecretV2 Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The SecretV2 resource accepts the following input properties:
- Data
Json string - JSON-encoded string that will be written as the secret data at the given path.
- Mount string
- Path where KV-V2 engine is mounted.
- Cas int
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - Custom
Metadata Pulumi.Vault.kv. Inputs. Secret V2Custom Metadata - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- Delete
All boolVersions - If set to true, permanently deletes all versions for the specified key.
- Disable
Read bool - If set to true, disables reading secret from Vault; note: drift won't be detected.
- Name string
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options Dictionary<string, object>
- An object that holds option settings.
- Data
Json string - JSON-encoded string that will be written as the secret data at the given path.
- Mount string
- Path where KV-V2 engine is mounted.
- Cas int
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - Custom
Metadata SecretV2Custom Metadata Args - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- Delete
All boolVersions - If set to true, permanently deletes all versions for the specified key.
- Disable
Read bool - If set to true, disables reading secret from Vault; note: drift won't be detected.
- Name string
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options map[string]interface{}
- An object that holds option settings.
- data
Json String - JSON-encoded string that will be written as the secret data at the given path.
- mount String
- Path where KV-V2 engine is mounted.
- cas Integer
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - custom
Metadata SecretV2Custom Metadata - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- delete
All BooleanVersions - If set to true, permanently deletes all versions for the specified key.
- disable
Read Boolean - If set to true, disables reading secret from Vault; note: drift won't be detected.
- name String
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String,Object>
- An object that holds option settings.
- data
Json string - JSON-encoded string that will be written as the secret data at the given path.
- mount string
- Path where KV-V2 engine is mounted.
- cas number
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - custom
Metadata SecretV2Custom Metadata - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- delete
All booleanVersions - If set to true, permanently deletes all versions for the specified key.
- disable
Read boolean - If set to true, disables reading secret from Vault; note: drift won't be detected.
- name string
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options {[key: string]: any}
- An object that holds option settings.
- data_
json str - JSON-encoded string that will be written as the secret data at the given path.
- mount str
- Path where KV-V2 engine is mounted.
- cas int
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - custom_
metadata SecretV2Custom Metadata Args - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- delete_
all_ boolversions - If set to true, permanently deletes all versions for the specified key.
- disable_
read bool - If set to true, disables reading secret from Vault; note: drift won't be detected.
- name str
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Mapping[str, Any]
- An object that holds option settings.
- data
Json String - JSON-encoded string that will be written as the secret data at the given path.
- mount String
- Path where KV-V2 engine is mounted.
- cas Number
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - custom
Metadata Property Map - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- delete
All BooleanVersions - If set to true, permanently deletes all versions for the specified key.
- disable
Read Boolean - If set to true, disables reading secret from Vault; note: drift won't be detected.
- name String
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<Any>
- An object that holds option settings.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretV2 resource produces the following output properties:
- Data Dictionary<string, object>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- Id string
- The provider-assigned unique ID for this managed resource.
- Metadata Dictionary<string, object>
- Metadata associated with this secret read from Vault.
- Path string
- Full path where the KV-V2 secret will be written.
- Data map[string]interface{}
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- Id string
- The provider-assigned unique ID for this managed resource.
- Metadata map[string]interface{}
- Metadata associated with this secret read from Vault.
- Path string
- Full path where the KV-V2 secret will be written.
- data Map<String,Object>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- id String
- The provider-assigned unique ID for this managed resource.
- metadata Map<String,Object>
- Metadata associated with this secret read from Vault.
- path String
- Full path where the KV-V2 secret will be written.
- data {[key: string]: any}
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- id string
- The provider-assigned unique ID for this managed resource.
- metadata {[key: string]: any}
- Metadata associated with this secret read from Vault.
- path string
- Full path where the KV-V2 secret will be written.
- data Mapping[str, Any]
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- id str
- The provider-assigned unique ID for this managed resource.
- metadata Mapping[str, Any]
- Metadata associated with this secret read from Vault.
- path str
- Full path where the KV-V2 secret will be written.
- data Map<Any>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- id String
- The provider-assigned unique ID for this managed resource.
- metadata Map<Any>
- Metadata associated with this secret read from Vault.
- path String
- Full path where the KV-V2 secret will be written.
Look up Existing SecretV2 Resource
Get an existing SecretV2 resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretV2State, opts?: CustomResourceOptions): SecretV2@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
cas: Optional[int] = None,
custom_metadata: Optional[SecretV2CustomMetadataArgs] = None,
data: Optional[Mapping[str, Any]] = None,
data_json: Optional[str] = None,
delete_all_versions: Optional[bool] = None,
disable_read: Optional[bool] = None,
metadata: Optional[Mapping[str, Any]] = None,
mount: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
options: Optional[Mapping[str, Any]] = None,
path: Optional[str] = None) -> SecretV2func GetSecretV2(ctx *Context, name string, id IDInput, state *SecretV2State, opts ...ResourceOption) (*SecretV2, error)public static SecretV2 Get(string name, Input<string> id, SecretV2State? state, CustomResourceOptions? opts = null)public static SecretV2 get(String name, Output<String> id, SecretV2State state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Cas int
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - Custom
Metadata Pulumi.Vault.kv. Inputs. Secret V2Custom Metadata - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- Data Dictionary<string, object>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- Data
Json string - JSON-encoded string that will be written as the secret data at the given path.
- Delete
All boolVersions - If set to true, permanently deletes all versions for the specified key.
- Disable
Read bool - If set to true, disables reading secret from Vault; note: drift won't be detected.
- Metadata Dictionary<string, object>
- Metadata associated with this secret read from Vault.
- Mount string
- Path where KV-V2 engine is mounted.
- Name string
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options Dictionary<string, object>
- An object that holds option settings.
- Path string
- Full path where the KV-V2 secret will be written.
- Cas int
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - Custom
Metadata SecretV2Custom Metadata Args - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- Data map[string]interface{}
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- Data
Json string - JSON-encoded string that will be written as the secret data at the given path.
- Delete
All boolVersions - If set to true, permanently deletes all versions for the specified key.
- Disable
Read bool - If set to true, disables reading secret from Vault; note: drift won't be detected.
- Metadata map[string]interface{}
- Metadata associated with this secret read from Vault.
- Mount string
- Path where KV-V2 engine is mounted.
- Name string
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options map[string]interface{}
- An object that holds option settings.
- Path string
- Full path where the KV-V2 secret will be written.
- cas Integer
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - custom
Metadata SecretV2Custom Metadata - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- data Map<String,Object>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- data
Json String - JSON-encoded string that will be written as the secret data at the given path.
- delete
All BooleanVersions - If set to true, permanently deletes all versions for the specified key.
- disable
Read Boolean - If set to true, disables reading secret from Vault; note: drift won't be detected.
- metadata Map<String,Object>
- Metadata associated with this secret read from Vault.
- mount String
- Path where KV-V2 engine is mounted.
- name String
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String,Object>
- An object that holds option settings.
- path String
- Full path where the KV-V2 secret will be written.
- cas number
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - custom
Metadata SecretV2Custom Metadata - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- data {[key: string]: any}
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- data
Json string - JSON-encoded string that will be written as the secret data at the given path.
- delete
All booleanVersions - If set to true, permanently deletes all versions for the specified key.
- disable
Read boolean - If set to true, disables reading secret from Vault; note: drift won't be detected.
- metadata {[key: string]: any}
- Metadata associated with this secret read from Vault.
- mount string
- Path where KV-V2 engine is mounted.
- name string
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options {[key: string]: any}
- An object that holds option settings.
- path string
- Full path where the KV-V2 secret will be written.
- cas int
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - custom_
metadata SecretV2Custom Metadata Args - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- data Mapping[str, Any]
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- data_
json str - JSON-encoded string that will be written as the secret data at the given path.
- delete_
all_ boolversions - If set to true, permanently deletes all versions for the specified key.
- disable_
read bool - If set to true, disables reading secret from Vault; note: drift won't be detected.
- metadata Mapping[str, Any]
- Metadata associated with this secret read from Vault.
- mount str
- Path where KV-V2 engine is mounted.
- name str
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Mapping[str, Any]
- An object that holds option settings.
- path str
- Full path where the KV-V2 secret will be written.
- cas Number
- This flag is required if
cas_requiredis set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. - custom
Metadata Property Map - A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
- data Map<Any>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- data
Json String - JSON-encoded string that will be written as the secret data at the given path.
- delete
All BooleanVersions - If set to true, permanently deletes all versions for the specified key.
- disable
Read Boolean - If set to true, disables reading secret from Vault; note: drift won't be detected.
- metadata Map<Any>
- Metadata associated with this secret read from Vault.
- mount String
- Path where KV-V2 engine is mounted.
- name String
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at
kvv2/data/foo/bar/bazthe name isfoo/bar/baz. - namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<Any>
- An object that holds option settings.
- path String
- Full path where the KV-V2 secret will be written.
Supporting Types
SecretV2CustomMetadata, SecretV2CustomMetadataArgs
- Cas
Required bool - If true, all keys will require the cas parameter to be set on all write requests.
- Data Dictionary<string, object>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- Delete
Version intAfter - If set, specifies the length of time before a version is deleted.
- Max
Versions int - The number of versions to keep per key.
- Cas
Required bool - If true, all keys will require the cas parameter to be set on all write requests.
- Data map[string]interface{}
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- Delete
Version intAfter - If set, specifies the length of time before a version is deleted.
- Max
Versions int - The number of versions to keep per key.
- cas
Required Boolean - If true, all keys will require the cas parameter to be set on all write requests.
- data Map<String,Object>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- delete
Version IntegerAfter - If set, specifies the length of time before a version is deleted.
- max
Versions Integer - The number of versions to keep per key.
- cas
Required boolean - If true, all keys will require the cas parameter to be set on all write requests.
- data {[key: string]: any}
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- delete
Version numberAfter - If set, specifies the length of time before a version is deleted.
- max
Versions number - The number of versions to keep per key.
- cas_
required bool - If true, all keys will require the cas parameter to be set on all write requests.
- data Mapping[str, Any]
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- delete_
version_ intafter - If set, specifies the length of time before a version is deleted.
- max_
versions int - The number of versions to keep per key.
- cas
Required Boolean - If true, all keys will require the cas parameter to be set on all write requests.
- data Map<Any>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- delete
Version NumberAfter - If set, specifies the length of time before a version is deleted.
- max
Versions Number - The number of versions to keep per key.
Import
KV-V2 secrets can be imported using the path, e.g.
$ pulumi import vault:kv/secretV2:SecretV2 example kvv2/data/secret
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.