1. Packages
  2. HashiCorp Vault
  3. API Docs
  4. kv
  5. SecretV2
HashiCorp Vault v5.20.0 published on Tuesday, Feb 20, 2024 by Pulumi

vault.kv.SecretV2

Explore with Pulumi AI

vault logo
HashiCorp Vault v5.20.0 published on Tuesday, Feb 20, 2024 by Pulumi

    Writes a KV-V2 secret to a given path in Vault.

    For more information on Vault’s KV-V2 secret backend see here.

    Required Vault Capabilities

    Use of this resource requires the create or update capability (depending on whether the resource already exists) on the given path, the delete capability if the resource is removed from configuration, and the read capability for drift detection (by default).

    Custom Metadata Configuration Options

    • max_versions - (Optional) The number of versions to keep per key.

    • cas_required - (Optional) If true, all keys will require the cas parameter to be set on all write requests.

    • delete_version_after - (Optional) If set, specifies the length of time before a version is deleted. Accepts duration in integer seconds.

    • data - (Optional) A string to string map describing the secret.

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var kvv2 = new Vault.Mount("kvv2", new()
        {
            Path = "kvv2",
            Type = "kv",
            Options = 
            {
                { "version", "2" },
            },
            Description = "KV Version 2 secret engine mount",
        });
    
        var example = new Vault.Kv.SecretV2("example", new()
        {
            Mount = kvv2.Path,
            Cas = 1,
            DeleteAllVersions = true,
            DataJson = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["zip"] = "zap",
                ["foo"] = "bar",
            }),
            CustomMetadata = new Vault.kv.Inputs.SecretV2CustomMetadataArgs
            {
                MaxVersions = 5,
                Data = 
                {
                    { "foo", "vault@example.com" },
                    { "bar", "12345" },
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault"
    	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/kv"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		kvv2, err := vault.NewMount(ctx, "kvv2", &vault.MountArgs{
    			Path: pulumi.String("kvv2"),
    			Type: pulumi.String("kv"),
    			Options: pulumi.Map{
    				"version": pulumi.Any("2"),
    			},
    			Description: pulumi.String("KV Version 2 secret engine mount"),
    		})
    		if err != nil {
    			return err
    		}
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"zip": "zap",
    			"foo": "bar",
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		_, err = kv.NewSecretV2(ctx, "example", &kv.SecretV2Args{
    			Mount:             kvv2.Path,
    			Cas:               pulumi.Int(1),
    			DeleteAllVersions: pulumi.Bool(true),
    			DataJson:          pulumi.String(json0),
    			CustomMetadata: &kv.SecretV2CustomMetadataArgs{
    				MaxVersions: pulumi.Int(5),
    				Data: pulumi.Map{
    					"foo": pulumi.Any("vault@example.com"),
    					"bar": pulumi.Any("12345"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.Mount;
    import com.pulumi.vault.MountArgs;
    import com.pulumi.vault.kv.SecretV2;
    import com.pulumi.vault.kv.SecretV2Args;
    import com.pulumi.vault.kv.inputs.SecretV2CustomMetadataArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var kvv2 = new Mount("kvv2", MountArgs.builder()        
                .path("kvv2")
                .type("kv")
                .options(Map.of("version", "2"))
                .description("KV Version 2 secret engine mount")
                .build());
    
            var example = new SecretV2("example", SecretV2Args.builder()        
                .mount(kvv2.path())
                .cas(1)
                .deleteAllVersions(true)
                .dataJson(serializeJson(
                    jsonObject(
                        jsonProperty("zip", "zap"),
                        jsonProperty("foo", "bar")
                    )))
                .customMetadata(SecretV2CustomMetadataArgs.builder()
                    .maxVersions(5)
                    .data(Map.ofEntries(
                        Map.entry("foo", "vault@example.com"),
                        Map.entry("bar", "12345")
                    ))
                    .build())
                .build());
    
        }
    }
    
    import pulumi
    import json
    import pulumi_vault as vault
    
    kvv2 = vault.Mount("kvv2",
        path="kvv2",
        type="kv",
        options={
            "version": "2",
        },
        description="KV Version 2 secret engine mount")
    example = vault.kv.SecretV2("example",
        mount=kvv2.path,
        cas=1,
        delete_all_versions=True,
        data_json=json.dumps({
            "zip": "zap",
            "foo": "bar",
        }),
        custom_metadata=vault.kv.SecretV2CustomMetadataArgs(
            max_versions=5,
            data={
                "foo": "vault@example.com",
                "bar": "12345",
            },
        ))
    
    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    const kvv2 = new vault.Mount("kvv2", {
        path: "kvv2",
        type: "kv",
        options: {
            version: "2",
        },
        description: "KV Version 2 secret engine mount",
    });
    const example = new vault.kv.SecretV2("example", {
        mount: kvv2.path,
        cas: 1,
        deleteAllVersions: true,
        dataJson: JSON.stringify({
            zip: "zap",
            foo: "bar",
        }),
        customMetadata: {
            maxVersions: 5,
            data: {
                foo: "vault@example.com",
                bar: "12345",
            },
        },
    });
    
    resources:
      kvv2:
        type: vault:Mount
        properties:
          path: kvv2
          type: kv
          options:
            version: '2'
          description: KV Version 2 secret engine mount
      example:
        type: vault:kv:SecretV2
        properties:
          mount: ${kvv2.path}
          cas: 1
          deleteAllVersions: true
          dataJson:
            fn::toJSON:
              zip: zap
              foo: bar
          customMetadata:
            maxVersions: 5
            data:
              foo: vault@example.com
              bar: '12345'
    

    Create SecretV2 Resource

    new SecretV2(name: string, args: SecretV2Args, opts?: CustomResourceOptions);
    @overload
    def SecretV2(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 cas: Optional[int] = None,
                 custom_metadata: Optional[SecretV2CustomMetadataArgs] = None,
                 data_json: Optional[str] = None,
                 delete_all_versions: Optional[bool] = None,
                 disable_read: Optional[bool] = None,
                 mount: Optional[str] = None,
                 name: Optional[str] = None,
                 namespace: Optional[str] = None,
                 options: Optional[Mapping[str, Any]] = None)
    @overload
    def SecretV2(resource_name: str,
                 args: SecretV2Args,
                 opts: Optional[ResourceOptions] = None)
    func NewSecretV2(ctx *Context, name string, args SecretV2Args, opts ...ResourceOption) (*SecretV2, error)
    public SecretV2(string name, SecretV2Args args, CustomResourceOptions? opts = null)
    public SecretV2(String name, SecretV2Args args)
    public SecretV2(String name, SecretV2Args args, CustomResourceOptions options)
    
    type: vault:kv:SecretV2
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args SecretV2Args
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretV2Args
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretV2Args
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretV2Args
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretV2Args
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    SecretV2 Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SecretV2 resource accepts the following input properties:

    DataJson string
    JSON-encoded string that will be written as the secret data at the given path.
    Mount string
    Path where KV-V2 engine is mounted.
    Cas int
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    CustomMetadata Pulumi.Vault.kv.Inputs.SecretV2CustomMetadata
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    DeleteAllVersions bool
    If set to true, permanently deletes all versions for the specified key.
    DisableRead bool
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    Name string
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options Dictionary<string, object>
    An object that holds option settings.
    DataJson string
    JSON-encoded string that will be written as the secret data at the given path.
    Mount string
    Path where KV-V2 engine is mounted.
    Cas int
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    CustomMetadata SecretV2CustomMetadataArgs
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    DeleteAllVersions bool
    If set to true, permanently deletes all versions for the specified key.
    DisableRead bool
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    Name string
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options map[string]interface{}
    An object that holds option settings.
    dataJson String
    JSON-encoded string that will be written as the secret data at the given path.
    mount String
    Path where KV-V2 engine is mounted.
    cas Integer
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    customMetadata SecretV2CustomMetadata
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    deleteAllVersions Boolean
    If set to true, permanently deletes all versions for the specified key.
    disableRead Boolean
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    name String
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<String,Object>
    An object that holds option settings.
    dataJson string
    JSON-encoded string that will be written as the secret data at the given path.
    mount string
    Path where KV-V2 engine is mounted.
    cas number
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    customMetadata SecretV2CustomMetadata
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    deleteAllVersions boolean
    If set to true, permanently deletes all versions for the specified key.
    disableRead boolean
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    name string
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options {[key: string]: any}
    An object that holds option settings.
    data_json str
    JSON-encoded string that will be written as the secret data at the given path.
    mount str
    Path where KV-V2 engine is mounted.
    cas int
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    custom_metadata SecretV2CustomMetadataArgs
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    delete_all_versions bool
    If set to true, permanently deletes all versions for the specified key.
    disable_read bool
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    name str
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Mapping[str, Any]
    An object that holds option settings.
    dataJson String
    JSON-encoded string that will be written as the secret data at the given path.
    mount String
    Path where KV-V2 engine is mounted.
    cas Number
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    customMetadata Property Map
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    deleteAllVersions Boolean
    If set to true, permanently deletes all versions for the specified key.
    disableRead Boolean
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    name String
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<Any>
    An object that holds option settings.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretV2 resource produces the following output properties:

    Data Dictionary<string, object>
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    Id string
    The provider-assigned unique ID for this managed resource.
    Metadata Dictionary<string, object>
    Metadata associated with this secret read from Vault.
    Path string
    Full path where the KV-V2 secret will be written.
    Data map[string]interface{}
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    Id string
    The provider-assigned unique ID for this managed resource.
    Metadata map[string]interface{}
    Metadata associated with this secret read from Vault.
    Path string
    Full path where the KV-V2 secret will be written.
    data Map<String,Object>
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    id String
    The provider-assigned unique ID for this managed resource.
    metadata Map<String,Object>
    Metadata associated with this secret read from Vault.
    path String
    Full path where the KV-V2 secret will be written.
    data {[key: string]: any}
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    id string
    The provider-assigned unique ID for this managed resource.
    metadata {[key: string]: any}
    Metadata associated with this secret read from Vault.
    path string
    Full path where the KV-V2 secret will be written.
    data Mapping[str, Any]
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    id str
    The provider-assigned unique ID for this managed resource.
    metadata Mapping[str, Any]
    Metadata associated with this secret read from Vault.
    path str
    Full path where the KV-V2 secret will be written.
    data Map<Any>
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    id String
    The provider-assigned unique ID for this managed resource.
    metadata Map<Any>
    Metadata associated with this secret read from Vault.
    path String
    Full path where the KV-V2 secret will be written.

    Look up Existing SecretV2 Resource

    Get an existing SecretV2 resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretV2State, opts?: CustomResourceOptions): SecretV2
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            cas: Optional[int] = None,
            custom_metadata: Optional[SecretV2CustomMetadataArgs] = None,
            data: Optional[Mapping[str, Any]] = None,
            data_json: Optional[str] = None,
            delete_all_versions: Optional[bool] = None,
            disable_read: Optional[bool] = None,
            metadata: Optional[Mapping[str, Any]] = None,
            mount: Optional[str] = None,
            name: Optional[str] = None,
            namespace: Optional[str] = None,
            options: Optional[Mapping[str, Any]] = None,
            path: Optional[str] = None) -> SecretV2
    func GetSecretV2(ctx *Context, name string, id IDInput, state *SecretV2State, opts ...ResourceOption) (*SecretV2, error)
    public static SecretV2 Get(string name, Input<string> id, SecretV2State? state, CustomResourceOptions? opts = null)
    public static SecretV2 get(String name, Output<String> id, SecretV2State state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Cas int
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    CustomMetadata Pulumi.Vault.kv.Inputs.SecretV2CustomMetadata
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    Data Dictionary<string, object>
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    DataJson string
    JSON-encoded string that will be written as the secret data at the given path.
    DeleteAllVersions bool
    If set to true, permanently deletes all versions for the specified key.
    DisableRead bool
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    Metadata Dictionary<string, object>
    Metadata associated with this secret read from Vault.
    Mount string
    Path where KV-V2 engine is mounted.
    Name string
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options Dictionary<string, object>
    An object that holds option settings.
    Path string
    Full path where the KV-V2 secret will be written.
    Cas int
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    CustomMetadata SecretV2CustomMetadataArgs
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    Data map[string]interface{}
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    DataJson string
    JSON-encoded string that will be written as the secret data at the given path.
    DeleteAllVersions bool
    If set to true, permanently deletes all versions for the specified key.
    DisableRead bool
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    Metadata map[string]interface{}
    Metadata associated with this secret read from Vault.
    Mount string
    Path where KV-V2 engine is mounted.
    Name string
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options map[string]interface{}
    An object that holds option settings.
    Path string
    Full path where the KV-V2 secret will be written.
    cas Integer
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    customMetadata SecretV2CustomMetadata
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    data Map<String,Object>
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    dataJson String
    JSON-encoded string that will be written as the secret data at the given path.
    deleteAllVersions Boolean
    If set to true, permanently deletes all versions for the specified key.
    disableRead Boolean
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    metadata Map<String,Object>
    Metadata associated with this secret read from Vault.
    mount String
    Path where KV-V2 engine is mounted.
    name String
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<String,Object>
    An object that holds option settings.
    path String
    Full path where the KV-V2 secret will be written.
    cas number
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    customMetadata SecretV2CustomMetadata
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    data {[key: string]: any}
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    dataJson string
    JSON-encoded string that will be written as the secret data at the given path.
    deleteAllVersions boolean
    If set to true, permanently deletes all versions for the specified key.
    disableRead boolean
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    metadata {[key: string]: any}
    Metadata associated with this secret read from Vault.
    mount string
    Path where KV-V2 engine is mounted.
    name string
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options {[key: string]: any}
    An object that holds option settings.
    path string
    Full path where the KV-V2 secret will be written.
    cas int
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    custom_metadata SecretV2CustomMetadataArgs
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    data Mapping[str, Any]
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    data_json str
    JSON-encoded string that will be written as the secret data at the given path.
    delete_all_versions bool
    If set to true, permanently deletes all versions for the specified key.
    disable_read bool
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    metadata Mapping[str, Any]
    Metadata associated with this secret read from Vault.
    mount str
    Path where KV-V2 engine is mounted.
    name str
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Mapping[str, Any]
    An object that holds option settings.
    path str
    Full path where the KV-V2 secret will be written.
    cas Number
    This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret.
    customMetadata Property Map
    A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info.
    data Map<Any>
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    dataJson String
    JSON-encoded string that will be written as the secret data at the given path.
    deleteAllVersions Boolean
    If set to true, permanently deletes all versions for the specified key.
    disableRead Boolean
    If set to true, disables reading secret from Vault; note: drift won't be detected.
    metadata Map<Any>
    Metadata associated with this secret read from Vault.
    mount String
    Path where KV-V2 engine is mounted.
    name String
    Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<Any>
    An object that holds option settings.
    path String
    Full path where the KV-V2 secret will be written.

    Supporting Types

    SecretV2CustomMetadata, SecretV2CustomMetadataArgs

    CasRequired bool
    If true, all keys will require the cas parameter to be set on all write requests.
    Data Dictionary<string, object>
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    DeleteVersionAfter int
    If set, specifies the length of time before a version is deleted.
    MaxVersions int
    The number of versions to keep per key.
    CasRequired bool
    If true, all keys will require the cas parameter to be set on all write requests.
    Data map[string]interface{}
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    DeleteVersionAfter int
    If set, specifies the length of time before a version is deleted.
    MaxVersions int
    The number of versions to keep per key.
    casRequired Boolean
    If true, all keys will require the cas parameter to be set on all write requests.
    data Map<String,Object>
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    deleteVersionAfter Integer
    If set, specifies the length of time before a version is deleted.
    maxVersions Integer
    The number of versions to keep per key.
    casRequired boolean
    If true, all keys will require the cas parameter to be set on all write requests.
    data {[key: string]: any}
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    deleteVersionAfter number
    If set, specifies the length of time before a version is deleted.
    maxVersions number
    The number of versions to keep per key.
    cas_required bool
    If true, all keys will require the cas parameter to be set on all write requests.
    data Mapping[str, Any]
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    delete_version_after int
    If set, specifies the length of time before a version is deleted.
    max_versions int
    The number of versions to keep per key.
    casRequired Boolean
    If true, all keys will require the cas parameter to be set on all write requests.
    data Map<Any>
    A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
    deleteVersionAfter Number
    If set, specifies the length of time before a version is deleted.
    maxVersions Number
    The number of versions to keep per key.

    Import

    KV-V2 secrets can be imported using the path, e.g.

     $ pulumi import vault:kv/secretV2:SecretV2 example kvv2/data/secret
    

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v5.20.0 published on Tuesday, Feb 20, 2024 by Pulumi