vault.secrets.SyncGcpDestination

HashiCorp Vault v7.8.0, Mar 31 26

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";

const gcp = new vault.secrets.SyncGcpDestination("gcp", {
    name: "gcp-dest",
    projectId: "gcp-project-id",
    credentials: std.file({
        input: credentialsFile,
    }).then(invoke => invoke.result),
    secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    customTags: {
        foo: "bar",
    },
});

import pulumi
import pulumi_std as std
import pulumi_vault as vault

gcp = vault.secrets.SyncGcpDestination("gcp",
    name="gcp-dest",
    project_id="gcp-project-id",
    credentials=std.file(input=credentials_file).result,
    secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    custom_tags={
        "foo": "bar",
    })

package main

import (
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: credentialsFile,
		}, nil)
		if err != nil {
			return err
		}
		_, err = secrets.NewSyncGcpDestination(ctx, "gcp", &secrets.SyncGcpDestinationArgs{
			Name:               pulumi.String("gcp-dest"),
			ProjectId:          pulumi.String("gcp-project-id"),
			Credentials:        pulumi.String(invokeFile.Result),
			SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
			CustomTags: pulumi.StringMap{
				"foo": pulumi.String("bar"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var gcp = new Vault.Secrets.SyncGcpDestination("gcp", new()
    {
        Name = "gcp-dest",
        ProjectId = "gcp-project-id",
        Credentials = Std.File.Invoke(new()
        {
            Input = credentialsFile,
        }).Apply(invoke => invoke.Result),
        SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
        CustomTags = 
        {
            { "foo", "bar" },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncGcpDestination;
import com.pulumi.vault.secrets.SyncGcpDestinationArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var gcp = new SyncGcpDestination("gcp", SyncGcpDestinationArgs.builder()
            .name("gcp-dest")
            .projectId("gcp-project-id")
            .credentials(StdFunctions.file(FileArgs.builder()
                .input(credentialsFile)
                .build()).result())
            .secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
            .customTags(Map.of("foo", "bar"))
            .build());

    }
}

resources:
  gcp:
    type: vault:secrets:SyncGcpDestination
    properties:
      name: gcp-dest
      projectId: gcp-project-id
      credentials:
        fn::invoke:
          function: std:file
          arguments:
            input: ${credentialsFile}
          return: result
      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
      customTags:
        foo: bar

Example coming soon!

With Networking Configuration (Vault 1.19+)

import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";

const gcpNetworking = new vault.secrets.SyncGcpDestination("gcp_networking", {
    name: "gcp-dest-networking",
    projectId: "gcp-project-id",
    credentials: std.file({
        input: credentialsFile,
    }).then(invoke => invoke.result),
    secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    allowedIpv4Addresses: [
        "10.0.0.0/8",
        "192.168.0.0/16",
    ],
    allowedIpv6Addresses: ["2001:db8::/32"],
    allowedPorts: [
        443,
        8443,
    ],
    disableStrictNetworking: false,
});

import pulumi
import pulumi_std as std
import pulumi_vault as vault

gcp_networking = vault.secrets.SyncGcpDestination("gcp_networking",
    name="gcp-dest-networking",
    project_id="gcp-project-id",
    credentials=std.file(input=credentials_file).result,
    secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    allowed_ipv4_addresses=[
        "10.0.0.0/8",
        "192.168.0.0/16",
    ],
    allowed_ipv6_addresses=["2001:db8::/32"],
    allowed_ports=[
        443,
        8443,
    ],
    disable_strict_networking=False)

package main

import (
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: credentialsFile,
		}, nil)
		if err != nil {
			return err
		}
		_, err = secrets.NewSyncGcpDestination(ctx, "gcp_networking", &secrets.SyncGcpDestinationArgs{
			Name:               pulumi.String("gcp-dest-networking"),
			ProjectId:          pulumi.String("gcp-project-id"),
			Credentials:        pulumi.String(invokeFile.Result),
			SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
			AllowedIpv4Addresses: pulumi.StringArray{
				pulumi.String("10.0.0.0/8"),
				pulumi.String("192.168.0.0/16"),
			},
			AllowedIpv6Addresses: pulumi.StringArray{
				pulumi.String("2001:db8::/32"),
			},
			AllowedPorts: pulumi.IntArray{
				pulumi.Int(443),
				pulumi.Int(8443),
			},
			DisableStrictNetworking: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var gcpNetworking = new Vault.Secrets.SyncGcpDestination("gcp_networking", new()
    {
        Name = "gcp-dest-networking",
        ProjectId = "gcp-project-id",
        Credentials = Std.File.Invoke(new()
        {
            Input = credentialsFile,
        }).Apply(invoke => invoke.Result),
        SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
        AllowedIpv4Addresses = new[]
        {
            "10.0.0.0/8",
            "192.168.0.0/16",
        },
        AllowedIpv6Addresses = new[]
        {
            "2001:db8::/32",
        },
        AllowedPorts = new[]
        {
            443,
            8443,
        },
        DisableStrictNetworking = false,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncGcpDestination;
import com.pulumi.vault.secrets.SyncGcpDestinationArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var gcpNetworking = new SyncGcpDestination("gcpNetworking", SyncGcpDestinationArgs.builder()
            .name("gcp-dest-networking")
            .projectId("gcp-project-id")
            .credentials(StdFunctions.file(FileArgs.builder()
                .input(credentialsFile)
                .build()).result())
            .secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
            .allowedIpv4Addresses(            
                "10.0.0.0/8",
                "192.168.0.0/16")
            .allowedIpv6Addresses("2001:db8::/32")
            .allowedPorts(            
                443,
                8443)
            .disableStrictNetworking(false)
            .build());

    }
}

resources:
  gcpNetworking:
    type: vault:secrets:SyncGcpDestination
    name: gcp_networking
    properties:
      name: gcp-dest-networking
      projectId: gcp-project-id
      credentials:
        fn::invoke:
          function: std:file
          arguments:
            input: ${credentialsFile}
          return: result
      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
      allowedIpv4Addresses:
        - 10.0.0.0/8
        - 192.168.0.0/16
      allowedIpv6Addresses:
        - 2001:db8::/32
      allowedPorts:
        - 443
        - 8443
      disableStrictNetworking: false

Example coming soon!

With Global Encryption (Vault 1.19+)

import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";

const gcpEncryption = new vault.secrets.SyncGcpDestination("gcp_encryption", {
    name: "gcp-dest-encryption",
    projectId: "gcp-project-id",
    credentials: std.file({
        input: credentialsFile,
    }).then(invoke => invoke.result),
    secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    globalKmsKey: "projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key",
});

import pulumi
import pulumi_std as std
import pulumi_vault as vault

gcp_encryption = vault.secrets.SyncGcpDestination("gcp_encryption",
    name="gcp-dest-encryption",
    project_id="gcp-project-id",
    credentials=std.file(input=credentials_file).result,
    secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    global_kms_key="projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key")

package main

import (
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: credentialsFile,
		}, nil)
		if err != nil {
			return err
		}
		_, err = secrets.NewSyncGcpDestination(ctx, "gcp_encryption", &secrets.SyncGcpDestinationArgs{
			Name:               pulumi.String("gcp-dest-encryption"),
			ProjectId:          pulumi.String("gcp-project-id"),
			Credentials:        pulumi.String(invokeFile.Result),
			SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
			GlobalKmsKey:       pulumi.String("projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var gcpEncryption = new Vault.Secrets.SyncGcpDestination("gcp_encryption", new()
    {
        Name = "gcp-dest-encryption",
        ProjectId = "gcp-project-id",
        Credentials = Std.File.Invoke(new()
        {
            Input = credentialsFile,
        }).Apply(invoke => invoke.Result),
        SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
        GlobalKmsKey = "projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncGcpDestination;
import com.pulumi.vault.secrets.SyncGcpDestinationArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var gcpEncryption = new SyncGcpDestination("gcpEncryption", SyncGcpDestinationArgs.builder()
            .name("gcp-dest-encryption")
            .projectId("gcp-project-id")
            .credentials(StdFunctions.file(FileArgs.builder()
                .input(credentialsFile)
                .build()).result())
            .secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
            .globalKmsKey("projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key")
            .build());

    }
}

resources:
  gcpEncryption:
    type: vault:secrets:SyncGcpDestination
    name: gcp_encryption
    properties:
      name: gcp-dest-encryption
      projectId: gcp-project-id
      credentials:
        fn::invoke:
          function: std:file
          arguments:
            input: ${credentialsFile}
          return: result
      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
      globalKmsKey: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key

Example coming soon!

With Multi-Region Replication and Regional Encryption (Vault 1.19+)

import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";

const gcpReplicationEncryption = new vault.secrets.SyncGcpDestination("gcp_replication_encryption", {
    name: "gcp-dest-replication-encryption",
    projectId: "gcp-project-id",
    credentials: std.file({
        input: credentialsFile,
    }).then(invoke => invoke.result),
    secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}",
    granularity: "secret-key",
    locationalKmsKeys: {
        "us-central1": "projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key",
        "us-east1": "projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key",
    },
    replicationLocations: [
        "us-central1",
        "us-east1",
    ],
});

import pulumi
import pulumi_std as std
import pulumi_vault as vault

gcp_replication_encryption = vault.secrets.SyncGcpDestination("gcp_replication_encryption",
    name="gcp-dest-replication-encryption",
    project_id="gcp-project-id",
    credentials=std.file(input=credentials_file).result,
    secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}",
    granularity="secret-key",
    locational_kms_keys={
        "us-central1": "projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key",
        "us-east1": "projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key",
    },
    replication_locations=[
        "us-central1",
        "us-east1",
    ])

package main

import (
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: credentialsFile,
		}, nil)
		if err != nil {
			return err
		}
		_, err = secrets.NewSyncGcpDestination(ctx, "gcp_replication_encryption", &secrets.SyncGcpDestinationArgs{
			Name:               pulumi.String("gcp-dest-replication-encryption"),
			ProjectId:          pulumi.String("gcp-project-id"),
			Credentials:        pulumi.String(invokeFile.Result),
			SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}"),
			Granularity:        pulumi.String("secret-key"),
			LocationalKmsKeys: pulumi.StringMap{
				"us-central1": pulumi.String("projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key"),
				"us-east1":    pulumi.String("projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key"),
			},
			ReplicationLocations: pulumi.StringArray{
				pulumi.String("us-central1"),
				pulumi.String("us-east1"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var gcpReplicationEncryption = new Vault.Secrets.SyncGcpDestination("gcp_replication_encryption", new()
    {
        Name = "gcp-dest-replication-encryption",
        ProjectId = "gcp-project-id",
        Credentials = Std.File.Invoke(new()
        {
            Input = credentialsFile,
        }).Apply(invoke => invoke.Result),
        SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}",
        Granularity = "secret-key",
        LocationalKmsKeys = 
        {
            { "us-central1", "projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key" },
            { "us-east1", "projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key" },
        },
        ReplicationLocations = new[]
        {
            "us-central1",
            "us-east1",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncGcpDestination;
import com.pulumi.vault.secrets.SyncGcpDestinationArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var gcpReplicationEncryption = new SyncGcpDestination("gcpReplicationEncryption", SyncGcpDestinationArgs.builder()
            .name("gcp-dest-replication-encryption")
            .projectId("gcp-project-id")
            .credentials(StdFunctions.file(FileArgs.builder()
                .input(credentialsFile)
                .build()).result())
            .secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}")
            .granularity("secret-key")
            .locationalKmsKeys(Map.ofEntries(
                Map.entry("us-central1", "projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key"),
                Map.entry("us-east1", "projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key")
            ))
            .replicationLocations(            
                "us-central1",
                "us-east1")
            .build());

    }
}

resources:
  gcpReplicationEncryption:
    type: vault:secrets:SyncGcpDestination
    name: gcp_replication_encryption
    properties:
      name: gcp-dest-replication-encryption
      projectId: gcp-project-id
      credentials:
        fn::invoke:
          function: std:file
          arguments:
            input: ${credentialsFile}
          return: result
      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}
      granularity: secret-key
      locationalKmsKeys:
        us-central1: projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key
        us-east1: projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key
      replicationLocations:
        - us-central1
        - us-east1

Example coming soon!

Using Workload Identity Federation (Vault 2.0.0+)

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const gcpWif = new vault.secrets.SyncGcpDestination("gcp_wif", {
    name: "gcp-dest-wif",
    serviceAccountEmail: serviceAccountEmail,
    identityTokenAudienceWo: identityTokenAudience,
    identityTokenAudienceWoVersion: 1,
    identityTokenTtl: 3600,
    identityTokenKeyWo: "my-key",
    identityTokenKeyWoVersion: 1,
    granularity: "secret-path",
});

import pulumi
import pulumi_vault as vault

gcp_wif = vault.secrets.SyncGcpDestination("gcp_wif",
    name="gcp-dest-wif",
    service_account_email=service_account_email,
    identity_token_audience_wo=identity_token_audience,
    identity_token_audience_wo_version=1,
    identity_token_ttl=3600,
    identity_token_key_wo="my-key",
    identity_token_key_wo_version=1,
    granularity="secret-path")

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := secrets.NewSyncGcpDestination(ctx, "gcp_wif", &secrets.SyncGcpDestinationArgs{
			Name:                           pulumi.String("gcp-dest-wif"),
			ServiceAccountEmail:            pulumi.Any(serviceAccountEmail),
			IdentityTokenAudienceWo:        pulumi.Any(identityTokenAudience),
			IdentityTokenAudienceWoVersion: pulumi.Int(1),
			IdentityTokenTtl:               pulumi.Int(3600),
			IdentityTokenKeyWo:             pulumi.String("my-key"),
			IdentityTokenKeyWoVersion:      pulumi.Int(1),
			Granularity:                    pulumi.String("secret-path"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var gcpWif = new Vault.Secrets.SyncGcpDestination("gcp_wif", new()
    {
        Name = "gcp-dest-wif",
        ServiceAccountEmail = serviceAccountEmail,
        IdentityTokenAudienceWo = identityTokenAudience,
        IdentityTokenAudienceWoVersion = 1,
        IdentityTokenTtl = 3600,
        IdentityTokenKeyWo = "my-key",
        IdentityTokenKeyWoVersion = 1,
        Granularity = "secret-path",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncGcpDestination;
import com.pulumi.vault.secrets.SyncGcpDestinationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var gcpWif = new SyncGcpDestination("gcpWif", SyncGcpDestinationArgs.builder()
            .name("gcp-dest-wif")
            .serviceAccountEmail(serviceAccountEmail)
            .identityTokenAudienceWo(identityTokenAudience)
            .identityTokenAudienceWoVersion(1)
            .identityTokenTtl(3600)
            .identityTokenKeyWo("my-key")
            .identityTokenKeyWoVersion(1)
            .granularity("secret-path")
            .build());

    }
}

resources:
  gcpWif:
    type: vault:secrets:SyncGcpDestination
    name: gcp_wif
    properties:
      name: gcp-dest-wif
      serviceAccountEmail: ${serviceAccountEmail}
      identityTokenAudienceWo: ${identityTokenAudience}
      identityTokenAudienceWoVersion: 1
      identityTokenTtl: 3600
      identityTokenKeyWo: my-key
      identityTokenKeyWoVersion: 1
      granularity: secret-path

Example coming soon!

Create SyncGcpDestination Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SyncGcpDestination(name: string, args?: SyncGcpDestinationArgs, opts?: CustomResourceOptions);

@overload
def SyncGcpDestination(resource_name: str,
                       args: Optional[SyncGcpDestinationArgs] = None,
                       opts: Optional[ResourceOptions] = None)

@overload
def SyncGcpDestination(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       allowed_ipv4_addresses: Optional[Sequence[str]] = None,
                       allowed_ipv6_addresses: Optional[Sequence[str]] = None,
                       allowed_ports: Optional[Sequence[int]] = None,
                       credentials: Optional[str] = None,
                       custom_tags: Optional[Mapping[str, str]] = None,
                       disable_strict_networking: Optional[bool] = None,
                       global_kms_key: Optional[str] = None,
                       granularity: Optional[str] = None,
                       identity_token_audience_wo: Optional[str] = None,
                       identity_token_audience_wo_version: Optional[int] = None,
                       identity_token_key_wo: Optional[str] = None,
                       identity_token_key_wo_version: Optional[int] = None,
                       identity_token_ttl: Optional[int] = None,
                       locational_kms_keys: Optional[Mapping[str, str]] = None,
                       name: Optional[str] = None,
                       namespace: Optional[str] = None,
                       project_id: Optional[str] = None,
                       replication_locations: Optional[Sequence[str]] = None,
                       secret_name_template: Optional[str] = None,
                       service_account_email: Optional[str] = None)

func NewSyncGcpDestination(ctx *Context, name string, args *SyncGcpDestinationArgs, opts ...ResourceOption) (*SyncGcpDestination, error)

public SyncGcpDestination(string name, SyncGcpDestinationArgs? args = null, CustomResourceOptions? opts = null)

public SyncGcpDestination(String name, SyncGcpDestinationArgs args)
public SyncGcpDestination(String name, SyncGcpDestinationArgs args, CustomResourceOptions options)

type: vault:secrets:SyncGcpDestination
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

resource "vault_secrets_syncgcpdestination" "name" {
    # resource properties
}

Parameters

name string: The unique name of the resource.
args SyncGcpDestinationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SyncGcpDestinationArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SyncGcpDestinationArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SyncGcpDestinationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SyncGcpDestinationArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var syncGcpDestinationResource = new Vault.Secrets.SyncGcpDestination("syncGcpDestinationResource", new()
{
    AllowedIpv4Addresses = new[]
    {
        "string",
    },
    AllowedIpv6Addresses = new[]
    {
        "string",
    },
    AllowedPorts = new[]
    {
        0,
    },
    Credentials = "string",
    CustomTags = 
    {
        { "string", "string" },
    },
    DisableStrictNetworking = false,
    GlobalKmsKey = "string",
    Granularity = "string",
    IdentityTokenAudienceWo = "string",
    IdentityTokenAudienceWoVersion = 0,
    IdentityTokenKeyWo = "string",
    IdentityTokenKeyWoVersion = 0,
    IdentityTokenTtl = 0,
    LocationalKmsKeys = 
    {
        { "string", "string" },
    },
    Name = "string",
    Namespace = "string",
    ProjectId = "string",
    ReplicationLocations = new[]
    {
        "string",
    },
    SecretNameTemplate = "string",
    ServiceAccountEmail = "string",
});

example, err := secrets.NewSyncGcpDestination(ctx, "syncGcpDestinationResource", &secrets.SyncGcpDestinationArgs{
	AllowedIpv4Addresses: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedIpv6Addresses: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedPorts: pulumi.IntArray{
		pulumi.Int(0),
	},
	Credentials: pulumi.String("string"),
	CustomTags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	DisableStrictNetworking:        pulumi.Bool(false),
	GlobalKmsKey:                   pulumi.String("string"),
	Granularity:                    pulumi.String("string"),
	IdentityTokenAudienceWo:        pulumi.String("string"),
	IdentityTokenAudienceWoVersion: pulumi.Int(0),
	IdentityTokenKeyWo:             pulumi.String("string"),
	IdentityTokenKeyWoVersion:      pulumi.Int(0),
	IdentityTokenTtl:               pulumi.Int(0),
	LocationalKmsKeys: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Name:      pulumi.String("string"),
	Namespace: pulumi.String("string"),
	ProjectId: pulumi.String("string"),
	ReplicationLocations: pulumi.StringArray{
		pulumi.String("string"),
	},
	SecretNameTemplate:  pulumi.String("string"),
	ServiceAccountEmail: pulumi.String("string"),
})

resource "vault_secrets_syncgcpdestination" "syncGcpDestinationResource" {
  allowed_ipv4_addresses = ["string"]
  allowed_ipv6_addresses = ["string"]
  allowed_ports          = [0]
  credentials            = "string"
  custom_tags = {
    "string" = "string"
  }
  disable_strict_networking          = false
  global_kms_key                     = "string"
  granularity                        = "string"
  identity_token_audience_wo         = "string"
  identity_token_audience_wo_version = 0
  identity_token_key_wo              = "string"
  identity_token_key_wo_version      = 0
  identity_token_ttl                 = 0
  locational_kms_keys = {
    "string" = "string"
  }
  name                  = "string"
  namespace             = "string"
  project_id            = "string"
  replication_locations = ["string"]
  secret_name_template  = "string"
  service_account_email = "string"
}

var syncGcpDestinationResource = new SyncGcpDestination("syncGcpDestinationResource", SyncGcpDestinationArgs.builder()
    .allowedIpv4Addresses("string")
    .allowedIpv6Addresses("string")
    .allowedPorts(0)
    .credentials("string")
    .customTags(Map.of("string", "string"))
    .disableStrictNetworking(false)
    .globalKmsKey("string")
    .granularity("string")
    .identityTokenAudienceWo("string")
    .identityTokenAudienceWoVersion(0)
    .identityTokenKeyWo("string")
    .identityTokenKeyWoVersion(0)
    .identityTokenTtl(0)
    .locationalKmsKeys(Map.of("string", "string"))
    .name("string")
    .namespace("string")
    .projectId("string")
    .replicationLocations("string")
    .secretNameTemplate("string")
    .serviceAccountEmail("string")
    .build());

sync_gcp_destination_resource = vault.secrets.SyncGcpDestination("syncGcpDestinationResource",
    allowed_ipv4_addresses=["string"],
    allowed_ipv6_addresses=["string"],
    allowed_ports=[0],
    credentials="string",
    custom_tags={
        "string": "string",
    },
    disable_strict_networking=False,
    global_kms_key="string",
    granularity="string",
    identity_token_audience_wo="string",
    identity_token_audience_wo_version=0,
    identity_token_key_wo="string",
    identity_token_key_wo_version=0,
    identity_token_ttl=0,
    locational_kms_keys={
        "string": "string",
    },
    name="string",
    namespace="string",
    project_id="string",
    replication_locations=["string"],
    secret_name_template="string",
    service_account_email="string")

const syncGcpDestinationResource = new vault.secrets.SyncGcpDestination("syncGcpDestinationResource", {
    allowedIpv4Addresses: ["string"],
    allowedIpv6Addresses: ["string"],
    allowedPorts: [0],
    credentials: "string",
    customTags: {
        string: "string",
    },
    disableStrictNetworking: false,
    globalKmsKey: "string",
    granularity: "string",
    identityTokenAudienceWo: "string",
    identityTokenAudienceWoVersion: 0,
    identityTokenKeyWo: "string",
    identityTokenKeyWoVersion: 0,
    identityTokenTtl: 0,
    locationalKmsKeys: {
        string: "string",
    },
    name: "string",
    namespace: "string",
    projectId: "string",
    replicationLocations: ["string"],
    secretNameTemplate: "string",
    serviceAccountEmail: "string",
});

type: vault:secrets:SyncGcpDestination
properties:
    allowedIpv4Addresses:
        - string
    allowedIpv6Addresses:
        - string
    allowedPorts:
        - 0
    credentials: string
    customTags:
        string: string
    disableStrictNetworking: false
    globalKmsKey: string
    granularity: string
    identityTokenAudienceWo: string
    identityTokenAudienceWoVersion: 0
    identityTokenKeyWo: string
    identityTokenKeyWoVersion: 0
    identityTokenTtl: 0
    locationalKmsKeys:
        string: string
    name: string
    namespace: string
    projectId: string
    replicationLocations:
        - string
    secretNameTemplate: string
    serviceAccountEmail: string

SyncGcpDestination Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SyncGcpDestination resource accepts the following input properties:

AllowedIpv4Addresses List<string>: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
AllowedIpv6Addresses List<string>: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
AllowedPorts List<int>: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
Credentials string: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
CustomTags Dictionary<string, string>: Custom tags to set on the secret managed at the destination.
DisableStrictNetworking bool: Disable strict networking requirements.
GlobalKmsKey string: Global KMS key for encryption.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
IdentityTokenAudienceWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
IdentityTokenAudienceWoVersion int: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
IdentityTokenKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
IdentityTokenKeyWoVersion int: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
IdentityTokenTtl int: The TTL of generated tokens.
LocationalKmsKeys Dictionary<string, string>: Locational KMS keys for encryption.
Name string: Unique name of the GCP destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
ProjectId string: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
ReplicationLocations List<string>: Replication locations for secrets.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
ServiceAccountEmail string: Service Account to impersonate for workload identity federation.

AllowedIpv4Addresses []string: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
AllowedIpv6Addresses []string: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
AllowedPorts []int: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
Credentials string: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
CustomTags map[string]string: Custom tags to set on the secret managed at the destination.
DisableStrictNetworking bool: Disable strict networking requirements.
GlobalKmsKey string: Global KMS key for encryption.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
IdentityTokenAudienceWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
IdentityTokenAudienceWoVersion int: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
IdentityTokenKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
IdentityTokenKeyWoVersion int: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
IdentityTokenTtl int: The TTL of generated tokens.
LocationalKmsKeys map[string]string: Locational KMS keys for encryption.
Name string: Unique name of the GCP destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
ProjectId string: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
ReplicationLocations []string: Replication locations for secrets.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
ServiceAccountEmail string: Service Account to impersonate for workload identity federation.

allowed_ipv4_addresses list(string): Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
allowed_ipv6_addresses list(string): Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
allowed_ports list(number): Allowed ports for outbound network connectivity. If not set, all ports are allowed.
credentials string: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
custom_tags map(string): Custom tags to set on the secret managed at the destination.
disable_strict_networking bool: Disable strict networking requirements.
global_kms_key string: Global KMS key for encryption.
granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
identity_token_audience_wo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
identity_token_audience_wo_version number: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
identity_token_key_wo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
identity_token_key_wo_version number: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
identity_token_ttl number: The TTL of generated tokens.
locational_kms_keys map(string): Locational KMS keys for encryption.
name string: Unique name of the GCP destination.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
project_id string: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
replication_locations list(string): Replication locations for secrets.
secret_name_template string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
service_account_email string: Service Account to impersonate for workload identity federation.

allowedIpv4Addresses List<String>: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
allowedIpv6Addresses List<String>: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
allowedPorts List<Integer>: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
credentials String: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
customTags Map<String,String>: Custom tags to set on the secret managed at the destination.
disableStrictNetworking Boolean: Disable strict networking requirements.
globalKmsKey String: Global KMS key for encryption.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
identityTokenAudienceWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenAudienceWoVersion Integer: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
identityTokenKeyWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenKeyWoVersion Integer: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
identityTokenTtl Integer: The TTL of generated tokens.
locationalKmsKeys Map<String,String>: Locational KMS keys for encryption.
name String: Unique name of the GCP destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
projectId String: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
replicationLocations List<String>: Replication locations for secrets.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
serviceAccountEmail String: Service Account to impersonate for workload identity federation.

allowedIpv4Addresses string[]: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
allowedIpv6Addresses string[]: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
allowedPorts number[]: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
credentials string: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
customTags {[key: string]: string}: Custom tags to set on the secret managed at the destination.
disableStrictNetworking boolean: Disable strict networking requirements.
globalKmsKey string: Global KMS key for encryption.
granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
identityTokenAudienceWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenAudienceWoVersion number: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
identityTokenKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenKeyWoVersion number: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
identityTokenTtl number: The TTL of generated tokens.
locationalKmsKeys {[key: string]: string}: Locational KMS keys for encryption.
name string: Unique name of the GCP destination.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
projectId string: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
replicationLocations string[]: Replication locations for secrets.
secretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
serviceAccountEmail string: Service Account to impersonate for workload identity federation.

allowed_ipv4_addresses Sequence[str]: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
allowed_ipv6_addresses Sequence[str]: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
allowed_ports Sequence[int]: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
credentials str: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
custom_tags Mapping[str, str]: Custom tags to set on the secret managed at the destination.
disable_strict_networking bool: Disable strict networking requirements.
global_kms_key str: Global KMS key for encryption.
granularity str: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
identity_token_audience_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
identity_token_audience_wo_version int: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
identity_token_key_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
identity_token_key_wo_version int: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
identity_token_ttl int: The TTL of generated tokens.
locational_kms_keys Mapping[str, str]: Locational KMS keys for encryption.
name str: Unique name of the GCP destination.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
project_id str: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
replication_locations Sequence[str]: Replication locations for secrets.
secret_name_template str: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
service_account_email str: Service Account to impersonate for workload identity federation.

allowedIpv4Addresses List<String>: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
allowedIpv6Addresses List<String>: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
allowedPorts List<Number>: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
credentials String: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
customTags Map<String>: Custom tags to set on the secret managed at the destination.
disableStrictNetworking Boolean: Disable strict networking requirements.
globalKmsKey String: Global KMS key for encryption.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
identityTokenAudienceWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenAudienceWoVersion Number: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
identityTokenKeyWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenKeyWoVersion Number: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
identityTokenTtl Number: The TTL of generated tokens.
locationalKmsKeys Map<String>: Locational KMS keys for encryption.
name String: Unique name of the GCP destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
projectId String: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
replicationLocations List<String>: Replication locations for secrets.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
serviceAccountEmail String: Service Account to impersonate for workload identity federation.

Outputs

All input properties are implicitly available as output properties. Additionally, the SyncGcpDestination resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Type string: The type of the secrets destination (gcp-sm).

Id string: The provider-assigned unique ID for this managed resource.
Type string: The type of the secrets destination (gcp-sm).

id string: The provider-assigned unique ID for this managed resource.
type string: The type of the secrets destination (gcp-sm).

id String: The provider-assigned unique ID for this managed resource.
type String: The type of the secrets destination (gcp-sm).

id string: The provider-assigned unique ID for this managed resource.
type string: The type of the secrets destination (gcp-sm).

id str: The provider-assigned unique ID for this managed resource.
type str: The type of the secrets destination (gcp-sm).

id String: The provider-assigned unique ID for this managed resource.
type String: The type of the secrets destination (gcp-sm).

Look up Existing SyncGcpDestination Resource

Get an existing SyncGcpDestination resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SyncGcpDestinationState, opts?: CustomResourceOptions): SyncGcpDestination

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allowed_ipv4_addresses: Optional[Sequence[str]] = None,
        allowed_ipv6_addresses: Optional[Sequence[str]] = None,
        allowed_ports: Optional[Sequence[int]] = None,
        credentials: Optional[str] = None,
        custom_tags: Optional[Mapping[str, str]] = None,
        disable_strict_networking: Optional[bool] = None,
        global_kms_key: Optional[str] = None,
        granularity: Optional[str] = None,
        identity_token_audience_wo: Optional[str] = None,
        identity_token_audience_wo_version: Optional[int] = None,
        identity_token_key_wo: Optional[str] = None,
        identity_token_key_wo_version: Optional[int] = None,
        identity_token_ttl: Optional[int] = None,
        locational_kms_keys: Optional[Mapping[str, str]] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        project_id: Optional[str] = None,
        replication_locations: Optional[Sequence[str]] = None,
        secret_name_template: Optional[str] = None,
        service_account_email: Optional[str] = None,
        type: Optional[str] = None) -> SyncGcpDestination

func GetSyncGcpDestination(ctx *Context, name string, id IDInput, state *SyncGcpDestinationState, opts ...ResourceOption) (*SyncGcpDestination, error)

public static SyncGcpDestination Get(string name, Input<string> id, SyncGcpDestinationState? state, CustomResourceOptions? opts = null)

public static SyncGcpDestination get(String name, Output<String> id, SyncGcpDestinationState state, CustomResourceOptions options)

resources:  _:    type: vault:secrets:SyncGcpDestination    get:      id: ${id}

import {
  to = vault_secrets_syncgcpdestination.example
  id = "${id}"
}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowedIpv4Addresses List<string>: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
AllowedIpv6Addresses List<string>: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
AllowedPorts List<int>: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
Credentials string: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
CustomTags Dictionary<string, string>: Custom tags to set on the secret managed at the destination.
DisableStrictNetworking bool: Disable strict networking requirements.
GlobalKmsKey string: Global KMS key for encryption.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
IdentityTokenAudienceWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
IdentityTokenAudienceWoVersion int: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
IdentityTokenKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
IdentityTokenKeyWoVersion int: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
IdentityTokenTtl int: The TTL of generated tokens.
LocationalKmsKeys Dictionary<string, string>: Locational KMS keys for encryption.
Name string: Unique name of the GCP destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
ProjectId string: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
ReplicationLocations List<string>: Replication locations for secrets.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
ServiceAccountEmail string: Service Account to impersonate for workload identity federation.
Type string: The type of the secrets destination (gcp-sm).

AllowedIpv4Addresses []string: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
AllowedIpv6Addresses []string: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
AllowedPorts []int: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
Credentials string: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
CustomTags map[string]string: Custom tags to set on the secret managed at the destination.
DisableStrictNetworking bool: Disable strict networking requirements.
GlobalKmsKey string: Global KMS key for encryption.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
IdentityTokenAudienceWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
IdentityTokenAudienceWoVersion int: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
IdentityTokenKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
IdentityTokenKeyWoVersion int: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
IdentityTokenTtl int: The TTL of generated tokens.
LocationalKmsKeys map[string]string: Locational KMS keys for encryption.
Name string: Unique name of the GCP destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
ProjectId string: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
ReplicationLocations []string: Replication locations for secrets.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
ServiceAccountEmail string: Service Account to impersonate for workload identity federation.
Type string: The type of the secrets destination (gcp-sm).

allowed_ipv4_addresses list(string): Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
allowed_ipv6_addresses list(string): Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
allowed_ports list(number): Allowed ports for outbound network connectivity. If not set, all ports are allowed.
credentials string: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
custom_tags map(string): Custom tags to set on the secret managed at the destination.
disable_strict_networking bool: Disable strict networking requirements.
global_kms_key string: Global KMS key for encryption.
granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
identity_token_audience_wo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
identity_token_audience_wo_version number: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
identity_token_key_wo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
identity_token_key_wo_version number: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
identity_token_ttl number: The TTL of generated tokens.
locational_kms_keys map(string): Locational KMS keys for encryption.
name string: Unique name of the GCP destination.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
project_id string: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
replication_locations list(string): Replication locations for secrets.
secret_name_template string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
service_account_email string: Service Account to impersonate for workload identity federation.
type string: The type of the secrets destination (gcp-sm).

allowedIpv4Addresses List<String>: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
allowedIpv6Addresses List<String>: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
allowedPorts List<Integer>: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
credentials String: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
customTags Map<String,String>: Custom tags to set on the secret managed at the destination.
disableStrictNetworking Boolean: Disable strict networking requirements.
globalKmsKey String: Global KMS key for encryption.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
identityTokenAudienceWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenAudienceWoVersion Integer: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
identityTokenKeyWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenKeyWoVersion Integer: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
identityTokenTtl Integer: The TTL of generated tokens.
locationalKmsKeys Map<String,String>: Locational KMS keys for encryption.
name String: Unique name of the GCP destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
projectId String: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
replicationLocations List<String>: Replication locations for secrets.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
serviceAccountEmail String: Service Account to impersonate for workload identity federation.
type String: The type of the secrets destination (gcp-sm).

allowedIpv4Addresses string[]: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
allowedIpv6Addresses string[]: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
allowedPorts number[]: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
credentials string: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
customTags {[key: string]: string}: Custom tags to set on the secret managed at the destination.
disableStrictNetworking boolean: Disable strict networking requirements.
globalKmsKey string: Global KMS key for encryption.
granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
identityTokenAudienceWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenAudienceWoVersion number: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
identityTokenKeyWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenKeyWoVersion number: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
identityTokenTtl number: The TTL of generated tokens.
locationalKmsKeys {[key: string]: string}: Locational KMS keys for encryption.
name string: Unique name of the GCP destination.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
projectId string: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
replicationLocations string[]: Replication locations for secrets.
secretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
serviceAccountEmail string: Service Account to impersonate for workload identity federation.
type string: The type of the secrets destination (gcp-sm).

allowed_ipv4_addresses Sequence[str]: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
allowed_ipv6_addresses Sequence[str]: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
allowed_ports Sequence[int]: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
credentials str: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
custom_tags Mapping[str, str]: Custom tags to set on the secret managed at the destination.
disable_strict_networking bool: Disable strict networking requirements.
global_kms_key str: Global KMS key for encryption.
granularity str: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
identity_token_audience_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
identity_token_audience_wo_version int: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
identity_token_key_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
identity_token_key_wo_version int: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
identity_token_ttl int: The TTL of generated tokens.
locational_kms_keys Mapping[str, str]: Locational KMS keys for encryption.
name str: Unique name of the GCP destination.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
project_id str: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
replication_locations Sequence[str]: Replication locations for secrets.
secret_name_template str: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
service_account_email str: Service Account to impersonate for workload identity federation.
type str: The type of the secrets destination (gcp-sm).

allowedIpv4Addresses List<String>: Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed.
allowedIpv6Addresses List<String>: Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed.
allowedPorts List<Number>: Allowed ports for outbound network connectivity. If not set, all ports are allowed.
credentials String: JSON-encoded credentials to use to connect to GCP. Can be omitted and directly provided to Vault using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
customTags Map<String>: Custom tags to set on the secret managed at the destination.
disableStrictNetworking Boolean: Disable strict networking requirements.
globalKmsKey String: Global KMS key for encryption.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
identityTokenAudienceWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The audience claim value for identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenAudienceWoVersion Number: A version counter for the write-only identityTokenAudienceWo field. Incrementing this value will trigger an update.
identityTokenKeyWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. The key to use for signing identity tokens. This is a write-only field and will not be read back from Vault.
identityTokenKeyWoVersion Number: A version counter for the write-only identityTokenKeyWo field. Incrementing this value will trigger an update.
identityTokenTtl Number: The TTL of generated tokens.
locationalKmsKeys Map<String>: Locational KMS keys for encryption.
name String: Unique name of the GCP destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
projectId String: The target project to manage secrets in. If set, overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
replicationLocations List<String>: Replication locations for secrets.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
serviceAccountEmail String: Service Account to impersonate for workload identity federation.
type String: The type of the secrets destination (gcp-sm).

Import

GCP Secrets sync destinations can be imported using the name, e.g.

$ pulumi import vault:secrets/syncGcpDestination:SyncGcpDestination gcp gcp-dest

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

Viewing docs for HashiCorp Vault v7.8.0
published on Tuesday, Mar 31, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

vault.secrets.SyncGcpDestination

On this page

On this page

Example Usage

With Networking Configuration (Vault 1.19+)

With Global Encryption (Vault 1.19+)

With Multi-Region Replication and Regional Encryption (Vault 1.19+)

Using Workload Identity Federation (Vault 2.0.0+)

Create SyncGcpDestination Resource

Constructor syntax

Parameters

Constructor example

SyncGcpDestination Resource Properties

Inputs

Outputs

Look up Existing SyncGcpDestination Resource

Import

Package Details

On this page

On this page