HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi

vault.aws.SecretBackendRole



    Example Usage

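    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    // Pull the AWS secret key from stack config instead of embedding it in
    // source. `requireSecret` keeps the value encrypted in the state file and
    // masked in CLI output (set it with `pulumi config set --secret awsSecretKey <value>`).
    const config = new pulumi.Config();
    const awsSecretKey = config.requireSecret("awsSecretKey");
    
    // Mount the AWS secrets engine that will mint credentials for the role below.
    const aws = new vault.aws.SecretBackend("aws", {
        accessKey: "AKIA.....", // placeholder access key ID
        secretKey: awsSecretKey,
    });
    
    // Illustrative policy only: "iam:*" on "*" lets every IAM user Vault creates
    // for this role administer IAM itself. Scope Action/Resource down, or attach a
    // boundary via permissionsBoundaryArn, before using this outside a demo.
    const role = new vault.aws.SecretBackendRole("role", {
        backend: aws.path,
        name: "deploy",
        credentialType: "iam_user",
        policyDocument: `{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        }
      ]
    }
    `,
    });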
    
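    import pulumi
    import pulumi_vault as vault
    
    # Pull the AWS secret key from stack config instead of embedding it in source.
    # require_secret() keeps the value encrypted in the state file and masked in
    # CLI output (set it with: pulumi config set --secret awsSecretKey <value>).
    config = pulumi.Config()
    aws_secret_key = config.require_secret("awsSecretKey")
    
    # Mount the AWS secrets engine that will mint credentials for the role below.
    aws = vault.aws.SecretBackend("aws",
        access_key="AKIA.....",  # placeholder access key ID
        secret_key=aws_secret_key)
    
    # Illustrative policy only: "iam:*" on "*" lets every IAM user Vault creates
    # for this role administer IAM itself. Scope Action/Resource down, or attach a
    # boundary via permissions_boundary_arn, before using this outside a demo.
    role = vault.aws.SecretBackendRole("role",
        backend=aws.path,
        name="deploy",
        credential_type="iam_user",
        policy_document="""{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        }
      ]
    }
    """)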
    
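    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/aws"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Pull the AWS secret key from stack config instead of embedding it in
    		// source. RequireSecret keeps the value encrypted in the state file and
    		// masked in CLI output (set it with: pulumi config set --secret awsSecretKey <value>).
    		awsSecretKey := config.RequireSecret(ctx, "awsSecretKey")
    
    		// The local is named "backend", not "aws": naming it "aws" would shadow
    		// the imported aws package and break the aws.NewSecretBackendRole call below.
    		backend, err := aws.NewSecretBackend(ctx, "aws", &aws.SecretBackendArgs{
    			AccessKey: pulumi.String("AKIA....."), // placeholder access key ID
    			SecretKey: awsSecretKey,
    		})
    		if err != nil {
    			return err
    		}
    
    		// Illustrative policy only: "iam:*" on "*" lets every IAM user Vault
    		// creates for this role administer IAM itself. Scope Action/Resource
    		// down, or attach a boundary via PermissionsBoundaryArn, before using
    		// this outside a demo.
    		_, err = aws.NewSecretBackendRole(ctx, "role", &aws.SecretBackendRoleArgs{
    			Backend:        backend.Path,
    			Name:           pulumi.String("deploy"),
    			CredentialType: pulumi.String("iam_user"),
    			PolicyDocument: pulumi.String(`{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        }
      ]
    }
    `),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }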
    
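    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        // Pull the AWS secret key from stack config instead of embedding it in
        // source. RequireSecret keeps the value encrypted in the state file and
        // masked in CLI output (set it with: pulumi config set --secret awsSecretKey <value>).
        var config = new Config();
        var awsSecretKey = config.RequireSecret("awsSecretKey");
    
        // Mount the AWS secrets engine that will mint credentials for the role below.
        var aws = new Vault.Aws.SecretBackend("aws", new()
        {
            AccessKey = "AKIA.....", // placeholder access key ID
            SecretKey = awsSecretKey,
        });
    
        // Illustrative policy only: "iam:*" on "*" lets every IAM user Vault creates
        // for this role administer IAM itself. Scope Action/Resource down, or attach
        // a boundary via PermissionsBoundaryArn, before using this outside a demo.
        var role = new Vault.Aws.SecretBackendRole("role", new()
        {
            Backend = aws.Path,
            Name = "deploy",
            CredentialType = "iam_user",
            PolicyDocument = @"{
      ""Version"": ""2012-10-17"",
      ""Statement"": [
        {
          ""Effect"": ""Allow"",
          ""Action"": ""iam:*"",
          ""Resource"": ""*""
        }
      ]
    }
    ",
        });
    
    });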
    
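    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.aws.SecretBackend;
    import com.pulumi.vault.aws.SecretBackendArgs;
    import com.pulumi.vault.aws.SecretBackendRole;
    import com.pulumi.vault.aws.SecretBackendRoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /** Mounts an AWS secrets engine and defines one iam_user role on it. */
        public static void stack(Context ctx) {
            // Pull the AWS secret key from stack config instead of embedding it in
            // source. requireSecret keeps the value encrypted in the state file and
            // masked in CLI output (set it with: pulumi config set --secret awsSecretKey <value>).
            var awsSecretKey = ctx.config().requireSecret("awsSecretKey");
    
            var aws = new SecretBackend("aws", SecretBackendArgs.builder()
                .accessKey("AKIA.....") // placeholder access key ID
                .secretKey(awsSecretKey)
                .build());
    
            // Illustrative policy only: "iam:*" on "*" lets every IAM user Vault
            // creates for this role administer IAM itself. Scope Action/Resource
            // down, or attach a boundary via permissionsBoundaryArn, before using
            // this outside a demo.
            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(aws.path())
                .name("deploy")
                .credentialType("iam_user")
                .policyDocument("""
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        }
      ]
    }
                """)
                .build());
    
        }
    }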
    
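    # Pull the AWS secret key from stack config instead of embedding it in source.
    # `secret: true` keeps the value encrypted in the state file and masked in CLI
    # output (set it with: pulumi config set --secret awsSecretKey <value>).
    config:
      awsSecretKey:
        type: string
        secret: true
    resources:
      aws:
        type: vault:aws:SecretBackend
        properties:
          accessKey: AKIA..... # placeholder access key ID
          secretKey: ${awsSecretKey}
      role:
        type: vault:aws:SecretBackendRole
        # Illustrative policy only: "iam:*" on "*" lets every IAM user Vault creates
        # for this role administer IAM itself. Scope Action/Resource down, or attach
        # a boundary via permissionsBoundaryArn, before using this outside a demo.
        properties:
          backend: ${aws.path}
          name: deploy
          credentialType: iam_user
          policyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "iam:*",
                  "Resource": "*"
                }
              ]
            }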
    

    Create SecretBackendRole Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);
    @overload
    def SecretBackendRole(resource_name: str,
                          args: SecretBackendRoleArgs,
                          opts: Optional[ResourceOptions] = None)
    
    @overload
    def SecretBackendRole(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          backend: Optional[str] = None,
                          credential_type: Optional[str] = None,
                          default_sts_ttl: Optional[int] = None,
                          external_id: Optional[str] = None,
                          iam_groups: Optional[Sequence[str]] = None,
                          iam_tags: Optional[Mapping[str, str]] = None,
                          max_sts_ttl: Optional[int] = None,
                          name: Optional[str] = None,
                          namespace: Optional[str] = None,
                          permissions_boundary_arn: Optional[str] = None,
                          policy_arns: Optional[Sequence[str]] = None,
                          policy_document: Optional[str] = None,
                          role_arns: Optional[Sequence[str]] = None,
                          session_tags: Optional[Mapping[str, str]] = None,
                          user_path: Optional[str] = None)
    func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)
    public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)
    public SecretBackendRole(String name, SecretBackendRoleArgs args)
    public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)
    
    type: vault:aws:SecretBackendRole
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    // Reference skeleton with placeholder values; which inputs are valid depends
    // on CredentialType (see the Inputs table below).
    var secretBackendRoleResource = new Vault.Aws.SecretBackendRole("secretBackendRoleResource", new()
    {
        Backend = "string",
        CredentialType = "string", // one of iam_user, assumed_role, federation_token
        DefaultStsTtl = 0,
        ExternalId = "string",
        IamGroups = new[]
        {
            "string",
        },
        IamTags = 
        {
            { "string", "string" },
        },
        MaxStsTtl = 0,
        Name = "string",
        Namespace = "string",
        PermissionsBoundaryArn = "string", // iam_user only; no boundary is attached when omitted
        PolicyArns = new[] // for iam_user/federation_token, at least one of PolicyArns or PolicyDocument is required
        {
            "string",
        },
        PolicyDocument = "string",
        RoleArns = new[] // required for assumed_role, prohibited otherwise
        {
            "string",
        },
        SessionTags = 
        {
            { "string", "string" },
        },
        UserPath = "string",
    });
    
    // Reference skeleton with placeholder values; which inputs are valid depends
    // on CredentialType (see the Inputs table below).
    example, err := aws.NewSecretBackendRole(ctx, "secretBackendRoleResource", &aws.SecretBackendRoleArgs{
    	Backend:        pulumi.String("string"),
    	CredentialType: pulumi.String("string"), // one of iam_user, assumed_role, federation_token
    	DefaultStsTtl:  pulumi.Int(0),
    	ExternalId:     pulumi.String("string"),
    	IamGroups: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	IamTags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	MaxStsTtl:              pulumi.Int(0),
    	Name:                   pulumi.String("string"),
    	Namespace:              pulumi.String("string"),
    	PermissionsBoundaryArn: pulumi.String("string"), // iam_user only; no boundary is attached when omitted
    	PolicyArns: pulumi.StringArray{ // for iam_user/federation_token, at least one of PolicyArns or PolicyDocument is required
    		pulumi.String("string"),
    	},
    	PolicyDocument: pulumi.String("string"),
    	RoleArns: pulumi.StringArray{ // required for assumed_role, prohibited otherwise
    		pulumi.String("string"),
    	},
    	SessionTags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	UserPath: pulumi.String("string"),
    })
    
    // Reference skeleton with placeholder values; which inputs are valid depends
    // on credentialType (see the Inputs table below).
    var secretBackendRoleResource = new SecretBackendRole("secretBackendRoleResource", SecretBackendRoleArgs.builder()
        .backend("string")
        .credentialType("string") // one of iam_user, assumed_role, federation_token
        .defaultStsTtl(0)
        .externalId("string")
        .iamGroups("string")
        .iamTags(Map.of("string", "string"))
        .maxStsTtl(0)
        .name("string")
        .namespace("string")
        .permissionsBoundaryArn("string") // iam_user only; no boundary is attached when omitted
        .policyArns("string") // for iam_user/federation_token, at least one of policyArns or policyDocument is required
        .policyDocument("string")
        .roleArns("string") // required for assumed_role, prohibited otherwise
        .sessionTags(Map.of("string", "string"))
        .userPath("string")
        .build());
    
    # Reference skeleton with placeholder values; which inputs are valid depends
    # on credential_type (see the Inputs table below).
    secret_backend_role_resource = vault.aws.SecretBackendRole("secretBackendRoleResource",
        backend="string",
        credential_type="string",  # one of iam_user, assumed_role, federation_token
        default_sts_ttl=0,
        external_id="string",
        iam_groups=["string"],
        iam_tags={
            "string": "string",
        },
        max_sts_ttl=0,
        name="string",
        namespace="string",
        permissions_boundary_arn="string",  # iam_user only; no boundary is attached when omitted
        policy_arns=["string"],  # for iam_user/federation_token, at least one of policy_arns or policy_document is required
        policy_document="string",
        role_arns=["string"],  # required for assumed_role, prohibited otherwise
        session_tags={
            "string": "string",
        },
        user_path="string")
    
    // Reference skeleton with placeholder values; which inputs are valid depends
    // on credentialType (see the Inputs table below).
    const secretBackendRoleResource = new vault.aws.SecretBackendRole("secretBackendRoleResource", {
        backend: "string",
        credentialType: "string", // one of iam_user, assumed_role, federation_token
        defaultStsTtl: 0,
        externalId: "string",
        iamGroups: ["string"],
        iamTags: {
            string: "string",
        },
        maxStsTtl: 0,
        name: "string",
        namespace: "string",
        permissionsBoundaryArn: "string", // iam_user only; no boundary is attached when omitted
        policyArns: ["string"], // for iam_user/federation_token, at least one of policyArns or policyDocument is required
        policyDocument: "string",
        roleArns: ["string"], // required for assumed_role, prohibited otherwise
        sessionTags: {
            string: "string",
        },
        userPath: "string",
    });
    
    # Reference skeleton with placeholder values; which inputs are valid depends
    # on credentialType (see the Inputs table below).
    type: vault:aws:SecretBackendRole
    properties:
        backend: string
        credentialType: string # one of iam_user, assumed_role, federation_token
        defaultStsTtl: 0
        externalId: string
        iamGroups:
            - string
        iamTags:
            string: string
        maxStsTtl: 0
        name: string
        namespace: string
        permissionsBoundaryArn: string # iam_user only; no boundary is attached when omitted
        policyArns: # for iam_user/federation_token, at least one of policyArns or policyDocument is required
            - string
        policyDocument: string
        roleArns: # required for assumed_role, prohibited otherwise
            - string
        sessionTags:
            string: string
        userPath: string
    

    SecretBackendRole Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The SecretBackendRole resource accepts the following input properties:

    Backend string
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    CredentialType string
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    DefaultStsTtl int
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    ExternalId string
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    IamGroups List<string>
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    IamTags Dictionary<string, string>
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    MaxStsTtl int
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    PermissionsBoundaryArn string
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    PolicyArns List<string>
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    PolicyDocument string
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    RoleArns List<string>
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    SessionTags Dictionary<string, string>
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    UserPath string
    The path for the user name. Valid only when credential_type is iam_user. Default is /.
    Backend string
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    CredentialType string
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    DefaultStsTtl int
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    ExternalId string
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    IamGroups []string
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    IamTags map[string]string
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    MaxStsTtl int
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    PermissionsBoundaryArn string
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    PolicyArns []string
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    PolicyDocument string
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    RoleArns []string
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    SessionTags map[string]string
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    UserPath string
    The path for the user name. Valid only when credential_type is iam_user. Default is /.
    backend String
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    credentialType String
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    defaultStsTtl Integer
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    externalId String
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    iamGroups List<String>
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    iamTags Map<String,String>
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    maxStsTtl Integer
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    permissionsBoundaryArn String
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    policyArns List<String>
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    policyDocument String
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    roleArns List<String>
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    sessionTags Map<String,String>
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    userPath String
    The path for the user name. Valid only when credential_type is iam_user. Default is /.
    backend string
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    credentialType string
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    defaultStsTtl number
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    externalId string
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    iamGroups string[]
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    iamTags {[key: string]: string}
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    maxStsTtl number
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    name string
    The name to identify this role within the backend. Must be unique within the backend.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    permissionsBoundaryArn string
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    policyArns string[]
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    policyDocument string
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    roleArns string[]
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    sessionTags {[key: string]: string}
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    userPath string
    The path for the user name. Valid only when credential_type is iam_user. Default is /.
    backend str
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    credential_type str
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    default_sts_ttl int
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    external_id str
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    iam_groups Sequence[str]
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    iam_tags Mapping[str, str]
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    max_sts_ttl int
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    name str
    The name to identify this role within the backend. Must be unique within the backend.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    permissions_boundary_arn str
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    policy_arns Sequence[str]
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    policy_document str
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    role_arns Sequence[str]
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    session_tags Mapping[str, str]
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    user_path str
    The path for the user name. Valid only when credential_type is iam_user. Default is /.
    backend String
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    credentialType String
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    defaultStsTtl Number
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    externalId String
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    iamGroups List<String>
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    iamTags Map<String>
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    maxStsTtl Number
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    permissionsBoundaryArn String
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    policyArns List<String>
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    policyDocument String
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    roleArns List<String>
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    sessionTags Map<String>
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    userPath String
    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing SecretBackendRole Resource

    Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            backend: Optional[str] = None,
            credential_type: Optional[str] = None,
            default_sts_ttl: Optional[int] = None,
            external_id: Optional[str] = None,
            iam_groups: Optional[Sequence[str]] = None,
            iam_tags: Optional[Mapping[str, str]] = None,
            max_sts_ttl: Optional[int] = None,
            name: Optional[str] = None,
            namespace: Optional[str] = None,
            permissions_boundary_arn: Optional[str] = None,
            policy_arns: Optional[Sequence[str]] = None,
            policy_document: Optional[str] = None,
            role_arns: Optional[Sequence[str]] = None,
            session_tags: Optional[Mapping[str, str]] = None,
            user_path: Optional[str] = None) -> SecretBackendRole
    func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)
    public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)
    public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Backend string
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    CredentialType string
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    DefaultStsTtl int
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    ExternalId string
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    IamGroups List<string>
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    IamTags Dictionary<string, string>
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    MaxStsTtl int
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    PermissionsBoundaryArn string
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    PolicyArns List<string>
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    PolicyDocument string
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    RoleArns List<string>
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    SessionTags Dictionary<string, string>
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    UserPath string
    The path for the user name. Valid only when credential_type is iam_user. Default is /.
    Backend string
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    CredentialType string
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    DefaultStsTtl int
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    ExternalId string
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    IamGroups []string
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    IamTags map[string]string
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    MaxStsTtl int
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    PermissionsBoundaryArn string
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    PolicyArns []string
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    PolicyDocument string
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    RoleArns []string
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    SessionTags map[string]string
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    UserPath string
    The path for the user name. Valid only when credential_type is iam_user. Default is /.
    backend String
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    credentialType String
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    defaultStsTtl Integer
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    externalId String
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    iamGroups List<String>
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    iamTags Map<String,String>
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    maxStsTtl Integer
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    permissionsBoundaryArn String
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    policyArns List<String>
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    policyDocument String
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    roleArns List<String>
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    sessionTags Map<String,String>
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    userPath String
    The path for the user name. Valid only when credential_type is iam_user. Default is /.
    backend string
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    credentialType string
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    defaultStsTtl number
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    externalId string
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    iamGroups string[]
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    iamTags {[key: string]: string}
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    maxStsTtl number
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    name string
    The name to identify this role within the backend. Must be unique within the backend.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    permissionsBoundaryArn string
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    policyArns string[]
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    policyDocument string
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    roleArns string[]
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    sessionTags {[key: string]: string}
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    userPath string
    The path for the user name. Valid only when credential_type is iam_user. Default is /.
    backend str
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    credential_type str
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    default_sts_ttl int
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    external_id str
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    iam_groups Sequence[str]
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    iam_tags Mapping[str, str]
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    max_sts_ttl int
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    name str
    The name to identify this role within the backend. Must be unique within the backend.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    permissions_boundary_arn str
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    policy_arns Sequence[str]
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    policy_document str
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    role_arns Sequence[str]
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    session_tags Mapping[str, str]
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    user_path str
    The path for the user name. Valid only when credential_type is iam_user. Default is /.
    backend String
    The path the AWS secret backend is mounted at, with no leading or trailing /s.
    credentialType String
    Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.
    defaultStsTtl Number
    The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.
    externalId String
    External ID to set for assume role creds. Valid only when credential_type is set to assumed_role.
    iamGroups List<String>
    A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.
    iamTags Map<String>
    A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
    maxStsTtl Number
    The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    permissionsBoundaryArn String
    The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.
    policyArns List<String>
    Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.
    policyDocument String
    The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.
    roleArns List<String>
    Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.
    sessionTags Map<String>
    A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when credential_type is set to assumed_role.
    userPath String
    The path for the user name. Valid only when credential_type is iam_user. Default is /.

    Import

    AWS secret backend roles can be imported using the path, e.g.

    $ pulumi import vault:aws/secretBackendRole:SecretBackendRole role aws/roles/deploy
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.