vault.aws.SecretBackendRole
Example Usage
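import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// Root AWS credentials are read from Pulumi config as secrets instead of being
// hard-coded in source. Set them with `pulumi config set --secret awsAccessKey ...`
// and `pulumi config set --secret awsSecretKey ...` (the config key names are
// illustrative).
const config = new pulumi.Config();

// Mount the AWS secrets engine that Vault uses to generate credentials for the
// roles defined against it.
const aws = new vault.aws.SecretBackend("aws", {
    accessKey: config.requireSecret("awsAccessKey"),
    secretKey: config.requireSecret("awsSecretKey"),
});

// Role that makes Vault create an IAM user on demand. The inline policy is
// attached to every IAM user generated for this role; as written it grants
// `iam:*` on `*` (full IAM administration) and is illustrative only -- scope
// real policies to the minimum actions and resources the consumer needs.
const role = new vault.aws.SecretBackendRole("role", {
    backend: aws.path,
    name: "deploy",
    credentialType: "iam_user",
    policyDocument: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
`,
});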
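import pulumi
import pulumi_vault as vault

# Root AWS credentials come from Pulumi config as secrets rather than source
# literals: `pulumi config set --secret awsAccessKey ...` and
# `pulumi config set --secret awsSecretKey ...` (config key names are illustrative).
config = pulumi.Config()

# Mount the AWS secrets engine that Vault uses to generate credentials for the
# roles defined against it.
aws = vault.aws.SecretBackend("aws",
    access_key=config.require_secret("awsAccessKey"),
    secret_key=config.require_secret("awsSecretKey"))

# Role that makes Vault create an IAM user on demand. The inline policy is
# attached to every IAM user generated for this role; as written it grants
# `iam:*` on `*` (full IAM administration) and is illustrative only -- scope
# real policies to the minimum actions and resources the consumer needs.
role = vault.aws.SecretBackendRole("role",
    backend=aws.path,
    name="deploy",
    credential_type="iam_user",
    policy_document="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
""")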
package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/aws"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
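func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Root AWS credentials come from Pulumi config as secrets rather than
		// source literals: `pulumi config set --secret awsAccessKey ...` and
		// `pulumi config set --secret awsSecretKey ...` (key names are illustrative).
		cfg := config.New(ctx, "")

		// The mount is named `backend`, not `aws`, so the variable does not
		// shadow the imported `aws` package that the role below still needs
		// (with the shadowing, `aws.NewSecretBackendRole` would not compile).
		backend, err := aws.NewSecretBackend(ctx, "aws", &aws.SecretBackendArgs{
			AccessKey: cfg.RequireSecret("awsAccessKey"),
			SecretKey: cfg.RequireSecret("awsSecretKey"),
		})
		if err != nil {
			return err
		}

		// Role that makes Vault create an IAM user on demand. The inline policy
		// is attached to every IAM user generated for this role; as written it
		// grants `iam:*` on `*` (full IAM administration) and is illustrative
		// only -- scope real policies to the minimum the consumer needs.
		_, err = aws.NewSecretBackendRole(ctx, "role", &aws.SecretBackendRoleArgs{
			Backend:        backend.Path,
			Name:           pulumi.String("deploy"),
			CredentialType: pulumi.String("iam_user"),
			PolicyDocument: pulumi.String(`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
`),
		})
		if err != nil {
			return err
		}
		return nil
	})
}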
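using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() =>
{
    // Root AWS credentials come from Pulumi config as secrets rather than
    // source literals: `pulumi config set --secret awsAccessKey ...` and
    // `pulumi config set --secret awsSecretKey ...` (key names are illustrative).
    var config = new Config();

    // Mount the AWS secrets engine that Vault uses to generate credentials for
    // the roles defined against it.
    var aws = new Vault.Aws.SecretBackend("aws", new()
    {
        AccessKey = config.RequireSecret("awsAccessKey"),
        SecretKey = config.RequireSecret("awsSecretKey"),
    });

    // Role that makes Vault create an IAM user on demand. The inline policy is
    // attached to every IAM user generated for this role; as written it grants
    // `iam:*` on `*` (full IAM administration) and is illustrative only --
    // scope real policies to the minimum the consumer needs.
    var role = new Vault.Aws.SecretBackendRole("role", new()
    {
        Backend = aws.Path,
        Name = "deploy",
        CredentialType = "iam_user",
        PolicyDocument = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Effect"": ""Allow"",
      ""Action"": ""iam:*"",
      ""Resource"": ""*""
    }
  ]
}
",
    });
});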
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.aws.SecretBackend;
import com.pulumi.vault.aws.SecretBackendArgs;
import com.pulumi.vault.aws.SecretBackendRole;
import com.pulumi.vault.aws.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
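public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Root AWS credentials come from stack config as secrets rather than
        // source literals: `pulumi config set --secret awsAccessKey ...` and
        // `pulumi config set --secret awsSecretKey ...` (key names are illustrative).
        var config = ctx.config();

        // Mount the AWS secrets engine that Vault uses to generate credentials
        // for the roles defined against it.
        var aws = new SecretBackend("aws", SecretBackendArgs.builder()
            .accessKey(config.requireSecret("awsAccessKey"))
            .secretKey(config.requireSecret("awsSecretKey"))
            .build());

        // Role that makes Vault create an IAM user on demand. The inline policy
        // is attached to every IAM user generated for this role; as written it
        // grants `iam:*` on `*` (full IAM administration) and is illustrative
        // only -- scope real policies to the minimum the consumer needs.
        var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
            .backend(aws.path())
            .name("deploy")
            .credentialType("iam_user")
            .policyDocument("""
                {
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Effect": "Allow",
                      "Action": "iam:*",
                      "Resource": "*"
                    }
                  ]
                }
                """)
            .build());
    }
}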
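resources:
  aws:
    type: vault:aws:SecretBackend
    properties:
      # NOTE(review): supply these as secret config values
      # (`pulumi config set --secret ...`) rather than literals, so root
      # AWS credentials are not committed to source.
      accessKey: AKIA.....
      secretKey: AWS secret key
  role:
    type: vault:aws:SecretBackendRole
    properties:
      backend: ${aws.path}
      name: deploy
      credentialType: iam_user
      # Attached to every IAM user Vault generates for this role. `iam:*` on
      # `*` is full IAM administration and is illustrative only -- scope real
      # policies to the minimum the consumer needs.
      policyDocument: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "iam:*",
              "Resource": "*"
            }
          ]
        }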
Create SecretBackendRole Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);
@overload
def SecretBackendRole(resource_name: str,
args: SecretBackendRoleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SecretBackendRole(resource_name: str,
opts: Optional[ResourceOptions] = None,
backend: Optional[str] = None,
credential_type: Optional[str] = None,
default_sts_ttl: Optional[int] = None,
external_id: Optional[str] = None,
iam_groups: Optional[Sequence[str]] = None,
iam_tags: Optional[Mapping[str, str]] = None,
max_sts_ttl: Optional[int] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
permissions_boundary_arn: Optional[str] = None,
policy_arns: Optional[Sequence[str]] = None,
policy_document: Optional[str] = None,
role_arns: Optional[Sequence[str]] = None,
session_tags: Optional[Mapping[str, str]] = None,
user_path: Optional[str] = None)
func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)
public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)
public SecretBackendRole(String name, SecretBackendRoleArgs args)
public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)
type: vault:aws:SecretBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference constructor showing every input with a placeholder value. The
// inputs are not all valid together: per the property docs, ExternalId,
// RoleArns and SessionTags apply only to credential type "assumed_role",
// PermissionsBoundaryArn and UserPath only to "iam_user", and the STS TTLs
// only to "assumed_role" or "federation_token".
var secretBackendRoleResource = new Vault.Aws.SecretBackendRole("secretBackendRoleResource", new()
{
    Backend = "string",
    CredentialType = "string",
    DefaultStsTtl = 0,
    ExternalId = "string",
    IamGroups = new[]
    {
        "string",
    },
    IamTags =
    {
        { "string", "string" },
    },
    MaxStsTtl = 0,
    Name = "string",
    Namespace = "string",
    PermissionsBoundaryArn = "string",
    PolicyArns = new[]
    {
        "string",
    },
    PolicyDocument = "string",
    RoleArns = new[]
    {
        "string",
    },
    SessionTags =
    {
        { "string", "string" },
    },
    UserPath = "string",
});
// Reference constructor showing every input with a placeholder value. The
// inputs are not all valid together: per the property docs, ExternalId,
// RoleArns and SessionTags apply only to credential type "assumed_role",
// PermissionsBoundaryArn and UserPath only to "iam_user", and the STS TTLs
// only to "assumed_role" or "federation_token".
example, err := aws.NewSecretBackendRole(ctx, "secretBackendRoleResource", &aws.SecretBackendRoleArgs{
	Backend:        pulumi.String("string"),
	CredentialType: pulumi.String("string"),
	DefaultStsTtl:  pulumi.Int(0),
	ExternalId:     pulumi.String("string"),
	IamGroups: pulumi.StringArray{
		pulumi.String("string"),
	},
	IamTags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	MaxStsTtl:              pulumi.Int(0),
	Name:                   pulumi.String("string"),
	Namespace:              pulumi.String("string"),
	PermissionsBoundaryArn: pulumi.String("string"),
	PolicyArns: pulumi.StringArray{
		pulumi.String("string"),
	},
	PolicyDocument: pulumi.String("string"),
	RoleArns: pulumi.StringArray{
		pulumi.String("string"),
	},
	SessionTags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	UserPath: pulumi.String("string"),
})
// Reference constructor showing every input with a placeholder value. The
// inputs are not all valid together: per the property docs, externalId,
// roleArns and sessionTags apply only to credential type "assumed_role",
// permissionsBoundaryArn and userPath only to "iam_user", and the STS TTLs
// only to "assumed_role" or "federation_token".
var secretBackendRoleResource = new SecretBackendRole("secretBackendRoleResource", SecretBackendRoleArgs.builder()
    .backend("string")
    .credentialType("string")
    .defaultStsTtl(0)
    .externalId("string")
    .iamGroups("string")
    .iamTags(Map.of("string", "string"))
    .maxStsTtl(0)
    .name("string")
    .namespace("string")
    .permissionsBoundaryArn("string")
    .policyArns("string")
    .policyDocument("string")
    .roleArns("string")
    .sessionTags(Map.of("string", "string"))
    .userPath("string")
    .build());
# Reference constructor showing every input with a placeholder value. The
# inputs are not all valid together: per the property docs, external_id,
# role_arns and session_tags apply only to credential type "assumed_role",
# permissions_boundary_arn and user_path only to "iam_user", and the STS
# TTLs only to "assumed_role" or "federation_token".
secret_backend_role_resource = vault.aws.SecretBackendRole("secretBackendRoleResource",
    backend="string",
    credential_type="string",
    default_sts_ttl=0,
    external_id="string",
    iam_groups=["string"],
    iam_tags={
        "string": "string",
    },
    max_sts_ttl=0,
    name="string",
    namespace="string",
    permissions_boundary_arn="string",
    policy_arns=["string"],
    policy_document="string",
    role_arns=["string"],
    session_tags={
        "string": "string",
    },
    user_path="string")
// Reference constructor showing every input with a placeholder value. The
// inputs are not all valid together: per the property docs, externalId,
// roleArns and sessionTags apply only to credential type "assumed_role",
// permissionsBoundaryArn and userPath only to "iam_user", and the STS TTLs
// only to "assumed_role" or "federation_token".
const secretBackendRoleResource = new vault.aws.SecretBackendRole("secretBackendRoleResource", {
    backend: "string",
    credentialType: "string",
    defaultStsTtl: 0,
    externalId: "string",
    iamGroups: ["string"],
    iamTags: {
        string: "string",
    },
    maxStsTtl: 0,
    name: "string",
    namespace: "string",
    permissionsBoundaryArn: "string",
    policyArns: ["string"],
    policyDocument: "string",
    roleArns: ["string"],
    sessionTags: {
        string: "string",
    },
    userPath: "string",
});
# Reference constructor showing every input with a placeholder value. The
# inputs are not all valid together: per the property docs, externalId,
# roleArns and sessionTags apply only to credential type "assumed_role",
# permissionsBoundaryArn and userPath only to "iam_user", and the STS TTLs
# only to "assumed_role" or "federation_token".
type: vault:aws:SecretBackendRole
properties:
  backend: string
  credentialType: string
  defaultStsTtl: 0
  externalId: string
  iamGroups:
    - string
  iamTags:
    string: string
  maxStsTtl: 0
  name: string
  namespace: string
  permissionsBoundaryArn: string
  policyArns:
    - string
  policyDocument: string
  roleArns:
    - string
  sessionTags:
    string: string
  userPath: string
SecretBackendRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SecretBackendRole resource accepts the following input properties:
- Backend string
- The path the AWS secret backend is mounted at, with no leading or trailing `/`s.
- CredentialType string
- Specifies the type of credential to be used when retrieving credentials from the role. Must be one of `iam_user`, `assumed_role`, or `federation_token`.
- DefaultStsTtl int
- The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- ExternalId string
- External ID to set for assume role creds. Valid only when `credential_type` is set to `assumed_role`.
- IamGroups List<string>
- A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of `assumed_role` or `federation_token`, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups` combined with the `policy_document` and `policy_arns` parameters.
- IamTags Dictionary<string, string>
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- MaxStsTtl int
- The max allowed TTL in seconds for STS credentials (credentials TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- Name string
- The name to identify this role within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- PermissionsBoundaryArn string
- The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached.
- PolicyArns List<string>
- Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With `iam_user`, the policies will be attached to IAM users when they are requested. With `assumed_role` and `federation_token`, the policy ARNs will act as a filter on what the credentials can do, similar to `policy_document`. When `credential_type` is `iam_user` or `federation_token`, at least one of `policy_document` or `policy_arns` must be specified.
- PolicyDocument string
- The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do, similar to `policy_arns`.
- RoleArns List<string>
- Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when `credential_type` is `assumed_role` and prohibited otherwise.
- SessionTags Dictionary<string, string>
- A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when `credential_type` is set to `assumed_role`.
- UserPath string
- The path for the user name. Valid only when `credential_type` is `iam_user`. Default is `/`.
- Backend string
- The path the AWS secret backend is mounted at, with no leading or trailing `/`s.
- CredentialType string
- Specifies the type of credential to be used when retrieving credentials from the role. Must be one of `iam_user`, `assumed_role`, or `federation_token`.
- DefaultStsTtl int
- The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- ExternalId string
- External ID to set for assume role creds. Valid only when `credential_type` is set to `assumed_role`.
- IamGroups []string
- A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of `assumed_role` or `federation_token`, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups` combined with the `policy_document` and `policy_arns` parameters.
- IamTags map[string]string
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- MaxStsTtl int
- The max allowed TTL in seconds for STS credentials (credentials TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- Name string
- The name to identify this role within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- PermissionsBoundaryArn string
- The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached.
- PolicyArns []string
- Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With `iam_user`, the policies will be attached to IAM users when they are requested. With `assumed_role` and `federation_token`, the policy ARNs will act as a filter on what the credentials can do, similar to `policy_document`. When `credential_type` is `iam_user` or `federation_token`, at least one of `policy_document` or `policy_arns` must be specified.
- PolicyDocument string
- The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do, similar to `policy_arns`.
- RoleArns []string
- Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when `credential_type` is `assumed_role` and prohibited otherwise.
- SessionTags map[string]string
- A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when `credential_type` is set to `assumed_role`.
- UserPath string
- The path for the user name. Valid only when `credential_type` is `iam_user`. Default is `/`.
- backend String
- The path the AWS secret backend is mounted at, with no leading or trailing `/`s.
- credentialType String
- Specifies the type of credential to be used when retrieving credentials from the role. Must be one of `iam_user`, `assumed_role`, or `federation_token`.
- defaultStsTtl Integer
- The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- externalId String
- External ID to set for assume role creds. Valid only when `credential_type` is set to `assumed_role`.
- iamGroups List<String>
- A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of `assumed_role` or `federation_token`, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups` combined with the `policy_document` and `policy_arns` parameters.
- iamTags Map<String,String>
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- maxStsTtl Integer
- The max allowed TTL in seconds for STS credentials (credentials TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- name String
- The name to identify this role within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- permissionsBoundaryArn String
- The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached.
- policyArns List<String>
- Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With `iam_user`, the policies will be attached to IAM users when they are requested. With `assumed_role` and `federation_token`, the policy ARNs will act as a filter on what the credentials can do, similar to `policy_document`. When `credential_type` is `iam_user` or `federation_token`, at least one of `policy_document` or `policy_arns` must be specified.
- policyDocument String
- The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do, similar to `policy_arns`.
- roleArns List<String>
- Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when `credential_type` is `assumed_role` and prohibited otherwise.
- sessionTags Map<String,String>
- A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when `credential_type` is set to `assumed_role`.
- userPath String
- The path for the user name. Valid only when `credential_type` is `iam_user`. Default is `/`.
- backend string
- The path the AWS secret backend is mounted at, with no leading or trailing `/`s.
- credentialType string
- Specifies the type of credential to be used when retrieving credentials from the role. Must be one of `iam_user`, `assumed_role`, or `federation_token`.
- defaultStsTtl number
- The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- externalId string
- External ID to set for assume role creds. Valid only when `credential_type` is set to `assumed_role`.
- iamGroups string[]
- A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of `assumed_role` or `federation_token`, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups` combined with the `policy_document` and `policy_arns` parameters.
- iamTags {[key: string]: string}
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- maxStsTtl number
- The max allowed TTL in seconds for STS credentials (credentials TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- name string
- The name to identify this role within the backend. Must be unique within the backend.
- namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- permissionsBoundaryArn string
- The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached.
- policyArns string[]
- Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With `iam_user`, the policies will be attached to IAM users when they are requested. With `assumed_role` and `federation_token`, the policy ARNs will act as a filter on what the credentials can do, similar to `policy_document`. When `credential_type` is `iam_user` or `federation_token`, at least one of `policy_document` or `policy_arns` must be specified.
- policyDocument string
- The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do, similar to `policy_arns`.
- roleArns string[]
- Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when `credential_type` is `assumed_role` and prohibited otherwise.
- sessionTags {[key: string]: string}
- A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when `credential_type` is set to `assumed_role`.
- userPath string
- The path for the user name. Valid only when `credential_type` is `iam_user`. Default is `/`.
- backend str
- The path the AWS secret backend is mounted at, with no leading or trailing `/`s.
- credential_type str
- Specifies the type of credential to be used when retrieving credentials from the role. Must be one of `iam_user`, `assumed_role`, or `federation_token`.
- default_sts_ttl int
- The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- external_id str
- External ID to set for assume role creds. Valid only when `credential_type` is set to `assumed_role`.
- iam_groups Sequence[str]
- A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of `assumed_role` or `federation_token`, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups` combined with the `policy_document` and `policy_arns` parameters.
- iam_tags Mapping[str, str]
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- max_sts_ttl int
- The max allowed TTL in seconds for STS credentials (credentials TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- name str
- The name to identify this role within the backend. Must be unique within the backend.
- namespace str
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- permissions_boundary_arn str
- The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached.
- policy_arns Sequence[str]
- Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With `iam_user`, the policies will be attached to IAM users when they are requested. With `assumed_role` and `federation_token`, the policy ARNs will act as a filter on what the credentials can do, similar to `policy_document`. When `credential_type` is `iam_user` or `federation_token`, at least one of `policy_document` or `policy_arns` must be specified.
- policy_document str
- The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do, similar to `policy_arns`.
- role_arns Sequence[str]
- Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when `credential_type` is `assumed_role` and prohibited otherwise.
- session_tags Mapping[str, str]
- A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when `credential_type` is set to `assumed_role`.
- user_path str
- The path for the user name. Valid only when `credential_type` is `iam_user`. Default is `/`.
- backend String
- The path the AWS secret backend is mounted at, with no leading or trailing `/`s.
- credentialType String
- Specifies the type of credential to be used when retrieving credentials from the role. Must be one of `iam_user`, `assumed_role`, or `federation_token`.
- defaultStsTtl Number
- The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- externalId String
- External ID to set for assume role creds. Valid only when `credential_type` is set to `assumed_role`.
- iamGroups List<String>
- A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of `assumed_role` or `federation_token`, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups` combined with the `policy_document` and `policy_arns` parameters.
- iamTags Map<String>
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- maxStsTtl Number
- The max allowed TTL in seconds for STS credentials (credentials TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- name String
- The name to identify this role within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- permissionsBoundaryArn String
- The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached.
- policyArns List<String>
- Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With `iam_user`, the policies will be attached to IAM users when they are requested. With `assumed_role` and `federation_token`, the policy ARNs will act as a filter on what the credentials can do, similar to `policy_document`. When `credential_type` is `iam_user` or `federation_token`, at least one of `policy_document` or `policy_arns` must be specified.
- policyDocument String
- The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do, similar to `policy_arns`.
- roleArns List<String>
- Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when `credential_type` is `assumed_role` and prohibited otherwise.
- sessionTags Map<String>
- A map of strings representing key/value pairs to be set during assume role creds creation. Valid only when `credential_type` is set to `assumed_role`.
- userPath String
- The path for the user name. Valid only when `credential_type` is `iam_user`. Default is `/`.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing SecretBackendRole Resource
Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
backend: Optional[str] = None,
credential_type: Optional[str] = None,
default_sts_ttl: Optional[int] = None,
external_id: Optional[str] = None,
iam_groups: Optional[Sequence[str]] = None,
iam_tags: Optional[Mapping[str, str]] = None,
max_sts_ttl: Optional[int] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
permissions_boundary_arn: Optional[str] = None,
policy_arns: Optional[Sequence[str]] = None,
policy_document: Optional[str] = None,
role_arns: Optional[Sequence[str]] = None,
session_tags: Optional[Mapping[str, str]] = None,
user_path: Optional[str] = None) -> SecretBackendRole
func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)
public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)
public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Backend string
- The path the AWS secret backend is mounted at,
with no leading or trailing
/
s. - Credential
Type string - Specifies the type of credential to be used when
retrieving credentials from the role. Must be one of
iam_user
,assumed_role
, orfederation_token
. - Default
Sts intTtl - The default TTL in seconds for STS credentials.
When a TTL is not specified when STS credentials are requested,
and a default TTL is specified on the role,
then this default TTL will be used. Valid only when
credential_type
is one ofassumed_role
orfederation_token
. - External
Id string - External ID to set for assume role creds.
Valid only when
credential_type
is set toassumed_role
. - Iam
Groups List<string> - A list of IAM group names. IAM users generated
against this vault role will be added to these IAM Groups. For a credential
type of
assumed_role
orfederation_token
, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups`
combined with thepolicy_document
andpolicy_arns
parameters. - Dictionary<string, string>
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- Max
Sts intTtl - The max allowed TTL in seconds for STS credentials
(credentials TTL are capped to
max_sts_ttl
). Valid only whencredential_type
is one ofassumed_role
orfederation_token
. - Name string
- The name to identify this role within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Permissions
BoundaryArn string - The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached, and the generated user's effective permissions are exactly what `policy_document`, `policy_arns` and `iam_groups` grant; attaching a boundary caps those grants and is the recommended guardrail when any of them is broad. - Policy
Arns List<string> - Specifies a list of AWS managed policy ARNs. The
behavior depends on the credential type. With
iam_user
, the policies will be attached to IAM users when they are requested. Withassumed_role
andfederation_token
, the policy ARNs will act as a filter on what the credentials can do, similar topolicy_document
. Whencredential_type
isiam_user
orfederation_token
, at least one ofpolicy_document
orpolicy_arns
must be specified. - Policy
Document string - The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has — here it grants permissions outright, so scope its actions and resources to the minimum the consumer needs rather than using wildcards. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do (a session policy that can only narrow, never extend, the permissions of the underlying role or credentials), similar to `policy_arns`
. - Role
Arns List<string> - Specifies the ARNs of the AWS roles this Vault role is allowed to assume; this is the allow-list of roles a consumer of the Vault role can obtain credentials for, so keep it to the roles actually needed. Each listed role's trust policy must permit the backend's AWS credentials to assume it. Required when `credential_type` is `assumed_role` and prohibited otherwise. - Dictionary<string, string>
- A map of strings representing key/value pairs to be set
during assume role creds creation. Valid only when
credential_type
is set toassumed_role
. - User
Path string - The path for the user name. Valid only when
credential_type
isiam_user
. Default is/
.
- Backend string
- The path the AWS secret backend is mounted at,
with no leading or trailing
/
s. - Credential
Type string - Specifies the type of credential to be used when
retrieving credentials from the role. Must be one of
iam_user
,assumed_role
, orfederation_token
. - Default
Sts intTtl - The default TTL in seconds for STS credentials.
When a TTL is not specified when STS credentials are requested,
and a default TTL is specified on the role,
then this default TTL will be used. Valid only when
credential_type
is one ofassumed_role
orfederation_token
. - External
Id string - External ID to set for assume role creds. Supply it when the target role's trust policy conditions on `sts:ExternalId`; the external ID is the standard mitigation for the confused-deputy problem when a role is assumed across accounts. Valid only when `credential_type` is set to `assumed_role`
. - Iam
Groups []string - A list of IAM group names. IAM users generated
against this vault role will be added to these IAM Groups. For a credential
type of
assumed_role
orfederation_token
, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups`
combined with thepolicy_document
andpolicy_arns
parameters. - map[string]string
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- Max
Sts intTtl - The max allowed TTL in seconds for STS credentials
(credentials TTL are capped to
max_sts_ttl
). Valid only whencredential_type
is one ofassumed_role
orfederation_token
. - Name string
- The name to identify this role within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Permissions
BoundaryArn string - The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached, and the generated user's effective permissions are exactly what `policy_document`, `policy_arns` and `iam_groups` grant; attaching a boundary caps those grants and is the recommended guardrail when any of them is broad. - Policy
Arns []string - Specifies a list of AWS managed policy ARNs. The
behavior depends on the credential type. With
iam_user
, the policies will be attached to IAM users when they are requested. Withassumed_role
andfederation_token
, the policy ARNs will act as a filter on what the credentials can do, similar topolicy_document
. Whencredential_type
isiam_user
orfederation_token
, at least one ofpolicy_document
orpolicy_arns
must be specified. - Policy
Document string - The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has — here it grants permissions outright, so scope its actions and resources to the minimum the consumer needs rather than using wildcards. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do (a session policy that can only narrow, never extend, the permissions of the underlying role or credentials), similar to `policy_arns`
. - Role
Arns []string - Specifies the ARNs of the AWS roles this Vault role is allowed to assume; this is the allow-list of roles a consumer of the Vault role can obtain credentials for, so keep it to the roles actually needed. Each listed role's trust policy must permit the backend's AWS credentials to assume it. Required when `credential_type` is `assumed_role` and prohibited otherwise. - map[string]string
- A map of strings representing key/value pairs to be set
during assume role creds creation. Valid only when
credential_type
is set toassumed_role
. - User
Path string - The path for the user name. Valid only when
credential_type
isiam_user
. Default is/
.
- backend String
- The path the AWS secret backend is mounted at,
with no leading or trailing
/
s. - credential
Type String - Specifies the type of credential to be used when
retrieving credentials from the role. Must be one of
iam_user
,assumed_role
, orfederation_token
. - default
Sts IntegerTtl - The default TTL in seconds for STS credentials.
When a TTL is not specified when STS credentials are requested,
and a default TTL is specified on the role,
then this default TTL will be used. Valid only when
credential_type
is one ofassumed_role
orfederation_token
. - external
Id String - External ID to set for assume role creds. Supply it when the target role's trust policy conditions on `sts:ExternalId`; the external ID is the standard mitigation for the confused-deputy problem when a role is assumed across accounts. Valid only when `credential_type` is set to `assumed_role`
. - iam
Groups List<String> - A list of IAM group names. IAM users generated
against this vault role will be added to these IAM Groups. For a credential
type of
assumed_role
orfederation_token
, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups`
combined with thepolicy_document
andpolicy_arns
parameters. - Map<String,String>
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- max
Sts IntegerTtl - The max allowed TTL in seconds for STS credentials
(credentials TTL are capped to
max_sts_ttl
). Valid only whencredential_type
is one ofassumed_role
orfederation_token
. - name String
- The name to identify this role within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - permissions
BoundaryArn String - The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached, and the generated user's effective permissions are exactly what `policy_document`, `policy_arns` and `iam_groups` grant; attaching a boundary caps those grants and is the recommended guardrail when any of them is broad. - policy
Arns List<String> - Specifies a list of AWS managed policy ARNs. The
behavior depends on the credential type. With
iam_user
, the policies will be attached to IAM users when they are requested. Withassumed_role
andfederation_token
, the policy ARNs will act as a filter on what the credentials can do, similar topolicy_document
. Whencredential_type
isiam_user
orfederation_token
, at least one ofpolicy_document
orpolicy_arns
must be specified. - policy
Document String - The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has — here it grants permissions outright, so scope its actions and resources to the minimum the consumer needs rather than using wildcards. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do (a session policy that can only narrow, never extend, the permissions of the underlying role or credentials), similar to `policy_arns`
. - role
Arns List<String> - Specifies the ARNs of the AWS roles this Vault role is allowed to assume; this is the allow-list of roles a consumer of the Vault role can obtain credentials for, so keep it to the roles actually needed. Each listed role's trust policy must permit the backend's AWS credentials to assume it. Required when `credential_type` is `assumed_role` and prohibited otherwise. - Map<String,String>
- A map of strings representing key/value pairs to be set
during assume role creds creation. Valid only when
credential_type
is set toassumed_role
. - user
Path String - The path for the user name. Valid only when
credential_type
isiam_user
. Default is/
.
- backend string
- The path the AWS secret backend is mounted at,
with no leading or trailing
/
s. - credential
Type string - Specifies the type of credential to be used when
retrieving credentials from the role. Must be one of
iam_user
,assumed_role
, orfederation_token
. - default
Sts numberTtl - The default TTL in seconds for STS credentials.
When a TTL is not specified when STS credentials are requested,
and a default TTL is specified on the role,
then this default TTL will be used. Valid only when
credential_type
is one ofassumed_role
orfederation_token
. - external
Id string - External ID to set for assume role creds. Supply it when the target role's trust policy conditions on `sts:ExternalId`; the external ID is the standard mitigation for the confused-deputy problem when a role is assumed across accounts. Valid only when `credential_type` is set to `assumed_role`
. - iam
Groups string[] - A list of IAM group names. IAM users generated
against this vault role will be added to these IAM Groups. For a credential
type of
assumed_role
orfederation_token
, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups`
combined with thepolicy_document
andpolicy_arns
parameters. - {[key: string]: string}
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- max
Sts numberTtl - The max allowed TTL in seconds for STS credentials
(credentials TTL are capped to
max_sts_ttl
). Valid only whencredential_type
is one ofassumed_role
orfederation_token
. - name string
- The name to identify this role within the backend. Must be unique within the backend.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - permissions
BoundaryArn string - The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached, and the generated user's effective permissions are exactly what `policy_document`, `policy_arns` and `iam_groups` grant; attaching a boundary caps those grants and is the recommended guardrail when any of them is broad. - policy
Arns string[] - Specifies a list of AWS managed policy ARNs. The
behavior depends on the credential type. With
iam_user
, the policies will be attached to IAM users when they are requested. Withassumed_role
andfederation_token
, the policy ARNs will act as a filter on what the credentials can do, similar topolicy_document
. Whencredential_type
isiam_user
orfederation_token
, at least one ofpolicy_document
orpolicy_arns
must be specified. - policy
Document string - The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has — here it grants permissions outright, so scope its actions and resources to the minimum the consumer needs rather than using wildcards. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do (a session policy that can only narrow, never extend, the permissions of the underlying role or credentials), similar to `policy_arns`
. - role
Arns string[] - Specifies the ARNs of the AWS roles this Vault role is allowed to assume; this is the allow-list of roles a consumer of the Vault role can obtain credentials for, so keep it to the roles actually needed. Each listed role's trust policy must permit the backend's AWS credentials to assume it. Required when `credential_type` is `assumed_role` and prohibited otherwise. - {[key: string]: string}
- A map of strings representing key/value pairs to be set
during assume role creds creation. Valid only when
credential_type
is set toassumed_role
. - user
Path string - The path for the user name. Valid only when
credential_type
isiam_user
. Default is/
.
- backend str
- The path the AWS secret backend is mounted at,
with no leading or trailing
/
s. - credential_
type str - Specifies the type of credential to be used when
retrieving credentials from the role. Must be one of
iam_user
,assumed_role
, orfederation_token
. - default_
sts_ intttl - The default TTL in seconds for STS credentials.
When a TTL is not specified when STS credentials are requested,
and a default TTL is specified on the role,
then this default TTL will be used. Valid only when
credential_type
is one ofassumed_role
orfederation_token
. - external_
id str - External ID to set for assume role creds. Supply it when the target role's trust policy conditions on `sts:ExternalId`; the external ID is the standard mitigation for the confused-deputy problem when a role is assumed across accounts. Valid only when `credential_type` is set to `assumed_role`
. - iam_
groups Sequence[str] - A list of IAM group names. IAM users generated
against this vault role will be added to these IAM Groups. For a credential
type of
assumed_role
orfederation_token
, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups`
combined with thepolicy_document
andpolicy_arns
parameters. - Mapping[str, str]
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- max_
sts_ intttl - The max allowed TTL in seconds for STS credentials
(credentials TTL are capped to
max_sts_ttl
). Valid only whencredential_type
is one ofassumed_role
orfederation_token
. - name str
- The name to identify this role within the backend. Must be unique within the backend.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - permissions_
boundary_arn str - The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached, and the generated user's effective permissions are exactly what `policy_document`, `policy_arns` and `iam_groups` grant; attaching a boundary caps those grants and is the recommended guardrail when any of them is broad. - policy_
arns Sequence[str] - Specifies a list of AWS managed policy ARNs. The
behavior depends on the credential type. With
iam_user
, the policies will be attached to IAM users when they are requested. Withassumed_role
andfederation_token
, the policy ARNs will act as a filter on what the credentials can do, similar topolicy_document
. Whencredential_type
isiam_user
orfederation_token
, at least one ofpolicy_document
orpolicy_arns
must be specified. - policy_
document str - The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has — here it grants permissions outright, so scope its actions and resources to the minimum the consumer needs rather than using wildcards. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do (a session policy that can only narrow, never extend, the permissions of the underlying role or credentials), similar to `policy_arns`
. - role_
arns Sequence[str] - Specifies the ARNs of the AWS roles this Vault role is allowed to assume; this is the allow-list of roles a consumer of the Vault role can obtain credentials for, so keep it to the roles actually needed. Each listed role's trust policy must permit the backend's AWS credentials to assume it. Required when `credential_type` is `assumed_role` and prohibited otherwise. - Mapping[str, str]
- A map of strings representing key/value pairs to be set
during assume role creds creation. Valid only when
credential_type
is set toassumed_role
. - user_
path str - The path for the user name. Valid only when
credential_type
isiam_user
. Default is/
.
- backend String
- The path the AWS secret backend is mounted at,
with no leading or trailing
/
s. - credential
Type String - Specifies the type of credential to be used when
retrieving credentials from the role. Must be one of
iam_user
,assumed_role
, orfederation_token
. - default
Sts NumberTtl - The default TTL in seconds for STS credentials.
When a TTL is not specified when STS credentials are requested,
and a default TTL is specified on the role,
then this default TTL will be used. Valid only when
credential_type
is one ofassumed_role
orfederation_token
. - external
Id String - External ID to set for assume role creds. Supply it when the target role's trust policy conditions on `sts:ExternalId`; the external ID is the standard mitigation for the confused-deputy problem when a role is assumed across accounts. Valid only when `credential_type` is set to `assumed_role`
. - iam
Groups List<String> - A list of IAM group names. IAM users generated
against this vault role will be added to these IAM Groups. For a credential
type of
assumed_role
orfederation_token
, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederationToken) will be the policies from each group in `iam_groups`
combined with thepolicy_document
andpolicy_arns
parameters. - Map<String>
- A map of strings representing key/value pairs to be used as tags for any IAM user that is created by this role.
- max
Sts NumberTtl - The max allowed TTL in seconds for STS credentials
(credentials TTL are capped to
max_sts_ttl
). Valid only whencredential_type
is one ofassumed_role
orfederation_token
. - name String
- The name to identify this role within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - permissions
BoundaryArn String - The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached, and the generated user's effective permissions are exactly what `policy_document`, `policy_arns` and `iam_groups` grant; attaching a boundary caps those grants and is the recommended guardrail when any of them is broad. - policy
Arns List<String> - Specifies a list of AWS managed policy ARNs. The
behavior depends on the credential type. With
iam_user
, the policies will be attached to IAM users when they are requested. Withassumed_role
andfederation_token
, the policy ARNs will act as a filter on what the credentials can do, similar topolicy_document
. Whencredential_type
isiam_user
orfederation_token
, at least one ofpolicy_document
orpolicy_arns
must be specified. - policy
Document String - The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has — here it grants permissions outright, so scope its actions and resources to the minimum the consumer needs rather than using wildcards. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do (a session policy that can only narrow, never extend, the permissions of the underlying role or credentials), similar to `policy_arns`
. - role
Arns List<String> - Specifies the ARNs of the AWS roles this Vault role is allowed to assume; this is the allow-list of roles a consumer of the Vault role can obtain credentials for, so keep it to the roles actually needed. Each listed role's trust policy must permit the backend's AWS credentials to assume it. Required when `credential_type` is `assumed_role` and prohibited otherwise. - Map<String>
- A map of strings representing key/value pairs to be set
during assume role creds creation. Valid only when
credential_type
is set toassumed_role
. - user
Path String - The path for the user name. Valid only when
credential_type
isiam_user
. Default is/
.
Import
AWS secret backend roles can be imported using the role's path within the mount, `<backend>/roles/<name>`, e.g.
$ pulumi import vault:aws/secretBackendRole:SecretBackendRole role aws/roles/deploy
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vault
Terraform Provider.