HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi
vault.kubernetes.getServiceAccountToken
Explore with Pulumi AI
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const config = new vault.kubernetes.SecretBackend("config", {
path: "kubernetes",
description: "kubernetes secrets engine description",
kubernetesHost: "https://127.0.0.1:61233",
kubernetesCaCert: std.file({
input: "/path/to/cert",
}).then(invoke => invoke.result),
serviceAccountJwt: std.file({
input: "/path/to/token",
}).then(invoke => invoke.result),
disableLocalCaJwt: false,
});
const role = new vault.kubernetes.SecretBackendRole("role", {
backend: config.path,
name: "service-account-name-role",
allowedKubernetesNamespaces: ["*"],
tokenMaxTtl: 43200,
tokenDefaultTtl: 21600,
serviceAccountName: "test-service-account-with-generated-token",
extraLabels: {
id: "abc123",
name: "some_name",
},
extraAnnotations: {
env: "development",
location: "earth",
},
});
const token = vault.kubernetes.getServiceAccountTokenOutput({
backend: config.path,
role: role.name,
kubernetesNamespace: "test",
clusterRoleBinding: false,
ttl: "1h",
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
config = vault.kubernetes.SecretBackend("config",
path="kubernetes",
description="kubernetes secrets engine description",
kubernetes_host="https://127.0.0.1:61233",
kubernetes_ca_cert=std.file(input="/path/to/cert").result,
service_account_jwt=std.file(input="/path/to/token").result,
disable_local_ca_jwt=False)
role = vault.kubernetes.SecretBackendRole("role",
backend=config.path,
name="service-account-name-role",
allowed_kubernetes_namespaces=["*"],
token_max_ttl=43200,
token_default_ttl=21600,
service_account_name="test-service-account-with-generated-token",
extra_labels={
"id": "abc123",
"name": "some_name",
},
extra_annotations={
"env": "development",
"location": "earth",
})
token = vault.kubernetes.get_service_account_token_output(backend=config.path,
role=role.name,
kubernetes_namespace="test",
cluster_role_binding=False,
ttl="1h")
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/cert",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/token",
}, nil)
if err != nil {
return err
}
config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
Path: pulumi.String("kubernetes"),
Description: pulumi.String("kubernetes secrets engine description"),
KubernetesHost: pulumi.String("https://127.0.0.1:61233"),
KubernetesCaCert: pulumi.String(invokeFile.Result),
ServiceAccountJwt: pulumi.String(invokeFile1.Result),
DisableLocalCaJwt: pulumi.Bool(false),
})
if err != nil {
return err
}
role, err := kubernetes.NewSecretBackendRole(ctx, "role", &kubernetes.SecretBackendRoleArgs{
Backend: config.Path,
Name: pulumi.String("service-account-name-role"),
AllowedKubernetesNamespaces: pulumi.StringArray{
pulumi.String("*"),
},
TokenMaxTtl: pulumi.Int(43200),
TokenDefaultTtl: pulumi.Int(21600),
ServiceAccountName: pulumi.String("test-service-account-with-generated-token"),
ExtraLabels: pulumi.StringMap{
"id": pulumi.String("abc123"),
"name": pulumi.String("some_name"),
},
ExtraAnnotations: pulumi.StringMap{
"env": pulumi.String("development"),
"location": pulumi.String("earth"),
},
})
if err != nil {
return err
}
_ = kubernetes.GetServiceAccountTokenOutput(ctx, kubernetes.GetServiceAccountTokenOutputArgs{
Backend: config.Path,
Role: role.Name,
KubernetesNamespace: pulumi.String("test"),
ClusterRoleBinding: pulumi.Bool(false),
Ttl: pulumi.String("1h"),
}, nil)
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var config = new Vault.Kubernetes.SecretBackend("config", new()
{
Path = "kubernetes",
Description = "kubernetes secrets engine description",
KubernetesHost = "https://127.0.0.1:61233",
KubernetesCaCert = Std.File.Invoke(new()
{
Input = "/path/to/cert",
}).Apply(invoke => invoke.Result),
ServiceAccountJwt = Std.File.Invoke(new()
{
Input = "/path/to/token",
}).Apply(invoke => invoke.Result),
DisableLocalCaJwt = false,
});
var role = new Vault.Kubernetes.SecretBackendRole("role", new()
{
Backend = config.Path,
Name = "service-account-name-role",
AllowedKubernetesNamespaces = new[]
{
"*",
},
TokenMaxTtl = 43200,
TokenDefaultTtl = 21600,
ServiceAccountName = "test-service-account-with-generated-token",
ExtraLabels =
{
{ "id", "abc123" },
{ "name", "some_name" },
},
ExtraAnnotations =
{
{ "env", "development" },
{ "location", "earth" },
},
});
var token = Vault.Kubernetes.GetServiceAccountToken.Invoke(new()
{
Backend = config.Path,
Role = role.Name,
KubernetesNamespace = "test",
ClusterRoleBinding = false,
Ttl = "1h",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import com.pulumi.vault.kubernetes.KubernetesFunctions;
import com.pulumi.vault.kubernetes.inputs.GetServiceAccountTokenArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var config = new SecretBackend("config", SecretBackendArgs.builder()
.path("kubernetes")
.description("kubernetes secrets engine description")
.kubernetesHost("https://127.0.0.1:61233")
.kubernetesCaCert(StdFunctions.file(FileArgs.builder()
.input("/path/to/cert")
.build()).result())
.serviceAccountJwt(StdFunctions.file(FileArgs.builder()
.input("/path/to/token")
.build()).result())
.disableLocalCaJwt(false)
.build());
var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
.backend(config.path())
.name("service-account-name-role")
.allowedKubernetesNamespaces("*")
.tokenMaxTtl(43200)
.tokenDefaultTtl(21600)
.serviceAccountName("test-service-account-with-generated-token")
.extraLabels(Map.ofEntries(
Map.entry("id", "abc123"),
Map.entry("name", "some_name")
))
.extraAnnotations(Map.ofEntries(
Map.entry("env", "development"),
Map.entry("location", "earth")
))
.build());
final var token = KubernetesFunctions.getServiceAccountToken(GetServiceAccountTokenArgs.builder()
.backend(config.path())
.role(role.name())
.kubernetesNamespace("test")
.clusterRoleBinding(false)
.ttl("1h")
.build());
}
}
resources:
config:
type: vault:kubernetes:SecretBackend
properties:
path: kubernetes
description: kubernetes secrets engine description
kubernetesHost: https://127.0.0.1:61233
kubernetesCaCert:
fn::invoke:
Function: std:file
Arguments:
input: /path/to/cert
Return: result
serviceAccountJwt:
fn::invoke:
Function: std:file
Arguments:
input: /path/to/token
Return: result
disableLocalCaJwt: false
role:
type: vault:kubernetes:SecretBackendRole
properties:
backend: ${config.path}
name: service-account-name-role
allowedKubernetesNamespaces:
- '*'
tokenMaxTtl: 43200
tokenDefaultTtl: 21600
serviceAccountName: test-service-account-with-generated-token
extraLabels:
id: abc123
name: some_name
extraAnnotations:
env: development
location: earth
variables:
token:
fn::invoke:
Function: vault:kubernetes:getServiceAccountToken
Arguments:
backend: ${config.path}
role: ${role.name}
kubernetesNamespace: test
clusterRoleBinding: false
ttl: 1h
Using getServiceAccountToken
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getServiceAccountToken(args: GetServiceAccountTokenArgs, opts?: InvokeOptions): Promise<GetServiceAccountTokenResult>
function getServiceAccountTokenOutput(args: GetServiceAccountTokenOutputArgs, opts?: InvokeOptions): Output<GetServiceAccountTokenResult>
def get_service_account_token(backend: Optional[str] = None,
cluster_role_binding: Optional[bool] = None,
kubernetes_namespace: Optional[str] = None,
namespace: Optional[str] = None,
role: Optional[str] = None,
ttl: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetServiceAccountTokenResult
def get_service_account_token_output(backend: Optional[pulumi.Input[str]] = None,
cluster_role_binding: Optional[pulumi.Input[bool]] = None,
kubernetes_namespace: Optional[pulumi.Input[str]] = None,
namespace: Optional[pulumi.Input[str]] = None,
role: Optional[pulumi.Input[str]] = None,
ttl: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetServiceAccountTokenResult]
func GetServiceAccountToken(ctx *Context, args *GetServiceAccountTokenArgs, opts ...InvokeOption) (*GetServiceAccountTokenResult, error)
func GetServiceAccountTokenOutput(ctx *Context, args *GetServiceAccountTokenOutputArgs, opts ...InvokeOption) GetServiceAccountTokenResultOutput
> Note: This function is named GetServiceAccountToken
in the Go SDK.
public static class GetServiceAccountToken
{
public static Task<GetServiceAccountTokenResult> InvokeAsync(GetServiceAccountTokenArgs args, InvokeOptions? opts = null)
public static Output<GetServiceAccountTokenResult> Invoke(GetServiceAccountTokenInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetServiceAccountTokenResult> getServiceAccountToken(GetServiceAccountTokenArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: vault:kubernetes/getServiceAccountToken:getServiceAccountToken
arguments:
# arguments dictionary
The following arguments are supported:
- Backend string
- The Kubernetes secret backend to generate service account tokens from.
- Kubernetes
Namespace string - The name of the Kubernetes namespace in which to generate the credentials.
- Role string
- The name of the Kubernetes secret backend role to generate service account tokens from.
- Cluster
Role boolBinding - If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Ttl string
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
- Backend string
- The Kubernetes secret backend to generate service account tokens from.
- Kubernetes
Namespace string - The name of the Kubernetes namespace in which to generate the credentials.
- Role string
- The name of the Kubernetes secret backend role to generate service account tokens from.
- Cluster
Role boolBinding - If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Ttl string
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
- backend String
- The Kubernetes secret backend to generate service account tokens from.
- kubernetes
Namespace String - The name of the Kubernetes namespace in which to generate the credentials.
- role String
- The name of the Kubernetes secret backend role to generate service account tokens from.
- cluster
Role BooleanBinding - If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ttl String
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
- backend string
- The Kubernetes secret backend to generate service account tokens from.
- kubernetes
Namespace string - The name of the Kubernetes namespace in which to generate the credentials.
- role string
- The name of the Kubernetes secret backend role to generate service account tokens from.
- cluster
Role booleanBinding - If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ttl string
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
- backend str
- The Kubernetes secret backend to generate service account tokens from.
- kubernetes_
namespace str - The name of the Kubernetes namespace in which to generate the credentials.
- role str
- The name of the Kubernetes secret backend role to generate service account tokens from.
- cluster_
role_ boolbinding - If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- namespace str
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ttl str
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
- backend String
- The Kubernetes secret backend to generate service account tokens from.
- kubernetes
Namespace String - The name of the Kubernetes namespace in which to generate the credentials.
- role String
- The name of the Kubernetes secret backend role to generate service account tokens from.
- cluster
Role BooleanBinding - If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ttl String
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
getServiceAccountToken Result
The following output properties are available:
- Backend string
- Id string
- The provider-assigned unique ID for this managed resource.
- Kubernetes
Namespace string - Lease
Duration int - The duration of the lease in seconds.
- Lease
Id string - The lease identifier assigned by Vault.
- Lease
Renewable bool - True if the duration of this lease can be extended through renewal.
- Role string
- Service
Account stringName - The name of the service account associated with the token.
- Service
Account stringNamespace - The Kubernetes namespace that the service account resides in.
- Service
Account stringToken - The Kubernetes service account token.
- Cluster
Role boolBinding - Namespace string
- Ttl string
- Backend string
- Id string
- The provider-assigned unique ID for this managed resource.
- Kubernetes
Namespace string - Lease
Duration int - The duration of the lease in seconds.
- Lease
Id string - The lease identifier assigned by Vault.
- Lease
Renewable bool - True if the duration of this lease can be extended through renewal.
- Role string
- Service
Account stringName - The name of the service account associated with the token.
- Service
Account stringNamespace - The Kubernetes namespace that the service account resides in.
- Service
Account stringToken - The Kubernetes service account token.
- Cluster
Role boolBinding - Namespace string
- Ttl string
- backend String
- id String
- The provider-assigned unique ID for this managed resource.
- kubernetes
Namespace String - lease
Duration Integer - The duration of the lease in seconds.
- lease
Id String - The lease identifier assigned by Vault.
- lease
Renewable Boolean - True if the duration of this lease can be extended through renewal.
- role String
- service
Account StringName - The name of the service account associated with the token.
- service
Account StringNamespace - The Kubernetes namespace that the service account resides in.
- service
Account StringToken - The Kubernetes service account token.
- cluster
Role BooleanBinding - namespace String
- ttl String
- backend string
- id string
- The provider-assigned unique ID for this managed resource.
- kubernetes
Namespace string - lease
Duration number - The duration of the lease in seconds.
- lease
Id string - The lease identifier assigned by Vault.
- lease
Renewable boolean - True if the duration of this lease can be extended through renewal.
- role string
- service
Account stringName - The name of the service account associated with the token.
- service
Account stringNamespace - The Kubernetes namespace that the service account resides in.
- service
Account stringToken - The Kubernetes service account token.
- cluster
Role booleanBinding - namespace string
- ttl string
- backend str
- id str
- The provider-assigned unique ID for this managed resource.
- kubernetes_
namespace str - lease_
duration int - The duration of the lease in seconds.
- lease_
id str - The lease identifier assigned by Vault.
- lease_
renewable bool - True if the duration of this lease can be extended through renewal.
- role str
- service_
account_ strname - The name of the service account associated with the token.
- service_
account_ strnamespace - The Kubernetes namespace that the service account resides in.
- service_
account_ strtoken - The Kubernetes service account token.
- cluster_
role_ boolbinding - namespace str
- ttl str
- backend String
- id String
- The provider-assigned unique ID for this managed resource.
- kubernetes
Namespace String - lease
Duration Number - The duration of the lease in seconds.
- lease
Id String - The lease identifier assigned by Vault.
- lease
Renewable Boolean - True if the duration of this lease can be extended through renewal.
- role String
- service
Account StringName - The name of the service account associated with the token.
- service
Account StringNamespace - The Kubernetes namespace that the service account resides in.
- service
Account StringToken - The Kubernetes service account token.
- cluster
Role BooleanBinding - namespace String
- ttl String
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vault
Terraform Provider.