1. Packages
  2. Pulumi Vault Provider
  3. API Docs
  4. kubernetes
  5. SecretBackend
HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi

vault.kubernetes.SecretBackend

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as std from "@pulumi/std";
    import * as vault from "@pulumi/vault";
    
    const config = new vault.kubernetes.SecretBackend("config", {
        path: "kubernetes",
        description: "kubernetes secrets engine description",
        defaultLeaseTtlSeconds: 43200,
        maxLeaseTtlSeconds: 86400,
        kubernetesHost: "https://127.0.0.1:61233",
        kubernetesCaCert: std.file({
            input: "/path/to/cert",
        }).then(invoke => invoke.result),
        serviceAccountJwt: std.file({
            input: "/path/to/token",
        }).then(invoke => invoke.result),
        disableLocalCaJwt: false,
    });
    
    import pulumi
    import pulumi_std as std
    import pulumi_vault as vault
    
    config = vault.kubernetes.SecretBackend("config",
        path="kubernetes",
        description="kubernetes secrets engine description",
        default_lease_ttl_seconds=43200,
        max_lease_ttl_seconds=86400,
        kubernetes_host="https://127.0.0.1:61233",
        kubernetes_ca_cert=std.file(input="/path/to/cert").result,
        service_account_jwt=std.file(input="/path/to/token").result,
        disable_local_ca_jwt=False)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "/path/to/cert",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		invokeFile1, err := std.File(ctx, &std.FileArgs{
    			Input: "/path/to/token",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
    			Path:                   pulumi.String("kubernetes"),
    			Description:            pulumi.String("kubernetes secrets engine description"),
    			DefaultLeaseTtlSeconds: pulumi.Int(43200),
    			MaxLeaseTtlSeconds:     pulumi.Int(86400),
    			KubernetesHost:         pulumi.String("https://127.0.0.1:61233"),
    			KubernetesCaCert:       pulumi.String(invokeFile.Result),
    			ServiceAccountJwt:      pulumi.String(invokeFile1.Result),
    			DisableLocalCaJwt:      pulumi.Bool(false),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Std = Pulumi.Std;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var config = new Vault.Kubernetes.SecretBackend("config", new()
        {
            Path = "kubernetes",
            Description = "kubernetes secrets engine description",
            DefaultLeaseTtlSeconds = 43200,
            MaxLeaseTtlSeconds = 86400,
            KubernetesHost = "https://127.0.0.1:61233",
            KubernetesCaCert = Std.File.Invoke(new()
            {
                Input = "/path/to/cert",
            }).Apply(invoke => invoke.Result),
            ServiceAccountJwt = Std.File.Invoke(new()
            {
                Input = "/path/to/token",
            }).Apply(invoke => invoke.Result),
            DisableLocalCaJwt = false,
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.kubernetes.SecretBackend;
    import com.pulumi.vault.kubernetes.SecretBackendArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var config = new SecretBackend("config", SecretBackendArgs.builder()
                .path("kubernetes")
                .description("kubernetes secrets engine description")
                .defaultLeaseTtlSeconds(43200)
                .maxLeaseTtlSeconds(86400)
                .kubernetesHost("https://127.0.0.1:61233")
                .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
                    .input("/path/to/cert")
                    .build()).result())
                .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
                    .input("/path/to/token")
                    .build()).result())
                .disableLocalCaJwt(false)
                .build());
    
        }
    }
    
    resources:
      config:
        type: vault:kubernetes:SecretBackend
        properties:
          path: kubernetes
          description: kubernetes secrets engine description
          defaultLeaseTtlSeconds: 43200
          maxLeaseTtlSeconds: 86400
          kubernetesHost: https://127.0.0.1:61233
          kubernetesCaCert:
            fn::invoke:
              Function: std:file
              Arguments:
                input: /path/to/cert
              Return: result
          serviceAccountJwt:
            fn::invoke:
              Function: std:file
              Arguments:
                input: /path/to/token
              Return: result
          disableLocalCaJwt: false
    

    Create SecretBackend Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new SecretBackend(name: string, args: SecretBackendArgs, opts?: CustomResourceOptions);
    @overload
    def SecretBackend(resource_name: str,
                      args: SecretBackendArgs,
                      opts: Optional[ResourceOptions] = None)
    
    @overload
    def SecretBackend(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      path: Optional[str] = None,
                      kubernetes_ca_cert: Optional[str] = None,
                      delegated_auth_accessors: Optional[Sequence[str]] = None,
                      kubernetes_host: Optional[str] = None,
                      local: Optional[bool] = None,
                      listing_visibility: Optional[str] = None,
                      description: Optional[str] = None,
                      disable_local_ca_jwt: Optional[bool] = None,
                      external_entropy_access: Optional[bool] = None,
                      identity_token_key: Optional[str] = None,
                      allowed_managed_keys: Optional[Sequence[str]] = None,
                      audit_non_hmac_response_keys: Optional[Sequence[str]] = None,
                      audit_non_hmac_request_keys: Optional[Sequence[str]] = None,
                      default_lease_ttl_seconds: Optional[int] = None,
                      max_lease_ttl_seconds: Optional[int] = None,
                      namespace: Optional[str] = None,
                      options: Optional[Mapping[str, str]] = None,
                      passthrough_request_headers: Optional[Sequence[str]] = None,
                      allowed_response_headers: Optional[Sequence[str]] = None,
                      plugin_version: Optional[str] = None,
                      seal_wrap: Optional[bool] = None,
                      service_account_jwt: Optional[str] = None)
    func NewSecretBackend(ctx *Context, name string, args SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)
    public SecretBackend(string name, SecretBackendArgs args, CustomResourceOptions? opts = null)
    public SecretBackend(String name, SecretBackendArgs args)
    public SecretBackend(String name, SecretBackendArgs args, CustomResourceOptions options)
    
    type: vault:kubernetes:SecretBackend
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var examplesecretBackendResourceResourceFromKubernetessecretBackend = new Vault.Kubernetes.SecretBackend("examplesecretBackendResourceResourceFromKubernetessecretBackend", new()
    {
        Path = "string",
        KubernetesCaCert = "string",
        DelegatedAuthAccessors = new[]
        {
            "string",
        },
        KubernetesHost = "string",
        Local = false,
        ListingVisibility = "string",
        Description = "string",
        DisableLocalCaJwt = false,
        ExternalEntropyAccess = false,
        IdentityTokenKey = "string",
        AllowedManagedKeys = new[]
        {
            "string",
        },
        AuditNonHmacResponseKeys = new[]
        {
            "string",
        },
        AuditNonHmacRequestKeys = new[]
        {
            "string",
        },
        DefaultLeaseTtlSeconds = 0,
        MaxLeaseTtlSeconds = 0,
        Namespace = "string",
        Options = 
        {
            { "string", "string" },
        },
        PassthroughRequestHeaders = new[]
        {
            "string",
        },
        AllowedResponseHeaders = new[]
        {
            "string",
        },
        PluginVersion = "string",
        SealWrap = false,
        ServiceAccountJwt = "string",
    });
    
    example, err := kubernetes.NewSecretBackend(ctx, "examplesecretBackendResourceResourceFromKubernetessecretBackend", &kubernetes.SecretBackendArgs{
    	Path:             pulumi.String("string"),
    	KubernetesCaCert: pulumi.String("string"),
    	DelegatedAuthAccessors: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	KubernetesHost:        pulumi.String("string"),
    	Local:                 pulumi.Bool(false),
    	ListingVisibility:     pulumi.String("string"),
    	Description:           pulumi.String("string"),
    	DisableLocalCaJwt:     pulumi.Bool(false),
    	ExternalEntropyAccess: pulumi.Bool(false),
    	IdentityTokenKey:      pulumi.String("string"),
    	AllowedManagedKeys: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AuditNonHmacResponseKeys: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AuditNonHmacRequestKeys: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	DefaultLeaseTtlSeconds: pulumi.Int(0),
    	MaxLeaseTtlSeconds:     pulumi.Int(0),
    	Namespace:              pulumi.String("string"),
    	Options: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	PassthroughRequestHeaders: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AllowedResponseHeaders: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	PluginVersion:     pulumi.String("string"),
    	SealWrap:          pulumi.Bool(false),
    	ServiceAccountJwt: pulumi.String("string"),
    })
    
    var examplesecretBackendResourceResourceFromKubernetessecretBackend = new SecretBackend("examplesecretBackendResourceResourceFromKubernetessecretBackend", SecretBackendArgs.builder()
        .path("string")
        .kubernetesCaCert("string")
        .delegatedAuthAccessors("string")
        .kubernetesHost("string")
        .local(false)
        .listingVisibility("string")
        .description("string")
        .disableLocalCaJwt(false)
        .externalEntropyAccess(false)
        .identityTokenKey("string")
        .allowedManagedKeys("string")
        .auditNonHmacResponseKeys("string")
        .auditNonHmacRequestKeys("string")
        .defaultLeaseTtlSeconds(0)
        .maxLeaseTtlSeconds(0)
        .namespace("string")
        .options(Map.of("string", "string"))
        .passthroughRequestHeaders("string")
        .allowedResponseHeaders("string")
        .pluginVersion("string")
        .sealWrap(false)
        .serviceAccountJwt("string")
        .build());
    
    examplesecret_backend_resource_resource_from_kubernetessecret_backend = vault.kubernetes.SecretBackend("examplesecretBackendResourceResourceFromKubernetessecretBackend",
        path="string",
        kubernetes_ca_cert="string",
        delegated_auth_accessors=["string"],
        kubernetes_host="string",
        local=False,
        listing_visibility="string",
        description="string",
        disable_local_ca_jwt=False,
        external_entropy_access=False,
        identity_token_key="string",
        allowed_managed_keys=["string"],
        audit_non_hmac_response_keys=["string"],
        audit_non_hmac_request_keys=["string"],
        default_lease_ttl_seconds=0,
        max_lease_ttl_seconds=0,
        namespace="string",
        options={
            "string": "string",
        },
        passthrough_request_headers=["string"],
        allowed_response_headers=["string"],
        plugin_version="string",
        seal_wrap=False,
        service_account_jwt="string")
    
    const examplesecretBackendResourceResourceFromKubernetessecretBackend = new vault.kubernetes.SecretBackend("examplesecretBackendResourceResourceFromKubernetessecretBackend", {
        path: "string",
        kubernetesCaCert: "string",
        delegatedAuthAccessors: ["string"],
        kubernetesHost: "string",
        local: false,
        listingVisibility: "string",
        description: "string",
        disableLocalCaJwt: false,
        externalEntropyAccess: false,
        identityTokenKey: "string",
        allowedManagedKeys: ["string"],
        auditNonHmacResponseKeys: ["string"],
        auditNonHmacRequestKeys: ["string"],
        defaultLeaseTtlSeconds: 0,
        maxLeaseTtlSeconds: 0,
        namespace: "string",
        options: {
            string: "string",
        },
        passthroughRequestHeaders: ["string"],
        allowedResponseHeaders: ["string"],
        pluginVersion: "string",
        sealWrap: false,
        serviceAccountJwt: "string",
    });
    
    type: vault:kubernetes:SecretBackend
    properties:
        allowedManagedKeys:
            - string
        allowedResponseHeaders:
            - string
        auditNonHmacRequestKeys:
            - string
        auditNonHmacResponseKeys:
            - string
        defaultLeaseTtlSeconds: 0
        delegatedAuthAccessors:
            - string
        description: string
        disableLocalCaJwt: false
        externalEntropyAccess: false
        identityTokenKey: string
        kubernetesCaCert: string
        kubernetesHost: string
        listingVisibility: string
        local: false
        maxLeaseTtlSeconds: 0
        namespace: string
        options:
            string: string
        passthroughRequestHeaders:
            - string
        path: string
        pluginVersion: string
        sealWrap: false
        serviceAccountJwt: string
    

    SecretBackend Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The SecretBackend resource accepts the following input properties:

    Path string
    Where the secret backend will be mounted
    AllowedManagedKeys List<string>
    List of managed key registry entry names that the mount in question is allowed to access
    AllowedResponseHeaders List<string>
    List of headers to allow and pass from the request to the plugin
    AuditNonHmacRequestKeys List<string>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    AuditNonHmacResponseKeys List<string>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    DefaultLeaseTtlSeconds int
    Default lease duration for tokens and secrets in seconds
    DelegatedAuthAccessors List<string>
    List of headers to allow and pass from the request to the plugin
    Description string
    Human-friendly description of the mount
    DisableLocalCaJwt bool
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    ExternalEntropyAccess bool
    Enable the secrets engine to access Vault's external entropy source
    IdentityTokenKey string
    The key to use for signing plugin workload identity tokens
    KubernetesCaCert string
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    KubernetesHost string
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    ListingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    Local bool
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for tokens and secrets in seconds
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options Dictionary<string, string>
    Specifies mount type specific options that are passed to the backend
    PassthroughRequestHeaders List<string>
    List of headers to allow and pass from the request to the plugin
    PluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    SealWrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    ServiceAccountJwt string
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
    Path string
    Where the secret backend will be mounted
    AllowedManagedKeys []string
    List of managed key registry entry names that the mount in question is allowed to access
    AllowedResponseHeaders []string
    List of headers to allow and pass from the request to the plugin
    AuditNonHmacRequestKeys []string
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    AuditNonHmacResponseKeys []string
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    DefaultLeaseTtlSeconds int
    Default lease duration for tokens and secrets in seconds
    DelegatedAuthAccessors []string
    List of headers to allow and pass from the request to the plugin
    Description string
    Human-friendly description of the mount
    DisableLocalCaJwt bool
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    ExternalEntropyAccess bool
    Enable the secrets engine to access Vault's external entropy source
    IdentityTokenKey string
    The key to use for signing plugin workload identity tokens
    KubernetesCaCert string
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    KubernetesHost string
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    ListingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    Local bool
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for tokens and secrets in seconds
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options map[string]string
    Specifies mount type specific options that are passed to the backend
    PassthroughRequestHeaders []string
    List of headers to allow and pass from the request to the plugin
    PluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    SealWrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    ServiceAccountJwt string
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
    path String
    Where the secret backend will be mounted
    allowedManagedKeys List<String>
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    defaultLeaseTtlSeconds Integer
    Default lease duration for tokens and secrets in seconds
    delegatedAuthAccessors List<String>
    List of headers to allow and pass from the request to the plugin
    description String
    Human-friendly description of the mount
    disableLocalCaJwt Boolean
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    externalEntropyAccess Boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey String
    The key to use for signing plugin workload identity tokens
    kubernetesCaCert String
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    kubernetesHost String
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    listingVisibility String
    Specifies whether to show this mount in the UI-specific listing endpoint
    local Boolean
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    maxLeaseTtlSeconds Integer
    Maximum possible lease duration for tokens and secrets in seconds
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<String,String>
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    pluginVersion String
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    sealWrap Boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    serviceAccountJwt String
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
    path string
    Where the secret backend will be mounted
    allowedManagedKeys string[]
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders string[]
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys string[]
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys string[]
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    defaultLeaseTtlSeconds number
    Default lease duration for tokens and secrets in seconds
    delegatedAuthAccessors string[]
    List of headers to allow and pass from the request to the plugin
    description string
    Human-friendly description of the mount
    disableLocalCaJwt boolean
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    externalEntropyAccess boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey string
    The key to use for signing plugin workload identity tokens
    kubernetesCaCert string
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    kubernetesHost string
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    listingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    local boolean
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    maxLeaseTtlSeconds number
    Maximum possible lease duration for tokens and secrets in seconds
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options {[key: string]: string}
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders string[]
    List of headers to allow and pass from the request to the plugin
    pluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    sealWrap boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    serviceAccountJwt string
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
    path str
    Where the secret backend will be mounted
    allowed_managed_keys Sequence[str]
    List of managed key registry entry names that the mount in question is allowed to access
    allowed_response_headers Sequence[str]
    List of headers to allow and pass from the request to the plugin
    audit_non_hmac_request_keys Sequence[str]
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    audit_non_hmac_response_keys Sequence[str]
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    default_lease_ttl_seconds int
    Default lease duration for tokens and secrets in seconds
    delegated_auth_accessors Sequence[str]
    List of headers to allow and pass from the request to the plugin
    description str
    Human-friendly description of the mount
    disable_local_ca_jwt bool
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    external_entropy_access bool
    Enable the secrets engine to access Vault's external entropy source
    identity_token_key str
    The key to use for signing plugin workload identity tokens
    kubernetes_ca_cert str
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    kubernetes_host str
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    listing_visibility str
    Specifies whether to show this mount in the UI-specific listing endpoint
    local bool
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    max_lease_ttl_seconds int
    Maximum possible lease duration for tokens and secrets in seconds
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Mapping[str, str]
    Specifies mount type specific options that are passed to the backend
    passthrough_request_headers Sequence[str]
    List of headers to allow and pass from the request to the plugin
    plugin_version str
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    seal_wrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    service_account_jwt str
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
    path String
    Where the secret backend will be mounted
    allowedManagedKeys List<String>
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    defaultLeaseTtlSeconds Number
    Default lease duration for tokens and secrets in seconds
    delegatedAuthAccessors List<String>
    List of headers to allow and pass from the request to the plugin
    description String
    Human-friendly description of the mount
    disableLocalCaJwt Boolean
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    externalEntropyAccess Boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey String
    The key to use for signing plugin workload identity tokens
    kubernetesCaCert String
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    kubernetesHost String
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    listingVisibility String
    Specifies whether to show this mount in the UI-specific listing endpoint
    local Boolean
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    maxLeaseTtlSeconds Number
    Maximum possible lease duration for tokens and secrets in seconds
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<String>
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    pluginVersion String
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    sealWrap Boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    serviceAccountJwt String
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:

    Accessor string
    Accessor of the mount
    Id string
    The provider-assigned unique ID for this managed resource.
    Accessor string
    Accessor of the mount
    Id string
    The provider-assigned unique ID for this managed resource.
    accessor String
    Accessor of the mount
    id String
    The provider-assigned unique ID for this managed resource.
    accessor string
    Accessor of the mount
    id string
    The provider-assigned unique ID for this managed resource.
    accessor str
    Accessor of the mount
    id str
    The provider-assigned unique ID for this managed resource.
    accessor String
    Accessor of the mount
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing SecretBackend Resource

    Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            accessor: Optional[str] = None,
            allowed_managed_keys: Optional[Sequence[str]] = None,
            allowed_response_headers: Optional[Sequence[str]] = None,
            audit_non_hmac_request_keys: Optional[Sequence[str]] = None,
            audit_non_hmac_response_keys: Optional[Sequence[str]] = None,
            default_lease_ttl_seconds: Optional[int] = None,
            delegated_auth_accessors: Optional[Sequence[str]] = None,
            description: Optional[str] = None,
            disable_local_ca_jwt: Optional[bool] = None,
            external_entropy_access: Optional[bool] = None,
            identity_token_key: Optional[str] = None,
            kubernetes_ca_cert: Optional[str] = None,
            kubernetes_host: Optional[str] = None,
            listing_visibility: Optional[str] = None,
            local: Optional[bool] = None,
            max_lease_ttl_seconds: Optional[int] = None,
            namespace: Optional[str] = None,
            options: Optional[Mapping[str, str]] = None,
            passthrough_request_headers: Optional[Sequence[str]] = None,
            path: Optional[str] = None,
            plugin_version: Optional[str] = None,
            seal_wrap: Optional[bool] = None,
            service_account_jwt: Optional[str] = None) -> SecretBackend
    func GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)
    public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)
    public static SecretBackend get(String name, Output<String> id, SecretBackendState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Accessor string
    Accessor of the mount
    AllowedManagedKeys List<string>
    List of managed key registry entry names that the mount in question is allowed to access
    AllowedResponseHeaders List<string>
    List of headers to allow and pass from the request to the plugin
    AuditNonHmacRequestKeys List<string>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    AuditNonHmacResponseKeys List<string>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    DefaultLeaseTtlSeconds int
    Default lease duration for tokens and secrets in seconds
    DelegatedAuthAccessors List<string>
    List of headers to allow and pass from the request to the plugin
    Description string
    Human-friendly description of the mount
    DisableLocalCaJwt bool
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    ExternalEntropyAccess bool
    Enable the secrets engine to access Vault's external entropy source
    IdentityTokenKey string
    The key to use for signing plugin workload identity tokens
    KubernetesCaCert string
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    KubernetesHost string
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    ListingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    Local bool
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for tokens and secrets in seconds
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options Dictionary<string, string>
    Specifies mount type specific options that are passed to the backend
    PassthroughRequestHeaders List<string>
    List of headers to allow and pass from the request to the plugin
    Path string
    Where the secret backend will be mounted
    PluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    SealWrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    ServiceAccountJwt string
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
    Accessor string
    Accessor of the mount
    AllowedManagedKeys []string
    List of managed key registry entry names that the mount in question is allowed to access
    AllowedResponseHeaders []string
    List of headers to allow and pass from the request to the plugin
    AuditNonHmacRequestKeys []string
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    AuditNonHmacResponseKeys []string
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    DefaultLeaseTtlSeconds int
    Default lease duration for tokens and secrets in seconds
    DelegatedAuthAccessors []string
    List of headers to allow and pass from the request to the plugin
    Description string
    Human-friendly description of the mount
    DisableLocalCaJwt bool
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    ExternalEntropyAccess bool
    Enable the secrets engine to access Vault's external entropy source
    IdentityTokenKey string
    The key to use for signing plugin workload identity tokens
    KubernetesCaCert string
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    KubernetesHost string
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    ListingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    Local bool
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for tokens and secrets in seconds
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options map[string]string
    Specifies mount type specific options that are passed to the backend
    PassthroughRequestHeaders []string
    List of headers to allow and pass from the request to the plugin
    Path string
    Where the secret backend will be mounted
    PluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    SealWrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    ServiceAccountJwt string
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
    accessor String
    Accessor of the mount
    allowedManagedKeys List<String>
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    defaultLeaseTtlSeconds Integer
    Default lease duration for tokens and secrets in seconds
    delegatedAuthAccessors List<String>
    List of headers to allow and pass from the request to the plugin
    description String
    Human-friendly description of the mount
    disableLocalCaJwt Boolean
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    externalEntropyAccess Boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey String
    The key to use for signing plugin workload identity tokens
    kubernetesCaCert String
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    kubernetesHost String
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    listingVisibility String
    Specifies whether to show this mount in the UI-specific listing endpoint
    local Boolean
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    maxLeaseTtlSeconds Integer
    Maximum possible lease duration for tokens and secrets in seconds
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<String,String>
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    path String
    Where the secret backend will be mounted
    pluginVersion String
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    sealWrap Boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    serviceAccountJwt String
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
    accessor string
    Accessor of the mount
    allowedManagedKeys string[]
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders string[]
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys string[]
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys string[]
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    defaultLeaseTtlSeconds number
    Default lease duration for tokens and secrets in seconds
    delegatedAuthAccessors string[]
    List of headers to allow and pass from the request to the plugin
    description string
    Human-friendly description of the mount
    disableLocalCaJwt boolean
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    externalEntropyAccess boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey string
    The key to use for signing plugin workload identity tokens
    kubernetesCaCert string
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    kubernetesHost string
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    listingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    local boolean
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    maxLeaseTtlSeconds number
    Maximum possible lease duration for tokens and secrets in seconds
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options {[key: string]: string}
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders string[]
    List of headers to allow and pass from the request to the plugin
    path string
    Where the secret backend will be mounted
    pluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    sealWrap boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    serviceAccountJwt string
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
    accessor str
    Accessor of the mount
    allowed_managed_keys Sequence[str]
    List of managed key registry entry names that the mount in question is allowed to access
    allowed_response_headers Sequence[str]
    List of headers to allow and pass from the request to the plugin
    audit_non_hmac_request_keys Sequence[str]
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    audit_non_hmac_response_keys Sequence[str]
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    default_lease_ttl_seconds int
    Default lease duration for tokens and secrets in seconds
    delegated_auth_accessors Sequence[str]
    List of headers to allow and pass from the request to the plugin
    description str
    Human-friendly description of the mount
    disable_local_ca_jwt bool
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    external_entropy_access bool
    Enable the secrets engine to access Vault's external entropy source
    identity_token_key str
    The key to use for signing plugin workload identity tokens
    kubernetes_ca_cert str
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    kubernetes_host str
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    listing_visibility str
    Specifies whether to show this mount in the UI-specific listing endpoint
    local bool
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    max_lease_ttl_seconds int
    Maximum possible lease duration for tokens and secrets in seconds
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Mapping[str, str]
    Specifies mount type specific options that are passed to the backend
    passthrough_request_headers Sequence[str]
    List of headers to allow and pass from the request to the plugin
    path str
    Where the secret backend will be mounted
    plugin_version str
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    seal_wrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    service_account_jwt str
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
    accessor String
    Accessor of the mount
    allowedManagedKeys List<String>
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    defaultLeaseTtlSeconds Number
    Default lease duration for tokens and secrets in seconds
    delegatedAuthAccessors List<String>
    List of headers to allow and pass from the request to the plugin
    description String
    Human-friendly description of the mount
    disableLocalCaJwt Boolean
    Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
    externalEntropyAccess Boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey String
    The key to use for signing plugin workload identity tokens
    kubernetesCaCert String
    A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
    kubernetesHost String
    The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on.
    listingVisibility String
    Specifies whether to show this mount in the UI-specific listing endpoint
    local Boolean
    Local mount flag that can be explicitly set to true to enforce local mount in HA environment
    maxLeaseTtlSeconds Number
    Maximum possible lease duration for tokens and secrets in seconds
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<String>
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    path String
    Where the secret backend will be mounted
    pluginVersion String
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    sealWrap Boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    serviceAccountJwt String
    The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.

    Import

    The Kubernetes secret backend can be imported using its path e.g.

    $ pulumi import vault:kubernetes/secretBackend:SecretBackend config kubernetes
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi