Docs Home
HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi
vault.Mount
Explore with Pulumi AI
This resource enables a new secrets engine at the given path.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const example = new vault.Mount("example", {
path: "dummy",
type: "generic",
description: "This is an example mount",
});
import pulumi
import pulumi_vault as vault
example = vault.Mount("example",
path="dummy",
type="generic",
description="This is an example mount")
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vault.NewMount(ctx, "example", &vault.MountArgs{
Path: pulumi.String("dummy"),
Type: pulumi.String("generic"),
Description: pulumi.String("This is an example mount"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var example = new Vault.Mount("example", new()
{
Path = "dummy",
Type = "generic",
Description = "This is an example mount",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Mount("example", MountArgs.builder()
.path("dummy")
.type("generic")
.description("This is an example mount")
.build());
}
}
resources:
example:
type: vault:Mount
properties:
path: dummy
type: generic
description: This is an example mount
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const kvv2_example = new vault.Mount("kvv2-example", {
path: "version2-example",
type: "kv-v2",
options: {
version: "2",
type: "kv-v2",
},
description: "This is an example KV Version 2 secret engine mount",
});
import pulumi
import pulumi_vault as vault
kvv2_example = vault.Mount("kvv2-example",
path="version2-example",
type="kv-v2",
options={
"version": "2",
"type": "kv-v2",
},
description="This is an example KV Version 2 secret engine mount")
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vault.NewMount(ctx, "kvv2-example", &vault.MountArgs{
Path: pulumi.String("version2-example"),
Type: pulumi.String("kv-v2"),
Options: pulumi.StringMap{
"version": pulumi.String("2"),
"type": pulumi.String("kv-v2"),
},
Description: pulumi.String("This is an example KV Version 2 secret engine mount"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var kvv2_example = new Vault.Mount("kvv2-example", new()
{
Path = "version2-example",
Type = "kv-v2",
Options =
{
{ "version", "2" },
{ "type", "kv-v2" },
},
Description = "This is an example KV Version 2 secret engine mount",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var kvv2_example = new Mount("kvv2-example", MountArgs.builder()
.path("version2-example")
.type("kv-v2")
.options(Map.ofEntries(
Map.entry("version", "2"),
Map.entry("type", "kv-v2")
))
.description("This is an example KV Version 2 secret engine mount")
.build());
}
}
resources:
kvv2-example:
type: vault:Mount
properties:
path: version2-example
type: kv-v2
options:
version: '2'
type: kv-v2
description: This is an example KV Version 2 secret engine mount
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const transit_example = new vault.Mount("transit-example", {
path: "transit-example",
type: "transit",
description: "This is an example transit secret engine mount",
options: {
convergent_encryption: "false",
},
});
import pulumi
import pulumi_vault as vault
transit_example = vault.Mount("transit-example",
path="transit-example",
type="transit",
description="This is an example transit secret engine mount",
options={
"convergent_encryption": "false",
})
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vault.NewMount(ctx, "transit-example", &vault.MountArgs{
Path: pulumi.String("transit-example"),
Type: pulumi.String("transit"),
Description: pulumi.String("This is an example transit secret engine mount"),
Options: pulumi.StringMap{
"convergent_encryption": pulumi.String("false"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var transit_example = new Vault.Mount("transit-example", new()
{
Path = "transit-example",
Type = "transit",
Description = "This is an example transit secret engine mount",
Options =
{
{ "convergent_encryption", "false" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var transit_example = new Mount("transit-example", MountArgs.builder()
.path("transit-example")
.type("transit")
.description("This is an example transit secret engine mount")
.options(Map.of("convergent_encryption", false))
.build());
}
}
resources:
transit-example:
type: vault:Mount
properties:
path: transit-example
type: transit
description: This is an example transit secret engine mount
options:
convergent_encryption: false
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const pki_example = new vault.Mount("pki-example", {
path: "pki-example",
type: "pki",
description: "This is an example PKI mount",
defaultLeaseTtlSeconds: 3600,
maxLeaseTtlSeconds: 86400,
});
import pulumi
import pulumi_vault as vault
pki_example = vault.Mount("pki-example",
path="pki-example",
type="pki",
description="This is an example PKI mount",
default_lease_ttl_seconds=3600,
max_lease_ttl_seconds=86400)
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := vault.NewMount(ctx, "pki-example", &vault.MountArgs{
Path: pulumi.String("pki-example"),
Type: pulumi.String("pki"),
Description: pulumi.String("This is an example PKI mount"),
DefaultLeaseTtlSeconds: pulumi.Int(3600),
MaxLeaseTtlSeconds: pulumi.Int(86400),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var pki_example = new Vault.Mount("pki-example", new()
{
Path = "pki-example",
Type = "pki",
Description = "This is an example PKI mount",
DefaultLeaseTtlSeconds = 3600,
MaxLeaseTtlSeconds = 86400,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pki_example = new Mount("pki-example", MountArgs.builder()
.path("pki-example")
.type("pki")
.description("This is an example PKI mount")
.defaultLeaseTtlSeconds(3600)
.maxLeaseTtlSeconds(86400)
.build());
}
}
resources:
pki-example:
type: vault:Mount
properties:
path: pki-example
type: pki
description: This is an example PKI mount
defaultLeaseTtlSeconds: 3600
maxLeaseTtlSeconds: 86400
Create Mount Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Mount(name: string, args: MountArgs, opts?: CustomResourceOptions);@overload
def Mount(resource_name: str,
args: MountArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Mount(resource_name: str,
opts: Optional[ResourceOptions] = None,
path: Optional[str] = None,
type: Optional[str] = None,
identity_token_key: Optional[str] = None,
max_lease_ttl_seconds: Optional[int] = None,
default_lease_ttl_seconds: Optional[int] = None,
delegated_auth_accessors: Optional[Sequence[str]] = None,
description: Optional[str] = None,
external_entropy_access: Optional[bool] = None,
allowed_managed_keys: Optional[Sequence[str]] = None,
listing_visibility: Optional[str] = None,
local: Optional[bool] = None,
audit_non_hmac_response_keys: Optional[Sequence[str]] = None,
namespace: Optional[str] = None,
options: Optional[Mapping[str, str]] = None,
passthrough_request_headers: Optional[Sequence[str]] = None,
audit_non_hmac_request_keys: Optional[Sequence[str]] = None,
plugin_version: Optional[str] = None,
seal_wrap: Optional[bool] = None,
allowed_response_headers: Optional[Sequence[str]] = None)func NewMount(ctx *Context, name string, args MountArgs, opts ...ResourceOption) (*Mount, error)public Mount(string name, MountArgs args, CustomResourceOptions? opts = null)type: vault:Mount
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args MountArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args MountArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args MountArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args MountArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args MountArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var mountResource = new Vault.Mount("mountResource", new()
{
Path = "string",
Type = "string",
IdentityTokenKey = "string",
MaxLeaseTtlSeconds = 0,
DefaultLeaseTtlSeconds = 0,
DelegatedAuthAccessors = new[]
{
"string",
},
Description = "string",
ExternalEntropyAccess = false,
AllowedManagedKeys = new[]
{
"string",
},
ListingVisibility = "string",
Local = false,
AuditNonHmacResponseKeys = new[]
{
"string",
},
Namespace = "string",
Options =
{
{ "string", "string" },
},
PassthroughRequestHeaders = new[]
{
"string",
},
AuditNonHmacRequestKeys = new[]
{
"string",
},
PluginVersion = "string",
SealWrap = false,
AllowedResponseHeaders = new[]
{
"string",
},
});
example, err := vault.NewMount(ctx, "mountResource", &vault.MountArgs{
Path: pulumi.String("string"),
Type: pulumi.String("string"),
IdentityTokenKey: pulumi.String("string"),
MaxLeaseTtlSeconds: pulumi.Int(0),
DefaultLeaseTtlSeconds: pulumi.Int(0),
DelegatedAuthAccessors: pulumi.StringArray{
pulumi.String("string"),
},
Description: pulumi.String("string"),
ExternalEntropyAccess: pulumi.Bool(false),
AllowedManagedKeys: pulumi.StringArray{
pulumi.String("string"),
},
ListingVisibility: pulumi.String("string"),
Local: pulumi.Bool(false),
AuditNonHmacResponseKeys: pulumi.StringArray{
pulumi.String("string"),
},
Namespace: pulumi.String("string"),
Options: pulumi.StringMap{
"string": pulumi.String("string"),
},
PassthroughRequestHeaders: pulumi.StringArray{
pulumi.String("string"),
},
AuditNonHmacRequestKeys: pulumi.StringArray{
pulumi.String("string"),
},
PluginVersion: pulumi.String("string"),
SealWrap: pulumi.Bool(false),
AllowedResponseHeaders: pulumi.StringArray{
pulumi.String("string"),
},
})
var mountResource = new Mount("mountResource", MountArgs.builder()
.path("string")
.type("string")
.identityTokenKey("string")
.maxLeaseTtlSeconds(0)
.defaultLeaseTtlSeconds(0)
.delegatedAuthAccessors("string")
.description("string")
.externalEntropyAccess(false)
.allowedManagedKeys("string")
.listingVisibility("string")
.local(false)
.auditNonHmacResponseKeys("string")
.namespace("string")
.options(Map.of("string", "string"))
.passthroughRequestHeaders("string")
.auditNonHmacRequestKeys("string")
.pluginVersion("string")
.sealWrap(false)
.allowedResponseHeaders("string")
.build());
mount_resource = vault.Mount("mountResource",
path="string",
type="string",
identity_token_key="string",
max_lease_ttl_seconds=0,
default_lease_ttl_seconds=0,
delegated_auth_accessors=["string"],
description="string",
external_entropy_access=False,
allowed_managed_keys=["string"],
listing_visibility="string",
local=False,
audit_non_hmac_response_keys=["string"],
namespace="string",
options={
"string": "string",
},
passthrough_request_headers=["string"],
audit_non_hmac_request_keys=["string"],
plugin_version="string",
seal_wrap=False,
allowed_response_headers=["string"])
const mountResource = new vault.Mount("mountResource", {
path: "string",
type: "string",
identityTokenKey: "string",
maxLeaseTtlSeconds: 0,
defaultLeaseTtlSeconds: 0,
delegatedAuthAccessors: ["string"],
description: "string",
externalEntropyAccess: false,
allowedManagedKeys: ["string"],
listingVisibility: "string",
local: false,
auditNonHmacResponseKeys: ["string"],
namespace: "string",
options: {
string: "string",
},
passthroughRequestHeaders: ["string"],
auditNonHmacRequestKeys: ["string"],
pluginVersion: "string",
sealWrap: false,
allowedResponseHeaders: ["string"],
});
type: vault:Mount
properties:
allowedManagedKeys:
- string
allowedResponseHeaders:
- string
auditNonHmacRequestKeys:
- string
auditNonHmacResponseKeys:
- string
defaultLeaseTtlSeconds: 0
delegatedAuthAccessors:
- string
description: string
externalEntropyAccess: false
identityTokenKey: string
listingVisibility: string
local: false
maxLeaseTtlSeconds: 0
namespace: string
options:
string: string
passthroughRequestHeaders:
- string
path: string
pluginVersion: string
sealWrap: false
type: string
Mount Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Mount resource accepts the following input properties:
- Path string
- Where the secret backend will be mounted
- Type string
- Type of the backend, such as "aws"
- Allowed
Managed List<string>Keys - Set of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response List<string>Headers - List of headers to allow, allowing a plugin to include them in the response.
- Audit
Non List<string>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non List<string>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease intTtl Seconds - Default lease duration for tokens and secrets in seconds
- Delegated
Auth List<string>Accessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- Description string
- Human-friendly description of the mount
- External
Entropy boolAccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- Listing
Visibility string - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - Local bool
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- Max
Lease intTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options Dictionary<string, string>
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request List<string>Headers - List of headers to allow and pass from the request to the plugin.
- Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- Seal
Wrap bool - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- Path string
- Where the secret backend will be mounted
- Type string
- Type of the backend, such as "aws"
- Allowed
Managed []stringKeys - Set of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response []stringHeaders - List of headers to allow, allowing a plugin to include them in the response.
- Audit
Non []stringHmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non []stringHmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease intTtl Seconds - Default lease duration for tokens and secrets in seconds
- Delegated
Auth []stringAccessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- Description string
- Human-friendly description of the mount
- External
Entropy boolAccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- Listing
Visibility string - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - Local bool
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- Max
Lease intTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options map[string]string
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request []stringHeaders - List of headers to allow and pass from the request to the plugin.
- Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- Seal
Wrap bool - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- path String
- Where the secret backend will be mounted
- type String
- Type of the backend, such as "aws"
- allowed
Managed List<String>Keys - Set of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow, allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease IntegerTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth List<String>Accessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- description String
- Human-friendly description of the mount
- external
Entropy BooleanAccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- listing
Visibility String - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - local Boolean
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease IntegerTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String,String>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin.
- plugin
Version String - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- seal
Wrap Boolean - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- path string
- Where the secret backend will be mounted
- type string
- Type of the backend, such as "aws"
- allowed
Managed string[]Keys - Set of managed key registry entry names that the mount in question is allowed to access
- allowed
Response string[]Headers - List of headers to allow, allowing a plugin to include them in the response.
- audit
Non string[]Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non string[]Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease numberTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth string[]Accessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- description string
- Human-friendly description of the mount
- external
Entropy booleanAccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- identity
Token stringKey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- listing
Visibility string - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - local boolean
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease numberTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options {[key: string]: string}
- Specifies mount type specific options that are passed to the backend
- passthrough
Request string[]Headers - List of headers to allow and pass from the request to the plugin.
- plugin
Version string - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- seal
Wrap boolean - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- path str
- Where the secret backend will be mounted
- type str
- Type of the backend, such as "aws"
- allowed_
managed_ Sequence[str]keys - Set of managed key registry entry names that the mount in question is allowed to access
- allowed_
response_ Sequence[str]headers - List of headers to allow, allowing a plugin to include them in the response.
- audit_
non_ Sequence[str]hmac_ request_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit_
non_ Sequence[str]hmac_ response_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default_
lease_ intttl_ seconds - Default lease duration for tokens and secrets in seconds
- delegated_
auth_ Sequence[str]accessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- description str
- Human-friendly description of the mount
- external_
entropy_ boolaccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- identity_
token_ strkey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- listing_
visibility str - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - local bool
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- max_
lease_ intttl_ seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Mapping[str, str]
- Specifies mount type specific options that are passed to the backend
- passthrough_
request_ Sequence[str]headers - List of headers to allow and pass from the request to the plugin.
- plugin_
version str - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- seal_
wrap bool - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- path String
- Where the secret backend will be mounted
- type String
- Type of the backend, such as "aws"
- allowed
Managed List<String>Keys - Set of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow, allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease NumberTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth List<String>Accessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- description String
- Human-friendly description of the mount
- external
Entropy BooleanAccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- listing
Visibility String - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - local Boolean
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease NumberTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin.
- plugin
Version String - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- seal
Wrap Boolean - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
Outputs
All input properties are implicitly available as output properties. Additionally, the Mount resource produces the following output properties:
Look up Existing Mount Resource
Get an existing Mount resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: MountState, opts?: CustomResourceOptions): Mount@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accessor: Optional[str] = None,
allowed_managed_keys: Optional[Sequence[str]] = None,
allowed_response_headers: Optional[Sequence[str]] = None,
audit_non_hmac_request_keys: Optional[Sequence[str]] = None,
audit_non_hmac_response_keys: Optional[Sequence[str]] = None,
default_lease_ttl_seconds: Optional[int] = None,
delegated_auth_accessors: Optional[Sequence[str]] = None,
description: Optional[str] = None,
external_entropy_access: Optional[bool] = None,
identity_token_key: Optional[str] = None,
listing_visibility: Optional[str] = None,
local: Optional[bool] = None,
max_lease_ttl_seconds: Optional[int] = None,
namespace: Optional[str] = None,
options: Optional[Mapping[str, str]] = None,
passthrough_request_headers: Optional[Sequence[str]] = None,
path: Optional[str] = None,
plugin_version: Optional[str] = None,
seal_wrap: Optional[bool] = None,
type: Optional[str] = None) -> Mountfunc GetMount(ctx *Context, name string, id IDInput, state *MountState, opts ...ResourceOption) (*Mount, error)public static Mount Get(string name, Input<string> id, MountState? state, CustomResourceOptions? opts = null)public static Mount get(String name, Output<String> id, MountState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accessor string
- The accessor for this mount.
- Allowed
Managed List<string>Keys - Set of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response List<string>Headers - List of headers to allow, allowing a plugin to include them in the response.
- Audit
Non List<string>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non List<string>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease intTtl Seconds - Default lease duration for tokens and secrets in seconds
- Delegated
Auth List<string>Accessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- Description string
- Human-friendly description of the mount
- External
Entropy boolAccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- Listing
Visibility string - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - Local bool
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- Max
Lease intTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options Dictionary<string, string>
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request List<string>Headers - List of headers to allow and pass from the request to the plugin.
- Path string
- Where the secret backend will be mounted
- Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- Seal
Wrap bool - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- Type string
- Type of the backend, such as "aws"
- Accessor string
- The accessor for this mount.
- Allowed
Managed []stringKeys - Set of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response []stringHeaders - List of headers to allow, allowing a plugin to include them in the response.
- Audit
Non []stringHmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non []stringHmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease intTtl Seconds - Default lease duration for tokens and secrets in seconds
- Delegated
Auth []stringAccessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- Description string
- Human-friendly description of the mount
- External
Entropy boolAccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- Listing
Visibility string - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - Local bool
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- Max
Lease intTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options map[string]string
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request []stringHeaders - List of headers to allow and pass from the request to the plugin.
- Path string
- Where the secret backend will be mounted
- Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- Seal
Wrap bool - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- Type string
- Type of the backend, such as "aws"
- accessor String
- The accessor for this mount.
- allowed
Managed List<String>Keys - Set of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow, allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease IntegerTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth List<String>Accessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- description String
- Human-friendly description of the mount
- external
Entropy BooleanAccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- listing
Visibility String - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - local Boolean
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease IntegerTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String,String>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin.
- path String
- Where the secret backend will be mounted
- plugin
Version String - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- seal
Wrap Boolean - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- type String
- Type of the backend, such as "aws"
- accessor string
- The accessor for this mount.
- allowed
Managed string[]Keys - Set of managed key registry entry names that the mount in question is allowed to access
- allowed
Response string[]Headers - List of headers to allow, allowing a plugin to include them in the response.
- audit
Non string[]Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non string[]Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease numberTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth string[]Accessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- description string
- Human-friendly description of the mount
- external
Entropy booleanAccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- identity
Token stringKey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- listing
Visibility string - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - local boolean
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease numberTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options {[key: string]: string}
- Specifies mount type specific options that are passed to the backend
- passthrough
Request string[]Headers - List of headers to allow and pass from the request to the plugin.
- path string
- Where the secret backend will be mounted
- plugin
Version string - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- seal
Wrap boolean - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- type string
- Type of the backend, such as "aws"
- accessor str
- The accessor for this mount.
- allowed_
managed_ Sequence[str]keys - Set of managed key registry entry names that the mount in question is allowed to access
- allowed_
response_ Sequence[str]headers - List of headers to allow, allowing a plugin to include them in the response.
- audit_
non_ Sequence[str]hmac_ request_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit_
non_ Sequence[str]hmac_ response_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default_
lease_ intttl_ seconds - Default lease duration for tokens and secrets in seconds
- delegated_
auth_ Sequence[str]accessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- description str
- Human-friendly description of the mount
- external_
entropy_ boolaccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- identity_
token_ strkey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- listing_
visibility str - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - local bool
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- max_
lease_ intttl_ seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Mapping[str, str]
- Specifies mount type specific options that are passed to the backend
- passthrough_
request_ Sequence[str]headers - List of headers to allow and pass from the request to the plugin.
- path str
- Where the secret backend will be mounted
- plugin_
version str - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- seal_
wrap bool - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- type str
- Type of the backend, such as "aws"
- accessor String
- The accessor for this mount.
- allowed
Managed List<String>Keys - Set of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow, allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease NumberTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth List<String>Accessors - List of allowed authentication mount accessors the backend can request delegated authentication for.
- description String
- Human-friendly description of the mount
- external
Entropy BooleanAccess - Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens. If not provided, this will default to Vault's OIDC default key.
- listing
Visibility String - Specifies whether to show this mount in the UI-specific
listing endpoint. Valid values are
unauthorhidden. If not set, behaves likehidden. - local Boolean
- Boolean flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease NumberTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin.
- path String
- Where the secret backend will be mounted
- plugin
Version String - Specifies the semantic version of the plugin to use, e.g. "v1.0.0". If unspecified, the server will select any matching unversioned plugin that may have been registered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.
- seal
Wrap Boolean - Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- type String
- Type of the backend, such as "aws"
Import
Mounts can be imported using the path, e.g.
$ pulumi import vault:index/mount:Mount example dummy
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.