vault.secrets.SyncAwsDestination
Explore with Pulumi AI
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const aws = new vault.secrets.SyncAwsDestination("aws", {
name: "aws-dest",
accessKeyId: accessKeyId,
secretAccessKey: secretAccessKey,
region: "us-east-1",
roleArn: "role-arn",
externalId: "external-id",
secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
customTags: {
foo: "bar",
},
});
import pulumi
import pulumi_vault as vault
aws = vault.secrets.SyncAwsDestination("aws",
name="aws-dest",
access_key_id=access_key_id,
secret_access_key=secret_access_key,
region="us-east-1",
role_arn="role-arn",
external_id="external-id",
secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
custom_tags={
"foo": "bar",
})
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/secrets"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := secrets.NewSyncAwsDestination(ctx, "aws", &secrets.SyncAwsDestinationArgs{
Name: pulumi.String("aws-dest"),
AccessKeyId: pulumi.Any(accessKeyId),
SecretAccessKey: pulumi.Any(secretAccessKey),
Region: pulumi.String("us-east-1"),
RoleArn: pulumi.String("role-arn"),
ExternalId: pulumi.String("external-id"),
SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
CustomTags: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var aws = new Vault.Secrets.SyncAwsDestination("aws", new()
{
Name = "aws-dest",
AccessKeyId = accessKeyId,
SecretAccessKey = secretAccessKey,
Region = "us-east-1",
RoleArn = "role-arn",
ExternalId = "external-id",
SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
CustomTags =
{
{ "foo", "bar" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncAwsDestination;
import com.pulumi.vault.secrets.SyncAwsDestinationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var aws = new SyncAwsDestination("aws", SyncAwsDestinationArgs.builder()
.name("aws-dest")
.accessKeyId(accessKeyId)
.secretAccessKey(secretAccessKey)
.region("us-east-1")
.roleArn("role-arn")
.externalId("external-id")
.secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
.customTags(Map.of("foo", "bar"))
.build());
}
}
resources:
aws:
type: vault:secrets:SyncAwsDestination
properties:
name: aws-dest
accessKeyId: ${accessKeyId}
secretAccessKey: ${secretAccessKey}
region: us-east-1
roleArn: role-arn
externalId: external-id
secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
customTags:
foo: bar
Create SyncAwsDestination Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SyncAwsDestination(name: string, args?: SyncAwsDestinationArgs, opts?: CustomResourceOptions);
@overload
def SyncAwsDestination(resource_name: str,
args: Optional[SyncAwsDestinationArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def SyncAwsDestination(resource_name: str,
opts: Optional[ResourceOptions] = None,
access_key_id: Optional[str] = None,
custom_tags: Optional[Mapping[str, str]] = None,
external_id: Optional[str] = None,
granularity: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
region: Optional[str] = None,
role_arn: Optional[str] = None,
secret_access_key: Optional[str] = None,
secret_name_template: Optional[str] = None)
func NewSyncAwsDestination(ctx *Context, name string, args *SyncAwsDestinationArgs, opts ...ResourceOption) (*SyncAwsDestination, error)
public SyncAwsDestination(string name, SyncAwsDestinationArgs? args = null, CustomResourceOptions? opts = null)
public SyncAwsDestination(String name, SyncAwsDestinationArgs args)
public SyncAwsDestination(String name, SyncAwsDestinationArgs args, CustomResourceOptions options)
type: vault:secrets:SyncAwsDestination
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SyncAwsDestinationArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SyncAwsDestinationArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SyncAwsDestinationArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SyncAwsDestinationArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SyncAwsDestinationArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var syncAwsDestinationResource = new Vault.Secrets.SyncAwsDestination("syncAwsDestinationResource", new()
{
AccessKeyId = "string",
CustomTags =
{
{ "string", "string" },
},
ExternalId = "string",
Granularity = "string",
Name = "string",
Namespace = "string",
Region = "string",
RoleArn = "string",
SecretAccessKey = "string",
SecretNameTemplate = "string",
});
example, err := secrets.NewSyncAwsDestination(ctx, "syncAwsDestinationResource", &secrets.SyncAwsDestinationArgs{
AccessKeyId: pulumi.String("string"),
CustomTags: pulumi.StringMap{
"string": pulumi.String("string"),
},
ExternalId: pulumi.String("string"),
Granularity: pulumi.String("string"),
Name: pulumi.String("string"),
Namespace: pulumi.String("string"),
Region: pulumi.String("string"),
RoleArn: pulumi.String("string"),
SecretAccessKey: pulumi.String("string"),
SecretNameTemplate: pulumi.String("string"),
})
var syncAwsDestinationResource = new SyncAwsDestination("syncAwsDestinationResource", SyncAwsDestinationArgs.builder()
.accessKeyId("string")
.customTags(Map.of("string", "string"))
.externalId("string")
.granularity("string")
.name("string")
.namespace("string")
.region("string")
.roleArn("string")
.secretAccessKey("string")
.secretNameTemplate("string")
.build());
sync_aws_destination_resource = vault.secrets.SyncAwsDestination("syncAwsDestinationResource",
access_key_id="string",
custom_tags={
"string": "string",
},
external_id="string",
granularity="string",
name="string",
namespace="string",
region="string",
role_arn="string",
secret_access_key="string",
secret_name_template="string")
const syncAwsDestinationResource = new vault.secrets.SyncAwsDestination("syncAwsDestinationResource", {
accessKeyId: "string",
customTags: {
string: "string",
},
externalId: "string",
granularity: "string",
name: "string",
namespace: "string",
region: "string",
roleArn: "string",
secretAccessKey: "string",
secretNameTemplate: "string",
});
type: vault:secrets:SyncAwsDestination
properties:
accessKeyId: string
customTags:
string: string
externalId: string
granularity: string
name: string
namespace: string
region: string
roleArn: string
secretAccessKey: string
secretNameTemplate: string
SyncAwsDestination Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SyncAwsDestination resource accepts the following input properties:
- Access
Key stringId - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - Dictionary<string, string>
- Custom tags to set on the secret managed at the destination.
- External
Id string - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - Granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - Name string
- Unique name of the AWS destination.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - Region string
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - Role
Arn string - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- Secret
Access stringKey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - Secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- Access
Key stringId - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - map[string]string
- Custom tags to set on the secret managed at the destination.
- External
Id string - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - Granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - Name string
- Unique name of the AWS destination.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - Region string
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - Role
Arn string - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- Secret
Access stringKey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - Secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- access
Key StringId - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - Map<String,String>
- Custom tags to set on the secret managed at the destination.
- external
Id String - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - granularity String
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - name String
- Unique name of the AWS destination.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - region String
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - role
Arn String - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- secret
Access StringKey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - secret
Name StringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- access
Key stringId - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - {[key: string]: string}
- Custom tags to set on the secret managed at the destination.
- external
Id string - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - name string
- Unique name of the AWS destination.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - region string
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - role
Arn string - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- secret
Access stringKey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- access_
key_ strid - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - Mapping[str, str]
- Custom tags to set on the secret managed at the destination.
- external_
id str - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - granularity str
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - name str
- Unique name of the AWS destination.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - region str
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - role_
arn str - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- secret_
access_ strkey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - secret_
name_ strtemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- access
Key StringId - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - Map<String>
- Custom tags to set on the secret managed at the destination.
- external
Id String - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - granularity String
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - name String
- Unique name of the AWS destination.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - region String
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - role
Arn String - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- secret
Access StringKey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - secret
Name StringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
Outputs
All input properties are implicitly available as output properties. Additionally, the SyncAwsDestination resource produces the following output properties:
Look up Existing SyncAwsDestination Resource
Get an existing SyncAwsDestination resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SyncAwsDestinationState, opts?: CustomResourceOptions): SyncAwsDestination
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_key_id: Optional[str] = None,
custom_tags: Optional[Mapping[str, str]] = None,
external_id: Optional[str] = None,
granularity: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
region: Optional[str] = None,
role_arn: Optional[str] = None,
secret_access_key: Optional[str] = None,
secret_name_template: Optional[str] = None,
type: Optional[str] = None) -> SyncAwsDestination
func GetSyncAwsDestination(ctx *Context, name string, id IDInput, state *SyncAwsDestinationState, opts ...ResourceOption) (*SyncAwsDestination, error)
public static SyncAwsDestination Get(string name, Input<string> id, SyncAwsDestinationState? state, CustomResourceOptions? opts = null)
public static SyncAwsDestination get(String name, Output<String> id, SyncAwsDestinationState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access
Key stringId - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - Dictionary<string, string>
- Custom tags to set on the secret managed at the destination.
- External
Id string - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - Granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - Name string
- Unique name of the AWS destination.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - Region string
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - Role
Arn string - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- Secret
Access stringKey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - Secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- Type string
- The type of the secrets destination (
aws-sm
).
- Access
Key stringId - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - map[string]string
- Custom tags to set on the secret managed at the destination.
- External
Id string - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - Granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - Name string
- Unique name of the AWS destination.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - Region string
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - Role
Arn string - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- Secret
Access stringKey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - Secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- Type string
- The type of the secrets destination (
aws-sm
).
- access
Key StringId - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - Map<String,String>
- Custom tags to set on the secret managed at the destination.
- external
Id String - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - granularity String
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - name String
- Unique name of the AWS destination.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - region String
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - role
Arn String - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- secret
Access StringKey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - secret
Name StringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- type String
- The type of the secrets destination (
aws-sm
).
- access
Key stringId - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - {[key: string]: string}
- Custom tags to set on the secret managed at the destination.
- external
Id string - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - granularity string
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - name string
- Unique name of the AWS destination.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - region string
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - role
Arn string - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- secret
Access stringKey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - secret
Name stringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- type string
- The type of the secrets destination (
aws-sm
).
- access_
key_ strid - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - Mapping[str, str]
- Custom tags to set on the secret managed at the destination.
- external_
id str - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - granularity str
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - name str
- Unique name of the AWS destination.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - region str
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - role_
arn str - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- secret_
access_ strkey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - secret_
name_ strtemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- type str
- The type of the secrets destination (
aws-sm
).
- access
Key StringId - Access key id to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_ACCESS_KEY_ID
environment variable. - Map<String>
- Custom tags to set on the secret managed at the destination.
- external
Id String - Optional extra protection that must match the trust policy granting access to the
AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.
The field is mutable with no special condition, but users must be careful that the new value fits with the trust
relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access
denied errors. Ignored if the
role_arn
field is empty. - granularity String
- Determines what level of information is synced as a distinct resource
at the destination. Supports
secret-path
andsecret-key
. - name String
- Unique name of the AWS destination.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. - region String
- Region where to manage the secrets manager entries.
Can be omitted and directly provided to Vault using the
AWS_REGION
environment variable. - role
Arn String - Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
- secret
Access StringKey - Secret access key to authenticate against the AWS secrets manager.
Can be omitted and directly provided to Vault using the
AWS_SECRET_ACCESS_KEY
environment variable. - secret
Name StringTemplate - Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
- type String
- The type of the secrets destination (
aws-sm
).
Import
AWS Secrets sync destinations can be imported using the name
, e.g.
$ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vault
Terraform Provider.