1. Packages
  2. Pulumi Vault Provider
  3. API Docs
  4. secrets
  5. SyncAwsDestination
HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi

vault.secrets.SyncAwsDestination

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    const aws = new vault.secrets.SyncAwsDestination("aws", {
        name: "aws-dest",
        accessKeyId: accessKeyId,
        secretAccessKey: secretAccessKey,
        region: "us-east-1",
        roleArn: "role-arn",
        externalId: "external-id",
        secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
        customTags: {
            foo: "bar",
        },
    });
    
    import pulumi
    import pulumi_vault as vault
    
    aws = vault.secrets.SyncAwsDestination("aws",
        name="aws-dest",
        access_key_id=access_key_id,
        secret_access_key=secret_access_key,
        region="us-east-1",
        role_arn="role-arn",
        external_id="external-id",
        secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
        custom_tags={
            "foo": "bar",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/secrets"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := secrets.NewSyncAwsDestination(ctx, "aws", &secrets.SyncAwsDestinationArgs{
    			Name:               pulumi.String("aws-dest"),
    			AccessKeyId:        pulumi.Any(accessKeyId),
    			SecretAccessKey:    pulumi.Any(secretAccessKey),
    			Region:             pulumi.String("us-east-1"),
    			RoleArn:            pulumi.String("role-arn"),
    			ExternalId:         pulumi.String("external-id"),
    			SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
    			CustomTags: pulumi.StringMap{
    				"foo": pulumi.String("bar"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var aws = new Vault.Secrets.SyncAwsDestination("aws", new()
        {
            Name = "aws-dest",
            AccessKeyId = accessKeyId,
            SecretAccessKey = secretAccessKey,
            Region = "us-east-1",
            RoleArn = "role-arn",
            ExternalId = "external-id",
            SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
            CustomTags = 
            {
                { "foo", "bar" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.secrets.SyncAwsDestination;
    import com.pulumi.vault.secrets.SyncAwsDestinationArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var aws = new SyncAwsDestination("aws", SyncAwsDestinationArgs.builder()
                .name("aws-dest")
                .accessKeyId(accessKeyId)
                .secretAccessKey(secretAccessKey)
                .region("us-east-1")
                .roleArn("role-arn")
                .externalId("external-id")
                .secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
                .customTags(Map.of("foo", "bar"))
                .build());
    
        }
    }
    
    resources:
      aws:
        type: vault:secrets:SyncAwsDestination
        properties:
          name: aws-dest
          accessKeyId: ${accessKeyId}
          secretAccessKey: ${secretAccessKey}
          region: us-east-1
          roleArn: role-arn
          externalId: external-id
          secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
          customTags:
            foo: bar
    

    Create SyncAwsDestination Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new SyncAwsDestination(name: string, args?: SyncAwsDestinationArgs, opts?: CustomResourceOptions);
    @overload
    def SyncAwsDestination(resource_name: str,
                           args: Optional[SyncAwsDestinationArgs] = None,
                           opts: Optional[ResourceOptions] = None)
    
    @overload
    def SyncAwsDestination(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           access_key_id: Optional[str] = None,
                           custom_tags: Optional[Mapping[str, str]] = None,
                           external_id: Optional[str] = None,
                           granularity: Optional[str] = None,
                           name: Optional[str] = None,
                           namespace: Optional[str] = None,
                           region: Optional[str] = None,
                           role_arn: Optional[str] = None,
                           secret_access_key: Optional[str] = None,
                           secret_name_template: Optional[str] = None)
    func NewSyncAwsDestination(ctx *Context, name string, args *SyncAwsDestinationArgs, opts ...ResourceOption) (*SyncAwsDestination, error)
    public SyncAwsDestination(string name, SyncAwsDestinationArgs? args = null, CustomResourceOptions? opts = null)
    public SyncAwsDestination(String name, SyncAwsDestinationArgs args)
    public SyncAwsDestination(String name, SyncAwsDestinationArgs args, CustomResourceOptions options)
    
    type: vault:secrets:SyncAwsDestination
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args SyncAwsDestinationArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SyncAwsDestinationArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SyncAwsDestinationArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SyncAwsDestinationArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SyncAwsDestinationArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var syncAwsDestinationResource = new Vault.Secrets.SyncAwsDestination("syncAwsDestinationResource", new()
    {
        AccessKeyId = "string",
        CustomTags = 
        {
            { "string", "string" },
        },
        ExternalId = "string",
        Granularity = "string",
        Name = "string",
        Namespace = "string",
        Region = "string",
        RoleArn = "string",
        SecretAccessKey = "string",
        SecretNameTemplate = "string",
    });
    
    example, err := secrets.NewSyncAwsDestination(ctx, "syncAwsDestinationResource", &secrets.SyncAwsDestinationArgs{
    	AccessKeyId: pulumi.String("string"),
    	CustomTags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	ExternalId:         pulumi.String("string"),
    	Granularity:        pulumi.String("string"),
    	Name:               pulumi.String("string"),
    	Namespace:          pulumi.String("string"),
    	Region:             pulumi.String("string"),
    	RoleArn:            pulumi.String("string"),
    	SecretAccessKey:    pulumi.String("string"),
    	SecretNameTemplate: pulumi.String("string"),
    })
    
    var syncAwsDestinationResource = new SyncAwsDestination("syncAwsDestinationResource", SyncAwsDestinationArgs.builder()
        .accessKeyId("string")
        .customTags(Map.of("string", "string"))
        .externalId("string")
        .granularity("string")
        .name("string")
        .namespace("string")
        .region("string")
        .roleArn("string")
        .secretAccessKey("string")
        .secretNameTemplate("string")
        .build());
    
    sync_aws_destination_resource = vault.secrets.SyncAwsDestination("syncAwsDestinationResource",
        access_key_id="string",
        custom_tags={
            "string": "string",
        },
        external_id="string",
        granularity="string",
        name="string",
        namespace="string",
        region="string",
        role_arn="string",
        secret_access_key="string",
        secret_name_template="string")
    
    const syncAwsDestinationResource = new vault.secrets.SyncAwsDestination("syncAwsDestinationResource", {
        accessKeyId: "string",
        customTags: {
            string: "string",
        },
        externalId: "string",
        granularity: "string",
        name: "string",
        namespace: "string",
        region: "string",
        roleArn: "string",
        secretAccessKey: "string",
        secretNameTemplate: "string",
    });
    
    type: vault:secrets:SyncAwsDestination
    properties:
        accessKeyId: string
        customTags:
            string: string
        externalId: string
        granularity: string
        name: string
        namespace: string
        region: string
        roleArn: string
        secretAccessKey: string
        secretNameTemplate: string
    

    SyncAwsDestination Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The SyncAwsDestination resource accepts the following input properties:

    AccessKeyId string
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    CustomTags Dictionary<string, string>
    Custom tags to set on the secret managed at the destination.
    ExternalId string
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    Granularity string
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    Name string
    Unique name of the AWS destination.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    Region string
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    RoleArn string
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    SecretAccessKey string
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    SecretNameTemplate string
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
    AccessKeyId string
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    CustomTags map[string]string
    Custom tags to set on the secret managed at the destination.
    ExternalId string
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    Granularity string
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    Name string
    Unique name of the AWS destination.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    Region string
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    RoleArn string
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    SecretAccessKey string
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    SecretNameTemplate string
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
    accessKeyId String
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    customTags Map<String,String>
    Custom tags to set on the secret managed at the destination.
    externalId String
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    granularity String
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    name String
    Unique name of the AWS destination.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    region String
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    roleArn String
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    secretAccessKey String
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    secretNameTemplate String
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
    accessKeyId string
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    customTags {[key: string]: string}
    Custom tags to set on the secret managed at the destination.
    externalId string
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    granularity string
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    name string
    Unique name of the AWS destination.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    region string
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    roleArn string
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    secretAccessKey string
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    secretNameTemplate string
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
    access_key_id str
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    custom_tags Mapping[str, str]
    Custom tags to set on the secret managed at the destination.
    external_id str
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    granularity str
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    name str
    Unique name of the AWS destination.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    region str
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    role_arn str
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    secret_access_key str
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    secret_name_template str
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
    accessKeyId String
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    customTags Map<String>
    Custom tags to set on the secret managed at the destination.
    externalId String
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    granularity String
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    name String
    Unique name of the AWS destination.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    region String
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    roleArn String
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    secretAccessKey String
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    secretNameTemplate String
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SyncAwsDestination resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Type string
    The type of the secrets destination (aws-sm).
    Id string
    The provider-assigned unique ID for this managed resource.
    Type string
    The type of the secrets destination (aws-sm).
    id String
    The provider-assigned unique ID for this managed resource.
    type String
    The type of the secrets destination (aws-sm).
    id string
    The provider-assigned unique ID for this managed resource.
    type string
    The type of the secrets destination (aws-sm).
    id str
    The provider-assigned unique ID for this managed resource.
    type str
    The type of the secrets destination (aws-sm).
    id String
    The provider-assigned unique ID for this managed resource.
    type String
    The type of the secrets destination (aws-sm).

    Look up Existing SyncAwsDestination Resource

    Get an existing SyncAwsDestination resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SyncAwsDestinationState, opts?: CustomResourceOptions): SyncAwsDestination
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            access_key_id: Optional[str] = None,
            custom_tags: Optional[Mapping[str, str]] = None,
            external_id: Optional[str] = None,
            granularity: Optional[str] = None,
            name: Optional[str] = None,
            namespace: Optional[str] = None,
            region: Optional[str] = None,
            role_arn: Optional[str] = None,
            secret_access_key: Optional[str] = None,
            secret_name_template: Optional[str] = None,
            type: Optional[str] = None) -> SyncAwsDestination
    func GetSyncAwsDestination(ctx *Context, name string, id IDInput, state *SyncAwsDestinationState, opts ...ResourceOption) (*SyncAwsDestination, error)
    public static SyncAwsDestination Get(string name, Input<string> id, SyncAwsDestinationState? state, CustomResourceOptions? opts = null)
    public static SyncAwsDestination get(String name, Output<String> id, SyncAwsDestinationState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccessKeyId string
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    CustomTags Dictionary<string, string>
    Custom tags to set on the secret managed at the destination.
    ExternalId string
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    Granularity string
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    Name string
    Unique name of the AWS destination.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    Region string
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    RoleArn string
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    SecretAccessKey string
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    SecretNameTemplate string
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
    Type string
    The type of the secrets destination (aws-sm).
    AccessKeyId string
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    CustomTags map[string]string
    Custom tags to set on the secret managed at the destination.
    ExternalId string
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    Granularity string
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    Name string
    Unique name of the AWS destination.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    Region string
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    RoleArn string
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    SecretAccessKey string
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    SecretNameTemplate string
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
    Type string
    The type of the secrets destination (aws-sm).
    accessKeyId String
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    customTags Map<String,String>
    Custom tags to set on the secret managed at the destination.
    externalId String
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    granularity String
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    name String
    Unique name of the AWS destination.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    region String
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    roleArn String
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    secretAccessKey String
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    secretNameTemplate String
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
    type String
    The type of the secrets destination (aws-sm).
    accessKeyId string
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    customTags {[key: string]: string}
    Custom tags to set on the secret managed at the destination.
    externalId string
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    granularity string
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    name string
    Unique name of the AWS destination.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    region string
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    roleArn string
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    secretAccessKey string
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    secretNameTemplate string
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
    type string
    The type of the secrets destination (aws-sm).
    access_key_id str
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    custom_tags Mapping[str, str]
    Custom tags to set on the secret managed at the destination.
    external_id str
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    granularity str
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    name str
    Unique name of the AWS destination.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    region str
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    role_arn str
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    secret_access_key str
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    secret_name_template str
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
    type str
    The type of the secrets destination (aws-sm).
    accessKeyId String
    Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
    customTags Map<String>
    Custom tags to set on the secret managed at the destination.
    externalId String
    Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
    granularity String
    Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
    name String
    Unique name of the AWS destination.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
    region String
    Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
    roleArn String
    Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
    secretAccessKey String
    Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
    secretNameTemplate String
    Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
    type String
    The type of the secrets destination (aws-sm).

    Import

    AWS Secrets sync destinations can be imported using the name, e.g.

    $ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi