vault.kubernetes.SecretBackendRole
Example Usage
Example using service_account_name mode:
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
// Mount the Kubernetes secrets engine and tell Vault how to reach the cluster API.
const config = new vault.kubernetes.SecretBackend("config", {
    path: "kubernetes",
    description: "kubernetes secrets engine description",
    kubernetesHost: "https://127.0.0.1:61233",
    // PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
    kubernetesCaCert: std.file({
        input: "/path/to/cert",
    }).then(invoke => invoke.result),
    // Service account token Vault presents to the Kubernetes API. This is a
    // credential: keep the token file out of version control.
    // NOTE(review): the token is read as ordinary file content; confirm the
    // stack stores it encrypted as a secret.
    serviceAccountJwt: std.file({
        input: "/path/to/token",
    }).then(invoke => invoke.result),
    // false leaves Vault's fallback to the pod-local CA and token enabled when
    // Vault itself runs in a Kubernetes pod.
    disableLocalCaJwt: false,
});
// Role in service_account_name mode: Vault issues tokens for a service account
// that already exists, so each token carries whatever RBAC that account has.
const sa_example = new vault.kubernetes.SecretBackendRole("sa-example", {
    backend: config.path,
    name: "service-account-name-role",
    // "*" allows every namespace. List only the namespaces that need
    // credentials to keep the role least-privilege.
    allowedKubernetesNamespaces: ["*"],
    // TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes limit
    // how long a leaked token stays usable.
    tokenMaxTtl: 43200,
    tokenDefaultTtl: 21600,
    serviceAccountName: "test-service-account-with-generated-token",
    // Extra labels and annotations for the Kubernetes objects Vault generates.
    extraLabels: {
        id: "abc123",
        name: "some_name",
    },
    extraAnnotations: {
        env: "development",
        location: "earth",
    },
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
# Mount the Kubernetes secrets engine and tell Vault how to reach the cluster API.
config = vault.kubernetes.SecretBackend("config",
    path="kubernetes",
    description="kubernetes secrets engine description",
    kubernetes_host="https://127.0.0.1:61233",
    # PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
    kubernetes_ca_cert=std.file(input="/path/to/cert").result,
    # Service account token Vault presents to the Kubernetes API. This is a
    # credential: keep the token file out of version control.
    # NOTE(review): the token is read as ordinary file content; confirm the
    # stack stores it encrypted as a secret.
    service_account_jwt=std.file(input="/path/to/token").result,
    # False leaves Vault's fallback to the pod-local CA and token enabled when
    # Vault itself runs in a Kubernetes pod.
    disable_local_ca_jwt=False)
# Role in service_account_name mode: Vault issues tokens for a service account
# that already exists, so each token carries whatever RBAC that account has.
sa_example = vault.kubernetes.SecretBackendRole("sa-example",
    backend=config.path,
    name="service-account-name-role",
    # "*" allows every namespace. List only the namespaces that need
    # credentials to keep the role least-privilege.
    allowed_kubernetes_namespaces=["*"],
    # TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes limit
    # how long a leaked token stays usable.
    token_max_ttl=43200,
    token_default_ttl=21600,
    service_account_name="test-service-account-with-generated-token",
    # Extra labels and annotations for the Kubernetes objects Vault generates.
    extra_labels={
        "id": "abc123",
        "name": "some_name",
    },
    extra_annotations={
        "env": "development",
        "location": "earth",
    })
package main
import (
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares the Kubernetes secrets engine mount and one role on it that
// uses service_account_name mode.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		// Service account token Vault presents to the Kubernetes API. This is a
		// credential: keep the token file out of version control.
		// NOTE(review): the token is read as ordinary file content; confirm the
		// stack stores it encrypted as a secret.
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:              pulumi.String("kubernetes"),
			Description:       pulumi.String("kubernetes secrets engine description"),
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  invokeFile.Result,
			ServiceAccountJwt: invokeFile1.Result,
			// false leaves Vault's fallback to the pod-local CA and token
			// enabled when Vault itself runs in a Kubernetes pod.
			DisableLocalCaJwt: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		// Vault issues tokens for a service account that already exists, so each
		// token carries whatever RBAC that account has.
		_, err = kubernetes.NewSecretBackendRole(ctx, "sa-example", &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			// "*" allows every namespace. List only the namespaces that need
			// credentials to keep the role least-privilege.
			AllowedKubernetesNamespaces: pulumi.StringArray{
				pulumi.String("*"),
			},
			// TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes
			// limit how long a leaked token stays usable.
			TokenMaxTtl:        pulumi.Int(43200),
			TokenDefaultTtl:    pulumi.Int(21600),
			ServiceAccountName: pulumi.String("test-service-account-with-generated-token"),
			// Extra labels and annotations for the Kubernetes objects Vault generates.
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
// Declares the Kubernetes secrets engine mount and one role on it that uses
// service_account_name mode.
return await Deployment.RunAsync(() => 
{
    var config = new Vault.Kubernetes.SecretBackend("config", new()
    {
        Path = "kubernetes",
        Description = "kubernetes secrets engine description",
        KubernetesHost = "https://127.0.0.1:61233",
        // PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
        KubernetesCaCert = Std.File.Invoke(new()
        {
            Input = "/path/to/cert",
        }).Apply(invoke => invoke.Result),
        // Service account token Vault presents to the Kubernetes API. This is a
        // credential: keep the token file out of version control.
        // NOTE(review): the token is read as ordinary file content; confirm the
        // stack stores it encrypted as a secret.
        ServiceAccountJwt = Std.File.Invoke(new()
        {
            Input = "/path/to/token",
        }).Apply(invoke => invoke.Result),
        // false leaves Vault's fallback to the pod-local CA and token enabled
        // when Vault itself runs in a Kubernetes pod.
        DisableLocalCaJwt = false,
    });
    // Vault issues tokens for a service account that already exists, so each
    // token carries whatever RBAC that account has.
    var sa_example = new Vault.Kubernetes.SecretBackendRole("sa-example", new()
    {
        Backend = config.Path,
        Name = "service-account-name-role",
        // "*" allows every namespace. List only the namespaces that need
        // credentials to keep the role least-privilege.
        AllowedKubernetesNamespaces = new[]
        {
            "*",
        },
        // TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes
        // limit how long a leaked token stays usable.
        TokenMaxTtl = 43200,
        TokenDefaultTtl = 21600,
        ServiceAccountName = "test-service-account-with-generated-token",
        // Extra labels and annotations for the Kubernetes objects Vault generates.
        ExtraLabels = 
        {
            { "id", "abc123" },
            { "name", "some_name" },
        },
        ExtraAnnotations = 
        {
            { "env", "development" },
            { "location", "earth" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares the Kubernetes secrets engine mount and one
 * role on it that uses service_account_name mode.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    /**
     * Declares the secrets engine mount and the role.
     *
     * @param ctx Pulumi deployment context (not used directly here)
     */
    // NOTE(review): StdFunctions and FileArgs are not among the imports shown
    // with this listing; presumably they come from the pulumi-std Java SDK.
    // Confirm and import them before compiling.
    public static void stack(Context ctx) {
        // kubernetesCaCert: PEM CA bundle Vault uses to verify the Kubernetes
        // API server's TLS certificate.
        // serviceAccountJwt: token Vault presents to the Kubernetes API. It is a
        // credential: keep the token file out of version control.
        // NOTE(review): the token is read as ordinary file content; confirm the
        // stack stores it encrypted as a secret.
        // disableLocalCaJwt(false) leaves Vault's fallback to the pod-local CA
        // and token enabled when Vault itself runs in a Kubernetes pod.
        var config = new SecretBackend("config", SecretBackendArgs.builder()
            .path("kubernetes")
            .description("kubernetes secrets engine description")
            .kubernetesHost("https://127.0.0.1:61233")
            .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
                .input("/path/to/cert")
                .build()).result())
            .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
                .input("/path/to/token")
                .build()).result())
            .disableLocalCaJwt(false)
            .build());
        // Vault issues tokens for a service account that already exists, so each
        // token carries whatever RBAC that account has.
        // "*" allows every namespace; list only the namespaces that need
        // credentials to keep the role least-privilege.
        // TTLs are in seconds (12 h maximum, 6 h default); shorter lifetimes
        // limit how long a leaked token stays usable.
        var sa_example = new SecretBackendRole("sa-example", SecretBackendRoleArgs.builder()
            .backend(config.path())
            .name("service-account-name-role")
            .allowedKubernetesNamespaces("*")
            .tokenMaxTtl(43200)
            .tokenDefaultTtl(21600)
            .serviceAccountName("test-service-account-with-generated-token")
            .extraLabels(Map.ofEntries(
                Map.entry("id", "abc123"),
                Map.entry("name", "some_name")
            ))
            .extraAnnotations(Map.ofEntries(
                Map.entry("env", "development"),
                Map.entry("location", "earth")
            ))
            .build());
    }
}
# Kubernetes secrets engine mount plus one role in service_account_name mode.
resources:
  config:
    type: vault:kubernetes:SecretBackend
    properties:
      path: kubernetes
      description: kubernetes secrets engine description
      kubernetesHost: https://127.0.0.1:61233
      # PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
      kubernetesCaCert:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/cert
          Return: result
      # Service account token Vault presents to the Kubernetes API. This is a
      # credential: keep the token file out of version control.
      # NOTE(review): the token is read as ordinary file content; confirm the
      # stack stores it encrypted as a secret.
      serviceAccountJwt:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/token
          Return: result
      # false leaves Vault's fallback to the pod-local CA and token enabled
      # when Vault itself runs in a Kubernetes pod.
      disableLocalCaJwt: false
  # Vault issues tokens for a service account that already exists, so each
  # token carries whatever RBAC that account has.
  sa-example:
    type: vault:kubernetes:SecretBackendRole
    properties:
      backend: ${config.path}
      name: service-account-name-role
      # '*' allows every namespace. List only the namespaces that need
      # credentials to keep the role least-privilege.
      allowedKubernetesNamespaces:
        - '*'
      # TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes limit
      # how long a leaked token stays usable.
      tokenMaxTtl: 43200
      tokenDefaultTtl: 21600
      serviceAccountName: test-service-account-with-generated-token
      # Extra labels and annotations for the Kubernetes objects Vault generates.
      extraLabels:
        id: abc123
        name: some_name
      extraAnnotations:
        env: development
        location: earth
Example using kubernetes_role_name mode:
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
// Mount the Kubernetes secrets engine and tell Vault how to reach the cluster API.
const config = new vault.kubernetes.SecretBackend("config", {
    path: "kubernetes",
    description: "kubernetes secrets engine description",
    kubernetesHost: "https://127.0.0.1:61233",
    // PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
    kubernetesCaCert: std.file({
        input: "/path/to/cert",
    }).then(invoke => invoke.result),
    // Service account token Vault presents to the Kubernetes API. This is a
    // credential: keep the token file out of version control.
    // NOTE(review): the token is read as ordinary file content; confirm the
    // stack stores it encrypted as a secret.
    serviceAccountJwt: std.file({
        input: "/path/to/token",
    }).then(invoke => invoke.result),
    // false leaves Vault's fallback to the pod-local CA and token enabled when
    // Vault itself runs in a Kubernetes pod.
    disableLocalCaJwt: false,
});
// Role in kubernetes_role_name mode: Vault generates a service account and
// binds it to a Role/ClusterRole that already exists, so the permissions
// granted are whatever that pre-existing role allows.
const name_example = new vault.kubernetes.SecretBackendRole("name-example", {
    backend: config.path,
    name: "service-account-name-role",
    // "*" allows every namespace. List only the namespaces that need
    // credentials to keep the role least-privilege.
    allowedKubernetesNamespaces: ["*"],
    // TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes limit
    // how long a leaked token stays usable.
    tokenMaxTtl: 43200,
    tokenDefaultTtl: 21600,
    kubernetesRoleName: "vault-k8s-secrets-role",
    // Extra labels and annotations for the Kubernetes objects Vault generates.
    extraLabels: {
        id: "abc123",
        name: "some_name",
    },
    extraAnnotations: {
        env: "development",
        location: "earth",
    },
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
# Mount the Kubernetes secrets engine and tell Vault how to reach the cluster API.
config = vault.kubernetes.SecretBackend("config",
    path="kubernetes",
    description="kubernetes secrets engine description",
    kubernetes_host="https://127.0.0.1:61233",
    # PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
    kubernetes_ca_cert=std.file(input="/path/to/cert").result,
    # Service account token Vault presents to the Kubernetes API. This is a
    # credential: keep the token file out of version control.
    # NOTE(review): the token is read as ordinary file content; confirm the
    # stack stores it encrypted as a secret.
    service_account_jwt=std.file(input="/path/to/token").result,
    # False leaves Vault's fallback to the pod-local CA and token enabled when
    # Vault itself runs in a Kubernetes pod.
    disable_local_ca_jwt=False)
# Role in kubernetes_role_name mode: Vault generates a service account and
# binds it to a Role/ClusterRole that already exists, so the permissions
# granted are whatever that pre-existing role allows.
name_example = vault.kubernetes.SecretBackendRole("name-example",
    backend=config.path,
    name="service-account-name-role",
    # "*" allows every namespace. List only the namespaces that need
    # credentials to keep the role least-privilege.
    allowed_kubernetes_namespaces=["*"],
    # TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes limit
    # how long a leaked token stays usable.
    token_max_ttl=43200,
    token_default_ttl=21600,
    kubernetes_role_name="vault-k8s-secrets-role",
    # Extra labels and annotations for the Kubernetes objects Vault generates.
    extra_labels={
        "id": "abc123",
        "name": "some_name",
    },
    extra_annotations={
        "env": "development",
        "location": "earth",
    })
package main
import (
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares the Kubernetes secrets engine mount and one role on it that
// uses kubernetes_role_name mode.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		// Service account token Vault presents to the Kubernetes API. This is a
		// credential: keep the token file out of version control.
		// NOTE(review): the token is read as ordinary file content; confirm the
		// stack stores it encrypted as a secret.
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:              pulumi.String("kubernetes"),
			Description:       pulumi.String("kubernetes secrets engine description"),
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  invokeFile.Result,
			ServiceAccountJwt: invokeFile1.Result,
			// false leaves Vault's fallback to the pod-local CA and token
			// enabled when Vault itself runs in a Kubernetes pod.
			DisableLocalCaJwt: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		// Vault generates a service account and binds it to a Role/ClusterRole
		// that already exists, so the permissions granted are whatever that
		// pre-existing role allows.
		_, err = kubernetes.NewSecretBackendRole(ctx, "name-example", &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			// "*" allows every namespace. List only the namespaces that need
			// credentials to keep the role least-privilege.
			AllowedKubernetesNamespaces: pulumi.StringArray{
				pulumi.String("*"),
			},
			// TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes
			// limit how long a leaked token stays usable.
			TokenMaxTtl:        pulumi.Int(43200),
			TokenDefaultTtl:    pulumi.Int(21600),
			KubernetesRoleName: pulumi.String("vault-k8s-secrets-role"),
			// Extra labels and annotations for the Kubernetes objects Vault generates.
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
// Declares the Kubernetes secrets engine mount and one role on it that uses
// kubernetes_role_name mode.
return await Deployment.RunAsync(() => 
{
    var config = new Vault.Kubernetes.SecretBackend("config", new()
    {
        Path = "kubernetes",
        Description = "kubernetes secrets engine description",
        KubernetesHost = "https://127.0.0.1:61233",
        // PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
        KubernetesCaCert = Std.File.Invoke(new()
        {
            Input = "/path/to/cert",
        }).Apply(invoke => invoke.Result),
        // Service account token Vault presents to the Kubernetes API. This is a
        // credential: keep the token file out of version control.
        // NOTE(review): the token is read as ordinary file content; confirm the
        // stack stores it encrypted as a secret.
        ServiceAccountJwt = Std.File.Invoke(new()
        {
            Input = "/path/to/token",
        }).Apply(invoke => invoke.Result),
        // false leaves Vault's fallback to the pod-local CA and token enabled
        // when Vault itself runs in a Kubernetes pod.
        DisableLocalCaJwt = false,
    });
    // Vault generates a service account and binds it to a Role/ClusterRole
    // that already exists, so the permissions granted are whatever that
    // pre-existing role allows.
    var name_example = new Vault.Kubernetes.SecretBackendRole("name-example", new()
    {
        Backend = config.Path,
        Name = "service-account-name-role",
        // "*" allows every namespace. List only the namespaces that need
        // credentials to keep the role least-privilege.
        AllowedKubernetesNamespaces = new[]
        {
            "*",
        },
        // TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes
        // limit how long a leaked token stays usable.
        TokenMaxTtl = 43200,
        TokenDefaultTtl = 21600,
        KubernetesRoleName = "vault-k8s-secrets-role",
        // Extra labels and annotations for the Kubernetes objects Vault generates.
        ExtraLabels = 
        {
            { "id", "abc123" },
            { "name", "some_name" },
        },
        ExtraAnnotations = 
        {
            { "env", "development" },
            { "location", "earth" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares the Kubernetes secrets engine mount and one
 * role on it that uses kubernetes_role_name mode.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    /**
     * Declares the secrets engine mount and the role.
     *
     * @param ctx Pulumi deployment context (not used directly here)
     */
    // NOTE(review): StdFunctions and FileArgs are not among the imports shown
    // with this listing; presumably they come from the pulumi-std Java SDK.
    // Confirm and import them before compiling.
    public static void stack(Context ctx) {
        // kubernetesCaCert: PEM CA bundle Vault uses to verify the Kubernetes
        // API server's TLS certificate.
        // serviceAccountJwt: token Vault presents to the Kubernetes API. It is a
        // credential: keep the token file out of version control.
        // NOTE(review): the token is read as ordinary file content; confirm the
        // stack stores it encrypted as a secret.
        // disableLocalCaJwt(false) leaves Vault's fallback to the pod-local CA
        // and token enabled when Vault itself runs in a Kubernetes pod.
        var config = new SecretBackend("config", SecretBackendArgs.builder()
            .path("kubernetes")
            .description("kubernetes secrets engine description")
            .kubernetesHost("https://127.0.0.1:61233")
            .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
                .input("/path/to/cert")
                .build()).result())
            .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
                .input("/path/to/token")
                .build()).result())
            .disableLocalCaJwt(false)
            .build());
        // Vault generates a service account and binds it to a Role/ClusterRole
        // that already exists, so the permissions granted are whatever that
        // pre-existing role allows.
        // "*" allows every namespace; list only the namespaces that need
        // credentials to keep the role least-privilege.
        // TTLs are in seconds (12 h maximum, 6 h default); shorter lifetimes
        // limit how long a leaked token stays usable.
        var name_example = new SecretBackendRole("name-example", SecretBackendRoleArgs.builder()
            .backend(config.path())
            .name("service-account-name-role")
            .allowedKubernetesNamespaces("*")
            .tokenMaxTtl(43200)
            .tokenDefaultTtl(21600)
            .kubernetesRoleName("vault-k8s-secrets-role")
            .extraLabels(Map.ofEntries(
                Map.entry("id", "abc123"),
                Map.entry("name", "some_name")
            ))
            .extraAnnotations(Map.ofEntries(
                Map.entry("env", "development"),
                Map.entry("location", "earth")
            ))
            .build());
    }
}
# Kubernetes secrets engine mount plus one role in kubernetes_role_name mode.
resources:
  config:
    type: vault:kubernetes:SecretBackend
    properties:
      path: kubernetes
      description: kubernetes secrets engine description
      kubernetesHost: https://127.0.0.1:61233
      # PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
      kubernetesCaCert:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/cert
          Return: result
      # Service account token Vault presents to the Kubernetes API. This is a
      # credential: keep the token file out of version control.
      # NOTE(review): the token is read as ordinary file content; confirm the
      # stack stores it encrypted as a secret.
      serviceAccountJwt:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/token
          Return: result
      # false leaves Vault's fallback to the pod-local CA and token enabled
      # when Vault itself runs in a Kubernetes pod.
      disableLocalCaJwt: false
  # Vault generates a service account and binds it to a Role/ClusterRole that
  # already exists, so the permissions granted are whatever that role allows.
  name-example:
    type: vault:kubernetes:SecretBackendRole
    properties:
      backend: ${config.path}
      name: service-account-name-role
      # '*' allows every namespace. List only the namespaces that need
      # credentials to keep the role least-privilege.
      allowedKubernetesNamespaces:
        - '*'
      # TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes limit
      # how long a leaked token stays usable.
      tokenMaxTtl: 43200
      tokenDefaultTtl: 21600
      kubernetesRoleName: vault-k8s-secrets-role
      # Extra labels and annotations for the Kubernetes objects Vault generates.
      extraLabels:
        id: abc123
        name: some_name
      extraAnnotations:
        env: development
        location: earth
Example using generated_role_rules mode:
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
// Mount the Kubernetes secrets engine and tell Vault how to reach the cluster API.
const config = new vault.kubernetes.SecretBackend("config", {
    path: "kubernetes",
    description: "kubernetes secrets engine description",
    kubernetesHost: "https://127.0.0.1:61233",
    // PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
    kubernetesCaCert: std.file({
        input: "/path/to/cert",
    }).then(invoke => invoke.result),
    // Service account token Vault presents to the Kubernetes API. This is a
    // credential: keep the token file out of version control.
    // NOTE(review): the token is read as ordinary file content; confirm the
    // stack stores it encrypted as a secret.
    serviceAccountJwt: std.file({
        input: "/path/to/token",
    }).then(invoke => invoke.result),
    // false leaves Vault's fallback to the pod-local CA and token enabled when
    // Vault itself runs in a Kubernetes pod.
    disableLocalCaJwt: false,
});
// Role in generated_role_rules mode: Vault generates the role object, a
// service account and the binding, so the rules below are the full permission
// set of every credential issued by this role.
const rules_example = new vault.kubernetes.SecretBackendRole("rules-example", {
    backend: config.path,
    name: "service-account-name-role",
    // "*" allows every namespace. List only the namespaces that need
    // credentials to keep the role least-privilege.
    allowedKubernetesNamespaces: ["*"],
    // TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes limit
    // how long a leaked token stays usable.
    tokenMaxTtl: 43200,
    tokenDefaultTtl: 21600,
    // "Role" asks for a namespaced role; the rules grant only `list` on pods in
    // the core API group. Keep verbs and resources this narrow.
    kubernetesRoleType: "Role",
    generatedRoleRules: `rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
`,
    // Extra labels and annotations for the Kubernetes objects Vault generates.
    extraLabels: {
        id: "abc123",
        name: "some_name",
    },
    extraAnnotations: {
        env: "development",
        location: "earth",
    },
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
# Mount the Kubernetes secrets engine and tell Vault how to reach the cluster API.
config = vault.kubernetes.SecretBackend("config",
    path="kubernetes",
    description="kubernetes secrets engine description",
    kubernetes_host="https://127.0.0.1:61233",
    # PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
    kubernetes_ca_cert=std.file(input="/path/to/cert").result,
    # Service account token Vault presents to the Kubernetes API. This is a
    # credential: keep the token file out of version control.
    # NOTE(review): the token is read as ordinary file content; confirm the
    # stack stores it encrypted as a secret.
    service_account_jwt=std.file(input="/path/to/token").result,
    # False leaves Vault's fallback to the pod-local CA and token enabled when
    # Vault itself runs in a Kubernetes pod.
    disable_local_ca_jwt=False)
# Role in generated_role_rules mode: Vault generates the role object, a
# service account and the binding, so the rules below are the full permission
# set of every credential issued by this role.
rules_example = vault.kubernetes.SecretBackendRole("rules-example",
    backend=config.path,
    name="service-account-name-role",
    # "*" allows every namespace. List only the namespaces that need
    # credentials to keep the role least-privilege.
    allowed_kubernetes_namespaces=["*"],
    # TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes limit
    # how long a leaked token stays usable.
    token_max_ttl=43200,
    token_default_ttl=21600,
    # "Role" asks for a namespaced role; the rules grant only `list` on pods in
    # the core API group. Keep verbs and resources this narrow.
    kubernetes_role_type="Role",
    generated_role_rules="""rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
""",
    # Extra labels and annotations for the Kubernetes objects Vault generates.
    extra_labels={
        "id": "abc123",
        "name": "some_name",
    },
    extra_annotations={
        "env": "development",
        "location": "earth",
    })
package main
import (
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares the Kubernetes secrets engine mount and one role on it that
// uses generated_role_rules mode.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		// Service account token Vault presents to the Kubernetes API. This is a
		// credential: keep the token file out of version control.
		// NOTE(review): the token is read as ordinary file content; confirm the
		// stack stores it encrypted as a secret.
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:              pulumi.String("kubernetes"),
			Description:       pulumi.String("kubernetes secrets engine description"),
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  invokeFile.Result,
			ServiceAccountJwt: invokeFile1.Result,
			// false leaves Vault's fallback to the pod-local CA and token
			// enabled when Vault itself runs in a Kubernetes pod.
			DisableLocalCaJwt: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		// Vault generates the role object, a service account and the binding,
		// so GeneratedRoleRules is the full permission set of every credential
		// issued by this role.
		_, err = kubernetes.NewSecretBackendRole(ctx, "rules-example", &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			// "*" allows every namespace. List only the namespaces that need
			// credentials to keep the role least-privilege.
			AllowedKubernetesNamespaces: pulumi.StringArray{
				pulumi.String("*"),
			},
			// TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes
			// limit how long a leaked token stays usable.
			TokenMaxTtl:        pulumi.Int(43200),
			TokenDefaultTtl:    pulumi.Int(21600),
			// "Role" asks for a namespaced role; the rules grant only `list` on
			// pods in the core API group. Keep verbs and resources this narrow.
			KubernetesRoleType: pulumi.String("Role"),
			GeneratedRoleRules: pulumi.String("rules:\n- apiGroups: [\"\"]\n  resources: [\"pods\"]\n  verbs: [\"list\"]\n"),
			// Extra labels and annotations for the Kubernetes objects Vault generates.
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
// Declares the Kubernetes secrets engine mount and one role on it that uses
// generated_role_rules mode.
return await Deployment.RunAsync(() => 
{
    var config = new Vault.Kubernetes.SecretBackend("config", new()
    {
        Path = "kubernetes",
        Description = "kubernetes secrets engine description",
        KubernetesHost = "https://127.0.0.1:61233",
        // PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
        KubernetesCaCert = Std.File.Invoke(new()
        {
            Input = "/path/to/cert",
        }).Apply(invoke => invoke.Result),
        // Service account token Vault presents to the Kubernetes API. This is a
        // credential: keep the token file out of version control.
        // NOTE(review): the token is read as ordinary file content; confirm the
        // stack stores it encrypted as a secret.
        ServiceAccountJwt = Std.File.Invoke(new()
        {
            Input = "/path/to/token",
        }).Apply(invoke => invoke.Result),
        // false leaves Vault's fallback to the pod-local CA and token enabled
        // when Vault itself runs in a Kubernetes pod.
        DisableLocalCaJwt = false,
    });
    // Vault generates the role object, a service account and the binding, so
    // GeneratedRoleRules is the full permission set of every credential issued
    // by this role.
    var rules_example = new Vault.Kubernetes.SecretBackendRole("rules-example", new()
    {
        Backend = config.Path,
        Name = "service-account-name-role",
        // "*" allows every namespace. List only the namespaces that need
        // credentials to keep the role least-privilege.
        AllowedKubernetesNamespaces = new[]
        {
            "*",
        },
        // TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes
        // limit how long a leaked token stays usable.
        TokenMaxTtl = 43200,
        TokenDefaultTtl = 21600,
        // "Role" asks for a namespaced role; the rules grant only `list` on pods
        // in the core API group. Keep verbs and resources this narrow.
        KubernetesRoleType = "Role",
        GeneratedRoleRules = @"rules:
- apiGroups: [""""]
  resources: [""pods""]
  verbs: [""list""]
",
        // Extra labels and annotations for the Kubernetes objects Vault generates.
        ExtraLabels = 
        {
            { "id", "abc123" },
            { "name", "some_name" },
        },
        ExtraAnnotations = 
        {
            { "env", "development" },
            { "location", "earth" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares the Kubernetes secrets engine mount and one
 * role on it that uses generated_role_rules mode.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    /**
     * Declares the secrets engine mount and the role.
     *
     * @param ctx Pulumi deployment context (not used directly here)
     */
    // NOTE(review): StdFunctions and FileArgs are not among the imports shown
    // with this listing; presumably they come from the pulumi-std Java SDK.
    // Confirm and import them before compiling.
    public static void stack(Context ctx) {
        // kubernetesCaCert: PEM CA bundle Vault uses to verify the Kubernetes
        // API server's TLS certificate.
        // serviceAccountJwt: token Vault presents to the Kubernetes API. It is a
        // credential: keep the token file out of version control.
        // NOTE(review): the token is read as ordinary file content; confirm the
        // stack stores it encrypted as a secret.
        // disableLocalCaJwt(false) leaves Vault's fallback to the pod-local CA
        // and token enabled when Vault itself runs in a Kubernetes pod.
        var config = new SecretBackend("config", SecretBackendArgs.builder()
            .path("kubernetes")
            .description("kubernetes secrets engine description")
            .kubernetesHost("https://127.0.0.1:61233")
            .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
                .input("/path/to/cert")
                .build()).result())
            .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
                .input("/path/to/token")
                .build()).result())
            .disableLocalCaJwt(false)
            .build());
        // Vault generates the role object, a service account and the binding, so
        // generatedRoleRules is the full permission set of every credential
        // issued by this role. "Role" asks for a namespaced role and the rules
        // grant only `list` on pods in the core API group; keep them this narrow.
        // "*" allows every namespace; list only the namespaces that need
        // credentials to keep the role least-privilege.
        // TTLs are in seconds (12 h maximum, 6 h default); shorter lifetimes
        // limit how long a leaked token stays usable.
        var rules_example = new SecretBackendRole("rules-example", SecretBackendRoleArgs.builder()
            .backend(config.path())
            .name("service-account-name-role")
            .allowedKubernetesNamespaces("*")
            .tokenMaxTtl(43200)
            .tokenDefaultTtl(21600)
            .kubernetesRoleType("Role")
            .generatedRoleRules("""
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
            """)
            .extraLabels(Map.ofEntries(
                Map.entry("id", "abc123"),
                Map.entry("name", "some_name")
            ))
            .extraAnnotations(Map.ofEntries(
                Map.entry("env", "development"),
                Map.entry("location", "earth")
            ))
            .build());
    }
}
# Kubernetes secrets engine mount plus one role in generated_role_rules mode.
resources:
  config:
    type: vault:kubernetes:SecretBackend
    properties:
      path: kubernetes
      description: kubernetes secrets engine description
      kubernetesHost: https://127.0.0.1:61233
      # PEM CA bundle Vault uses to verify the Kubernetes API server's TLS certificate.
      kubernetesCaCert:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/cert
          Return: result
      # Service account token Vault presents to the Kubernetes API. This is a
      # credential: keep the token file out of version control.
      # NOTE(review): the token is read as ordinary file content; confirm the
      # stack stores it encrypted as a secret.
      serviceAccountJwt:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/token
          Return: result
      # false leaves Vault's fallback to the pod-local CA and token enabled
      # when Vault itself runs in a Kubernetes pod.
      disableLocalCaJwt: false
  # Vault generates the role object, a service account and the binding, so
  # generatedRoleRules is the full permission set of every credential issued
  # by this role.
  rules-example:
    type: vault:kubernetes:SecretBackendRole
    properties:
      backend: ${config.path}
      name: service-account-name-role
      # '*' allows every namespace. List only the namespaces that need
      # credentials to keep the role least-privilege.
      allowedKubernetesNamespaces:
        - '*'
      # TTLs are in seconds: 12 h maximum, 6 h default. Shorter lifetimes limit
      # how long a leaked token stays usable.
      tokenMaxTtl: 43200
      tokenDefaultTtl: 21600
      # "Role" asks for a namespaced role; the rules grant only `list` on pods
      # in the core API group. Keep verbs and resources this narrow.
      kubernetesRoleType: Role
      generatedRoleRules: |
        rules:
        - apiGroups: [""]
          resources: ["pods"]
          verbs: ["list"]        
      # Extra labels and annotations for the Kubernetes objects Vault generates.
      extraLabels:
        id: abc123
        name: some_name
      extraAnnotations:
        env: development
        location: earth
Create SecretBackendRole Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);
@overload
def SecretBackendRole(resource_name: str,
                      args: SecretBackendRoleArgs,
                      opts: Optional[ResourceOptions] = None)
@overload
def SecretBackendRole(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      backend: Optional[str] = None,
                      kubernetes_role_name: Optional[str] = None,
                      allowed_kubernetes_namespaces: Optional[Sequence[str]] = None,
                      extra_annotations: Optional[Mapping[str, str]] = None,
                      extra_labels: Optional[Mapping[str, str]] = None,
                      generated_role_rules: Optional[str] = None,
                      allowed_kubernetes_namespace_selector: Optional[str] = None,
                      kubernetes_role_type: Optional[str] = None,
                      name: Optional[str] = None,
                      name_template: Optional[str] = None,
                      namespace: Optional[str] = None,
                      service_account_name: Optional[str] = None,
                      token_default_ttl: Optional[int] = None,
                      token_max_ttl: Optional[int] = None)
func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)
public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)
public SecretBackendRole(String name, SecretBackendRoleArgs args)
public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)
type: vault:kubernetes:SecretBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference listing: every input is shown with a placeholder value.
// ServiceAccountName, KubernetesRoleName and GeneratedRoleRules select three
// different modes and are mutually exclusive on a real role; set only one.
var examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole = new Vault.Kubernetes.SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", new()
{
    Backend = "string",
    KubernetesRoleName = "string",
    // Namespaces the role may issue credentials for; prefer an explicit list
    // over "*".
    AllowedKubernetesNamespaces = new[]
    {
        "string",
    },
    ExtraAnnotations = 
    {
        { "string", "string" },
    },
    ExtraLabels = 
    {
        { "string", "string" },
    },
    GeneratedRoleRules = "string",
    // ORed with AllowedKubernetesNamespaces, so it widens the allowed set.
    AllowedKubernetesNamespaceSelector = "string",
    KubernetesRoleType = "string",
    Name = "string",
    NameTemplate = "string",
    Namespace = "string",
    ServiceAccountName = "string",
    // Token lifetimes in seconds.
    TokenDefaultTtl = 0,
    TokenMaxTtl = 0,
});
// Reference listing: every input is shown with a placeholder value.
// ServiceAccountName, KubernetesRoleName and GeneratedRoleRules select three
// different modes and are mutually exclusive on a real role; set only one.
example, err := kubernetes.NewSecretBackendRole(ctx, "examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", &kubernetes.SecretBackendRoleArgs{
	Backend:            pulumi.String("string"),
	KubernetesRoleName: pulumi.String("string"),
	// Namespaces the role may issue credentials for; prefer an explicit list
	// over "*".
	AllowedKubernetesNamespaces: pulumi.StringArray{
		pulumi.String("string"),
	},
	ExtraAnnotations: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	ExtraLabels: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	GeneratedRoleRules:                 pulumi.String("string"),
	// ORed with AllowedKubernetesNamespaces, so it widens the allowed set.
	AllowedKubernetesNamespaceSelector: pulumi.String("string"),
	KubernetesRoleType:                 pulumi.String("string"),
	Name:                               pulumi.String("string"),
	NameTemplate:                       pulumi.String("string"),
	Namespace:                          pulumi.String("string"),
	ServiceAccountName:                 pulumi.String("string"),
	// Token lifetimes in seconds.
	TokenDefaultTtl:                    pulumi.Int(0),
	TokenMaxTtl:                        pulumi.Int(0),
})
// Reference listing: every input is shown with a placeholder value.
// serviceAccountName, kubernetesRoleName and generatedRoleRules select three
// different modes and are mutually exclusive on a real role; set only one.
// allowedKubernetesNamespaces and allowedKubernetesNamespaceSelector are ORed,
// so setting both widens the allowed set. Token TTLs are in seconds.
var examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole = new SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", SecretBackendRoleArgs.builder()
    .backend("string")
    .kubernetesRoleName("string")
    .allowedKubernetesNamespaces("string")
    .extraAnnotations(Map.of("string", "string"))
    .extraLabels(Map.of("string", "string"))
    .generatedRoleRules("string")
    .allowedKubernetesNamespaceSelector("string")
    .kubernetesRoleType("string")
    .name("string")
    .nameTemplate("string")
    .namespace("string")
    .serviceAccountName("string")
    .tokenDefaultTtl(0)
    .tokenMaxTtl(0)
    .build());
# Reference listing: every input is shown with a placeholder value.
# service_account_name, kubernetes_role_name and generated_role_rules select
# three different modes and are mutually exclusive on a real role; set only one.
examplesecret_backend_role_resource_resource_from_kubernetessecret_backend_role = vault.kubernetes.SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole",
    backend="string",
    kubernetes_role_name="string",
    # Namespaces the role may issue credentials for; prefer an explicit list
    # over "*".
    allowed_kubernetes_namespaces=["string"],
    extra_annotations={
        "string": "string",
    },
    extra_labels={
        "string": "string",
    },
    generated_role_rules="string",
    # ORed with allowed_kubernetes_namespaces, so it widens the allowed set.
    allowed_kubernetes_namespace_selector="string",
    kubernetes_role_type="string",
    name="string",
    name_template="string",
    namespace="string",
    service_account_name="string",
    # Token lifetimes in seconds.
    token_default_ttl=0,
    token_max_ttl=0)
// Constructor template: the "string" and 0 values below are placeholders that show each argument's type.
// serviceAccountName, kubernetesRoleName and generatedRoleRules are documented as mutually exclusive,
// so a real role sets only one of them.
const examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole = new vault.kubernetes.SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", {
    backend: "string",
    kubernetesRoleName: "string",
    // "*" allows every namespace; list only the namespaces this role should issue credentials for.
    allowedKubernetesNamespaces: ["string"],
    extraAnnotations: {
        string: "string",
    },
    extraLabels: {
        string: "string",
    },
    generatedRoleRules: "string",
    // ORed with allowedKubernetesNamespaces: setting both widens the permitted set, it does not narrow it.
    allowedKubernetesNamespaceSelector: "string",
    kubernetesRoleType: "string",
    name: "string",
    nameTemplate: "string",
    namespace: "string",
    serviceAccountName: "string",
    // Both TTLs are expressed in seconds.
    tokenDefaultTtl: 0,
    tokenMaxTtl: 0,
});
# Resource template: the "string" and 0 values below are placeholders that show each property's type.
# serviceAccountName, kubernetesRoleName and generatedRoleRules are documented as mutually exclusive,
# so a real role sets only one of them.
type: vault:kubernetes:SecretBackendRole
properties:
    # ORed with allowedKubernetesNamespaces: setting both widens the permitted set, it does not narrow it.
    allowedKubernetesNamespaceSelector: string
    # "*" allows every namespace; list only the namespaces this role should issue credentials for.
    allowedKubernetesNamespaces:
        - string
    backend: string
    extraAnnotations:
        string: string
    extraLabels:
        string: string
    generatedRoleRules: string
    kubernetesRoleName: string
    kubernetesRoleType: string
    name: string
    nameTemplate: string
    namespace: string
    serviceAccountName: string
    # Both TTLs are expressed in seconds.
    tokenDefaultTtl: 0
    tokenMaxTtl: 0
SecretBackendRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The SecretBackendRole resource accepts the following input properties:
- Backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- AllowedKubernetes stringNamespace Selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- AllowedKubernetes List<string>Namespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- ExtraAnnotations Dictionary<string, string>
- Additional annotations to apply to all generated Kubernetes objects.
- ExtraLabels Dictionary<string, string>
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- GeneratedRole stringRules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- KubernetesRole stringName 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- KubernetesRole stringType 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- Name string
- The name of the role.
- NameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ServiceAccount stringName 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- TokenDefault intTtl 
- The default TTL for generated Kubernetes tokens in seconds.
- TokenMax intTtl 
- The maximum TTL for generated Kubernetes tokens in seconds.
- Backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- AllowedKubernetes stringNamespace Selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- AllowedKubernetes []stringNamespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- ExtraAnnotations map[string]string
- Additional annotations to apply to all generated Kubernetes objects.
- ExtraLabels map[string]string
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- GeneratedRole stringRules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- KubernetesRole stringName 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- KubernetesRole stringType 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- Name string
- The name of the role.
- NameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ServiceAccount stringName 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- TokenDefault intTtl 
- The default TTL for generated Kubernetes tokens in seconds.
- TokenMax intTtl 
- The maximum TTL for generated Kubernetes tokens in seconds.
- backend String
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- allowedKubernetes StringNamespace Selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- allowedKubernetes List<String>Namespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- extraAnnotations Map<String,String>
- Additional annotations to apply to all generated Kubernetes objects.
- extraLabels Map<String,String>
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- generatedRole StringRules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetesRole StringName 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRole StringType 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name String
- The name of the role.
- nameTemplate String
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccount StringName 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefault IntegerTtl 
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMax IntegerTtl 
- The maximum TTL for generated Kubernetes tokens in seconds.
- backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- allowedKubernetes stringNamespace Selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- allowedKubernetes string[]Namespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- extraAnnotations {[key: string]: string}
- Additional annotations to apply to all generated Kubernetes objects.
- extraLabels {[key: string]: string}
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- generatedRole stringRules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetesRole stringName 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRole stringType 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name string
- The name of the role.
- nameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccount stringName 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefault numberTtl 
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMax numberTtl 
- The maximum TTL for generated Kubernetes tokens in seconds.
- backend str
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- allowed_kubernetes_ strnamespace_ selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- allowed_kubernetes_ Sequence[str]namespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- extra_annotations Mapping[str, str]
- Additional annotations to apply to all generated Kubernetes objects.
- extra_labels Mapping[str, str]
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- generated_role_ strrules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetes_role_ strname 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetes_role_ strtype 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name str
- The name of the role.
- name_template str
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- service_account_ strname 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- token_default_ intttl 
- The default TTL for generated Kubernetes tokens in seconds.
- token_max_ intttl 
- The maximum TTL for generated Kubernetes tokens in seconds.
- backend String
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- allowedKubernetes StringNamespace Selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- allowedKubernetes List<String>Namespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- extraAnnotations Map<String>
- Additional annotations to apply to all generated Kubernetes objects.
- extraLabels Map<String>
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- generatedRole StringRules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetesRole StringName 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRole StringType 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name String
- The name of the role.
- nameTemplate String
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccount StringName 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefault NumberTtl 
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMax NumberTtl 
- The maximum TTL for generated Kubernetes tokens in seconds.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing SecretBackendRole Resource
Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allowed_kubernetes_namespace_selector: Optional[str] = None,
        allowed_kubernetes_namespaces: Optional[Sequence[str]] = None,
        backend: Optional[str] = None,
        extra_annotations: Optional[Mapping[str, str]] = None,
        extra_labels: Optional[Mapping[str, str]] = None,
        generated_role_rules: Optional[str] = None,
        kubernetes_role_name: Optional[str] = None,
        kubernetes_role_type: Optional[str] = None,
        name: Optional[str] = None,
        name_template: Optional[str] = None,
        namespace: Optional[str] = None,
        service_account_name: Optional[str] = None,
        token_default_ttl: Optional[int] = None,
        token_max_ttl: Optional[int] = None) -> SecretBackendRole
func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)
public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)
public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AllowedKubernetes stringNamespace Selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- AllowedKubernetes List<string>Namespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- Backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- ExtraAnnotations Dictionary<string, string>
- Additional annotations to apply to all generated Kubernetes objects.
- ExtraLabels Dictionary<string, string>
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- GeneratedRole stringRules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- KubernetesRole stringName 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- KubernetesRole stringType 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- Name string
- The name of the role.
- NameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ServiceAccount stringName 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- TokenDefault intTtl 
- The default TTL for generated Kubernetes tokens in seconds.
- TokenMax intTtl 
- The maximum TTL for generated Kubernetes tokens in seconds.
- AllowedKubernetes stringNamespace Selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- AllowedKubernetes []stringNamespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- Backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- ExtraAnnotations map[string]string
- Additional annotations to apply to all generated Kubernetes objects.
- ExtraLabels map[string]string
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- GeneratedRole stringRules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- KubernetesRole stringName 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- KubernetesRole stringType 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- Name string
- The name of the role.
- NameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ServiceAccount stringName 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- TokenDefault intTtl 
- The default TTL for generated Kubernetes tokens in seconds.
- TokenMax intTtl 
- The maximum TTL for generated Kubernetes tokens in seconds.
- allowedKubernetes StringNamespace Selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- allowedKubernetes List<String>Namespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- backend String
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- extraAnnotations Map<String,String>
- Additional annotations to apply to all generated Kubernetes objects.
- extraLabels Map<String,String>
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- generatedRole StringRules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetesRole StringName 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRole StringType 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name String
- The name of the role.
- nameTemplate String
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccount StringName 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefault IntegerTtl 
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMax IntegerTtl 
- The maximum TTL for generated Kubernetes tokens in seconds.
- allowedKubernetes stringNamespace Selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- allowedKubernetes string[]Namespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- extraAnnotations {[key: string]: string}
- Additional annotations to apply to all generated Kubernetes objects.
- extraLabels {[key: string]: string}
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- generatedRole stringRules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetesRole stringName 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRole stringType 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name string
- The name of the role.
- nameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccount stringName 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefault numberTtl 
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMax numberTtl 
- The maximum TTL for generated Kubernetes tokens in seconds.
- allowed_kubernetes_ strnamespace_ selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- allowed_kubernetes_ Sequence[str]namespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- backend str
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- extra_annotations Mapping[str, str]
- Additional annotations to apply to all generated Kubernetes objects.
- extra_labels Mapping[str, str]
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- generated_role_ strrules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetes_role_ strname 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetes_role_ strtype 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name str
- The name of the role.
- name_template str
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- service_account_ strname 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- token_default_ intttl 
- The default TTL for generated Kubernetes tokens in seconds.
- token_max_ intttl 
- The maximum TTL for generated Kubernetes tokens in seconds.
- allowedKubernetes StringNamespace Selector 
- A label selector for Kubernetes namespaces
in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
of type LabelSelector.
If set with allowed_kubernetes_namespaces, the conditions are ORed.
- allowedKubernetes List<String>Namespaces 
- The list of Kubernetes namespaces this role
can generate credentials for. If set to "*", all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
- backend String
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- extraAnnotations Map<String>
- Additional annotations to apply to all generated Kubernetes objects.
- extraLabels Map<String>
- Additional labels to apply to all generated Kubernetes objects. - This resource also directly accepts all vault.Mount fields. 
- generatedRole StringRules 
- The Role or ClusterRole rules to use when generating
a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetesRole StringName 
- The pre-existing Role or ClusterRole to bind a
generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRole StringType 
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name String
- The name of the role.
- nameTemplate String
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccount StringName 
- The pre-existing service account to generate tokens for.
Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefault NumberTtl 
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMax NumberTtl 
- The maximum TTL for generated Kubernetes tokens in seconds.
Import
The Kubernetes secret backend role can be imported using the full path to the role
of the form: <backend_path>/roles/<role_name> e.g.
$ pulumi import vault:kubernetes/secretBackendRole:SecretBackendRole example kubernetes kubernetes/roles/example-role
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the vault Terraform Provider.