Docs Home
Packages
HashiCorp Vault v6.3.0 published on Thursday, Aug 8, 2024 by Pulumi
vault.kubernetes.SecretBackend
Explore with Pulumi AI
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const config = new vault.kubernetes.SecretBackend("config", {
path: "kubernetes",
description: "kubernetes secrets engine description",
defaultLeaseTtlSeconds: 43200,
maxLeaseTtlSeconds: 86400,
kubernetesHost: "https://127.0.0.1:61233",
kubernetesCaCert: std.file({
input: "/path/to/cert",
}).then(invoke => invoke.result),
serviceAccountJwt: std.file({
input: "/path/to/token",
}).then(invoke => invoke.result),
disableLocalCaJwt: false,
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
config = vault.kubernetes.SecretBackend("config",
path="kubernetes",
description="kubernetes secrets engine description",
default_lease_ttl_seconds=43200,
max_lease_ttl_seconds=86400,
kubernetes_host="https://127.0.0.1:61233",
kubernetes_ca_cert=std.file(input="/path/to/cert").result,
service_account_jwt=std.file(input="/path/to/token").result,
disable_local_ca_jwt=False)
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/cert",
}, nil)
if err != nil {
return err
}
invokeFile1, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/token",
}, nil)
if err != nil {
return err
}
_, err = kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
Path: pulumi.String("kubernetes"),
Description: pulumi.String("kubernetes secrets engine description"),
DefaultLeaseTtlSeconds: pulumi.Int(43200),
MaxLeaseTtlSeconds: pulumi.Int(86400),
KubernetesHost: pulumi.String("https://127.0.0.1:61233"),
KubernetesCaCert: pulumi.String(invokeFile.Result),
ServiceAccountJwt: pulumi.String(invokeFile1.Result),
DisableLocalCaJwt: pulumi.Bool(false),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var config = new Vault.Kubernetes.SecretBackend("config", new()
{
Path = "kubernetes",
Description = "kubernetes secrets engine description",
DefaultLeaseTtlSeconds = 43200,
MaxLeaseTtlSeconds = 86400,
KubernetesHost = "https://127.0.0.1:61233",
KubernetesCaCert = Std.File.Invoke(new()
{
Input = "/path/to/cert",
}).Apply(invoke => invoke.Result),
ServiceAccountJwt = Std.File.Invoke(new()
{
Input = "/path/to/token",
}).Apply(invoke => invoke.Result),
DisableLocalCaJwt = false,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var config = new SecretBackend("config", SecretBackendArgs.builder()
.path("kubernetes")
.description("kubernetes secrets engine description")
.defaultLeaseTtlSeconds(43200)
.maxLeaseTtlSeconds(86400)
.kubernetesHost("https://127.0.0.1:61233")
.kubernetesCaCert(StdFunctions.file(FileArgs.builder()
.input("/path/to/cert")
.build()).result())
.serviceAccountJwt(StdFunctions.file(FileArgs.builder()
.input("/path/to/token")
.build()).result())
.disableLocalCaJwt(false)
.build());
}
}
resources:
config:
type: vault:kubernetes:SecretBackend
properties:
path: kubernetes
description: kubernetes secrets engine description
defaultLeaseTtlSeconds: 43200
maxLeaseTtlSeconds: 86400
kubernetesHost: https://127.0.0.1:61233
kubernetesCaCert:
fn::invoke:
Function: std:file
Arguments:
input: /path/to/cert
Return: result
serviceAccountJwt:
fn::invoke:
Function: std:file
Arguments:
input: /path/to/token
Return: result
disableLocalCaJwt: false
Create SecretBackend Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecretBackend(name: string, args: SecretBackendArgs, opts?: CustomResourceOptions);@overload
def SecretBackend(resource_name: str,
args: SecretBackendArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SecretBackend(resource_name: str,
opts: Optional[ResourceOptions] = None,
path: Optional[str] = None,
kubernetes_ca_cert: Optional[str] = None,
delegated_auth_accessors: Optional[Sequence[str]] = None,
kubernetes_host: Optional[str] = None,
local: Optional[bool] = None,
listing_visibility: Optional[str] = None,
description: Optional[str] = None,
disable_local_ca_jwt: Optional[bool] = None,
external_entropy_access: Optional[bool] = None,
identity_token_key: Optional[str] = None,
allowed_managed_keys: Optional[Sequence[str]] = None,
audit_non_hmac_response_keys: Optional[Sequence[str]] = None,
audit_non_hmac_request_keys: Optional[Sequence[str]] = None,
default_lease_ttl_seconds: Optional[int] = None,
max_lease_ttl_seconds: Optional[int] = None,
namespace: Optional[str] = None,
options: Optional[Mapping[str, Any]] = None,
passthrough_request_headers: Optional[Sequence[str]] = None,
allowed_response_headers: Optional[Sequence[str]] = None,
plugin_version: Optional[str] = None,
seal_wrap: Optional[bool] = None,
service_account_jwt: Optional[str] = None)func NewSecretBackend(ctx *Context, name string, args SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)public SecretBackend(string name, SecretBackendArgs args, CustomResourceOptions? opts = null)
public SecretBackend(String name, SecretBackendArgs args)
public SecretBackend(String name, SecretBackendArgs args, CustomResourceOptions options)
type: vault:kubernetes:SecretBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var examplesecretBackendResourceResourceFromKubernetessecretBackend = new Vault.Kubernetes.SecretBackend("examplesecretBackendResourceResourceFromKubernetessecretBackend", new()
{
Path = "string",
KubernetesCaCert = "string",
DelegatedAuthAccessors = new[]
{
"string",
},
KubernetesHost = "string",
Local = false,
ListingVisibility = "string",
Description = "string",
DisableLocalCaJwt = false,
ExternalEntropyAccess = false,
IdentityTokenKey = "string",
AllowedManagedKeys = new[]
{
"string",
},
AuditNonHmacResponseKeys = new[]
{
"string",
},
AuditNonHmacRequestKeys = new[]
{
"string",
},
DefaultLeaseTtlSeconds = 0,
MaxLeaseTtlSeconds = 0,
Namespace = "string",
Options =
{
{ "string", "any" },
},
PassthroughRequestHeaders = new[]
{
"string",
},
AllowedResponseHeaders = new[]
{
"string",
},
PluginVersion = "string",
SealWrap = false,
ServiceAccountJwt = "string",
});
example, err := kubernetes.NewSecretBackend(ctx, "examplesecretBackendResourceResourceFromKubernetessecretBackend", &kubernetes.SecretBackendArgs{
Path: pulumi.String("string"),
KubernetesCaCert: pulumi.String("string"),
DelegatedAuthAccessors: pulumi.StringArray{
pulumi.String("string"),
},
KubernetesHost: pulumi.String("string"),
Local: pulumi.Bool(false),
ListingVisibility: pulumi.String("string"),
Description: pulumi.String("string"),
DisableLocalCaJwt: pulumi.Bool(false),
ExternalEntropyAccess: pulumi.Bool(false),
IdentityTokenKey: pulumi.String("string"),
AllowedManagedKeys: pulumi.StringArray{
pulumi.String("string"),
},
AuditNonHmacResponseKeys: pulumi.StringArray{
pulumi.String("string"),
},
AuditNonHmacRequestKeys: pulumi.StringArray{
pulumi.String("string"),
},
DefaultLeaseTtlSeconds: pulumi.Int(0),
MaxLeaseTtlSeconds: pulumi.Int(0),
Namespace: pulumi.String("string"),
Options: pulumi.Map{
"string": pulumi.Any("any"),
},
PassthroughRequestHeaders: pulumi.StringArray{
pulumi.String("string"),
},
AllowedResponseHeaders: pulumi.StringArray{
pulumi.String("string"),
},
PluginVersion: pulumi.String("string"),
SealWrap: pulumi.Bool(false),
ServiceAccountJwt: pulumi.String("string"),
})
var examplesecretBackendResourceResourceFromKubernetessecretBackend = new SecretBackend("examplesecretBackendResourceResourceFromKubernetessecretBackend", SecretBackendArgs.builder()
.path("string")
.kubernetesCaCert("string")
.delegatedAuthAccessors("string")
.kubernetesHost("string")
.local(false)
.listingVisibility("string")
.description("string")
.disableLocalCaJwt(false)
.externalEntropyAccess(false)
.identityTokenKey("string")
.allowedManagedKeys("string")
.auditNonHmacResponseKeys("string")
.auditNonHmacRequestKeys("string")
.defaultLeaseTtlSeconds(0)
.maxLeaseTtlSeconds(0)
.namespace("string")
.options(Map.of("string", "any"))
.passthroughRequestHeaders("string")
.allowedResponseHeaders("string")
.pluginVersion("string")
.sealWrap(false)
.serviceAccountJwt("string")
.build());
examplesecret_backend_resource_resource_from_kubernetessecret_backend = vault.kubernetes.SecretBackend("examplesecretBackendResourceResourceFromKubernetessecretBackend",
path="string",
kubernetes_ca_cert="string",
delegated_auth_accessors=["string"],
kubernetes_host="string",
local=False,
listing_visibility="string",
description="string",
disable_local_ca_jwt=False,
external_entropy_access=False,
identity_token_key="string",
allowed_managed_keys=["string"],
audit_non_hmac_response_keys=["string"],
audit_non_hmac_request_keys=["string"],
default_lease_ttl_seconds=0,
max_lease_ttl_seconds=0,
namespace="string",
options={
"string": "any",
},
passthrough_request_headers=["string"],
allowed_response_headers=["string"],
plugin_version="string",
seal_wrap=False,
service_account_jwt="string")
const examplesecretBackendResourceResourceFromKubernetessecretBackend = new vault.kubernetes.SecretBackend("examplesecretBackendResourceResourceFromKubernetessecretBackend", {
path: "string",
kubernetesCaCert: "string",
delegatedAuthAccessors: ["string"],
kubernetesHost: "string",
local: false,
listingVisibility: "string",
description: "string",
disableLocalCaJwt: false,
externalEntropyAccess: false,
identityTokenKey: "string",
allowedManagedKeys: ["string"],
auditNonHmacResponseKeys: ["string"],
auditNonHmacRequestKeys: ["string"],
defaultLeaseTtlSeconds: 0,
maxLeaseTtlSeconds: 0,
namespace: "string",
options: {
string: "any",
},
passthroughRequestHeaders: ["string"],
allowedResponseHeaders: ["string"],
pluginVersion: "string",
sealWrap: false,
serviceAccountJwt: "string",
});
type: vault:kubernetes:SecretBackend
properties:
allowedManagedKeys:
- string
allowedResponseHeaders:
- string
auditNonHmacRequestKeys:
- string
auditNonHmacResponseKeys:
- string
defaultLeaseTtlSeconds: 0
delegatedAuthAccessors:
- string
description: string
disableLocalCaJwt: false
externalEntropyAccess: false
identityTokenKey: string
kubernetesCaCert: string
kubernetesHost: string
listingVisibility: string
local: false
maxLeaseTtlSeconds: 0
namespace: string
options:
string: any
passthroughRequestHeaders:
- string
path: string
pluginVersion: string
sealWrap: false
serviceAccountJwt: string
SecretBackend Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The SecretBackend resource accepts the following input properties:
- Path string
- Where the secret backend will be mounted
- Allowed
Managed List<string>Keys - List of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response List<string>Headers - List of headers to allow and pass from the request to the plugin
- Audit
Non List<string>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non List<string>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease intTtl Seconds - Default lease duration for tokens and secrets in seconds
- Delegated
Auth List<string>Accessors - List of headers to allow and pass from the request to the plugin
- Description string
- Human-friendly description of the mount
- Disable
Local boolCa Jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- External
Entropy boolAccess - Enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens
- Kubernetes
Ca stringCert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- Kubernetes
Host string - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- Local bool
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- Max
Lease intTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options Dictionary<string, object>
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request List<string>Headers - List of headers to allow and pass from the request to the plugin
- Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- Seal
Wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- Service
Account stringJwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
- Path string
- Where the secret backend will be mounted
- Allowed
Managed []stringKeys - List of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response []stringHeaders - List of headers to allow and pass from the request to the plugin
- Audit
Non []stringHmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non []stringHmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease intTtl Seconds - Default lease duration for tokens and secrets in seconds
- Delegated
Auth []stringAccessors - List of headers to allow and pass from the request to the plugin
- Description string
- Human-friendly description of the mount
- Disable
Local boolCa Jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- External
Entropy boolAccess - Enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens
- Kubernetes
Ca stringCert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- Kubernetes
Host string - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- Local bool
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- Max
Lease intTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options map[string]interface{}
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request []stringHeaders - List of headers to allow and pass from the request to the plugin
- Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- Seal
Wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- Service
Account stringJwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
- path String
- Where the secret backend will be mounted
- allowed
Managed List<String>Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow and pass from the request to the plugin
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease IntegerTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth List<String>Accessors - List of headers to allow and pass from the request to the plugin
- description String
- Human-friendly description of the mount
- disable
Local BooleanCa Jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- external
Entropy BooleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens
- kubernetes
Ca StringCert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- kubernetes
Host String - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint
- local Boolean
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease IntegerTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String,Object>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin
- plugin
Version String - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- seal
Wrap Boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- service
Account StringJwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
- path string
- Where the secret backend will be mounted
- allowed
Managed string[]Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response string[]Headers - List of headers to allow and pass from the request to the plugin
- audit
Non string[]Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non string[]Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease numberTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth string[]Accessors - List of headers to allow and pass from the request to the plugin
- description string
- Human-friendly description of the mount
- disable
Local booleanCa Jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- external
Entropy booleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token stringKey - The key to use for signing plugin workload identity tokens
- kubernetes
Ca stringCert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- kubernetes
Host string - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- local boolean
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease numberTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options {[key: string]: any}
- Specifies mount type specific options that are passed to the backend
- passthrough
Request string[]Headers - List of headers to allow and pass from the request to the plugin
- plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- seal
Wrap boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- service
Account stringJwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
- path str
- Where the secret backend will be mounted
- allowed_
managed_ Sequence[str]keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed_
response_ Sequence[str]headers - List of headers to allow and pass from the request to the plugin
- audit_
non_ Sequence[str]hmac_ request_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit_
non_ Sequence[str]hmac_ response_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default_
lease_ intttl_ seconds - Default lease duration for tokens and secrets in seconds
- delegated_
auth_ Sequence[str]accessors - List of headers to allow and pass from the request to the plugin
- description str
- Human-friendly description of the mount
- disable_
local_ boolca_ jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- external_
entropy_ boolaccess - Enable the secrets engine to access Vault's external entropy source
- identity_
token_ strkey - The key to use for signing plugin workload identity tokens
- kubernetes_
ca_ strcert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- kubernetes_
host str - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - listing_
visibility str - Specifies whether to show this mount in the UI-specific listing endpoint
- local bool
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- max_
lease_ intttl_ seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Mapping[str, Any]
- Specifies mount type specific options that are passed to the backend
- passthrough_
request_ Sequence[str]headers - List of headers to allow and pass from the request to the plugin
- plugin_
version str - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- seal_
wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- service_
account_ strjwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
- path String
- Where the secret backend will be mounted
- allowed
Managed List<String>Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow and pass from the request to the plugin
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease NumberTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth List<String>Accessors - List of headers to allow and pass from the request to the plugin
- description String
- Human-friendly description of the mount
- disable
Local BooleanCa Jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- external
Entropy BooleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens
- kubernetes
Ca StringCert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- kubernetes
Host String - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint
- local Boolean
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease NumberTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<Any>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin
- plugin
Version String - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- seal
Wrap Boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- service
Account StringJwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:
Look up Existing SecretBackend Resource
Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accessor: Optional[str] = None,
allowed_managed_keys: Optional[Sequence[str]] = None,
allowed_response_headers: Optional[Sequence[str]] = None,
audit_non_hmac_request_keys: Optional[Sequence[str]] = None,
audit_non_hmac_response_keys: Optional[Sequence[str]] = None,
default_lease_ttl_seconds: Optional[int] = None,
delegated_auth_accessors: Optional[Sequence[str]] = None,
description: Optional[str] = None,
disable_local_ca_jwt: Optional[bool] = None,
external_entropy_access: Optional[bool] = None,
identity_token_key: Optional[str] = None,
kubernetes_ca_cert: Optional[str] = None,
kubernetes_host: Optional[str] = None,
listing_visibility: Optional[str] = None,
local: Optional[bool] = None,
max_lease_ttl_seconds: Optional[int] = None,
namespace: Optional[str] = None,
options: Optional[Mapping[str, Any]] = None,
passthrough_request_headers: Optional[Sequence[str]] = None,
path: Optional[str] = None,
plugin_version: Optional[str] = None,
seal_wrap: Optional[bool] = None,
service_account_jwt: Optional[str] = None) -> SecretBackendfunc GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)public static SecretBackend get(String name, Output<String> id, SecretBackendState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accessor string
- Accessor of the mount
- Allowed
Managed List<string>Keys - List of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response List<string>Headers - List of headers to allow and pass from the request to the plugin
- Audit
Non List<string>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non List<string>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease intTtl Seconds - Default lease duration for tokens and secrets in seconds
- Delegated
Auth List<string>Accessors - List of headers to allow and pass from the request to the plugin
- Description string
- Human-friendly description of the mount
- Disable
Local boolCa Jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- External
Entropy boolAccess - Enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens
- Kubernetes
Ca stringCert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- Kubernetes
Host string - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- Local bool
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- Max
Lease intTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options Dictionary<string, object>
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request List<string>Headers - List of headers to allow and pass from the request to the plugin
- Path string
- Where the secret backend will be mounted
- Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- Seal
Wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- Service
Account stringJwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
- Accessor string
- Accessor of the mount
- Allowed
Managed []stringKeys - List of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response []stringHeaders - List of headers to allow and pass from the request to the plugin
- Audit
Non []stringHmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non []stringHmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease intTtl Seconds - Default lease duration for tokens and secrets in seconds
- Delegated
Auth []stringAccessors - List of headers to allow and pass from the request to the plugin
- Description string
- Human-friendly description of the mount
- Disable
Local boolCa Jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- External
Entropy boolAccess - Enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens
- Kubernetes
Ca stringCert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- Kubernetes
Host string - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- Local bool
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- Max
Lease intTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options map[string]interface{}
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request []stringHeaders - List of headers to allow and pass from the request to the plugin
- Path string
- Where the secret backend will be mounted
- Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- Seal
Wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- Service
Account stringJwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
- accessor String
- Accessor of the mount
- allowed
Managed List<String>Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow and pass from the request to the plugin
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease IntegerTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth List<String>Accessors - List of headers to allow and pass from the request to the plugin
- description String
- Human-friendly description of the mount
- disable
Local BooleanCa Jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- external
Entropy BooleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens
- kubernetes
Ca StringCert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- kubernetes
Host String - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint
- local Boolean
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease IntegerTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String,Object>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin
- path String
- Where the secret backend will be mounted
- plugin
Version String - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- seal
Wrap Boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- service
Account StringJwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
- accessor string
- Accessor of the mount
- allowed
Managed string[]Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response string[]Headers - List of headers to allow and pass from the request to the plugin
- audit
Non string[]Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non string[]Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease numberTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth string[]Accessors - List of headers to allow and pass from the request to the plugin
- description string
- Human-friendly description of the mount
- disable
Local booleanCa Jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- external
Entropy booleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token stringKey - The key to use for signing plugin workload identity tokens
- kubernetes
Ca stringCert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- kubernetes
Host string - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- local boolean
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease numberTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options {[key: string]: any}
- Specifies mount type specific options that are passed to the backend
- passthrough
Request string[]Headers - List of headers to allow and pass from the request to the plugin
- path string
- Where the secret backend will be mounted
- plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- seal
Wrap boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- service
Account stringJwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
- accessor str
- Accessor of the mount
- allowed_
managed_ Sequence[str]keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed_
response_ Sequence[str]headers - List of headers to allow and pass from the request to the plugin
- audit_
non_ Sequence[str]hmac_ request_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit_
non_ Sequence[str]hmac_ response_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default_
lease_ intttl_ seconds - Default lease duration for tokens and secrets in seconds
- delegated_
auth_ Sequence[str]accessors - List of headers to allow and pass from the request to the plugin
- description str
- Human-friendly description of the mount
- disable_
local_ boolca_ jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- external_
entropy_ boolaccess - Enable the secrets engine to access Vault's external entropy source
- identity_
token_ strkey - The key to use for signing plugin workload identity tokens
- kubernetes_
ca_ strcert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- kubernetes_
host str - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - listing_
visibility str - Specifies whether to show this mount in the UI-specific listing endpoint
- local bool
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- max_
lease_ intttl_ seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Mapping[str, Any]
- Specifies mount type specific options that are passed to the backend
- passthrough_
request_ Sequence[str]headers - List of headers to allow and pass from the request to the plugin
- path str
- Where the secret backend will be mounted
- plugin_
version str - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- seal_
wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- service_
account_ strjwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
- accessor String
- Accessor of the mount
- allowed
Managed List<String>Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow and pass from the request to the plugin
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease NumberTtl Seconds - Default lease duration for tokens and secrets in seconds
- delegated
Auth List<String>Accessors - List of headers to allow and pass from the request to the plugin
- description String
- Human-friendly description of the mount
- disable
Local BooleanCa Jwt - Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.
- external
Entropy BooleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens
- kubernetes
Ca StringCert - A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.
- kubernetes
Host String - The Kubernetes API URL to connect to. Required if the
standard pod environment variables
KUBERNETES_SERVICE_HOSTorKUBERNETES_SERVICE_PORTare not set on the host that Vault is running on. - listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint
- local Boolean
- Local mount flag that can be explicitly set to true to enforce local mount in HA environment
- max
Lease NumberTtl Seconds - Maximum possible lease duration for tokens and secrets in seconds
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<Any>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin
- path String
- Where the secret backend will be mounted
- plugin
Version String - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- seal
Wrap Boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- service
Account StringJwt - The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.
Import
The Kubernetes secret backend can be imported using its path e.g.
$ pulumi import vault:kubernetes/secretBackend:SecretBackend config kubernetes
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.