vault.kubernetes.SecretBackendRole
Example Usage
Example using service_account_name
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
// Both files are read when the program runs. The token file holds the service
// account JWT handed to the engine below; it is a credential, so keep it out of
// version control and limit who can read it.
const caCertPem = std.file({ input: "/path/to/cert" }).then(file => file.result);
const engineJwt = std.file({ input: "/path/to/token" }).then(file => file.result);

// Kubernetes secrets engine mounted at "kubernetes".
const config = new vault.kubernetes.SecretBackend("config", {
    path: "kubernetes",
    description: "kubernetes secrets engine description",
    kubernetesHost: "https://127.0.0.1:61233",
    kubernetesCaCert: caCertPem,
    serviceAccountJwt: engineJwt,
    disableLocalCaJwt: false,
});

// Metadata applied to the Kubernetes objects generated for this role.
const roleLabels = { id: "abc123", name: "some_name" };
const roleAnnotations = { env: "development", location: "earth" };

// Role that issues tokens for a service account that already exists.
const sa_example = new vault.kubernetes.SecretBackendRole("sa-example", {
    backend: config.path,
    name: "service-account-name-role",
    // "*" lets the role issue credentials in every namespace; list only the
    // namespaces it actually needs when adapting this example.
    allowedKubernetesNamespaces: ["*"],
    tokenMaxTtl: 43200, // seconds (12 hours)
    tokenDefaultTtl: 21600, // seconds (6 hours)
    serviceAccountName: "test-service-account-with-generated-token",
    extraLabels: roleLabels,
    extraAnnotations: roleAnnotations,
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
# Both files are read when the program runs. The token file holds the service
# account JWT handed to the engine below; it is a credential, so keep it out of
# version control and limit who can read it.
ca_cert_pem = std.file(input="/path/to/cert").result
engine_jwt = std.file(input="/path/to/token").result

# Kubernetes secrets engine mounted at "kubernetes".
config = vault.kubernetes.SecretBackend(
    "config",
    path="kubernetes",
    description="kubernetes secrets engine description",
    kubernetes_host="https://127.0.0.1:61233",
    kubernetes_ca_cert=ca_cert_pem,
    service_account_jwt=engine_jwt,
    disable_local_ca_jwt=False,
)

# Metadata applied to the Kubernetes objects generated for this role.
role_labels = {"id": "abc123", "name": "some_name"}
role_annotations = {"env": "development", "location": "earth"}

# Role that issues tokens for a service account that already exists.
sa_example = vault.kubernetes.SecretBackendRole(
    "sa-example",
    backend=config.path,
    name="service-account-name-role",
    # "*" lets the role issue credentials in every namespace; list only the
    # namespaces it actually needs when adapting this example.
    allowed_kubernetes_namespaces=["*"],
    token_max_ttl=43200,  # seconds (12 hours)
    token_default_ttl=21600,  # seconds (6 hours)
    service_account_name="test-service-account-with-generated-token",
    extra_labels=role_labels,
    extra_annotations=role_annotations,
)
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a Kubernetes secrets engine mount and a role that issues
// tokens for an existing service account.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Cluster CA certificate, read from a local file.
		caCert, err := std.File(ctx, &std.FileArgs{Input: "/path/to/cert"}, nil)
		if err != nil {
			return err
		}
		// Service account JWT handed to the engine. It is a credential, so keep
		// the token file out of version control and limit who can read it.
		engineJwt, err := std.File(ctx, &std.FileArgs{Input: "/path/to/token"}, nil)
		if err != nil {
			return err
		}

		backendArgs := &kubernetes.SecretBackendArgs{
			Path:              pulumi.String("kubernetes"),
			Description:       pulumi.String("kubernetes secrets engine description"),
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  pulumi.String(caCert.Result),
			ServiceAccountJwt: pulumi.String(engineJwt.Result),
			DisableLocalCaJwt: pulumi.Bool(false),
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", backendArgs)
		if err != nil {
			return err
		}

		roleArgs := &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			// "*" lets the role issue credentials in every namespace; list only
			// the namespaces it actually needs when adapting this example.
			AllowedKubernetesNamespaces: pulumi.StringArray{pulumi.String("*")},
			TokenMaxTtl:                 pulumi.Int(43200), // seconds (12 hours)
			TokenDefaultTtl:             pulumi.Int(21600), // seconds (6 hours)
			ServiceAccountName:          pulumi.String("test-service-account-with-generated-token"),
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		}
		// The role resource itself is not used afterwards; only the error matters.
		_, err = kubernetes.NewSecretBackendRole(ctx, "sa-example", roleArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // Both files are read when the program runs. The token file holds the service
    // account JWT handed to the engine below; it is a credential, so keep it out
    // of version control and limit who can read it.
    var caCertPem = Std.File.Invoke(new() { Input = "/path/to/cert" }).Apply(file => file.Result);
    var engineJwt = Std.File.Invoke(new() { Input = "/path/to/token" }).Apply(file => file.Result);

    // Kubernetes secrets engine mounted at "kubernetes".
    var config = new Vault.Kubernetes.SecretBackend("config", new()
    {
        Path = "kubernetes",
        Description = "kubernetes secrets engine description",
        KubernetesHost = "https://127.0.0.1:61233",
        KubernetesCaCert = caCertPem,
        ServiceAccountJwt = engineJwt,
        DisableLocalCaJwt = false,
    });

    // Role that issues tokens for a service account that already exists.
    var saExample = new Vault.Kubernetes.SecretBackendRole("sa-example", new()
    {
        Backend = config.Path,
        Name = "service-account-name-role",
        // "*" lets the role issue credentials in every namespace; list only the
        // namespaces it actually needs when adapting this example.
        AllowedKubernetesNamespaces = new[] { "*" },
        TokenMaxTtl = 43200, // seconds (12 hours)
        TokenDefaultTtl = 21600, // seconds (6 hours)
        ServiceAccountName = "test-service-account-with-generated-token",
        ExtraLabels =
        {
            { "id", "abc123" },
            { "name", "some_name" },
        },
        ExtraAnnotations =
        {
            { "env", "development" },
            { "location", "earth" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Declares a Kubernetes secrets engine mount and a role that issues tokens for
 * an existing service account.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // NOTE(review): StdFunctions and FileArgs are used here but are not among
        // the imports listed for this example; the matching Pulumi std imports
        // have to be added before it compiles.
        var caCertPem = StdFunctions.file(FileArgs.builder()
            .input("/path/to/cert")
            .build()).result();
        // The token file holds the service account JWT handed to the engine; it
        // is a credential, so keep it out of version control.
        var engineJwt = StdFunctions.file(FileArgs.builder()
            .input("/path/to/token")
            .build()).result();

        var backendArgs = SecretBackendArgs.builder()
            .path("kubernetes")
            .description("kubernetes secrets engine description")
            .kubernetesHost("https://127.0.0.1:61233")
            .kubernetesCaCert(caCertPem)
            .serviceAccountJwt(engineJwt)
            .disableLocalCaJwt(false)
            .build();
        var config = new SecretBackend("config", backendArgs);

        var roleArgs = SecretBackendRoleArgs.builder()
            .backend(config.path())
            .name("service-account-name-role")
            // "*" lets the role issue credentials in every namespace; list only
            // the namespaces it actually needs when adapting this example.
            .allowedKubernetesNamespaces("*")
            .tokenMaxTtl(43200) // seconds (12 hours)
            .tokenDefaultTtl(21600) // seconds (6 hours)
            .serviceAccountName("test-service-account-with-generated-token")
            .extraLabels(Map.ofEntries(
                Map.entry("id", "abc123"),
                Map.entry("name", "some_name")
            ))
            .extraAnnotations(Map.ofEntries(
                Map.entry("env", "development"),
                Map.entry("location", "earth")
            ))
            .build();
        var saExample = new SecretBackendRole("sa-example", roleArgs);
    }
}
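# Nesting restored: with every key at column 0 the document has duplicate
# top-level keys and does not describe the two resources.
resources:
  # Kubernetes secrets engine mounted at "kubernetes".
  config:
    type: vault:kubernetes:SecretBackend
    properties:
      path: kubernetes
      description: kubernetes secrets engine description
      kubernetesHost: https://127.0.0.1:61233
      kubernetesCaCert:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/cert
          Return: result
      # The token file holds a service account JWT, i.e. a credential: keep it
      # out of version control and limit who can read it.
      serviceAccountJwt:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/token
          Return: result
      disableLocalCaJwt: false
  # Role that issues tokens for a service account that already exists.
  sa-example:
    type: vault:kubernetes:SecretBackendRole
    properties:
      backend: ${config.path}
      name: service-account-name-role
      # '*' lets the role issue credentials in every namespace; list only the
      # namespaces it actually needs when adapting this example.
      allowedKubernetesNamespaces:
        - '*'
      tokenMaxTtl: 43200 # seconds (12 hours)
      tokenDefaultTtl: 21600 # seconds (6 hours)
      serviceAccountName: test-service-account-with-generated-token
      extraLabels:
        id: abc123
        name: some_name
      extraAnnotations:
        env: development
        location: earth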
Example using kubernetes_role_name
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
// Both files are read when the program runs. The token file holds the service
// account JWT handed to the engine below; it is a credential, so keep it out of
// version control and limit who can read it.
const caCertPem = std.file({ input: "/path/to/cert" }).then(file => file.result);
const engineJwt = std.file({ input: "/path/to/token" }).then(file => file.result);

// Kubernetes secrets engine mounted at "kubernetes".
const config = new vault.kubernetes.SecretBackend("config", {
    path: "kubernetes",
    description: "kubernetes secrets engine description",
    kubernetesHost: "https://127.0.0.1:61233",
    kubernetesCaCert: caCertPem,
    serviceAccountJwt: engineJwt,
    disableLocalCaJwt: false,
});

// Metadata applied to the Kubernetes objects generated for this role.
const roleLabels = { id: "abc123", name: "some_name" };
const roleAnnotations = { env: "development", location: "earth" };

// Role that binds a generated service account to an existing Role or
// ClusterRole. Issued tokens carry whatever that role allows, so review its
// rules before pointing a Vault role at it.
const name_example = new vault.kubernetes.SecretBackendRole("name-example", {
    backend: config.path,
    name: "service-account-name-role",
    // "*" lets the role issue credentials in every namespace; list only the
    // namespaces it actually needs when adapting this example.
    allowedKubernetesNamespaces: ["*"],
    tokenMaxTtl: 43200, // seconds (12 hours)
    tokenDefaultTtl: 21600, // seconds (6 hours)
    kubernetesRoleName: "vault-k8s-secrets-role",
    extraLabels: roleLabels,
    extraAnnotations: roleAnnotations,
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
# Both files are read when the program runs. The token file holds the service
# account JWT handed to the engine below; it is a credential, so keep it out of
# version control and limit who can read it.
ca_cert_pem = std.file(input="/path/to/cert").result
engine_jwt = std.file(input="/path/to/token").result

# Kubernetes secrets engine mounted at "kubernetes".
config = vault.kubernetes.SecretBackend(
    "config",
    path="kubernetes",
    description="kubernetes secrets engine description",
    kubernetes_host="https://127.0.0.1:61233",
    kubernetes_ca_cert=ca_cert_pem,
    service_account_jwt=engine_jwt,
    disable_local_ca_jwt=False,
)

# Metadata applied to the Kubernetes objects generated for this role.
role_labels = {"id": "abc123", "name": "some_name"}
role_annotations = {"env": "development", "location": "earth"}

# Role that binds a generated service account to an existing Role or
# ClusterRole. Issued tokens carry whatever that role allows, so review its
# rules before pointing a Vault role at it.
name_example = vault.kubernetes.SecretBackendRole(
    "name-example",
    backend=config.path,
    name="service-account-name-role",
    # "*" lets the role issue credentials in every namespace; list only the
    # namespaces it actually needs when adapting this example.
    allowed_kubernetes_namespaces=["*"],
    token_max_ttl=43200,  # seconds (12 hours)
    token_default_ttl=21600,  # seconds (6 hours)
    kubernetes_role_name="vault-k8s-secrets-role",
    extra_labels=role_labels,
    extra_annotations=role_annotations,
)
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a Kubernetes secrets engine mount and a role that binds a
// generated service account to an existing Role or ClusterRole.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Cluster CA certificate, read from a local file.
		caCert, err := std.File(ctx, &std.FileArgs{Input: "/path/to/cert"}, nil)
		if err != nil {
			return err
		}
		// Service account JWT handed to the engine. It is a credential, so keep
		// the token file out of version control and limit who can read it.
		engineJwt, err := std.File(ctx, &std.FileArgs{Input: "/path/to/token"}, nil)
		if err != nil {
			return err
		}

		backendArgs := &kubernetes.SecretBackendArgs{
			Path:              pulumi.String("kubernetes"),
			Description:       pulumi.String("kubernetes secrets engine description"),
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  pulumi.String(caCert.Result),
			ServiceAccountJwt: pulumi.String(engineJwt.Result),
			DisableLocalCaJwt: pulumi.Bool(false),
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", backendArgs)
		if err != nil {
			return err
		}

		roleArgs := &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			// "*" lets the role issue credentials in every namespace; list only
			// the namespaces it actually needs when adapting this example.
			AllowedKubernetesNamespaces: pulumi.StringArray{pulumi.String("*")},
			TokenMaxTtl:                 pulumi.Int(43200), // seconds (12 hours)
			TokenDefaultTtl:             pulumi.Int(21600), // seconds (6 hours)
			// Issued tokens carry whatever this existing role allows, so review
			// its rules before pointing a Vault role at it.
			KubernetesRoleName: pulumi.String("vault-k8s-secrets-role"),
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		}
		// The role resource itself is not used afterwards; only the error matters.
		_, err = kubernetes.NewSecretBackendRole(ctx, "name-example", roleArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // Both files are read when the program runs. The token file holds the service
    // account JWT handed to the engine below; it is a credential, so keep it out
    // of version control and limit who can read it.
    var caCertPem = Std.File.Invoke(new() { Input = "/path/to/cert" }).Apply(file => file.Result);
    var engineJwt = Std.File.Invoke(new() { Input = "/path/to/token" }).Apply(file => file.Result);

    // Kubernetes secrets engine mounted at "kubernetes".
    var config = new Vault.Kubernetes.SecretBackend("config", new()
    {
        Path = "kubernetes",
        Description = "kubernetes secrets engine description",
        KubernetesHost = "https://127.0.0.1:61233",
        KubernetesCaCert = caCertPem,
        ServiceAccountJwt = engineJwt,
        DisableLocalCaJwt = false,
    });

    // Role that binds a generated service account to an existing Role or
    // ClusterRole. Issued tokens carry whatever that role allows, so review its
    // rules before pointing a Vault role at it.
    var nameExample = new Vault.Kubernetes.SecretBackendRole("name-example", new()
    {
        Backend = config.Path,
        Name = "service-account-name-role",
        // "*" lets the role issue credentials in every namespace; list only the
        // namespaces it actually needs when adapting this example.
        AllowedKubernetesNamespaces = new[] { "*" },
        TokenMaxTtl = 43200, // seconds (12 hours)
        TokenDefaultTtl = 21600, // seconds (6 hours)
        KubernetesRoleName = "vault-k8s-secrets-role",
        ExtraLabels =
        {
            { "id", "abc123" },
            { "name", "some_name" },
        },
        ExtraAnnotations =
        {
            { "env", "development" },
            { "location", "earth" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Declares a Kubernetes secrets engine mount and a role that binds a generated
 * service account to an existing Role or ClusterRole.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // NOTE(review): StdFunctions and FileArgs are used here but are not among
        // the imports listed for this example; the matching Pulumi std imports
        // have to be added before it compiles.
        var caCertPem = StdFunctions.file(FileArgs.builder()
            .input("/path/to/cert")
            .build()).result();
        // The token file holds the service account JWT handed to the engine; it
        // is a credential, so keep it out of version control.
        var engineJwt = StdFunctions.file(FileArgs.builder()
            .input("/path/to/token")
            .build()).result();

        var backendArgs = SecretBackendArgs.builder()
            .path("kubernetes")
            .description("kubernetes secrets engine description")
            .kubernetesHost("https://127.0.0.1:61233")
            .kubernetesCaCert(caCertPem)
            .serviceAccountJwt(engineJwt)
            .disableLocalCaJwt(false)
            .build();
        var config = new SecretBackend("config", backendArgs);

        var roleArgs = SecretBackendRoleArgs.builder()
            .backend(config.path())
            .name("service-account-name-role")
            // "*" lets the role issue credentials in every namespace; list only
            // the namespaces it actually needs when adapting this example.
            .allowedKubernetesNamespaces("*")
            .tokenMaxTtl(43200) // seconds (12 hours)
            .tokenDefaultTtl(21600) // seconds (6 hours)
            // Issued tokens carry whatever this existing role allows, so review
            // its rules before pointing a Vault role at it.
            .kubernetesRoleName("vault-k8s-secrets-role")
            .extraLabels(Map.ofEntries(
                Map.entry("id", "abc123"),
                Map.entry("name", "some_name")
            ))
            .extraAnnotations(Map.ofEntries(
                Map.entry("env", "development"),
                Map.entry("location", "earth")
            ))
            .build();
        var nameExample = new SecretBackendRole("name-example", roleArgs);
    }
}
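# Nesting restored: with every key at column 0 the document has duplicate
# top-level keys and does not describe the two resources.
resources:
  # Kubernetes secrets engine mounted at "kubernetes".
  config:
    type: vault:kubernetes:SecretBackend
    properties:
      path: kubernetes
      description: kubernetes secrets engine description
      kubernetesHost: https://127.0.0.1:61233
      kubernetesCaCert:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/cert
          Return: result
      # The token file holds a service account JWT, i.e. a credential: keep it
      # out of version control and limit who can read it.
      serviceAccountJwt:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/token
          Return: result
      disableLocalCaJwt: false
  # Role that binds a generated service account to an existing Role or
  # ClusterRole. Issued tokens carry whatever that role allows.
  name-example:
    type: vault:kubernetes:SecretBackendRole
    properties:
      backend: ${config.path}
      name: service-account-name-role
      # '*' lets the role issue credentials in every namespace; list only the
      # namespaces it actually needs when adapting this example.
      allowedKubernetesNamespaces:
        - '*'
      tokenMaxTtl: 43200 # seconds (12 hours)
      tokenDefaultTtl: 21600 # seconds (6 hours)
      kubernetesRoleName: vault-k8s-secrets-role
      extraLabels:
        id: abc123
        name: some_name
      extraAnnotations:
        env: development
        location: earth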
Example using generated_role_rules
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
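// Kubernetes secrets engine mounted at "kubernetes". The token file holds the
// service account JWT handed to the engine; it is a credential, so keep it out
// of version control and limit who can read it.
const config = new vault.kubernetes.SecretBackend("config", {
    path: "kubernetes",
    description: "kubernetes secrets engine description",
    kubernetesHost: "https://127.0.0.1:61233",
    kubernetesCaCert: std.file({
        input: "/path/to/cert",
    }).then(invoke => invoke.result),
    serviceAccountJwt: std.file({
        input: "/path/to/token",
    }).then(invoke => invoke.result),
    disableLocalCaJwt: false,
});

// Role for which Vault generates the whole chain of Kubernetes objects from
// the rules below when credentials are requested.
const rules_example = new vault.kubernetes.SecretBackendRole("rules-example", {
    backend: config.path,
    name: "service-account-name-role",
    // "*" lets the role issue credentials in every namespace; list only the
    // namespaces it actually needs when adapting this example.
    allowedKubernetesNamespaces: ["*"],
    tokenMaxTtl: 43200, // seconds (12 hours)
    tokenDefaultTtl: 21600, // seconds (6 hours)
    kubernetesRoleType: "Role",
    // The rules are YAML inside the string, so their indentation is significant:
    // resources and verbs must line up under apiGroups to stay in the same rule.
    // Keep the verbs and resources as narrow as the consumer needs.
    generatedRoleRules: `rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
`,
    extraLabels: {
        id: "abc123",
        name: "some_name",
    },
    extraAnnotations: {
        env: "development",
        location: "earth",
    },
});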
import pulumi
import pulumi_std as std
import pulumi_vault as vault
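# Kubernetes secrets engine mounted at "kubernetes". The token file holds the
# service account JWT handed to the engine; it is a credential, so keep it out
# of version control and limit who can read it.
config = vault.kubernetes.SecretBackend("config",
    path="kubernetes",
    description="kubernetes secrets engine description",
    kubernetes_host="https://127.0.0.1:61233",
    kubernetes_ca_cert=std.file(input="/path/to/cert").result,
    service_account_jwt=std.file(input="/path/to/token").result,
    disable_local_ca_jwt=False)

# Role for which Vault generates the whole chain of Kubernetes objects from the
# rules below when credentials are requested.
rules_example = vault.kubernetes.SecretBackendRole("rules-example",
    backend=config.path,
    name="service-account-name-role",
    # "*" lets the role issue credentials in every namespace; list only the
    # namespaces it actually needs when adapting this example.
    allowed_kubernetes_namespaces=["*"],
    token_max_ttl=43200,  # seconds (12 hours)
    token_default_ttl=21600,  # seconds (6 hours)
    kubernetes_role_type="Role",
    # The rules are YAML inside the string, so their indentation is significant:
    # resources and verbs must line up under apiGroups to stay in the same rule.
    # Keep the verbs and resources as narrow as the consumer needs.
    generated_role_rules="""rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
""",
    extra_labels={
        "id": "abc123",
        "name": "some_name",
    },
    extra_annotations={
        "env": "development",
        "location": "earth",
    })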
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
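// main declares a Kubernetes secrets engine mount and a role for which Vault
// generates the whole chain of Kubernetes objects from inline rules.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Cluster CA certificate, read from a local file.
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		// Service account JWT handed to the engine. It is a credential, so keep
		// the token file out of version control and limit who can read it.
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:              pulumi.String("kubernetes"),
			Description:       pulumi.String("kubernetes secrets engine description"),
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  pulumi.String(invokeFile.Result),
			ServiceAccountJwt: pulumi.String(invokeFile1.Result),
			DisableLocalCaJwt: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		_, err = kubernetes.NewSecretBackendRole(ctx, "rules-example", &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			// "*" lets the role issue credentials in every namespace; list only
			// the namespaces it actually needs when adapting this example.
			AllowedKubernetesNamespaces: pulumi.StringArray{
				pulumi.String("*"),
			},
			TokenMaxTtl:        pulumi.Int(43200), // seconds (12 hours)
			TokenDefaultTtl:    pulumi.Int(21600), // seconds (6 hours)
			KubernetesRoleType: pulumi.String("Role"),
			// The rules are YAML inside the string: resources and verbs need two
			// spaces of indentation to line up under apiGroups in the same rule.
			GeneratedRoleRules: pulumi.String("rules:\n- apiGroups: [\"\"]\n  resources: [\"pods\"]\n  verbs: [\"list\"]\n"),
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}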
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
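return await Deployment.RunAsync(() =>
{
    // Kubernetes secrets engine mounted at "kubernetes". The token file holds the
    // service account JWT handed to the engine; it is a credential, so keep it
    // out of version control and limit who can read it.
    var config = new Vault.Kubernetes.SecretBackend("config", new()
    {
        Path = "kubernetes",
        Description = "kubernetes secrets engine description",
        KubernetesHost = "https://127.0.0.1:61233",
        KubernetesCaCert = Std.File.Invoke(new()
        {
            Input = "/path/to/cert",
        }).Apply(invoke => invoke.Result),
        ServiceAccountJwt = Std.File.Invoke(new()
        {
            Input = "/path/to/token",
        }).Apply(invoke => invoke.Result),
        DisableLocalCaJwt = false,
    });

    // Role for which Vault generates the whole chain of Kubernetes objects from
    // the rules below when credentials are requested.
    var rules_example = new Vault.Kubernetes.SecretBackendRole("rules-example", new()
    {
        Backend = config.Path,
        Name = "service-account-name-role",
        // "*" lets the role issue credentials in every namespace; list only the
        // namespaces it actually needs when adapting this example.
        AllowedKubernetesNamespaces = new[]
        {
            "*",
        },
        TokenMaxTtl = 43200, // seconds (12 hours)
        TokenDefaultTtl = 21600, // seconds (6 hours)
        KubernetesRoleType = "Role",
        // The rules are YAML inside a verbatim string, so leading spaces are kept
        // as written: resources and verbs must line up under apiGroups.
        GeneratedRoleRules = @"rules:
- apiGroups: [""""]
  resources: [""pods""]
  verbs: [""list""]
",
        ExtraLabels =
        {
            { "id", "abc123" },
            { "name", "some_name" },
        },
        ExtraAnnotations =
        {
            { "env", "development" },
            { "location", "earth" },
        },
    });
});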
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
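/**
 * Declares a Kubernetes secrets engine mount and a role for which Vault
 * generates the whole chain of Kubernetes objects from inline rules.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // NOTE(review): StdFunctions and FileArgs are used here but are not among
        // the imports listed for this example; the matching Pulumi std imports
        // have to be added before it compiles.
        // The token file holds the service account JWT handed to the engine; it
        // is a credential, so keep it out of version control.
        var config = new SecretBackend("config", SecretBackendArgs.builder()
            .path("kubernetes")
            .description("kubernetes secrets engine description")
            .kubernetesHost("https://127.0.0.1:61233")
            .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
                .input("/path/to/cert")
                .build()).result())
            .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
                .input("/path/to/token")
                .build()).result())
            .disableLocalCaJwt(false)
            .build());

        var rules_example = new SecretBackendRole("rules-example", SecretBackendRoleArgs.builder()
            .backend(config.path())
            .name("service-account-name-role")
            // "*" lets the role issue credentials in every namespace; list only
            // the namespaces it actually needs when adapting this example.
            .allowedKubernetesNamespaces("*")
            .tokenMaxTtl(43200) // seconds (12 hours)
            .tokenDefaultTtl(21600) // seconds (6 hours)
            .kubernetesRoleType("Role")
            // The rules are YAML inside a text block. The closing delimiter sets
            // the stripped margin, so resources and verbs keep their two extra
            // spaces and stay in the same rule as apiGroups.
            .generatedRoleRules("""
                rules:
                - apiGroups: [""]
                  resources: ["pods"]
                  verbs: ["list"]
                """)
            .extraLabels(Map.ofEntries(
                Map.entry("id", "abc123"),
                Map.entry("name", "some_name")
            ))
            .extraAnnotations(Map.ofEntries(
                Map.entry("env", "development"),
                Map.entry("location", "earth")
            ))
            .build());
    }
}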
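# Nesting restored: with every key at column 0 the document has duplicate
# top-level keys and the embedded rules are no longer a single rule.
resources:
  # Kubernetes secrets engine mounted at "kubernetes".
  config:
    type: vault:kubernetes:SecretBackend
    properties:
      path: kubernetes
      description: kubernetes secrets engine description
      kubernetesHost: https://127.0.0.1:61233
      kubernetesCaCert:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/cert
          Return: result
      # The token file holds a service account JWT, i.e. a credential: keep it
      # out of version control and limit who can read it.
      serviceAccountJwt:
        fn::invoke:
          Function: std:file
          Arguments:
            input: /path/to/token
          Return: result
      disableLocalCaJwt: false
  # Role for which Vault generates the whole chain of Kubernetes objects from
  # the rules below when credentials are requested.
  rules-example:
    type: vault:kubernetes:SecretBackendRole
    properties:
      backend: ${config.path}
      name: service-account-name-role
      # '*' lets the role issue credentials in every namespace; list only the
      # namespaces it actually needs when adapting this example.
      allowedKubernetesNamespaces:
        - '*'
      tokenMaxTtl: 43200 # seconds (12 hours)
      tokenDefaultTtl: 21600 # seconds (6 hours)
      kubernetesRoleType: Role
      # Block scalar: resources and verbs must line up under apiGroups to stay
      # in the same rule. Keep verbs and resources as narrow as needed.
      generatedRoleRules: |
        rules:
        - apiGroups: [""]
          resources: ["pods"]
          verbs: ["list"]
      extraLabels:
        id: abc123
        name: some_name
      extraAnnotations:
        env: development
        location: earth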
Create SecretBackendRole Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);
@overload
def SecretBackendRole(resource_name: str,
args: SecretBackendRoleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SecretBackendRole(resource_name: str,
opts: Optional[ResourceOptions] = None,
backend: Optional[str] = None,
kubernetes_role_name: Optional[str] = None,
allowed_kubernetes_namespaces: Optional[Sequence[str]] = None,
extra_annotations: Optional[Mapping[str, str]] = None,
extra_labels: Optional[Mapping[str, str]] = None,
generated_role_rules: Optional[str] = None,
allowed_kubernetes_namespace_selector: Optional[str] = None,
kubernetes_role_type: Optional[str] = None,
name: Optional[str] = None,
name_template: Optional[str] = None,
namespace: Optional[str] = None,
service_account_name: Optional[str] = None,
token_default_ttl: Optional[int] = None,
token_max_ttl: Optional[int] = None)
func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)
public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)
public SecretBackendRole(String name, SecretBackendRoleArgs args)
public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)
type: vault:kubernetes:SecretBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference listing of every input with placeholder values. The property
// descriptions document ServiceAccountName, KubernetesRoleName and
// GeneratedRoleRules as mutually exclusive, so a real role sets only one of them.
var examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole = new Vault.Kubernetes.SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", new()
{
    Backend = "string",
    KubernetesRoleName = "string",
    AllowedKubernetesNamespaces = new[]
    {
        "string",
    },
    ExtraAnnotations =
    {
        { "string", "string" },
    },
    ExtraLabels =
    {
        { "string", "string" },
    },
    GeneratedRoleRules = "string",
    AllowedKubernetesNamespaceSelector = "string",
    KubernetesRoleType = "string",
    Name = "string",
    NameTemplate = "string",
    Namespace = "string",
    ServiceAccountName = "string",
    // TTLs are given in seconds.
    TokenDefaultTtl = 0,
    TokenMaxTtl = 0,
});
// Reference listing of every input with placeholder values. The property
// descriptions document ServiceAccountName, KubernetesRoleName and
// GeneratedRoleRules as mutually exclusive, so a real role sets only one of them.
example, err := kubernetes.NewSecretBackendRole(ctx, "examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", &kubernetes.SecretBackendRoleArgs{
	Backend: pulumi.String("string"),
	KubernetesRoleName: pulumi.String("string"),
	AllowedKubernetesNamespaces: pulumi.StringArray{
		pulumi.String("string"),
	},
	ExtraAnnotations: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	ExtraLabels: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	GeneratedRoleRules: pulumi.String("string"),
	AllowedKubernetesNamespaceSelector: pulumi.String("string"),
	KubernetesRoleType: pulumi.String("string"),
	Name: pulumi.String("string"),
	NameTemplate: pulumi.String("string"),
	Namespace: pulumi.String("string"),
	ServiceAccountName: pulumi.String("string"),
	// TTLs are given in seconds.
	TokenDefaultTtl: pulumi.Int(0),
	TokenMaxTtl: pulumi.Int(0),
})
// Reference listing of every input with placeholder values. The property
// descriptions document serviceAccountName, kubernetesRoleName and
// generatedRoleRules as mutually exclusive, so a real role sets only one of them.
var examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole = new SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", SecretBackendRoleArgs.builder()
    .backend("string")
    .kubernetesRoleName("string")
    .allowedKubernetesNamespaces("string")
    .extraAnnotations(Map.of("string", "string"))
    .extraLabels(Map.of("string", "string"))
    .generatedRoleRules("string")
    .allowedKubernetesNamespaceSelector("string")
    .kubernetesRoleType("string")
    .name("string")
    .nameTemplate("string")
    .namespace("string")
    .serviceAccountName("string")
    // TTLs are given in seconds.
    .tokenDefaultTtl(0)
    .tokenMaxTtl(0)
    .build());
# Reference listing of every input with placeholder values. The property
# descriptions document service_account_name, kubernetes_role_name and
# generated_role_rules as mutually exclusive, so a real role sets only one of them.
examplesecret_backend_role_resource_resource_from_kubernetessecret_backend_role = vault.kubernetes.SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole",
    backend="string",
    kubernetes_role_name="string",
    allowed_kubernetes_namespaces=["string"],
    extra_annotations={
        "string": "string",
    },
    extra_labels={
        "string": "string",
    },
    generated_role_rules="string",
    allowed_kubernetes_namespace_selector="string",
    kubernetes_role_type="string",
    name="string",
    name_template="string",
    namespace="string",
    service_account_name="string",
    # TTLs are given in seconds.
    token_default_ttl=0,
    token_max_ttl=0)
// Reference listing of every input with placeholder values. The property
// descriptions document serviceAccountName, kubernetesRoleName and
// generatedRoleRules as mutually exclusive, so a real role sets only one of them.
const examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole = new vault.kubernetes.SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", {
    backend: "string",
    kubernetesRoleName: "string",
    allowedKubernetesNamespaces: ["string"],
    extraAnnotations: {
        string: "string",
    },
    extraLabels: {
        string: "string",
    },
    generatedRoleRules: "string",
    allowedKubernetesNamespaceSelector: "string",
    kubernetesRoleType: "string",
    name: "string",
    nameTemplate: "string",
    namespace: "string",
    serviceAccountName: "string",
    // TTLs are given in seconds.
    tokenDefaultTtl: 0,
    tokenMaxTtl: 0,
});
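# Reference listing of every input with placeholder values; nesting restored so
# the inputs sit under properties. The property descriptions document
# serviceAccountName, kubernetesRoleName and generatedRoleRules as mutually
# exclusive, so a real role sets only one of them.
type: vault:kubernetes:SecretBackendRole
properties:
  allowedKubernetesNamespaceSelector: string
  allowedKubernetesNamespaces:
    - string
  backend: string
  extraAnnotations:
    string: string
  extraLabels:
    string: string
  generatedRoleRules: string
  kubernetesRoleName: string
  kubernetesRoleType: string
  name: string
  nameTemplate: string
  namespace: string
  serviceAccountName: string
  # TTLs are given in seconds.
  tokenDefaultTtl: 0
  tokenMaxTtl: 0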
SecretBackendRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The SecretBackendRole resource accepts the following input properties:
- Backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- AllowedKubernetesNamespaceSelector string
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are `OR`ed.
- AllowedKubernetesNamespaces List<string>
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
- ExtraAnnotations Dictionary<string, string>
- Additional annotations to apply to all generated Kubernetes objects.
- ExtraLabels Dictionary<string, string>
- Additional labels to apply to all generated Kubernetes objects.
This resource also directly accepts all vault.Mount fields.
- GeneratedRoleRules string
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- KubernetesRoleName string
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- KubernetesRoleType string
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- Name string
- The name of the role.
- NameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- Namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ServiceAccountName string
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- TokenDefaultTtl int
- The default TTL for generated Kubernetes tokens in seconds.
- TokenMaxTtl int
- The maximum TTL for generated Kubernetes tokens in seconds.
- Backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- AllowedKubernetesNamespaceSelector string
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are `OR`ed.
- AllowedKubernetesNamespaces []string
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
- ExtraAnnotations map[string]string
- Additional annotations to apply to all generated Kubernetes objects.
- ExtraLabels map[string]string
- Additional labels to apply to all generated Kubernetes objects.
This resource also directly accepts all vault.Mount fields.
- GeneratedRoleRules string
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- KubernetesRoleName string
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- KubernetesRoleType string
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- Name string
- The name of the role.
- NameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- Namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ServiceAccountName string
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- TokenDefaultTtl int
- The default TTL for generated Kubernetes tokens in seconds.
- TokenMaxTtl int
- The maximum TTL for generated Kubernetes tokens in seconds.
- backend String
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- allowedKubernetesNamespaceSelector String
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are `OR`ed.
- allowedKubernetesNamespaces List<String>
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are `OR`ed.
- extraAnnotations Map<String,String>
- Additional annotations to apply to all generated Kubernetes objects.
- extra
Labels Map<String,String> Additional labels to apply to all generated Kubernetes objects.
This resource also directly accepts all vault.Mount fields.
- generatedRoleRules String
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. These rules are the permissions that credentials issued through this role receive, so limit them to the verbs and resources the consumer needs.
- kubernetesRoleName String
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRoleType String
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name String
- The name of the role.
- nameTemplate String
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace String
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccountName String
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefaultTtl Integer
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMaxTtl Integer
- The maximum TTL for generated Kubernetes tokens in seconds.
- backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- allowedKubernetesNamespaceSelector string
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are ORed.
- allowedKubernetesNamespaces string[]
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are ORed. Because the conditions are ORed, a `*` entry allows every namespace regardless of the selector; list namespaces explicitly when the role should be confined to specific ones.
- extraAnnotations {[key: string]: string}
- Additional annotations to apply to all generated Kubernetes objects.
- extraLabels {[key: string]: string}
- Additional labels to apply to all generated Kubernetes objects. This resource also directly accepts all vault.Mount fields.
- generatedRoleRules string
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. These rules are the permissions that credentials issued through this role receive, so limit them to the verbs and resources the consumer needs.
- kubernetesRoleName string
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRoleType string
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name string
- The name of the role.
- nameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccountName string
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefaultTtl number
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMaxTtl number
- The maximum TTL for generated Kubernetes tokens in seconds.
- backend str
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- allowed_kubernetes_namespace_selector str
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are ORed.
- allowed_kubernetes_namespaces Sequence[str]
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are ORed. Because the conditions are ORed, a `*` entry allows every namespace regardless of the selector; list namespaces explicitly when the role should be confined to specific ones.
- extra_annotations Mapping[str, str]
- Additional annotations to apply to all generated Kubernetes objects.
- extra_labels Mapping[str, str]
- Additional labels to apply to all generated Kubernetes objects. This resource also directly accepts all vault.Mount fields.
- generated_role_rules str
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. These rules are the permissions that credentials issued through this role receive, so limit them to the verbs and resources the consumer needs.
- kubernetes_role_name str
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetes_role_type str
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name str
- The name of the role.
- name_template str
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace str
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- service_account_name str
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- token_default_ttl int
- The default TTL for generated Kubernetes tokens in seconds.
- token_max_ttl int
- The maximum TTL for generated Kubernetes tokens in seconds.
- backend String
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- allowedKubernetesNamespaceSelector String
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are ORed.
- allowedKubernetesNamespaces List<String>
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are ORed. Because the conditions are ORed, a `*` entry allows every namespace regardless of the selector; list namespaces explicitly when the role should be confined to specific ones.
- extraAnnotations Map<String>
- Additional annotations to apply to all generated Kubernetes objects.
- extraLabels Map<String>
- Additional labels to apply to all generated Kubernetes objects. This resource also directly accepts all vault.Mount fields.
- generatedRoleRules String
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. These rules are the permissions that credentials issued through this role receive, so limit them to the verbs and resources the consumer needs.
- kubernetesRoleName String
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRoleType String
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name String
- The name of the role.
- nameTemplate String
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace String
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccountName String
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefaultTtl Number
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMaxTtl Number
- The maximum TTL for generated Kubernetes tokens in seconds.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing SecretBackendRole Resource
Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allowed_kubernetes_namespace_selector: Optional[str] = None,
allowed_kubernetes_namespaces: Optional[Sequence[str]] = None,
backend: Optional[str] = None,
extra_annotations: Optional[Mapping[str, str]] = None,
extra_labels: Optional[Mapping[str, str]] = None,
generated_role_rules: Optional[str] = None,
kubernetes_role_name: Optional[str] = None,
kubernetes_role_type: Optional[str] = None,
name: Optional[str] = None,
name_template: Optional[str] = None,
namespace: Optional[str] = None,
service_account_name: Optional[str] = None,
token_default_ttl: Optional[int] = None,
token_max_ttl: Optional[int] = None) -> SecretBackendRole
func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)
public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)
public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AllowedKubernetesNamespaceSelector string
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are ORed.
- AllowedKubernetesNamespaces List<string>
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are ORed.
- Backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- ExtraAnnotations Dictionary<string, string>
- Additional annotations to apply to all generated Kubernetes objects.
- ExtraLabels Dictionary<string, string>
- Additional labels to apply to all generated Kubernetes objects. This resource also directly accepts all vault.Mount fields.
- GeneratedRoleRules string
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- KubernetesRoleName string
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- KubernetesRoleType string
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- Name string
- The name of the role.
- NameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- Namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ServiceAccountName string
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- TokenDefaultTtl int
- The default TTL for generated Kubernetes tokens in seconds.
- TokenMaxTtl int
- The maximum TTL for generated Kubernetes tokens in seconds.
- AllowedKubernetesNamespaceSelector string
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are ORed.
- AllowedKubernetesNamespaces []string
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are ORed.
- Backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- ExtraAnnotations map[string]string
- Additional annotations to apply to all generated Kubernetes objects.
- ExtraLabels map[string]string
- Additional labels to apply to all generated Kubernetes objects. This resource also directly accepts all vault.Mount fields.
- GeneratedRoleRules string
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- KubernetesRoleName string
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- KubernetesRoleType string
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- Name string
- The name of the role.
- NameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- Namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ServiceAccountName string
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- TokenDefaultTtl int
- The default TTL for generated Kubernetes tokens in seconds.
- TokenMaxTtl int
- The maximum TTL for generated Kubernetes tokens in seconds.
- allowedKubernetesNamespaceSelector String
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are ORed.
- allowedKubernetesNamespaces List<String>
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are ORed.
- backend String
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- extraAnnotations Map<String,String>
- Additional annotations to apply to all generated Kubernetes objects.
- extraLabels Map<String,String>
- Additional labels to apply to all generated Kubernetes objects. This resource also directly accepts all vault.Mount fields.
- generatedRoleRules String
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetesRoleName String
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRoleType String
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name String
- The name of the role.
- nameTemplate String
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace String
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccountName String
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefaultTtl Integer
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMaxTtl Integer
- The maximum TTL for generated Kubernetes tokens in seconds.
- allowedKubernetesNamespaceSelector string
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are ORed.
- allowedKubernetesNamespaces string[]
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are ORed.
- backend string
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- extraAnnotations {[key: string]: string}
- Additional annotations to apply to all generated Kubernetes objects.
- extraLabels {[key: string]: string}
- Additional labels to apply to all generated Kubernetes objects. This resource also directly accepts all vault.Mount fields.
- generatedRoleRules string
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetesRoleName string
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRoleType string
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name string
- The name of the role.
- nameTemplate string
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccountName string
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefaultTtl number
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMaxTtl number
- The maximum TTL for generated Kubernetes tokens in seconds.
- allowed_kubernetes_namespace_selector str
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are ORed.
- allowed_kubernetes_namespaces Sequence[str]
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are ORed.
- backend str
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- extra_annotations Mapping[str, str]
- Additional annotations to apply to all generated Kubernetes objects.
- extra_labels Mapping[str, str]
- Additional labels to apply to all generated Kubernetes objects. This resource also directly accepts all vault.Mount fields.
- generated_role_rules str
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetes_role_name str
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetes_role_type str
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name str
- The name of the role.
- name_template str
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace str
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- service_account_name str
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- token_default_ttl int
- The default TTL for generated Kubernetes tokens in seconds.
- token_max_ttl int
- The maximum TTL for generated Kubernetes tokens in seconds.
- allowedKubernetesNamespaceSelector String
- A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with `allowed_kubernetes_namespaces`, the conditions are ORed.
- allowedKubernetesNamespaces List<String>
- The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set with `allowed_kubernetes_namespace_selector`, the conditions are ORed.
- backend String
- The path of the Kubernetes Secrets Engine backend mount to create the role in.
- extraAnnotations Map<String>
- Additional annotations to apply to all generated Kubernetes objects.
- extraLabels Map<String>
- Additional labels to apply to all generated Kubernetes objects. This resource also directly accepts all vault.Mount fields.
- generatedRoleRules String
- The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- kubernetesRoleName String
- The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- kubernetesRoleType String
- Specifies whether the Kubernetes role is a Role or ClusterRole.
- name String
- The name of the role.
- nameTemplate String
- The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- namespace String
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- serviceAccountName String
- The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- tokenDefaultTtl Number
- The default TTL for generated Kubernetes tokens in seconds.
- tokenMaxTtl Number
- The maximum TTL for generated Kubernetes tokens in seconds.
Import
The Kubernetes secret backend role can be imported using the full path to the role
of the form: <backend_path>/roles/<role_name>
e.g.
$ pulumi import vault:kubernetes/secretBackendRole:SecretBackendRole example kubernetes kubernetes/roles/example-role
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `vault` Terraform Provider.