HashiCorp Vault v6.3.0, Aug 8 24

HashiCorp Vault v6.3.0 published on Thursday, Aug 8, 2024 by Pulumi

vault.secrets.SyncAwsDestination

Explore with Pulumi AI

HashiCorp Vault v6.3.0 published on Thursday, Aug 8, 2024 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const aws = new vault.secrets.SyncAwsDestination("aws", {
    name: "aws-dest",
    accessKeyId: accessKeyId,
    secretAccessKey: secretAccessKey,
    region: "us-east-1",
    roleArn: "role-arn",
    externalId: "external-id",
    secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    customTags: {
        foo: "bar",
    },
});

import pulumi
import pulumi_vault as vault

aws = vault.secrets.SyncAwsDestination("aws",
    name="aws-dest",
    access_key_id=access_key_id,
    secret_access_key=secret_access_key,
    region="us-east-1",
    role_arn="role-arn",
    external_id="external-id",
    secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    custom_tags={
        "foo": "bar",
    })

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/secrets"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := secrets.NewSyncAwsDestination(ctx, "aws", &secrets.SyncAwsDestinationArgs{
			Name:               pulumi.String("aws-dest"),
			AccessKeyId:        pulumi.Any(accessKeyId),
			SecretAccessKey:    pulumi.Any(secretAccessKey),
			Region:             pulumi.String("us-east-1"),
			RoleArn:            pulumi.String("role-arn"),
			ExternalId:         pulumi.String("external-id"),
			SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
			CustomTags: pulumi.Map{
				"foo": pulumi.Any("bar"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var aws = new Vault.Secrets.SyncAwsDestination("aws", new()
    {
        Name = "aws-dest",
        AccessKeyId = accessKeyId,
        SecretAccessKey = secretAccessKey,
        Region = "us-east-1",
        RoleArn = "role-arn",
        ExternalId = "external-id",
        SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
        CustomTags = 
        {
            { "foo", "bar" },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncAwsDestination;
import com.pulumi.vault.secrets.SyncAwsDestinationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var aws = new SyncAwsDestination("aws", SyncAwsDestinationArgs.builder()
            .name("aws-dest")
            .accessKeyId(accessKeyId)
            .secretAccessKey(secretAccessKey)
            .region("us-east-1")
            .roleArn("role-arn")
            .externalId("external-id")
            .secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
            .customTags(Map.of("foo", "bar"))
            .build());

    }
}

resources:
  aws:
    type: vault:secrets:SyncAwsDestination
    properties:
      name: aws-dest
      accessKeyId: ${accessKeyId}
      secretAccessKey: ${secretAccessKey}
      region: us-east-1
      roleArn: role-arn
      externalId: external-id
      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
      customTags:
        foo: bar

Create SyncAwsDestination Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SyncAwsDestination(name: string, args?: SyncAwsDestinationArgs, opts?: CustomResourceOptions);

@overload
def SyncAwsDestination(resource_name: str,
                       args: Optional[SyncAwsDestinationArgs] = None,
                       opts: Optional[ResourceOptions] = None)

@overload
def SyncAwsDestination(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       access_key_id: Optional[str] = None,
                       custom_tags: Optional[Mapping[str, Any]] = None,
                       external_id: Optional[str] = None,
                       granularity: Optional[str] = None,
                       name: Optional[str] = None,
                       namespace: Optional[str] = None,
                       region: Optional[str] = None,
                       role_arn: Optional[str] = None,
                       secret_access_key: Optional[str] = None,
                       secret_name_template: Optional[str] = None)

func NewSyncAwsDestination(ctx *Context, name string, args *SyncAwsDestinationArgs, opts ...ResourceOption) (*SyncAwsDestination, error)

public SyncAwsDestination(string name, SyncAwsDestinationArgs? args = null, CustomResourceOptions? opts = null)

public SyncAwsDestination(String name, SyncAwsDestinationArgs args)
public SyncAwsDestination(String name, SyncAwsDestinationArgs args, CustomResourceOptions options)

type: vault:secrets:SyncAwsDestination
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SyncAwsDestinationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SyncAwsDestinationArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SyncAwsDestinationArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SyncAwsDestinationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SyncAwsDestinationArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var syncAwsDestinationResource = new Vault.Secrets.SyncAwsDestination("syncAwsDestinationResource", new()
{
    AccessKeyId = "string",
    CustomTags = 
    {
        { "string", "any" },
    },
    ExternalId = "string",
    Granularity = "string",
    Name = "string",
    Namespace = "string",
    Region = "string",
    RoleArn = "string",
    SecretAccessKey = "string",
    SecretNameTemplate = "string",
});

example, err := secrets.NewSyncAwsDestination(ctx, "syncAwsDestinationResource", &secrets.SyncAwsDestinationArgs{
	AccessKeyId: pulumi.String("string"),
	CustomTags: pulumi.Map{
		"string": pulumi.Any("any"),
	},
	ExternalId:         pulumi.String("string"),
	Granularity:        pulumi.String("string"),
	Name:               pulumi.String("string"),
	Namespace:          pulumi.String("string"),
	Region:             pulumi.String("string"),
	RoleArn:            pulumi.String("string"),
	SecretAccessKey:    pulumi.String("string"),
	SecretNameTemplate: pulumi.String("string"),
})

var syncAwsDestinationResource = new SyncAwsDestination("syncAwsDestinationResource", SyncAwsDestinationArgs.builder()
    .accessKeyId("string")
    .customTags(Map.of("string", "any"))
    .externalId("string")
    .granularity("string")
    .name("string")
    .namespace("string")
    .region("string")
    .roleArn("string")
    .secretAccessKey("string")
    .secretNameTemplate("string")
    .build());

sync_aws_destination_resource = vault.secrets.SyncAwsDestination("syncAwsDestinationResource",
    access_key_id="string",
    custom_tags={
        "string": "any",
    },
    external_id="string",
    granularity="string",
    name="string",
    namespace="string",
    region="string",
    role_arn="string",
    secret_access_key="string",
    secret_name_template="string")

const syncAwsDestinationResource = new vault.secrets.SyncAwsDestination("syncAwsDestinationResource", {
    accessKeyId: "string",
    customTags: {
        string: "any",
    },
    externalId: "string",
    granularity: "string",
    name: "string",
    namespace: "string",
    region: "string",
    roleArn: "string",
    secretAccessKey: "string",
    secretNameTemplate: "string",
});

type: vault:secrets:SyncAwsDestination
properties:
    accessKeyId: string
    customTags:
        string: any
    externalId: string
    granularity: string
    name: string
    namespace: string
    region: string
    roleArn: string
    secretAccessKey: string
    secretNameTemplate: string

SyncAwsDestination Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The SyncAwsDestination resource accepts the following input properties:

AccessKeyId string: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
CustomTags Dictionary<string, object>: Custom tags to set on the secret managed at the destination.
ExternalId string: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
Name string: Unique name of the AWS destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
Region string: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
RoleArn string: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
SecretAccessKey string: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.

AccessKeyId string: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
CustomTags map[string]interface{}: Custom tags to set on the secret managed at the destination.
ExternalId string: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
Name string: Unique name of the AWS destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
Region string: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
RoleArn string: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
SecretAccessKey string: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.

accessKeyId String: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags Map<String,Object>: Custom tags to set on the secret managed at the destination.
externalId String: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name String: Unique name of the AWS destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region String: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn String: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey String: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.

accessKeyId string: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags {[key: string]: any}: Custom tags to set on the secret managed at the destination.
externalId string: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name string: Unique name of the AWS destination.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region string: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn string: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey string: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.

access_key_id str: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
custom_tags Mapping[str, Any]: Custom tags to set on the secret managed at the destination.
external_id str: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity str: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name str: Unique name of the AWS destination.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region str: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
role_arn str: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secret_access_key str: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secret_name_template str: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.

accessKeyId String: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags Map<Any>: Custom tags to set on the secret managed at the destination.
externalId String: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name String: Unique name of the AWS destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region String: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn String: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey String: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.

Outputs

All input properties are implicitly available as output properties. Additionally, the SyncAwsDestination resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Type string: The type of the secrets destination (aws-sm).

Id string: The provider-assigned unique ID for this managed resource.
Type string: The type of the secrets destination (aws-sm).

id String: The provider-assigned unique ID for this managed resource.
type String: The type of the secrets destination (aws-sm).

id string: The provider-assigned unique ID for this managed resource.
type string: The type of the secrets destination (aws-sm).

id str: The provider-assigned unique ID for this managed resource.
type str: The type of the secrets destination (aws-sm).

id String: The provider-assigned unique ID for this managed resource.
type String: The type of the secrets destination (aws-sm).

Look up Existing SyncAwsDestination Resource

Get an existing SyncAwsDestination resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SyncAwsDestinationState, opts?: CustomResourceOptions): SyncAwsDestination

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_key_id: Optional[str] = None,
        custom_tags: Optional[Mapping[str, Any]] = None,
        external_id: Optional[str] = None,
        granularity: Optional[str] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        region: Optional[str] = None,
        role_arn: Optional[str] = None,
        secret_access_key: Optional[str] = None,
        secret_name_template: Optional[str] = None,
        type: Optional[str] = None) -> SyncAwsDestination

func GetSyncAwsDestination(ctx *Context, name string, id IDInput, state *SyncAwsDestinationState, opts ...ResourceOption) (*SyncAwsDestination, error)

public static SyncAwsDestination Get(string name, Input<string> id, SyncAwsDestinationState? state, CustomResourceOptions? opts = null)

public static SyncAwsDestination get(String name, Output<String> id, SyncAwsDestinationState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessKeyId string: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
CustomTags Dictionary<string, object>: Custom tags to set on the secret managed at the destination.
ExternalId string: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
Name string: Unique name of the AWS destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
Region string: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
RoleArn string: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
SecretAccessKey string: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
Type string: The type of the secrets destination (aws-sm).

AccessKeyId string: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
CustomTags map[string]interface{}: Custom tags to set on the secret managed at the destination.
ExternalId string: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
Granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
Name string: Unique name of the AWS destination.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
Region string: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
RoleArn string: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
SecretAccessKey string: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
SecretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
Type string: The type of the secrets destination (aws-sm).

accessKeyId String: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags Map<String,Object>: Custom tags to set on the secret managed at the destination.
externalId String: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name String: Unique name of the AWS destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region String: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn String: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey String: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
type String: The type of the secrets destination (aws-sm).

accessKeyId string: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags {[key: string]: any}: Custom tags to set on the secret managed at the destination.
externalId string: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity string: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name string: Unique name of the AWS destination.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region string: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn string: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey string: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate string: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
type string: The type of the secrets destination (aws-sm).

access_key_id str: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
custom_tags Mapping[str, Any]: Custom tags to set on the secret managed at the destination.
external_id str: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity str: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name str: Unique name of the AWS destination.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region str: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
role_arn str: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secret_access_key str: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secret_name_template str: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
type str: The type of the secrets destination (aws-sm).

accessKeyId String: Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags Map<Any>: Custom tags to set on the secret managed at the destination.
externalId String: Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity String: Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name String: Unique name of the AWS destination.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region String: Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn String: Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey String: Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate String: Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
type String: The type of the secrets destination (aws-sm).

Import

AWS Secrets sync destinations can be imported using the name, e.g.

$ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v6.3.0 published on Thursday, Aug 8, 2024 by Pulumi

pulumi/pulumi-vault

vault.secrets.SyncAwsDestination

On this page

On this page

Example Usage

Create SyncAwsDestination Resource

Constructor syntax

Parameters

Constructor example

SyncAwsDestination Resource Properties

Inputs

Outputs

Look up Existing SyncAwsDestination Resource

Import

Package Details

On this page

On this page