Module appRole

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

Resources

Resource AuthBackendLogin

class AuthBackendLogin extends CustomResource

Logs into Vault using the AppRole auth backend. See the Vault documentation for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const approle = new vault.AuthBackend("approle", {
    type: "approle",
});
const example = new vault.appRole.AuthBackendRole("example", {
    backend: approle.path,
    policies: [
        "default",
        "dev",
        "prod",
    ],
    roleName: "test-role",
});
const id = new vault.appRole.AuthBackendRoleSecretID("id", {
    backend: approle.path,
    roleName: example.roleName,
});
const login = new vault.appRole.AuthBackendLogin("login", {
    backend: approle.path,
    roleId: example.roleId,
    secretId: id.secretId,
});

constructor

new AuthBackendLogin(name: string, args: AuthBackendLoginArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendLogin resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendLoginState, opts?: pulumi.CustomResourceOptions): AuthBackendLogin

Get an existing AuthBackendLogin resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendLogin

Returns true if the given object is an instance of AuthBackendLogin. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accessor

public accessor: pulumi.Output<string>;

The accessor for the token.

property backend

public backend: pulumi.Output<string | undefined>;

The unique path of the Vault backend to log in with.

property clientToken

public clientToken: pulumi.Output<string>;

The Vault token created.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property leaseDuration

public leaseDuration: pulumi.Output<number>;

How long the token is valid for, in seconds.

property leaseStarted

public leaseStarted: pulumi.Output<string>;

The date and time the lease started, in RFC 3339 format.

property metadata

public metadata: pulumi.Output<{[key: string]: string}>;

The metadata associated with the token.

property policies

public policies: pulumi.Output<string[]>;

A list of policies applied to the token.

property renewable

public renewable: pulumi.Output<boolean>;

Whether the token is renewable or not.

property roleId

public roleId: pulumi.Output<string>;

The ID of the role to log in with.

property secretId

public secretId: pulumi.Output<string | undefined>;

The secret ID of the role to log in with. Required unless bindSecretId is set to false on the role.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AuthBackendRole

class AuthBackendRole extends CustomResource

Manages an AppRole auth backend role in a Vault server. See the Vault documentation for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const approle = new vault.AuthBackend("approle", {type: "approle"});
const example = new vault.appRole.AuthBackendRole("example", {
    backend: approle.path,
    roleName: "test-role",
    tokenPolicies: [
        "default",
        "dev",
        "prod",
    ],
});

constructor

new AuthBackendRole(name: string, args: AuthBackendRoleArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendRole resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendRoleState, opts?: pulumi.CustomResourceOptions): AuthBackendRole

Get an existing AuthBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendRole

Returns true if the given object is an instance of AuthBackendRole. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property backend

public backend: pulumi.Output<string | undefined>;

The unique name of the auth backend to configure. Defaults to approle.

property bindSecretId

public bindSecretId: pulumi.Output<boolean | undefined>;

Whether or not to require secretId to be presented when logging in using this AppRole. Defaults to true.

property boundCidrLists

public boundCidrLists: pulumi.Output<string[] | undefined>;

If set, specifies blocks of IP addresses which can perform the login operation.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property period

public period: pulumi.Output<number | undefined>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

public policies: pulumi.Output<string[] | undefined>;

An array of strings specifying the policies to be set on tokens issued using this role.

property roleId

public roleId: pulumi.Output<string>;

The RoleID of this role. If not specified, one will be auto-generated.

property roleName

public roleName: pulumi.Output<string>;

The name of the role.

property secretIdBoundCidrs

public secretIdBoundCidrs: pulumi.Output<string[] | undefined>;

If set, specifies blocks of IP addresses which can perform the login operation.

property secretIdNumUses

public secretIdNumUses: pulumi.Output<number | undefined>;

The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses.

property secretIdTtl

public secretIdTtl: pulumi.Output<number | undefined>;

The number of seconds after which any SecretID expires.

property tokenBoundCidrs

public tokenBoundCidrs: pulumi.Output<string[] | undefined>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

public tokenExplicitMaxTtl: pulumi.Output<number | undefined>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

public tokenMaxTtl: pulumi.Output<number | undefined>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

public tokenNoDefaultPolicy: pulumi.Output<boolean | undefined>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

property tokenNumUses

public tokenNumUses: pulumi.Output<number | undefined>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

public tokenPeriod: pulumi.Output<number | undefined>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

public tokenPolicies: pulumi.Output<string[] | undefined>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

public tokenTtl: pulumi.Output<number | undefined>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

public tokenType: pulumi.Output<string | undefined>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AuthBackendRoleSecretID

class AuthBackendRoleSecretID extends CustomResource

Manages an AppRole auth backend SecretID in a Vault server. See the Vault documentation for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const approle = new vault.AuthBackend("approle", {
    type: "approle",
});
const example = new vault.appRole.AuthBackendRole("example", {
    backend: approle.path,
    policies: [
        "default",
        "dev",
        "prod",
    ],
    roleName: "test-role",
});
const id = new vault.appRole.AuthBackendRoleSecretID("id", {
    backend: approle.path,
    metadata: `{
  "hello": "world"
}
`,
    roleName: example.roleName,
});

constructor

new AuthBackendRoleSecretID(name: string, args: AuthBackendRoleSecretIDArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendRoleSecretID resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendRoleSecretIDState, opts?: pulumi.CustomResourceOptions): AuthBackendRoleSecretID

Get an existing AuthBackendRoleSecretID resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendRoleSecretID

Returns true if the given object is an instance of AuthBackendRoleSecretID. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accessor

public accessor: pulumi.Output<string>;

The unique ID for this SecretID that can be safely logged.

property backend

public backend: pulumi.Output<string | undefined>;

Unique name of the auth backend to configure.

property cidrLists

public cidrLists: pulumi.Output<string[] | undefined>;

If set, specifies blocks of IP addresses which can perform the login operation using this SecretID.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property metadata

public metadata: pulumi.Output<string | undefined>;

A JSON-encoded string containing metadata in key-value pairs to be set on tokens issued with this SecretID.

property roleName

public roleName: pulumi.Output<string>;

The name of the role to create the SecretID for.

property secretId

public secretId: pulumi.Output<string>;

The SecretID to be created. If set, uses “Push” mode. Defaults to Vault auto-generating SecretIDs.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property wrappingAccessor

public wrappingAccessor: pulumi.Output<string>;

The unique ID for the response-wrapped SecretID that can be safely logged.

property wrappingToken

public wrappingToken: pulumi.Output<string>;

The token used to retrieve a response-wrapped SecretID.

property wrappingTtl

public wrappingTtl: pulumi.Output<string | undefined>;

If set, the SecretID response will be response-wrapped and available for the duration specified. Only a single unwrapping of the token is allowed.

Functions

Function getAuthBackendRoleId

getAuthBackendRoleId(args: GetAuthBackendRoleIdArgs, opts?: pulumi.InvokeOptions): Promise<GetAuthBackendRoleIdResult>

Reads the Role ID of an AppRole from a Vault server.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const role = pulumi.output(vault.appRole.getAuthBackendRoleId({
    backend: "my-approle-backend",
    roleName: "my-role",
}, { async: true }));

export const roleId = role.roleId;

Others

interface AuthBackendLoginArgs

interface AuthBackendLoginArgs

The set of arguments for constructing an AuthBackendLogin resource.

property backend

backend?: pulumi.Input<string>;

The unique path of the Vault backend to log in with.

property roleId

roleId: pulumi.Input<string>;

The ID of the role to log in with.

property secretId

secretId?: pulumi.Input<string>;

The secret ID of the role to log in with. Required unless bindSecretId is set to false on the role.

interface AuthBackendLoginState

interface AuthBackendLoginState

Input properties used for looking up and filtering AuthBackendLogin resources.

property accessor

accessor?: pulumi.Input<string>;

The accessor for the token.

property backend

backend?: pulumi.Input<string>;

The unique path of the Vault backend to log in with.

property clientToken

clientToken?: pulumi.Input<string>;

The Vault token created.

property leaseDuration

leaseDuration?: pulumi.Input<number>;

How long the token is valid for, in seconds.

property leaseStarted

leaseStarted?: pulumi.Input<string>;

The date and time the lease started, in RFC 3339 format.

property metadata

metadata?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

The metadata associated with the token.

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

A list of policies applied to the token.

property renewable

renewable?: pulumi.Input<boolean>;

Whether the token is renewable or not.

property roleId

roleId?: pulumi.Input<string>;

The ID of the role to log in with.

property secretId

secretId?: pulumi.Input<string>;

The secret ID of the role to log in with. Required unless bindSecretId is set to false on the role.

interface AuthBackendRoleArgs

interface AuthBackendRoleArgs

The set of arguments for constructing an AuthBackendRole resource.

property backend

backend?: pulumi.Input<string>;

The unique name of the auth backend to configure. Defaults to approle.

property bindSecretId

bindSecretId?: pulumi.Input<boolean>;

Whether or not to require secretId to be presented when logging in using this AppRole. Defaults to true.

property boundCidrLists

DEPRECATED: use secret_id_bound_cidrs instead.
boundCidrLists?: pulumi.Input<pulumi.Input<string>[]>;

If set, specifies blocks of IP addresses which can perform the login operation.

property period

DEPRECATED: use token_period instead if you are running Vault >= 1.2.
period?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

DEPRECATED: use token_policies instead if you are running Vault >= 1.2.
policies?: pulumi.Input<pulumi.Input<string>[]>;

An array of strings specifying the policies to be set on tokens issued using this role.

property roleId

roleId?: pulumi.Input<string>;

The RoleID of this role. If not specified, one will be auto-generated.

property roleName

roleName: pulumi.Input<string>;

The name of the role.

property secretIdBoundCidrs

secretIdBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

If set, specifies blocks of IP addresses which can perform the login operation.

property secretIdNumUses

secretIdNumUses?: pulumi.Input<number>;

The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses.

property secretIdTtl

secretIdTtl?: pulumi.Input<number>;

The number of seconds after which any SecretID expires.

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.
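The AuthBackendRoleArgs properties above determine how far a leaked RoleID or SecretID can be used. The following lint is an added example, not code from pulumi-vault: `RoleArgs`, `auditRole`, `Finding`, `ruleIds` and the rule ids are hypothetical names, and treating an unset `secretIdNumUses` or `secretIdTtl` like zero is an assumption about the server default.

```typescript
// Added example: a lint for AppRole role arguments (not part of @pulumi/vault).
// RoleArgs mirrors a subset of the AuthBackendRoleArgs properties on this page,
// with plain values instead of pulumi.Input.
interface RoleArgs {
    roleName: string;
    bindSecretId?: boolean;
    secretIdNumUses?: number;
    secretIdTtl?: number;
    secretIdBoundCidrs?: string[];
    tokenBoundCidrs?: string[];
    tokenPeriod?: number;
    tokenExplicitMaxTtl?: number;
    tokenTtl?: number;
    tokenMaxTtl?: number;
    tokenPolicies?: string[];
    boundCidrLists?: string[]; // deprecated per this page
    period?: number;           // deprecated per this page
    policies?: string[];       // deprecated per this page
}

interface Finding { rule: string; message: string; }

function auditRole(args: RoleArgs): Finding[] {
    const findings: Finding[] = [];
    const add = (rule: string, message: string): void => { findings.push({ rule, message }); };
    const hasItems = (xs?: string[]): boolean => xs !== undefined && xs.length > 0;

    if (args.bindSecretId === false) {
        add("secret-id-not-required", "bindSecretId is false: no secretId is needed to log in");
    } else {
        // Assumption: an unset value behaves like 0 (no limit).
        if ((args.secretIdNumUses ?? 0) === 0) {
            add("secret-id-unlimited-uses", "a SecretID can be used an unlimited number of times");
        }
        if ((args.secretIdTtl ?? 0) === 0) {
            add("secret-id-no-ttl", "no secretIdTtl is set, so SecretIDs are not given an expiry");
        }
    }
    if (!hasItems(args.secretIdBoundCidrs) && !hasItems(args.tokenBoundCidrs)
        && !hasItems(args.boundCidrLists)) {
        add("no-cidr-binding", "login is not restricted to any block of IP addresses");
    }
    // A periodic token never expires while renewed; tokenExplicitMaxTtl is the hard cap.
    const periodic = Math.max(args.tokenPeriod ?? 0, args.period ?? 0) > 0;
    if (periodic && (args.tokenExplicitMaxTtl ?? 0) === 0) {
        add("periodic-token-no-hard-cap", "periodic token without tokenExplicitMaxTtl");
    }
    const deprecated: Array<[keyof RoleArgs, string]> = [
        ["boundCidrLists", "secretIdBoundCidrs"],
        ["period", "tokenPeriod"],
        ["policies", "tokenPolicies"],
    ];
    deprecated.forEach(([oldName, newName]) => {
        if (args[oldName] !== undefined) {
            add("deprecated-" + oldName, oldName + " is deprecated; use " + newName);
        }
    });
    return findings;
}

function ruleIds(args: RoleArgs): string[] {
    return auditRole(args).map((f) => f.rule);
}

// Constructed inputs: the first mirrors the role in this page's AuthBackendLogin
// example; the second sets the limits the findings ask for (values are made up).
const pageExampleRole: RoleArgs = {
    roleName: "test-role",
    policies: ["default", "dev", "prod"],
};
const hardenedRole: RoleArgs = {
    roleName: "test-role",
    tokenPolicies: ["dev"],
    secretIdNumUses: 1,
    secretIdTtl: 600,
    secretIdBoundCidrs: ["10.0.0.0/24"],
    tokenBoundCidrs: ["10.0.0.0/24"],
    tokenTtl: 900,
    tokenMaxTtl: 3600,
};

console.log(ruleIds(pageExampleRole));
console.log(ruleIds(hardenedRole));
```

In a Pulumi program the same checks would run on the literal argument object before it is passed to `new vault.appRole.AuthBackendRole(...)`.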

interface AuthBackendRoleSecretIDArgs

interface AuthBackendRoleSecretIDArgs

The set of arguments for constructing an AuthBackendRoleSecretID resource.

property backend

backend?: pulumi.Input<string>;

Unique name of the auth backend to configure.

property cidrLists

cidrLists?: pulumi.Input<pulumi.Input<string>[]>;

If set, specifies blocks of IP addresses which can perform the login operation using this SecretID.

property metadata

metadata?: pulumi.Input<string>;

A JSON-encoded string containing metadata in key-value pairs to be set on tokens issued with this SecretID.

property roleName

roleName: pulumi.Input<string>;

The name of the role to create the SecretID for.

property secretId

secretId?: pulumi.Input<string>;

The SecretID to be created. If set, uses “Push” mode. Defaults to Vault auto-generating SecretIDs.

property wrappingTtl

wrappingTtl?: pulumi.Input<string>;

If set, the SecretID response will be response-wrapped and available for the duration specified. Only a single unwrapping of the token is allowed.

interface AuthBackendRoleSecretIDState

interface AuthBackendRoleSecretIDState

Input properties used for looking up and filtering AuthBackendRoleSecretID resources.

property accessor

accessor?: pulumi.Input<string>;

The unique ID for this SecretID that can be safely logged.

property backend

backend?: pulumi.Input<string>;

Unique name of the auth backend to configure.

property cidrLists

cidrLists?: pulumi.Input<pulumi.Input<string>[]>;

If set, specifies blocks of IP addresses which can perform the login operation using this SecretID.

property metadata

metadata?: pulumi.Input<string>;

A JSON-encoded string containing metadata in key-value pairs to be set on tokens issued with this SecretID.

property roleName

roleName?: pulumi.Input<string>;

The name of the role to create the SecretID for.

property secretId

secretId?: pulumi.Input<string>;

The SecretID to be created. If set, uses “Push” mode. Defaults to Vault auto-generating SecretIDs.

property wrappingAccessor

wrappingAccessor?: pulumi.Input<string>;

The unique ID for the response-wrapped SecretID that can be safely logged.

property wrappingToken

wrappingToken?: pulumi.Input<string>;

The token used to retrieve a response-wrapped SecretID.

property wrappingTtl

wrappingTtl?: pulumi.Input<string>;

If set, the SecretID response will be response-wrapped and available for the duration specified. Only a single unwrapping of the token is allowed.

interface AuthBackendRoleState

interface AuthBackendRoleState

Input properties used for looking up and filtering AuthBackendRole resources.

property backend

backend?: pulumi.Input<string>;

The unique name of the auth backend to configure. Defaults to approle.

property bindSecretId

bindSecretId?: pulumi.Input<boolean>;

Whether or not to require secretId to be presented when logging in using this AppRole. Defaults to true.

property boundCidrLists

DEPRECATED: use secret_id_bound_cidrs instead.
boundCidrLists?: pulumi.Input<pulumi.Input<string>[]>;

If set, specifies blocks of IP addresses which can perform the login operation.

property period

DEPRECATED: use token_period instead if you are running Vault >= 1.2.
period?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

DEPRECATED: use token_policies instead if you are running Vault >= 1.2.
policies?: pulumi.Input<pulumi.Input<string>[]>;

An array of strings specifying the policies to be set on tokens issued using this role.

property roleId

roleId?: pulumi.Input<string>;

The RoleID of this role. If not specified, one will be auto-generated.

property roleName

roleName?: pulumi.Input<string>;

The name of the role.

property secretIdBoundCidrs

secretIdBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

If set, specifies blocks of IP addresses which can perform the login operation.

property secretIdNumUses

secretIdNumUses?: pulumi.Input<number>;

The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses.

property secretIdTtl

secretIdTtl?: pulumi.Input<number>;

The number of seconds after which any SecretID expires.

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

interface GetAuthBackendRoleIdArgs

interface GetAuthBackendRoleIdArgs

A collection of arguments for invoking getAuthBackendRoleId.

property backend

backend?: undefined | string;

The unique name of the AppRole backend in which the role to retrieve a RoleID for resides. Defaults to “approle”.

property roleName

roleName: string;

The name of the role to retrieve the Role ID for.

interface GetAuthBackendRoleIdResult

interface GetAuthBackendRoleIdResult

A collection of values returned by getAuthBackendRoleId.

property backend

backend?: undefined | string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property roleId

roleId: string;

The RoleID of the role.

property roleName

roleName: string;