Module aws

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

Resources

Resource AuthBackendCert

class AuthBackendCert extends CustomResource

constructor

new AuthBackendCert(name: string, args: AuthBackendCertArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendCert resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendCertState, opts?: pulumi.CustomResourceOptions): AuthBackendCert

Get an existing AuthBackendCert resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendCert

Returns true if the given object is an instance of AuthBackendCert. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property awsPublicCert

public awsPublicCert: pulumi.Output<string>;

The Base64-encoded AWS public key required to verify the PKCS#7 signature of the EC2 instance metadata. You can find this key in the AWS documentation.

property backend

public backend: pulumi.Output<string | undefined>;

The path the AWS auth backend being configured was mounted at. Defaults to aws.

property certName

public certName: pulumi.Output<string>;

The name of the certificate.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property type

public type: pulumi.Output<string | undefined>;

Either “pkcs7” or “identity”, indicating the type of document which can be verified using the given certificate. Defaults to “pkcs7”.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AuthBackendClient

class AuthBackendClient extends CustomResource

constructor

new AuthBackendClient(name: string, args?: AuthBackendClientArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendClient resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendClientState, opts?: pulumi.CustomResourceOptions): AuthBackendClient

Get an existing AuthBackendClient resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendClient

Returns true if the given object is an instance of AuthBackendClient. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accessKey

public accessKey: pulumi.Output<string | undefined>;

The AWS access key that Vault should use for the auth backend.

property backend

public backend: pulumi.Output<string | undefined>;

The path the AWS auth backend being configured was mounted at. Defaults to aws.

property ec2Endpoint

public ec2Endpoint: pulumi.Output<string | undefined>;

Override the URL Vault uses when making EC2 API calls.

property iamEndpoint

public iamEndpoint: pulumi.Output<string | undefined>;

Override the URL Vault uses when making IAM API calls.

property iamServerIdHeaderValue

public iamServerIdHeaderValue: pulumi.Output<string | undefined>;

The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property secretKey

public secretKey: pulumi.Output<string | undefined>;

The AWS secret key that Vault should use for the auth backend.

property stsEndpoint

public stsEndpoint: pulumi.Output<string | undefined>;

Override the URL Vault uses when making STS API calls.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AuthBackendIdentityWhitelist

class AuthBackendIdentityWhitelist extends CustomResource

Configures the periodic tidying operation of the whitelisted identity entries.

For more information, see the Vault docs.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const exampleAuthBackend = new vault.AuthBackend("example", {
    type: "aws",
});
const exampleAuthBackendIdentityWhitelist = new vault.aws.AuthBackendIdentityWhitelist("example", {
    backend: exampleAuthBackend.path,
    safetyBuffer: 3600,
});

constructor

new AuthBackendIdentityWhitelist(name: string, args?: AuthBackendIdentityWhitelistArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendIdentityWhitelist resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendIdentityWhitelistState, opts?: pulumi.CustomResourceOptions): AuthBackendIdentityWhitelist

Get an existing AuthBackendIdentityWhitelist resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendIdentityWhitelist

Returns true if the given object is an instance of AuthBackendIdentityWhitelist. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property backend

public backend: pulumi.Output<string | undefined>;

The path of the AWS backend being configured.

property disablePeriodicTidy

public disablePeriodicTidy: pulumi.Output<boolean | undefined>;

If set to true, disables the periodic tidying of the identity-whitelist entries.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property safetyBuffer

public safetyBuffer: pulumi.Output<number | undefined>;

The amount of extra time, in minutes, that must have passed beyond the roletag expiration, before it is removed from the backend storage.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AuthBackendLogin

class AuthBackendLogin extends CustomResource

Logs into a Vault server using an AWS auth backend. Login can be accomplished using a signed identity request from IAM or using EC2 instance metadata. For more information, see the Vault documentation.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const aws = new vault.AuthBackend("aws", {
    type: "aws",
});
const exampleAuthBackendClient = new vault.aws.AuthBackendClient("example", {
    accessKey: "123456789012",
    backend: aws.path,
    secretKey: "AWSSECRETKEYGOESHERE",
});
const exampleAuthBackendRole = new vault.aws.AuthBackendRole("example", {
    authType: "ec2",
    backend: aws.path,
    boundAccountIds: ["123456789012"],
    boundAmiIds: ["ami-8c1be5f6"],
    boundIamInstanceProfileArns: ["arn:aws:iam::123456789012:instance-profile/MyProfile"],
    boundSubnetIds: ["vpc-133128f1"],
    boundVpcIds: ["vpc-b61106d4"],
    maxTtl: 120,
    role: "test-role",
    tokenPolicies: [
        "default",
        "dev",
        "prod",
    ],
    ttl: 60,
}, { dependsOn: [exampleAuthBackendClient] });
const exampleAuthBackendLogin = new vault.aws.AuthBackendLogin("example", {
    backend: aws.path,
    identity: "BASE64ENCODEDIDENTITYDOCUMENT",
    role: exampleAuthBackendRole.role,
    signature: "BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE",
});

constructor

new AuthBackendLogin(name: string, args?: AuthBackendLoginArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendLogin resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendLoginState, opts?: pulumi.CustomResourceOptions): AuthBackendLogin

Get an existing AuthBackendLogin resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendLogin

Returns true if the given object is an instance of AuthBackendLogin. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accessor

public accessor: pulumi.Output<string>;

The token’s accessor.

property authType

public authType: pulumi.Output<string>;

The authentication type used to generate this token.

property backend

public backend: pulumi.Output<string | undefined>;

The unique name of the AWS auth backend. Defaults to ‘aws’.

property clientToken

public clientToken: pulumi.Output<string>;

The token returned by Vault.

property iamHttpRequestMethod

public iamHttpRequestMethod: pulumi.Output<string | undefined>;

The HTTP method used in the signed IAM request.

property iamRequestBody

public iamRequestBody: pulumi.Output<string | undefined>;

The base64-encoded body of the signed request.

property iamRequestHeaders

public iamRequestHeaders: pulumi.Output<string | undefined>;

The base64-encoded, JSON serialized representation of the GetCallerIdentity HTTP request headers.

property iamRequestUrl

public iamRequestUrl: pulumi.Output<string | undefined>;

The base64-encoded HTTP URL used in the signed request.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property identity

public identity: pulumi.Output<string | undefined>;

The base64-encoded EC2 instance identity document to authenticate with. Can be retrieved from the EC2 metadata server.

property leaseDuration

public leaseDuration: pulumi.Output<number>;

The duration in seconds the token will be valid, relative to the time in leaseStartTime.

property leaseStartTime

public leaseStartTime: pulumi.Output<string>;

Time at which the lease was read, using the clock of the system where Terraform was running.

property metadata

public metadata: pulumi.Output<{[key: string]: any}>;

A map of information returned by the Vault server about the authentication used to generate this token.

property nonce

public nonce: pulumi.Output<string>;

The unique nonce to be used for login requests. Can be set to a user-specified value, or will contain the server-generated value once a token is issued. EC2 instances can only acquire a single token until the whitelist is tidied again unless they keep track of this nonce.

property pkcs7

public pkcs7: pulumi.Output<string | undefined>;

The PKCS#7 signature of the identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.

property policies

public policies: pulumi.Output<string[]>;

The Vault policies assigned to this token.

property renewable

public renewable: pulumi.Output<boolean>;

Set to true if the token can be extended through renewal.

property role

public role: pulumi.Output<string>;

The name of the AWS auth backend role to create tokens against.

property signature

public signature: pulumi.Output<string | undefined>;

The base64-encoded SHA256 RSA signature of the instance identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
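An added illustration, not code from this page or from pulumi-vault, of how the iamHttpRequestMethod, iamRequestUrl, iamRequestHeaders and iamRequestBody arguments above are derived from a signed GetCallerIdentity request, and of the check Vault applies to the X-Vault-AWS-IAM-Server-ID header when AuthBackendClient's iamServerIdHeaderValue is set. The sample request and its Authorization value are constructed placeholders; the base64 helper and the JSON header layout (name to list of values, as Go's http.Header serializes) are assumptions of this example.

```typescript
// Added example: modelling the AuthBackendLogin iam* fields and the server-id
// header check. Not pulumi-vault or Vault code.

// Header map as Go's http.Header serializes it: name -> list of values
// (assumption: this is the JSON layout Vault's CLI sends in iam_request_headers).
type HeaderMap = { [name: string]: string[] };

interface SignedIamRequest {
  method: string;
  url: string;
  headers: HeaderMap;
  body: string;
}

interface IamLoginArgs {
  iamHttpRequestMethod: string;
  iamRequestUrl: string;
  iamRequestHeaders: string;
  iamRequestBody: string;
}

// Minimal base64 encoder for ASCII input so the block runs without Node globals.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
function base64(s: string): string {
  let out = "";
  for (let i = 0; i < s.length; i += 3) {
    const a = s.charCodeAt(i);
    const b = i + 1 < s.length ? s.charCodeAt(i + 1) : -1;
    const c = i + 2 < s.length ? s.charCodeAt(i + 2) : -1;
    const n = (a << 16) | ((b < 0 ? 0 : b) << 8) | (c < 0 ? 0 : c);
    out += B64[(n >> 18) & 63] + B64[(n >> 12) & 63];
    out += b < 0 ? "=" : B64[(n >> 6) & 63];
    out += c < 0 ? "=" : B64[n & 63];
  }
  return out;
}

// Case-insensitive header lookup (HTTP header names are not case-sensitive).
function headerValues(headers: HeaderMap, name: string): string[] {
  const want = name.toLowerCase();
  for (const k in headers) {
    if (k.toLowerCase() === want) return headers[k];
  }
  return [];
}

// Build the AuthBackendLogin arguments as the property docs describe them:
// method verbatim; URL, body and JSON-serialized headers base64-encoded.
function toIamLoginArgs(req: SignedIamRequest): IamLoginArgs {
  return {
    iamHttpRequestMethod: req.method,
    iamRequestUrl: base64(req.url),
    iamRequestHeaders: base64(JSON.stringify(req.headers)),
    iamRequestBody: base64(req.body),
  };
}

// Model of the check Vault applies when iamServerIdHeaderValue is configured:
// the header must carry exactly that value AND be among the SigV4 SignedHeaders.
// An unsigned header could be added by anyone relaying the request, so only a
// signed one binds the GetCallerIdentity request to this Vault deployment.
function serverIdHeaderAccepted(headers: HeaderMap, required: string | undefined): boolean {
  if (required === undefined) return true;
  const vals = headerValues(headers, "X-Vault-AWS-IAM-Server-ID");
  if (vals.length !== 1 || vals[0] !== required) return false;
  const auth = headerValues(headers, "Authorization")[0] || "";
  const m = /SignedHeaders=([^,\s]+)/.exec(auth);
  const signed = m ? m[1].split(";") : [];
  return signed.indexOf("x-vault-aws-iam-server-id") >= 0;
}

// Constructed sample: the shape of a SigV4-signed sts:GetCallerIdentity request.
// The Authorization value is a placeholder, not a real signature.
const sampleRequest: SignedIamRequest = {
  method: "POST",
  url: "https://sts.amazonaws.com/",
  headers: {
    "Host": ["sts.amazonaws.com"],
    "Content-Type": ["application/x-www-form-urlencoded; charset=utf-8"],
    "X-Amz-Date": ["20240101T000000Z"],
    "X-Vault-AWS-IAM-Server-ID": ["vault.example.internal"],
    "Authorization": [
      "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20240101/us-east-1/sts/aws4_request, " +
      "SignedHeaders=content-type;host;x-amz-date;x-vault-aws-iam-server-id, " +
      "Signature=PLACEHOLDER",
    ],
  },
  body: "Action=GetCallerIdentity&Version=2011-06-15",
};

// The values that would be passed, together with role and backend, to
// new vault.aws.AuthBackendLogin(...) for an iam-type login.
function sampleLoginArgs(): IamLoginArgs {
  return toIamLoginArgs(sampleRequest);
}
```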

Resource AuthBackendRole

class AuthBackendRole extends CustomResource

Manages an AWS auth backend role in a Vault server. Roles constrain the instances or principals that can perform the login operation against the backend. See the Vault documentation for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const aws = new vault.AuthBackend("aws", {type: "aws"});
const example = new vault.aws.AuthBackendRole("example", {
    backend: aws.path,
    role: "test-role",
    authType: "iam",
    boundAmiIds: ["ami-8c1be5f6"],
    boundAccountIds: ["123456789012"],
    boundVpcIds: ["vpc-b61106d4"],
    boundSubnetIds: ["vpc-133128f1"],
    boundIamRoleArns: ["arn:aws:iam::123456789012:role/MyRole"],
    boundIamInstanceProfileArns: ["arn:aws:iam::123456789012:instance-profile/MyProfile"],
    inferredEntityType: "ec2Instance",
    inferredAwsRegion: "us-east-1",
    tokenTtl: 60,
    tokenMaxTtl: 120,
    tokenPolicies: [
        "default",
        "dev",
        "prod",
    ],
});

constructor

new AuthBackendRole(name: string, args: AuthBackendRoleArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendRole resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendRoleState, opts?: pulumi.CustomResourceOptions): AuthBackendRole

Get an existing AuthBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendRole

Returns true if the given object is an instance of AuthBackendRole. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property allowInstanceMigration

public allowInstanceMigration: pulumi.Output<boolean | undefined>;

If set to true, allows migration of the underlying instance where the client resides.

property authType

public authType: pulumi.Output<string | undefined>;

The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.

property backend

public backend: pulumi.Output<string | undefined>;

Unique name of the auth backend to configure.

property boundAccountIds

public boundAccountIds: pulumi.Output<string[] | undefined>;

If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundAmiIds

public boundAmiIds: pulumi.Output<string[] | undefined>;

If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundEc2InstanceIds

public boundEc2InstanceIds: pulumi.Output<string[] | undefined>;

Only EC2 instances that match this instance ID will be permitted to log in.

property boundIamInstanceProfileArns

public boundIamInstanceProfileArns: pulumi.Output<string[] | undefined>;

If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundIamPrincipalArns

public boundIamPrincipalArns: pulumi.Output<string[] | undefined>;

If set, defines the IAM principal that must be authenticated when authType is set to iam. Wildcards are supported at the end of the ARN.

property boundIamRoleArns

public boundIamRoleArns: pulumi.Output<string[] | undefined>;

If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundRegions

public boundRegions: pulumi.Output<string[] | undefined>;

If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundSubnetIds

public boundSubnetIds: pulumi.Output<string[] | undefined>;

If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundVpcIds

public boundVpcIds: pulumi.Output<string[] | undefined>;

If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property disallowReauthentication

public disallowReauthentication: pulumi.Output<boolean | undefined>;

If set to true, only allows a single token to be granted per instance ID. This can only be set when authType is set to ec2.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property inferredAwsRegion

public inferredAwsRegion: pulumi.Output<string | undefined>;

When inferredEntityType is set, this is the region to search for the inferred entities. Required if inferredEntityType is set. This only applies when authType is set to iam.

property inferredEntityType

public inferredEntityType: pulumi.Output<string | undefined>;

If set, instructs Vault to turn on inferencing. The only valid value is ec2Instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when authType is set to iam.

property maxTtl

public maxTtl: pulumi.Output<number | undefined>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property period

public period: pulumi.Output<number | undefined>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

public policies: pulumi.Output<string[] | undefined>;

An array of strings specifying the policies to be set on tokens issued using this role.

property resolveAwsUniqueIds

public resolveAwsUniqueIds: pulumi.Output<boolean | undefined>;

If set to true, the boundIamPrincipalArns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a boundIamPrincipalArn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won’t get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.

property role

public role: pulumi.Output<string>;

The name of the role.

property roleTag

public roleTag: pulumi.Output<string | undefined>;

If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property tokenBoundCidrs

public tokenBoundCidrs: pulumi.Output<string[] | undefined>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

public tokenExplicitMaxTtl: pulumi.Output<number | undefined>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

public tokenMaxTtl: pulumi.Output<number | undefined>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

public tokenNoDefaultPolicy: pulumi.Output<boolean | undefined>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in tokenPolicies.

property tokenNumUses

public tokenNumUses: pulumi.Output<number | undefined>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

public tokenPeriod: pulumi.Output<number | undefined>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

public tokenPolicies: pulumi.Output<string[] | undefined>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

public tokenTtl: pulumi.Output<number | undefined>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

public tokenType: pulumi.Output<string | undefined>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

public ttl: pulumi.Output<number | undefined>;

The TTL period of tokens issued using this role, provided as a number of seconds.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
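An added illustration, not code from this page or from Vault, of how the bound* constraints described above compose for an ec2-type role: every constraint that is set must hold, a list constraint is satisfied by any of its entries, and boundIamInstanceProfileArns is prefix-matched as though each value ended in *. The role and instance values are constructed (the account, AMI and VPC IDs mirror the page's example); which identity field Vault obtains from the identity document versus the EC2 API is simplified, and the claim that Vault refuses a role with no bound constraint is an assumption of this example.

```typescript
// Added example: how the bound* constraints of an AuthBackendRole compose for an
// ec2-type login. A model of the documented semantics, not Vault's own code.

interface Ec2RoleConstraints {
  boundAccountIds?: string[];
  boundAmiIds?: string[];
  boundEc2InstanceIds?: string[];
  boundIamInstanceProfileArns?: string[];
  boundIamRoleArns?: string[];
  boundRegions?: string[];
  boundSubnetIds?: string[];
  boundVpcIds?: string[];
}

// What the constraints are checked against: fields from the signed instance
// identity document plus those Vault looks up through the EC2 API (assumption:
// which field comes from which source is simplified here).
interface InstanceIdentity {
  accountId: string;
  imageId: string;
  instanceId: string;
  region: string;
  subnetId?: string;
  vpcId?: string;
  instanceProfileArn?: string;
  iamRoleArn?: string;
}

// Returns the names of the constraints the instance fails. An empty list means the
// login is permitted: every constraint that is set must hold (AND), and a list
// constraint holds if any entry matches (OR). Reporting every failed constraint
// rather than stopping at the first is what you want in an audit log.
function evaluateEc2Role(role: Ec2RoleConstraints, id: InstanceIdentity): string[] {
  const failed: string[] = [];
  const exact = (name: keyof Ec2RoleConstraints, actual: string | undefined): void => {
    const bound = role[name];
    if (bound === undefined) return; // constraint not set: no restriction
    if (actual === undefined || bound.indexOf(actual) < 0) failed.push(name);
  };
  exact("boundAccountIds", id.accountId);
  exact("boundAmiIds", id.imageId);
  exact("boundEc2InstanceIds", id.instanceId);
  exact("boundRegions", id.region);
  exact("boundSubnetIds", id.subnetId);
  exact("boundVpcIds", id.vpcId);
  exact("boundIamRoleArns", id.iamRoleArn);

  // Instance profile ARNs are prefix-matched, as though each bound value ended in *.
  const profiles = role.boundIamInstanceProfileArns;
  const arn = id.instanceProfileArn;
  if (profiles !== undefined) {
    let matched = false;
    if (arn !== undefined) {
      for (const p of profiles) {
        if (arn.indexOf(p) === 0) matched = true;
      }
    }
    if (!matched) failed.push("boundIamInstanceProfileArns");
  }
  return failed;
}

// A role with no bound constraint would admit any EC2 instance in any account
// that can reach Vault. Vault itself refuses to store such a role (an assumption
// of this example, not stated on the page); checking it before deploying is cheap.
function hasAnyConstraint(role: Ec2RoleConstraints): boolean {
  const keys = Object.keys(role) as (keyof Ec2RoleConstraints)[];
  for (const k of keys) {
    const v = role[k];
    if (v !== undefined && v.length > 0) return true;
  }
  return false;
}

// Constructed sample mirroring the page's example values; the subnet ID,
// instance ID and profile suffix are placeholders.
const sampleRole: Ec2RoleConstraints = {
  boundAccountIds: ["123456789012"],
  boundAmiIds: ["ami-8c1be5f6"],
  boundVpcIds: ["vpc-b61106d4"],
  boundSubnetIds: ["subnet-0a1b2c3d"],
  boundIamInstanceProfileArns: ["arn:aws:iam::123456789012:instance-profile/MyProfile"],
};

const matchingInstance: InstanceIdentity = {
  accountId: "123456789012",
  imageId: "ami-8c1be5f6",
  instanceId: "i-0123456789abcdef0",
  region: "us-east-1",
  subnetId: "subnet-0a1b2c3d",
  vpcId: "vpc-b61106d4",
  // Prefix match: MyProfile-blue is accepted by the bound value MyProfile.
  instanceProfileArn: "arn:aws:iam::123456789012:instance-profile/MyProfile-blue",
};

// Same VPC and subnet values, but another account: its account, AMI and
// profile ARN all fail, so the denial names three constraints.
const foreignInstance: InstanceIdentity = {
  ...matchingInstance,
  accountId: "999999999999",
  imageId: "ami-00000000",
  instanceProfileArn: "arn:aws:iam::999999999999:instance-profile/MyProfile",
};
```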

Resource AuthBackendRoleTag

class AuthBackendRoleTag extends CustomResource

Reads role tag information from an AWS auth backend in Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const aws = new vault.AuthBackend("aws", {
    path: "%s",
    type: "aws",
});
const role = new vault.aws.AuthBackendRole("role", {
    authType: "ec2",
    backend: aws.path,
    boundAccountIds: ["123456789012"],
    policies: [
        "dev",
        "prod",
        "qa",
        "test",
    ],
    role: "%s",
    roleTag: "VaultRoleTag",
});
const test = new vault.aws.AuthBackendRoleTag("test", {
    backend: aws.path,
    instanceId: "i-1234567",
    maxTtl: "1h",
    policies: [
        "prod",
        "dev",
        "test",
    ],
    role: role.role,
});

constructor

new AuthBackendRoleTag(name: string, args: AuthBackendRoleTagArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendRoleTag resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendRoleTagState, opts?: pulumi.CustomResourceOptions): AuthBackendRoleTag

Get an existing AuthBackendRoleTag resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendRoleTag

Returns true if the given object is an instance of AuthBackendRoleTag. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property allowInstanceMigration

public allowInstanceMigration: pulumi.Output<boolean | undefined>;

If set, allows migration of the underlying instances where the client resides. Use with caution.

property backend

public backend: pulumi.Output<string | undefined>;

The path to the AWS auth backend to read role tags from, with no leading or trailing /s. Defaults to “aws”.

property disallowReauthentication

public disallowReauthentication: pulumi.Output<boolean | undefined>;

If set, only allows a single token to be granted per instance ID.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property instanceId

public instanceId: pulumi.Output<string | undefined>;

Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID.

property maxTtl

public maxTtl: pulumi.Output<string | undefined>;

The maximum TTL of the tokens issued using this role.

property policies

public policies: pulumi.Output<string[] | undefined>;

The policies to be associated with the tag. Must be a subset of the policies associated with the role.

property role

public role: pulumi.Output<string>;

The name of the AWS auth backend role to read role tags from, with no leading or trailing /s.

property tagKey

public tagKey: pulumi.Output<string>;

The key of the role tag.

property tagValue

public tagValue: pulumi.Output<string>;

The value to set for the role tag key.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AuthBackendRoletagBlacklist

class AuthBackendRoletagBlacklist extends CustomResource

Configures the periodic tidying operation of the blacklisted role tag entries.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const exampleAuthBackend = new vault.AuthBackend("example", {
    type: "aws",
});
const exampleAuthBackendRoletagBlacklist = new vault.aws.AuthBackendRoletagBlacklist("example", {
    backend: exampleAuthBackend.path,
    safetyBuffer: 360,
});

constructor

new AuthBackendRoletagBlacklist(name: string, args: AuthBackendRoletagBlacklistArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendRoletagBlacklist resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendRoletagBlacklistState, opts?: pulumi.CustomResourceOptions): AuthBackendRoletagBlacklist

Get an existing AuthBackendRoletagBlacklist resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendRoletagBlacklist

Returns true if the given object is an instance of AuthBackendRoletagBlacklist. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property backend

public backend: pulumi.Output<string>;

The path the AWS auth backend being configured was mounted at.

property disablePeriodicTidy

public disablePeriodicTidy: pulumi.Output<boolean | undefined>;

If set to true, disables the periodic tidying of the roletag blacklist entries. Defaults to false.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property safetyBuffer

public safetyBuffer: pulumi.Output<number | undefined>;

The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage. Defaults to 259,200 seconds, or 72 hours.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AuthBackendStsRole

class AuthBackendStsRole extends CustomResource

constructor

new AuthBackendStsRole(name: string, args: AuthBackendStsRoleArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendStsRole resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendStsRoleState, opts?: pulumi.CustomResourceOptions): AuthBackendStsRole

Get an existing AuthBackendStsRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendStsRole

Returns true if the given object is an instance of AuthBackendStsRole. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accountId

public accountId: pulumi.Output<string>;

The AWS account ID to configure the STS role for.

property backend

public backend: pulumi.Output<string | undefined>;

The path the AWS auth backend being configured was mounted at. Defaults to aws.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property stsRole

public stsRole: pulumi.Output<string>;

The STS role to assume when verifying requests made by EC2 instances in the account specified by accountId.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource SecretBackend

class SecretBackend extends CustomResource

constructor

new SecretBackend(name: string, args?: SecretBackendArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretBackend resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretBackendState, opts?: pulumi.CustomResourceOptions): SecretBackend

Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretBackend

Returns true if the given object is an instance of SecretBackend. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accessKey

public accessKey: pulumi.Output<string | undefined>;

The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

property defaultLeaseTtlSeconds

public defaultLeaseTtlSeconds: pulumi.Output<number>;

The default TTL for credentials issued by this backend.

property description

public description: pulumi.Output<string | undefined>;

A human-friendly description for this backend.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property maxLeaseTtlSeconds

public maxLeaseTtlSeconds: pulumi.Output<number>;

The maximum TTL that can be requested for credentials issued by this backend.

property path

public path: pulumi.Output<string | undefined>;

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.

property region

public region: pulumi.Output<string>;

The AWS region for API calls. Defaults to us-east-1.

property secretKey

public secretKey: pulumi.Output<string | undefined>;

The AWS Secret Key this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource SecretBackendRole

class SecretBackendRole extends CustomResource

constructor

new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretBackendRole resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretBackendRoleState, opts?: pulumi.CustomResourceOptions): SecretBackendRole

Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretBackendRole

Returns true if the given object is an instance of SecretBackendRole. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property backend

public backend: pulumi.Output<string>;

The path the AWS secret backend is mounted at, with no leading or trailing /s.

property credentialType

public credentialType: pulumi.Output<string>;

Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iamUser, assumedRole, or federationToken.

property defaultStsTtl

public defaultStsTtl: pulumi.Output<number>;

The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credentialType is one of assumedRole or federationToken.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property maxStsTtl

public maxStsTtl: pulumi.Output<number>;

The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at maxStsTtl). Valid only when credentialType is one of assumedRole or federationToken.

property name

public name: pulumi.Output<string>;

The name to identify this role within the backend. Must be unique within the backend.

property policyArns

public policyArns: pulumi.Output<string[] | undefined>;

Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iamUser, the policies will be attached to IAM users when they are requested. With assumedRole and federationToken, the policy ARNs will act as a filter on what the credentials can do, similar to policyDocument. When credentialType is iamUser or federationToken, at least one of policyDocument or policyArns must be specified.

property policyDocument

public policyDocument: pulumi.Output<string | undefined>;

The IAM policy document for the role. The behavior depends on the credential type. With iamUser, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumedRole and federationToken, the policy document will act as a filter on what the credentials can do, similar to policyArns.

property roleArns

public roleArns: pulumi.Output<string[] | undefined>;

Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credentialType is assumedRole and prohibited otherwise.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
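The credentialType, roleArns, policyArns/policyDocument and STS TTL properties above carry mutual constraints that Vault only reports when the role is written. The following is an added example, not code from the provider or from this page: a plain TypeScript pre-deploy check that encodes the rules the property descriptions state, so a contradictory role fails in CI rather than at apply time. The SecretBackendRoleConfig type and validateSecretBackendRole function are this example's own names, the defaultStsTtl-versus-maxStsTtl rule and the JSON parse of policyDocument are this example's own additions, and the sample configurations (account ID and ARNs included) are constructed placeholders.

```typescript
// Added example, not provider code: a pre-deploy consistency check for the
// SecretBackendRole arguments documented above. It encodes the rules the
// property descriptions state, so that a contradictory role fails in CI
// instead of at apply time. Names (SecretBackendRoleConfig,
// validateSecretBackendRole) are this example's own.

interface SecretBackendRoleConfig {
  backend: string;          // mount path, no leading or trailing "/"
  roleName: string;         // unique within the backend
  credentialType: string;   // iamUser | assumedRole | federationToken
  policyArns?: string[];
  policyDocument?: string;  // JSON IAM policy
  roleArns?: string[];      // assumedRole only
  defaultStsTtl?: number;   // seconds; assumedRole / federationToken only
  maxStsTtl?: number;       // seconds; assumedRole / federationToken only
}

const CREDENTIAL_TYPES = ["iamUser", "assumedRole", "federationToken"];
const STS_TYPES = ["assumedRole", "federationToken"];

function nonEmpty(list?: string[]): boolean {
  return list !== undefined && list.length > 0;
}

function validateSecretBackendRole(cfg: SecretBackendRoleConfig): string[] {
  const errors: string[] = [];

  if (cfg.backend === "" || cfg.backend.startsWith("/") || cfg.backend.endsWith("/")) {
    errors.push("backend must be a non-empty path with no leading or trailing /");
  }
  if (cfg.roleName === "") {
    errors.push("name must not be empty");
  }

  const ct = cfg.credentialType;
  if (CREDENTIAL_TYPES.indexOf(ct) === -1) {
    errors.push(`credentialType must be one of ${CREDENTIAL_TYPES.join(", ")} (got "${ct}")`);
    return errors; // every remaining rule depends on a valid credentialType
  }

  // iamUser and federationToken need something to scope the credentials.
  const hasPolicy =
    nonEmpty(cfg.policyArns) ||
    (cfg.policyDocument !== undefined && cfg.policyDocument.trim() !== "");
  if ((ct === "iamUser" || ct === "federationToken") && !hasPolicy) {
    errors.push(`${ct} requires at least one of policyDocument or policyArns`);
  }

  // roleArns: required for assumedRole, prohibited otherwise.
  if (ct === "assumedRole" && !nonEmpty(cfg.roleArns)) {
    errors.push("assumedRole requires roleArns");
  }
  if (ct !== "assumedRole" && nonEmpty(cfg.roleArns)) {
    errors.push(`roleArns is prohibited when credentialType is ${ct}`);
  }

  // STS TTLs are only meaningful for the two STS-backed credential types.
  const stsTtlSet = cfg.defaultStsTtl !== undefined || cfg.maxStsTtl !== undefined;
  if (stsTtlSet && STS_TYPES.indexOf(ct) === -1) {
    errors.push("defaultStsTtl and maxStsTtl are only valid for assumedRole or federationToken");
  }
  // This example's own rule (not on the page): requests are capped at
  // maxStsTtl, so a larger default can never take effect.
  if (cfg.defaultStsTtl !== undefined && cfg.maxStsTtl !== undefined && cfg.defaultStsTtl > cfg.maxStsTtl) {
    errors.push("defaultStsTtl exceeds maxStsTtl and would always be capped");
  }

  // This example's own rule: reject an unparseable policy document here
  // rather than letting IAM reject it at credential-issue time.
  if (cfg.policyDocument !== undefined) {
    try {
      JSON.parse(cfg.policyDocument);
    } catch (e) {
      errors.push("policyDocument is not valid JSON");
    }
  }
  return errors;
}

// Constructed sample inputs (account ID and ARNs are placeholders).
const deployRole: SecretBackendRoleConfig = {
  backend: "aws",
  roleName: "deploy",
  credentialType: "assumedRole",
  roleArns: ["arn:aws:iam::123456789012:role/deploy"],
  defaultStsTtl: 900,
  maxStsTtl: 3600,
};

const brokenRole: SecretBackendRoleConfig = {
  backend: "/aws/",
  roleName: "broken",
  credentialType: "iamUser",
  roleArns: ["arn:aws:iam::123456789012:role/deploy"],
  maxStsTtl: 3600,
};

console.log(validateSecretBackendRole(deployRole));  // [] (no findings)
console.log(validateSecretBackendRole(brokenRole));  // 4 findings
```

The check returns every violation rather than stopping at the first, except when credentialType itself is invalid, because all the other rules are conditioned on it.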

Functions

Function getAccessCredentials

getAccessCredentials(args: GetAccessCredentialsArgs, opts?: pulumi.InvokeOptions): Promise<GetAccessCredentialsResult>

Others

interface AuthBackendCertArgs

interface AuthBackendCertArgs

The set of arguments for constructing an AuthBackendCert resource.

property awsPublicCert

awsPublicCert: pulumi.Input<string>;

The Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. You can find this key in the AWS documentation.

property backend

backend?: pulumi.Input<string>;

The path the AWS auth backend being configured was mounted at. Defaults to aws.

property certName

certName: pulumi.Input<string>;

The name of the certificate.

property type

type?: pulumi.Input<string>;

Either “pkcs7” or “identity”, indicating the type of document which can be verified using the given certificate. Defaults to “pkcs7”.

interface AuthBackendCertState

interface AuthBackendCertState

Input properties used for looking up and filtering AuthBackendCert resources.

property awsPublicCert

awsPublicCert?: pulumi.Input<string>;

The Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. You can find this key in the AWS documentation.

property backend

backend?: pulumi.Input<string>;

The path the AWS auth backend being configured was mounted at. Defaults to aws.

property certName

certName?: pulumi.Input<string>;

The name of the certificate.

property type

type?: pulumi.Input<string>;

Either “pkcs7” or “identity”, indicating the type of document which can be verified using the given certificate. Defaults to “pkcs7”.

interface AuthBackendClientArgs

interface AuthBackendClientArgs

The set of arguments for constructing an AuthBackendClient resource.

property accessKey

accessKey?: pulumi.Input<string>;

The AWS access key that Vault should use for the auth backend.

property backend

backend?: pulumi.Input<string>;

The path the AWS auth backend being configured was mounted at. Defaults to aws.

property ec2Endpoint

ec2Endpoint?: pulumi.Input<string>;

Override the URL Vault uses when making EC2 API calls.

property iamEndpoint

iamEndpoint?: pulumi.Input<string>;

Override the URL Vault uses when making IAM API calls.

property iamServerIdHeaderValue

iamServerIdHeaderValue?: pulumi.Input<string>;

The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.

property secretKey

secretKey?: pulumi.Input<string>;

The AWS secret key that Vault should use for the auth backend.

property stsEndpoint

stsEndpoint?: pulumi.Input<string>;

Override the URL Vault uses when making STS API calls.

interface AuthBackendClientState

interface AuthBackendClientState

Input properties used for looking up and filtering AuthBackendClient resources.

property accessKey

accessKey?: pulumi.Input<string>;

The AWS access key that Vault should use for the auth backend.

property backend

backend?: pulumi.Input<string>;

The path the AWS auth backend being configured was mounted at. Defaults to aws.

property ec2Endpoint

ec2Endpoint?: pulumi.Input<string>;

Override the URL Vault uses when making EC2 API calls.

property iamEndpoint

iamEndpoint?: pulumi.Input<string>;

Override the URL Vault uses when making IAM API calls.

property iamServerIdHeaderValue

iamServerIdHeaderValue?: pulumi.Input<string>;

The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.

property secretKey

secretKey?: pulumi.Input<string>;

The AWS secret key that Vault should use for the auth backend.

property stsEndpoint

stsEndpoint?: pulumi.Input<string>;

Override the URL Vault uses when making STS API calls.

interface AuthBackendIdentityWhitelistArgs

interface AuthBackendIdentityWhitelistArgs

The set of arguments for constructing an AuthBackendIdentityWhitelist resource.

property backend

backend?: pulumi.Input<string>;

The path of the AWS backend being configured.

property disablePeriodicTidy

disablePeriodicTidy?: pulumi.Input<boolean>;

If set to true, disables the periodic tidying of the identity-whitelist entries.

property safetyBuffer

safetyBuffer?: pulumi.Input<number>;

The amount of extra time, in minutes, that must have passed beyond the roletag expiration before it is removed from the backend storage.

interface AuthBackendIdentityWhitelistState

interface AuthBackendIdentityWhitelistState

Input properties used for looking up and filtering AuthBackendIdentityWhitelist resources.

property backend

backend?: pulumi.Input<string>;

The path of the AWS backend being configured.

property disablePeriodicTidy

disablePeriodicTidy?: pulumi.Input<boolean>;

If set to true, disables the periodic tidying of the identity-whitelist entries.

property safetyBuffer

safetyBuffer?: pulumi.Input<number>;

The amount of extra time, in minutes, that must have passed beyond the roletag expiration before it is removed from the backend storage.

interface AuthBackendLoginArgs

interface AuthBackendLoginArgs

The set of arguments for constructing an AuthBackendLogin resource.

property backend

backend?: pulumi.Input<string>;

The unique name of the AWS auth backend. Defaults to ‘aws’.

property iamHttpRequestMethod

iamHttpRequestMethod?: pulumi.Input<string>;

The HTTP method used in the signed IAM request.

property iamRequestBody

iamRequestBody?: pulumi.Input<string>;

The base64-encoded body of the signed request.

property iamRequestHeaders

iamRequestHeaders?: pulumi.Input<string>;

The base64-encoded, JSON serialized representation of the GetCallerIdentity HTTP request headers.

property iamRequestUrl

iamRequestUrl?: pulumi.Input<string>;

The base64-encoded HTTP URL used in the signed request.

property identity

identity?: pulumi.Input<string>;

The base64-encoded EC2 instance identity document to authenticate with. Can be retrieved from the EC2 metadata server.

property nonce

nonce?: pulumi.Input<string>;

The unique nonce to be used for login requests. Can be set to a user-specified value, or will contain the server-generated value once a token is issued. EC2 instances can only acquire a single token until the whitelist is tidied again unless they keep track of this nonce.

property pkcs7

pkcs7?: pulumi.Input<string>;

The PKCS#7 signature of the identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.

property role

role?: pulumi.Input<string>;

The name of the AWS auth backend role to create tokens against.

property signature

signature?: pulumi.Input<string>;

The base64-encoded SHA256 RSA signature of the instance identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.

interface AuthBackendLoginState

interface AuthBackendLoginState

Input properties used for looking up and filtering AuthBackendLogin resources.

property accessor

accessor?: pulumi.Input<string>;

The token’s accessor.

property authType

authType?: pulumi.Input<string>;

The authentication type used to generate this token.

property backend

backend?: pulumi.Input<string>;

The unique name of the AWS auth backend. Defaults to ‘aws’.

property clientToken

clientToken?: pulumi.Input<string>;

The token returned by Vault.

property iamHttpRequestMethod

iamHttpRequestMethod?: pulumi.Input<string>;

The HTTP method used in the signed IAM request.

property iamRequestBody

iamRequestBody?: pulumi.Input<string>;

The base64-encoded body of the signed request.

property iamRequestHeaders

iamRequestHeaders?: pulumi.Input<string>;

The base64-encoded, JSON serialized representation of the GetCallerIdentity HTTP request headers.

property iamRequestUrl

iamRequestUrl?: pulumi.Input<string>;

The base64-encoded HTTP URL used in the signed request.

property identity

identity?: pulumi.Input<string>;

The base64-encoded EC2 instance identity document to authenticate with. Can be retrieved from the EC2 metadata server.

property leaseDuration

leaseDuration?: pulumi.Input<number>;

The duration in seconds the token will be valid, relative to the time in leaseStartTime.

property leaseStartTime

leaseStartTime?: pulumi.Input<string>;

Time at which the lease was read, using the clock of the system where Terraform was running.

property metadata

metadata?: pulumi.Input<{[key: string]: any}>;

A map of information returned by the Vault server about the authentication used to generate this token.

property nonce

nonce?: pulumi.Input<string>;

The unique nonce to be used for login requests. Can be set to a user-specified value, or will contain the server-generated value once a token is issued. EC2 instances can only acquire a single token until the whitelist is tidied again unless they keep track of this nonce.

property pkcs7

pkcs7?: pulumi.Input<string>;

The PKCS#7 signature of the identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

The Vault policies assigned to this token.

property renewable

renewable?: pulumi.Input<boolean>;

Set to true if the token can be extended through renewal.

property role

role?: pulumi.Input<string>;

The name of the AWS auth backend role to create tokens against.

property signature

signature?: pulumi.Input<string>;

The base64-encoded SHA256 RSA signature of the instance identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.

interface AuthBackendRoleArgs

interface AuthBackendRoleArgs

The set of arguments for constructing an AuthBackendRole resource.

property allowInstanceMigration

allowInstanceMigration?: pulumi.Input<boolean>;

If set to true, allows migration of the underlying instance where the client resides.

property authType

authType?: pulumi.Input<string>;

The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.

property backend

backend?: pulumi.Input<string>;

Unique name of the auth backend to configure.

property boundAccountIds

boundAccountIds?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances running in an AWS account whose ID is listed in this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundAmiIds

boundAmiIds?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances launched from an AMI whose ID is listed in this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundEc2InstanceIds

boundEc2InstanceIds?: pulumi.Input<pulumi.Input<string>[]>;

Only EC2 instances that match this instance ID will be permitted to log in.

property boundIamInstanceProfileArns

boundIamInstanceProfileArns?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances associated with an IAM instance profile ARN that has a prefix matching the value specified by this field. The value is prefix-matched as though it were a glob ending in *. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundIamPrincipalArns

boundIamPrincipalArns?: pulumi.Input<pulumi.Input<string>[]>;

If set, defines the IAM principal that must be authenticated when authType is set to iam. Wildcards are supported at the end of the ARN.

property boundIamRoleArns

boundIamRoleArns?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances whose IAM role ARN matches the value specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundRegions

boundRegions?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances whose identity document reports a region matching the one specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundSubnetIds

boundSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances associated with a subnet whose ID matches the value specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundVpcIds

boundVpcIds?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances associated with a VPC whose ID matches the value specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property disallowReauthentication

disallowReauthentication?: pulumi.Input<boolean>;

If set to true, only allows a single token to be granted per instance ID. This can only be set when authType is set to ec2.

property inferredAwsRegion

inferredAwsRegion?: pulumi.Input<string>;

When inferredEntityType is set, this is the region to search for the inferred entities. Required if inferredEntityType is set. This only applies when authType is set to iam.

property inferredEntityType

inferredEntityType?: pulumi.Input<string>;

If set, instructs Vault to turn on inferencing. The only valid value is ec2Instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when authType is set to iam.

property maxTtl

DEPRECATED: use token_max_ttl (tokenMaxTtl) instead if you are running Vault >= 1.2.
maxTtl?: pulumi.Input<number>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property period

DEPRECATED: use token_period (tokenPeriod) instead if you are running Vault >= 1.2.
period?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

DEPRECATED: use token_policies (tokenPolicies) instead if you are running Vault >= 1.2.
policies?: pulumi.Input<pulumi.Input<string>[]>;

An array of strings specifying the policies to be set on tokens issued using this role.

property resolveAwsUniqueIds

resolveAwsUniqueIds?: pulumi.Input<boolean>;

If set to true, the boundIamPrincipalArns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a boundIamPrincipalArn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won’t get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.

property role

role: pulumi.Input<string>;

The name of the role.

property roleTag

roleTag?: pulumi.Input<string>;

If set, enables role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

DEPRECATED: use token_ttl (tokenTtl) instead if you are running Vault >= 1.2.
ttl?: pulumi.Input<number>;

The TTL period of tokens issued using this role, provided as a number of seconds.
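Many of the AuthBackendRoleArgs properties above are only valid for one auth type: the bound* EC2 constraints and roleTag need authType ec2 or inferredEntityType ec2Instance, boundIamPrincipalArns and inferredEntityType need authType iam, disallowReauthentication needs ec2, and inferredAwsRegion is required once inferredEntityType is set. Vault rejects the contradictory combinations only when the role is written. The following is an added example, not provider code or code from this page: a plain TypeScript lint of an argument set against those stated rules. It also warns on a principal ARN ending in a wildcard, since the resolveAwsUniqueIds description says such ARNs are not resolved to unique IDs, and on the deprecated ttl/maxTtl/period/policies fields. The AuthBackendRoleConfig type and lintAuthBackendRole function are this example's own names, the "no bound constraint at all" rule is this example's own assumption, and the sample roles are constructed placeholders.

```typescript
// Added example, not provider code: lint an AuthBackendRole argument set
// against the authType / inferredEntityType rules documented above, so that
// an ec2-only constraint on an iam role, or a principal binding on an ec2
// role, is caught before the role is written to Vault. Names
// (AuthBackendRoleConfig, lintAuthBackendRole) are this example's own.

interface AuthBackendRoleConfig {
  role: string;
  authType?: string;            // "ec2" | "iam"; defaults to iam
  inferredEntityType?: string;  // only "ec2Instance" is valid
  inferredAwsRegion?: string;   // required when inferredEntityType is set
  boundAccountIds?: string[];
  boundAmiIds?: string[];
  boundEc2InstanceIds?: string[];
  boundIamInstanceProfileArns?: string[];
  boundIamRoleArns?: string[];
  boundRegions?: string[];
  boundSubnetIds?: string[];
  boundVpcIds?: string[];
  boundIamPrincipalArns?: string[];
  roleTag?: string;
  disallowReauthentication?: boolean;
  ttl?: number;                 // deprecated, see tokenTtl
  maxTtl?: number;              // deprecated, see tokenMaxTtl
  period?: number;              // deprecated, see tokenPeriod
  policies?: string[];          // deprecated, see tokenPolicies
}

// Constraints that only apply to EC2 instances (directly, or inferred from an
// IAM instance profile when inferredEntityType is ec2Instance).
const EC2_ONLY: (keyof AuthBackendRoleConfig)[] = [
  "boundAccountIds", "boundAmiIds", "boundIamInstanceProfileArns",
  "boundIamRoleArns", "boundRegions", "boundSubnetIds", "boundVpcIds", "roleTag",
];
const DEPRECATED: (keyof AuthBackendRoleConfig)[] = ["ttl", "maxTtl", "period", "policies"];

function isSet(v: unknown): boolean {
  return Array.isArray(v) ? v.length > 0 : v !== undefined && v !== "";
}

function lintAuthBackendRole(cfg: AuthBackendRoleConfig): { errors: string[]; warnings: string[] } {
  const errors: string[] = [];
  const warnings: string[] = [];
  const authType = cfg.authType || "iam";

  if (authType !== "ec2" && authType !== "iam") {
    errors.push(`authType must be ec2 or iam (got "${authType}")`);
  }

  if (cfg.inferredEntityType !== undefined) {
    if (cfg.inferredEntityType !== "ec2Instance") errors.push("inferredEntityType: the only valid value is ec2Instance");
    if (authType !== "iam") errors.push("inferredEntityType only applies when authType is iam");
    if (!isSet(cfg.inferredAwsRegion)) errors.push("inferredAwsRegion is required when inferredEntityType is set");
  }

  const ec2Scoped = authType === "ec2" || cfg.inferredEntityType === "ec2Instance";
  for (const key of EC2_ONLY) {
    if (isSet(cfg[key]) && !ec2Scoped) {
      errors.push(`${key} requires authType=ec2 or inferredEntityType=ec2Instance`);
    }
  }
  if (isSet(cfg.boundIamPrincipalArns) && authType !== "iam") {
    errors.push("boundIamPrincipalArns only applies when authType is iam");
  }
  if (cfg.disallowReauthentication && authType !== "ec2") {
    errors.push("disallowReauthentication can only be set when authType is ec2");
  }

  // A trailing wildcard disables unique-ID resolution, so a deleted and
  // recreated principal with the same name would match again.
  for (const arn of cfg.boundIamPrincipalArns || []) {
    if (arn.endsWith("*")) {
      warnings.push(`${arn}: wildcard ARNs are not resolved to unique IDs; a recreated principal of the same name regains access`);
    }
  }

  // This example's own assumption (not stated on the page): a role with no
  // bound constraint of any kind is treated as a misconfiguration.
  const anyBinding =
    EC2_ONLY.some((k) => isSet(cfg[k])) || isSet(cfg.boundEc2InstanceIds) || isSet(cfg.boundIamPrincipalArns);
  if (!anyBinding) errors.push("role has no bound* constraint");

  for (const k of DEPRECATED) {
    if (isSet(cfg[k])) warnings.push(`${k} is deprecated; use its token* equivalent on Vault >= 1.2`);
  }
  return { errors, warnings };
}

// Constructed samples: a sound iam role and a role mixing ec2-only settings
// into the default (iam) auth type.
const webRole: AuthBackendRoleConfig = {
  role: "web",
  authType: "iam",
  boundIamPrincipalArns: ["arn:aws:iam::123456789012:role/web-*"],
};
const mixedRole: AuthBackendRoleConfig = {
  role: "mixed",
  boundVpcIds: ["vpc-0123456789abcdef0"],
  disallowReauthentication: true,
};

console.log(lintAuthBackendRole(webRole));    // no errors, one wildcard warning
console.log(lintAuthBackendRole(mixedRole));  // two errors
```

Because authType defaults to iam, a role that omits it and sets only EC2 constraints is the common mistake this catches; the same function can be run over every role in a stack before pulumi up.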

interface AuthBackendRoleState

interface AuthBackendRoleState

Input properties used for looking up and filtering AuthBackendRole resources.

property allowInstanceMigration

allowInstanceMigration?: pulumi.Input<boolean>;

If set to true, allows migration of the underlying instance where the client resides.

property authType

authType?: pulumi.Input<string>;

The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.

property backend

backend?: pulumi.Input<string>;

Unique name of the auth backend to configure.

property boundAccountIds

boundAccountIds?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances running in an AWS account whose ID is listed in this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundAmiIds

boundAmiIds?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances launched from an AMI whose ID is listed in this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundEc2InstanceIds

boundEc2InstanceIds?: pulumi.Input<pulumi.Input<string>[]>;

Only EC2 instances that match this instance ID will be permitted to log in.

property boundIamInstanceProfileArns

boundIamInstanceProfileArns?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances associated with an IAM instance profile ARN that has a prefix matching the value specified by this field. The value is prefix-matched as though it were a glob ending in *. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundIamPrincipalArns

boundIamPrincipalArns?: pulumi.Input<pulumi.Input<string>[]>;

If set, defines the IAM principal that must be authenticated when authType is set to iam. Wildcards are supported at the end of the ARN.

property boundIamRoleArns

boundIamRoleArns?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances whose IAM role ARN matches the value specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundRegions

boundRegions?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances whose identity document reports a region matching the one specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundSubnetIds

boundSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances associated with a subnet whose ID matches the value specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property boundVpcIds

boundVpcIds?: pulumi.Input<pulumi.Input<string>[]>;

If set, constrains the login operation to EC2 instances associated with a VPC whose ID matches the value specified by this field. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property disallowReauthentication

disallowReauthentication?: pulumi.Input<boolean>;

If set to true, only allows a single token to be granted per instance ID. This can only be set when authType is set to ec2.

property inferredAwsRegion

inferredAwsRegion?: pulumi.Input<string>;

When inferredEntityType is set, this is the region to search for the inferred entities. Required if inferredEntityType is set. This only applies when authType is set to iam.

property inferredEntityType

inferredEntityType?: pulumi.Input<string>;

If set, instructs Vault to turn on inferencing. The only valid value is ec2Instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when authType is set to iam.

property maxTtl

DEPRECATED: use token_max_ttl (tokenMaxTtl) instead if you are running Vault >= 1.2.
maxTtl?: pulumi.Input<number>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property period

DEPRECATED: use token_period (tokenPeriod) instead if you are running Vault >= 1.2.
period?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

DEPRECATED: use token_policies (tokenPolicies) instead if you are running Vault >= 1.2.
policies?: pulumi.Input<pulumi.Input<string>[]>;

An array of strings specifying the policies to be set on tokens issued using this role.

property resolveAwsUniqueIds

resolveAwsUniqueIds?: pulumi.Input<boolean>;

If set to true, the boundIamPrincipalArns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a boundIamPrincipalArn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won’t get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.

property role

role?: pulumi.Input<string>;

The name of the role.

property roleTag

roleTag?: pulumi.Input<string>;

If set, enables role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. authType must be set to ec2 or inferredEntityType must be set to ec2Instance to use this constraint.

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

DEPRECATED use token_ttl instead if you are running Vault >= 1.2
ttl?: pulumi.Input<number>;

The TTL period of tokens issued using this role, provided as a number of seconds.

interface AuthBackendRoleTagArgs

interface AuthBackendRoleTagArgs

The set of arguments for constructing an AuthBackendRoleTag resource.

property allowInstanceMigration

allowInstanceMigration?: pulumi.Input<boolean>;

If set, allows migration of the underlying instances where the client resides. Use with caution.

property backend

backend?: pulumi.Input<string>;

The path to the AWS auth backend to read role tags from, with no leading or trailing /s. Defaults to “aws”.

property disallowReauthentication

disallowReauthentication?: pulumi.Input<boolean>;

If set, only allows a single token to be granted per instance ID.

property instanceId

instanceId?: pulumi.Input<string>;

The instance ID this tag is intended for. If set, the created tag can only be used by the instance with the given ID.

property maxTtl

maxTtl?: pulumi.Input<string>;

The maximum TTL of the tokens issued using this role.

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

The policies to be associated with the tag. Must be a subset of the policies associated with the role.

property role

role: pulumi.Input<string>;

The name of the AWS auth backend role to read role tags from, with no leading or trailing /s.
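The AuthBackendRoleTag arguments above carry several constraints a practitioner would want checked before a tag is created: the tag's policies must be a subset of the role's policies, paths must have no leading or trailing slashes, and the instance-migration and instance-pinning options decide how tightly the tag is bound to one EC2 instance. The following lint is an added example, not code from the pulumi-vault module; it uses plain strings and arrays in place of `pulumi.Input<T>` so it runs without the Pulumi SDK, and the `rolePolicies` argument (the policies attached to the role in Vault) is assumed to be supplied by the caller.

```typescript
// Added example (not pulumi-vault code): plan-time lint for role tag input.
// Plain types stand in for pulumi.Input<T>.
interface RoleTagInput {
  role: string;
  backend?: string;
  policies?: string[];
  maxTtl?: string;
  instanceId?: string;
  allowInstanceMigration?: boolean;
  disallowReauthentication?: boolean;
}

// Returns a list of findings; an empty list means the tag input passed every check.
// `rolePolicies` are the policies attached to the named role (assumed supplied by the caller).
function lintRoleTag(tag: RoleTagInput, rolePolicies: string[]): string[] {
  const findings: string[] = [];

  // Both the backend path and the role name must have no leading or trailing "/".
  for (const p of [tag.role, tag.backend ?? "aws"]) {
    if (p.startsWith("/") || p.endsWith("/")) {
      findings.push(`path "${p}" must not have a leading or trailing /`);
    }
  }

  // The tag may only carry policies the role itself grants.
  const granted = new Set(rolePolicies);
  for (const policy of tag.policies ?? []) {
    if (!granted.has(policy)) {
      findings.push(`policy "${policy}" is not granted by role "${tag.role}"`);
    }
  }

  // Migration loosens the binding between tag and instance; the docs say to use it with caution.
  if (tag.allowInstanceMigration) {
    findings.push("allowInstanceMigration is set; use with caution");
  }

  // Without instanceId, any instance carrying the tag can use it.
  if (!tag.instanceId) {
    findings.push("instanceId is unset; the tag is not pinned to a single instance");
  }

  return findings;
}

// Constructed sample input for a stand-alone run.
const sampleFindings = lintRoleTag(
  { role: "web", policies: ["web-read"], instanceId: "i-0123456789abcdef0" },
  ["web-read", "web-write"],
);
console.log(sampleFindings.length === 0 ? "tag ok" : sampleFindings.join("\n"));
```

The `instanceId` finding is informational rather than an error; drop it if your fleet deliberately shares a tag across an autoscaling group.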

interface AuthBackendRoletagBlacklistArgs

interface AuthBackendRoletagBlacklistArgs

The set of arguments for constructing an AuthBackendRoletagBlacklist resource.

property backend

backend: pulumi.Input<string>;

The path the AWS auth backend being configured was mounted at.

property disablePeriodicTidy

disablePeriodicTidy?: pulumi.Input<boolean>;

If set to true, disables the periodic tidying of the roletag blacklist entries. Defaults to false.

property safetyBuffer

safetyBuffer?: pulumi.Input<number>;

The amount of extra time that must have passed beyond the role tag's expiration before it is removed from backend storage. Defaults to 259,200 seconds, or 72 hours.

interface AuthBackendRoletagBlacklistState

interface AuthBackendRoletagBlacklistState

Input properties used for looking up and filtering AuthBackendRoletagBlacklist resources.

property backend

backend?: pulumi.Input<string>;

The path the AWS auth backend being configured was mounted at.

property disablePeriodicTidy

disablePeriodicTidy?: pulumi.Input<boolean>;

If set to true, disables the periodic tidying of the roletag blacklist entries. Defaults to false.

property safetyBuffer

safetyBuffer?: pulumi.Input<number>;

The amount of extra time that must have passed beyond the role tag's expiration before it is removed from backend storage. Defaults to 259,200 seconds, or 72 hours.

interface AuthBackendRoleTagState

interface AuthBackendRoleTagState

Input properties used for looking up and filtering AuthBackendRoleTag resources.

property allowInstanceMigration

allowInstanceMigration?: pulumi.Input<boolean>;

If set, allows migration of the underlying instances where the client resides. Use with caution.

property backend

backend?: pulumi.Input<string>;

The path to the AWS auth backend to read role tags from, with no leading or trailing /s. Defaults to “aws”.

property disallowReauthentication

disallowReauthentication?: pulumi.Input<boolean>;

If set, only allows a single token to be granted per instance ID.

property instanceId

instanceId?: pulumi.Input<string>;

The instance ID this tag is intended for. If set, the created tag can only be used by the instance with the given ID.

property maxTtl

maxTtl?: pulumi.Input<string>;

The maximum TTL of the tokens issued using this role.

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

The policies to be associated with the tag. Must be a subset of the policies associated with the role.

property role

role?: pulumi.Input<string>;

The name of the AWS auth backend role to read role tags from, with no leading or trailing /s.

property tagKey

tagKey?: pulumi.Input<string>;

The key of the role tag.

property tagValue

tagValue?: pulumi.Input<string>;

The value to set for the role tag key.

interface AuthBackendStsRoleArgs

interface AuthBackendStsRoleArgs

The set of arguments for constructing an AuthBackendStsRole resource.

property accountId

accountId: pulumi.Input<string>;

The AWS account ID to configure the STS role for.

property backend

backend?: pulumi.Input<string>;

The path the AWS auth backend being configured was mounted at. Defaults to aws.

property stsRole

stsRole: pulumi.Input<string>;

The STS role to assume when verifying requests made by EC2 instances in the account specified by accountId.

interface AuthBackendStsRoleState

interface AuthBackendStsRoleState

Input properties used for looking up and filtering AuthBackendStsRole resources.

property accountId

accountId?: pulumi.Input<string>;

The AWS account ID to configure the STS role for.

property backend

backend?: pulumi.Input<string>;

The path the AWS auth backend being configured was mounted at. Defaults to aws.

property stsRole

stsRole?: pulumi.Input<string>;

The STS role to assume when verifying requests made by EC2 instances in the account specified by accountId.

interface GetAccessCredentialsArgs

interface GetAccessCredentialsArgs

A collection of arguments for invoking getAccessCredentials.

property backend

backend: string;

The path to the AWS secret backend to read credentials from, with no leading or trailing /s.

property role

role: string;

The name of the AWS secret backend role to read credentials from, with no leading or trailing /s.

property roleArn

roleArn?: undefined | string;

The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.

property type

type?: undefined | string;

The type of credentials to read. Defaults to "creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to "sts", which will return a security token in addition to the keys.

interface GetAccessCredentialsResult

interface GetAccessCredentialsResult

A collection of values returned by getAccessCredentials.

property accessKey

accessKey: string;

The AWS Access Key ID returned by Vault.

property backend

backend: string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property leaseDuration

leaseDuration: number;

The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed, any plan generated with this data may fail to apply.

property leaseId

leaseId: string;

The lease identifier assigned by Vault.

property leaseRenewable

leaseRenewable: boolean;

property leaseStartTime

leaseStartTime: string;

property role

role: string;

property roleArn

roleArn?: undefined | string;

property secretKey

secretKey: string;

The AWS Secret Key returned by Vault.

property securityToken

securityToken: string;

The STS token returned by Vault, if any.

property type

type?: undefined | string;
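The GetAccessCredentialsResult fields above are what a consumer hands to the AWS SDK, and the leaseDuration caveat (a plan built on expired credentials may fail to apply) is the check most often skipped. The following is an added example, not code from the pulumi-vault module: it converts a result into the standard AWS SDK environment variables, adds AWS_SESSION_TOKEN only for "sts" credentials, and refuses a lease with too little time left. It uses plain fields in place of the Pulumi output types and assumes leaseStartTime is an RFC 3339 timestamp that `Date.parse` accepts; the 300-second margin is a chosen default, not a documented value.

```typescript
// Added example (not pulumi-vault code): from getAccessCredentials result to AWS SDK env.
// Plain fields stand in for the Pulumi output types.
interface AccessCredentials {
  accessKey: string;
  secretKey: string;
  securityToken: string;   // empty unless type is "sts"
  type?: string;           // "creds" (default) or "sts"
  leaseId: string;
  leaseDuration: number;   // seconds, relative to leaseStartTime
  leaseStartTime: string;  // assumed RFC 3339, e.g. "2024-01-01T00:00:00Z"
  leaseRenewable: boolean;
}

// Seconds of lease left at `now`; zero or negative once the lease has run out.
function leaseSecondsRemaining(c: AccessCredentials, now: Date): number {
  const start = Date.parse(c.leaseStartTime);
  if (Number.isNaN(start)) {
    throw new Error(`unparseable leaseStartTime: ${c.leaseStartTime}`);
  }
  return Math.round((start + c.leaseDuration * 1000 - now.getTime()) / 1000);
}

// Builds the environment for a process that uses the AWS SDK. Throws when the lease
// will expire within `minRemainingSeconds` (assumed margin) or when an "sts" result
// is missing its session token.
function toAwsEnv(c: AccessCredentials, now: Date, minRemainingSeconds = 300): Record<string, string> {
  const remaining = leaseSecondsRemaining(c, now);
  if (remaining < minRemainingSeconds) {
    throw new Error(
      `lease ${c.leaseId} has ${remaining}s left (< ${minRemainingSeconds}s); request fresh credentials`,
    );
  }
  const env: Record<string, string> = {
    AWS_ACCESS_KEY_ID: c.accessKey,
    AWS_SECRET_ACCESS_KEY: c.secretKey,
  };
  if ((c.type ?? "creds") === "sts") {
    if (!c.securityToken) {
      throw new Error("type is sts but Vault returned no securityToken");
    }
    env.AWS_SESSION_TOKEN = c.securityToken;
  }
  return env;
}

// Constructed sample result (placeholder values, not real credentials).
const sampleStsResult: AccessCredentials = {
  accessKey: "ASIAEXAMPLEKEY",
  secretKey: "EXAMPLESECRET",
  securityToken: "EXAMPLESESSIONTOKEN",
  type: "sts",
  leaseId: "aws/sts/deploy/example-lease-id",
  leaseDuration: 3600,
  leaseStartTime: "2024-01-01T00:00:00Z",
  leaseRenewable: false,
};
console.log(Object.keys(toAwsEnv(sampleStsResult, new Date("2024-01-01T00:30:00Z"))));
```

Keep the margin at least as long as the plan-to-apply gap in your pipeline; a lease that is valid when the data source runs but gone by the time resources are created is exactly the failure the leaseDuration note describes.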

interface SecretBackendArgs

interface SecretBackendArgs

The set of arguments for constructing a SecretBackend resource.

property accessKey

accessKey?: pulumi.Input<string>;

The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

property defaultLeaseTtlSeconds

defaultLeaseTtlSeconds?: pulumi.Input<number>;

The default TTL for credentials issued by this backend.

property description

description?: pulumi.Input<string>;

A human-friendly description for this backend.

property maxLeaseTtlSeconds

maxLeaseTtlSeconds?: pulumi.Input<number>;

The maximum TTL that can be requested for credentials issued by this backend.

property path

path?: pulumi.Input<string>;

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.

property region

region?: pulumi.Input<string>;

The AWS region for API calls. Defaults to us-east-1.

property secretKey

secretKey?: pulumi.Input<string>;

The AWS Secret Key this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

interface SecretBackendRoleArgs

interface SecretBackendRoleArgs

The set of arguments for constructing a SecretBackendRole resource.

property backend

backend: pulumi.Input<string>;

The path the AWS secret backend is mounted at, with no leading or trailing /s.

property credentialType

credentialType: pulumi.Input<string>;

Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iamUser, assumedRole, or federationToken.

property defaultStsTtl

defaultStsTtl?: pulumi.Input<number>;

The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credentialType is one of assumedRole or federationToken.

property maxStsTtl

maxStsTtl?: pulumi.Input<number>;

The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at maxStsTtl). Valid only when credentialType is one of assumedRole or federationToken.

property name

name?: pulumi.Input<string>;

The name to identify this role within the backend. Must be unique within the backend.

property policyArns

policyArns?: pulumi.Input<pulumi.Input<string>[]>;

Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iamUser, the policies will be attached to IAM users when they are requested. With assumedRole and federationToken, the policy ARNs will act as a filter on what the credentials can do, similar to policyDocument. When credentialType is iamUser or federationToken, at least one of policyDocument or policyArns must be specified.

property policyDocument

policyDocument?: pulumi.Input<string>;

The IAM policy document for the role. The behavior depends on the credential type. With iamUser, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumedRole and federationToken, the policy document will act as a filter on what the credentials can do, similar to policyArns.

property roleArns

roleArns?: pulumi.Input<pulumi.Input<string>[]>;

Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credentialType is assumedRole and prohibited otherwise.
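The SecretBackendRole arguments above interlock: roleArns is required for assumedRole and prohibited otherwise, iamUser and federationToken need at least one of policyDocument or policyArns, and the STS TTLs only apply to the two STS credential types. Vault rejects a bad combination only at apply time, so the following added example (not code from the pulumi-vault module) checks those documented rules up front. Plain types stand in for `pulumi.Input<T>`; the JSON check on policyDocument and the "default must not exceed max" TTL check are sanity checks added here, not rules stated on this page.

```typescript
// Added example (not pulumi-vault code): validate SecretBackendRole input against the
// documented credentialType rules before it reaches Vault. Plain types stand in for pulumi.Input<T>.
type CredentialType = "iamUser" | "assumedRole" | "federationToken";

interface SecretRoleInput {
  backend: string;
  name?: string;
  credentialType: CredentialType;
  policyDocument?: string;
  policyArns?: string[];
  roleArns?: string[];
  defaultStsTtl?: number;
  maxStsTtl?: number;
}

// Returns a list of errors; an empty list means the role input is consistent.
function validateSecretRole(r: SecretRoleInput): string[] {
  const errors: string[] = [];

  if (r.backend.startsWith("/") || r.backend.endsWith("/")) {
    errors.push(`backend "${r.backend}" must have no leading or trailing /`);
  }

  const hasPolicy = !!r.policyDocument || (r.policyArns?.length ?? 0) > 0;
  const hasRoleArns = (r.roleArns?.length ?? 0) > 0;
  const isSts = r.credentialType === "assumedRole" || r.credentialType === "federationToken";

  // roleArns: required for assumedRole, prohibited for every other credential type.
  if (r.credentialType === "assumedRole" && !hasRoleArns) {
    errors.push("assumedRole requires at least one entry in roleArns");
  }
  if (r.credentialType !== "assumedRole" && hasRoleArns) {
    errors.push(`roleArns is prohibited when credentialType is ${r.credentialType}`);
  }

  // iamUser and federationToken must be scoped by a policy document or managed policy ARNs.
  if ((r.credentialType === "iamUser" || r.credentialType === "federationToken") && !hasPolicy) {
    errors.push(`${r.credentialType} requires policyDocument or policyArns`);
  }

  // STS TTLs are valid only for the STS credential types (assumption: a default above the cap is a mistake).
  if (!isSts && (r.defaultStsTtl !== undefined || r.maxStsTtl !== undefined)) {
    errors.push("defaultStsTtl and maxStsTtl are valid only for assumedRole or federationToken");
  }
  if (isSts && r.defaultStsTtl !== undefined && r.maxStsTtl !== undefined && r.defaultStsTtl > r.maxStsTtl) {
    errors.push(`defaultStsTtl (${r.defaultStsTtl}) exceeds maxStsTtl (${r.maxStsTtl})`);
  }

  // Sanity check added here: the policy document must at least be parseable JSON.
  if (r.policyDocument) {
    try {
      JSON.parse(r.policyDocument);
    } catch (e) {
      errors.push("policyDocument is not valid JSON");
    }
  }

  return errors;
}

// Constructed sample: a short-lived assumedRole role scoped by a policy filter.
const sampleRole: SecretRoleInput = {
  backend: "aws",
  name: "deploy",
  credentialType: "assumedRole",
  roleArns: ["arn:aws:iam::123456789012:role/deploy"], // placeholder account and role
  policyDocument: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: ["s3:GetObject"], Resource: ["arn:aws:s3:::example-bucket/*"] }],
  }),
  defaultStsTtl: 900,
  maxStsTtl: 3600,
};
console.log(validateSecretRole(sampleRole).length === 0 ? "role ok" : validateSecretRole(sampleRole).join("\n"));
```

Because policyDocument acts as a filter on the assumed role's permissions, the sample keeps it narrow; the Vault role can never hand out more than the intersection of the AWS role's policy and this document.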

interface SecretBackendRoleState

interface SecretBackendRoleState

Input properties used for looking up and filtering SecretBackendRole resources.

property backend

backend?: pulumi.Input<string>;

The path the AWS secret backend is mounted at, with no leading or trailing /s.

property credentialType

credentialType?: pulumi.Input<string>;

Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iamUser, assumedRole, or federationToken.

property defaultStsTtl

defaultStsTtl?: pulumi.Input<number>;

The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credentialType is one of assumedRole or federationToken.

property maxStsTtl

maxStsTtl?: pulumi.Input<number>;

The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped at maxStsTtl). Valid only when credentialType is one of assumedRole or federationToken.

property name

name?: pulumi.Input<string>;

The name to identify this role within the backend. Must be unique within the backend.

property policyArns

policyArns?: pulumi.Input<pulumi.Input<string>[]>;

Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iamUser, the policies will be attached to IAM users when they are requested. With assumedRole and federationToken, the policy ARNs will act as a filter on what the credentials can do, similar to policyDocument. When credentialType is iamUser or federationToken, at least one of policyDocument or policyArns must be specified.

property policyDocument

policyDocument?: pulumi.Input<string>;

The IAM policy document for the role. The behavior depends on the credential type. With iamUser, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumedRole and federationToken, the policy document will act as a filter on what the credentials can do, similar to policyArns.

property roleArns

roleArns?: pulumi.Input<pulumi.Input<string>[]>;

Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credentialType is assumedRole and prohibited otherwise.

interface SecretBackendState

interface SecretBackendState

Input properties used for looking up and filtering SecretBackend resources.

property accessKey

accessKey?: pulumi.Input<string>;

The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

property defaultLeaseTtlSeconds

defaultLeaseTtlSeconds?: pulumi.Input<number>;

The default TTL for credentials issued by this backend.

property description

description?: pulumi.Input<string>;

A human-friendly description for this backend.

property maxLeaseTtlSeconds

maxLeaseTtlSeconds?: pulumi.Input<number>;

The maximum TTL that can be requested for credentials issued by this backend.

property path

path?: pulumi.Input<string>;

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.

property region

region?: pulumi.Input<string>;

The AWS region for API calls. Defaults to us-east-1.

property secretKey

secretKey?: pulumi.Input<string>;

The AWS Secret Key this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.