Module gcp

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

Resources

Resource AuthBackend

class AuthBackend extends CustomResource

Provides a resource to configure the GCP auth backend within Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as vault from "@pulumi/vault";

const gcp = new vault.gcp.AuthBackend("gcp", {
    // The key file is a long-lived credential: wrap it in pulumi.secret so it is
    // encrypted in Pulumi state instead of being stored there in plaintext.
    credentials: pulumi.secret(fs.readFileSync("vault-gcp-credentials.json", "utf-8")),
});

constructor

new AuthBackend(name: string, args?: AuthBackendArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackend resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendState, opts?: pulumi.CustomResourceOptions): AuthBackend

Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackend

Returns true if the given object is an instance of AuthBackend. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property clientEmail

public clientEmail: pulumi.Output<string>;

The client email associated with the credentials

property clientId

public clientId: pulumi.Output<string>;

The Client ID of the credentials

property credentials

public credentials: pulumi.Output<string | undefined>;

A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.

property description

public description: pulumi.Output<string | undefined>;

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property path

public path: pulumi.Output<string | undefined>;

property privateKeyId

public privateKeyId: pulumi.Output<string>;

The ID of the private key from the credentials

property projectId

public projectId: pulumi.Output<string>;

The GCP Project ID

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
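The clientEmail, clientId, privateKeyId and projectId outputs are the non-secret identifiers of the service account key handed to Vault through credentials. The following is an added example, not code from this provider or from Vault: it parses a credentials file, checks that it is actually a service account key before it is mounted, and returns only those identifiers, so the private key is never passed around or logged. The credential JSON at the bottom is constructed for the example and the private key is a placeholder.

```typescript
// Shape of a GCP service account key file (the subset this check needs).
interface ServiceAccountCredentials {
  type: string;
  project_id: string;
  private_key_id: string;
  private_key: string;
  client_email: string;
  client_id: string;
}

// The fields Vault reports back from the auth backend config; nothing secret.
interface CredentialSummary {
  clientEmail: string;
  clientId: string;
  privateKeyId: string;
  projectId: string;
}

const REQUIRED_FIELDS: (keyof ServiceAccountCredentials)[] = [
  "type", "project_id", "private_key_id", "private_key", "client_email", "client_id",
];

// Parse and sanity-check a credentials file. Throws on anything that is not a
// complete service account key; the private_key never leaves this function.
function summarizeCredentials(json: string): CredentialSummary {
  let parsed: Partial<ServiceAccountCredentials> | undefined;
  try {
    parsed = JSON.parse(json);
  } catch {
    throw new Error("credentials is not valid JSON");
  }
  if (!parsed || typeof parsed !== "object") {
    throw new Error("credentials is not a JSON object");
  }
  for (const field of REQUIRED_FIELDS) {
    const value = parsed[field];
    if (typeof value !== "string" || value === "") {
      throw new Error(`credentials missing field ${field}`);
    }
  }
  const creds = parsed as ServiceAccountCredentials;
  if (creds.type !== "service_account") {
    // A user credential (type "authorized_user") must never be mounted as the backend identity.
    throw new Error(`expected a service_account key file, got type ${creds.type}`);
  }
  if (creds.private_key.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) {
    throw new Error("private_key is not a PEM PKCS#8 private key");
  }
  // Service account emails have a fixed shape; reject anything else.
  if (!/^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$/.test(creds.client_email)) {
    throw new Error(`client_email ${creds.client_email} is not a service account email`);
  }
  return {
    clientEmail: creds.client_email,
    clientId: creds.client_id,
    privateKeyId: creds.private_key_id,
    projectId: creds.project_id,
  };
}

// Constructed sample for the example; the key material is a placeholder, not a real key.
const SAMPLE_CREDENTIALS = JSON.stringify({
  type: "service_account",
  project_id: "example-project",
  private_key_id: "0123456789abcdef",
  private_key: "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n",
  client_email: "vault-auth@example-project.iam.gserviceaccount.com",
  client_id: "123456789012345678901",
});
```

Running summarizeCredentials over the file before constructing the AuthBackend turns a mis-pasted user credential or a truncated file into a deployment-time error rather than a backend that silently cannot verify logins.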

Resource AuthBackendRole

class AuthBackendRole extends CustomResource

Provides a resource to create a role in a GCP auth backend within Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// Mount the GCP auth method at auth/gcp.
const gcpAuthBackend = new vault.AuthBackend("gcpAuthBackend", {
    path: "gcp",
    type: "gcp",
});
// An iam-type role that only the named service account, in the named project, can log in with.
// role and type are required arguments.
const gcpAuthBackendRole = new vault.gcp.AuthBackendRole("gcpAuthBackendRole", {
    backend: gcpAuthBackend.path,
    role: "database-server",
    type: "iam",
    boundProjects: ["foo-bar-baz"],
    boundServiceAccounts: ["database-server@foo-bar-baz.iam.gserviceaccount.com"],
    tokenPolicies: ["database-server"],
});

constructor

new AuthBackendRole(name: string, args: AuthBackendRoleArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendRole resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendRoleState, opts?: pulumi.CustomResourceOptions): AuthBackendRole

Get an existing AuthBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendRole

Returns true if the given object is an instance of AuthBackendRole. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property addGroupAliases

public addGroupAliases: pulumi.Output<boolean>;

property allowGceInference

public allowGceInference: pulumi.Output<boolean>;

A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.

property backend

public backend: pulumi.Output<string | undefined>;

Path to the mounted GCP auth backend

property boundInstanceGroups

public boundInstanceGroups: pulumi.Output<string[]>;

The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either boundZones or boundRegions must be set too.

property boundLabels

public boundLabels: pulumi.Output<string[]>;

A list of GCP labels, each formatted as a "key:value" string, that must be set on authorized GCE instances. Because GCP labels are not ACL'd (anyone who can edit an instance's labels can satisfy this bound), use it together with other restrictions such as boundProjects or boundServiceAccounts.

property boundProjects

public boundProjects: pulumi.Output<string[] | undefined>;

GCP Projects that the role exists within

property boundRegions

public boundRegions: pulumi.Output<string[]>;

The list of regions that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a regional group and the group must belong to this region. If boundZones are provided, this attribute is ignored.

property boundServiceAccounts

public boundServiceAccounts: pulumi.Output<string[]>;

GCP service accounts allowed to log in under this role. Required when type is iam.

property boundZones

public boundZones: pulumi.Output<string[]>;

The list of zones that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a zonal group and the group must belong to this zone.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property maxJwtExp

public maxJwtExp: pulumi.Output<string>;

The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized.

property maxTtl

public maxTtl: pulumi.Output<string>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property period

public period: pulumi.Output<string>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

public policies: pulumi.Output<string[]>;

An array of strings specifying the policies to be set on tokens issued using this role.

property role

public role: pulumi.Output<string>;

Name of the GCP role

property tokenBoundCidrs

public tokenBoundCidrs: pulumi.Output<string[] | undefined>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

public tokenExplicitMaxTtl: pulumi.Output<number | undefined>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

public tokenMaxTtl: pulumi.Output<number | undefined>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

public tokenNoDefaultPolicy: pulumi.Output<boolean | undefined>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in tokenPolicies.

property tokenNumUses

public tokenNumUses: pulumi.Output<number | undefined>;

The maximum number of times a generated token may be used; 0 or unset means unlimited. When the count is exhausted the token is revoked.

property tokenPeriod

public tokenPeriod: pulumi.Output<number | undefined>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

public tokenPolicies: pulumi.Output<string[] | undefined>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

public tokenTtl: pulumi.Output<number | undefined>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
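The token* settings interact: tokenTtl sets the initial lifetime, tokenMaxTtl bounds how far renewals can extend it from the time of issue, tokenPeriod replaces both with a fixed renewal window, tokenExplicitMaxTtl caps everything, and tokenNumUses revokes the token after a fixed number of uses. As an added example (a model of the documented semantics, not Vault's own implementation), the code below lets those rules be exercised against concrete settings before a role is applied. Times are Unix seconds. The mount-level and system-level maximum TTLs that Vault also enforces are deliberately left out.

```typescript
// The lifetime-related arguments of a GCP auth role, with plain numbers
// (seconds) in place of pulumi.Input<number>.
interface TokenRoleSettings {
  tokenTtl: number;              // initial lifetime
  tokenMaxTtl?: number;          // renewals cannot push expiry past issuedAt + tokenMaxTtl
  tokenExplicitMaxTtl?: number;  // hard cap on total lifetime, applied even to periodic tokens
  tokenPeriod?: number;          // if > 0 the token is periodic: each renewal resets TTL to this
  tokenNumUses?: number;         // if > 0 the token is revoked after this many uses
}

interface IssuedToken {
  issuedAt: number;
  expiresAt: number;
  usesLeft: number | null;       // null = unlimited
  revoked: boolean;
}

// Clamp an expiry to issuedAt + limit when a positive limit is set.
function cap(expiry: number, issuedAt: number, limit?: number): number {
  return limit && limit > 0 ? Math.min(expiry, issuedAt + limit) : expiry;
}

function isPeriodic(s: TokenRoleSettings): boolean {
  return !!s.tokenPeriod && s.tokenPeriod > 0;
}

// Issue a token at time `now` under the role's settings.
function issueToken(s: TokenRoleSettings, now: number): IssuedToken {
  let expiresAt = now + (isPeriodic(s) ? s.tokenPeriod! : s.tokenTtl);
  if (!isPeriodic(s)) expiresAt = cap(expiresAt, now, s.tokenMaxTtl);
  expiresAt = cap(expiresAt, now, s.tokenExplicitMaxTtl);
  return {
    issuedAt: now,
    expiresAt,
    usesLeft: s.tokenNumUses && s.tokenNumUses > 0 ? s.tokenNumUses : null,
    revoked: false,
  };
}

function assertLive(t: IssuedToken, now: number): void {
  if (t.revoked) throw new Error("token revoked");
  if (now >= t.expiresAt) throw new Error("token expired");
}

// Renewal: a periodic token gets a fresh tokenPeriod regardless of tokenMaxTtl;
// any other token gets a fresh tokenTtl bounded by tokenMaxTtl measured from
// issue time. tokenExplicitMaxTtl is the final cap in both cases.
function renewToken(s: TokenRoleSettings, t: IssuedToken, now: number): IssuedToken {
  assertLive(t, now);
  let expiresAt = now + (isPeriodic(s) ? s.tokenPeriod! : s.tokenTtl);
  if (!isPeriodic(s)) expiresAt = cap(expiresAt, t.issuedAt, s.tokenMaxTtl);
  expiresAt = cap(expiresAt, t.issuedAt, s.tokenExplicitMaxTtl);
  if (expiresAt <= now) throw new Error("token has reached its max TTL and cannot be renewed");
  return { ...t, expiresAt };
}

// Each use of a token with tokenNumUses set consumes one use; the last use revokes it.
function useToken(t: IssuedToken, now: number): IssuedToken {
  assertLive(t, now);
  if (t.usesLeft === null) return t;
  const usesLeft = t.usesLeft - 1;
  return { ...t, usesLeft, revoked: usesLeft === 0 };
}
```

With tokenTtl 3600, tokenMaxTtl 7200 and tokenExplicitMaxTtl 5400, a renewal at t=3000 would otherwise run to 6600 but is cut to 5400 by the explicit max; a periodic role with tokenPeriod 600 keeps renewing past its tokenMaxTtl as long as each renewal happens inside the window.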

property tokenType

public tokenType: pulumi.Output<string | undefined>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

public ttl: pulumi.Output<string>;

The TTL period of tokens issued using this role, provided as a number of seconds.

property type

public type: pulumi.Output<string>;

Type of GCP authentication role (either gce or iam)

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
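Several of the constraints above (boundServiceAccounts required for iam roles, boundInstanceGroups needing a zone or region bound, the key:value label format, labels being a weak bound on their own, the deprecated ttl/maxTtl/period/policies fields) are only reported by Vault at apply time, if at all. The following is an added example, not code from this provider or from Vault: a pre-apply check over a plain-value mirror of AuthBackendRoleArgs that returns hard errors and least-privilege warnings. The interface and every message are this example's own.

```typescript
// Plain-value subset of AuthBackendRoleArgs (no pulumi.Input<> wrappers).
interface GcpRoleArgs {
  role: string;
  type: string;                       // "gce" or "iam"
  boundServiceAccounts?: string[];
  boundProjects?: string[];
  boundInstanceGroups?: string[];
  boundZones?: string[];
  boundRegions?: string[];
  boundLabels?: string[];
  tokenPolicies?: string[];
  tokenTtl?: number;
  tokenMaxTtl?: number;
  tokenExplicitMaxTtl?: number;
  policies?: string[];                // deprecated, use tokenPolicies
  ttl?: string;                       // deprecated, use tokenTtl
  maxTtl?: string;                    // deprecated, use tokenMaxTtl
  period?: string;                    // deprecated, use tokenPeriod
}

interface RoleCheck { errors: string[]; warnings: string[] }

const nonEmpty = (xs?: string[]): boolean => Array.isArray(xs) && xs.length > 0;

function checkGcpRole(a: GcpRoleArgs): RoleCheck {
  const errors: string[] = [];
  const warnings: string[] = [];

  if (a.type !== "gce" && a.type !== "iam") {
    errors.push(`type must be "gce" or "iam", got "${a.type}"`);
  }
  if (a.type === "iam" && !nonEmpty(a.boundServiceAccounts)) {
    errors.push("iam roles require boundServiceAccounts");
  }
  if (nonEmpty(a.boundInstanceGroups) && !nonEmpty(a.boundZones) && !nonEmpty(a.boundRegions)) {
    errors.push("boundInstanceGroups requires boundZones or boundRegions");
  }
  if (nonEmpty(a.boundZones) && nonEmpty(a.boundRegions)) {
    warnings.push("boundRegions is ignored when boundZones is set");
  }
  for (const label of a.boundLabels || []) {
    // Labels are passed as "key:value"; "key=value" is a common mistake.
    if (!/^[^:]+:[^:]*$/.test(label)) errors.push(`boundLabels entry "${label}" is not key:value`);
  }

  // Labels are not ACL'd in GCP, so a role bound only by labels can be
  // satisfied by anyone able to edit instance labels.
  const otherBounds = [a.boundServiceAccounts, a.boundProjects, a.boundInstanceGroups,
    a.boundZones, a.boundRegions].some(nonEmpty);
  if (nonEmpty(a.boundLabels) && !otherBounds) {
    warnings.push("boundLabels is the only restriction; combine it with boundProjects, boundServiceAccounts or a location bound");
  }
  if (a.type === "gce" && !otherBounds && !nonEmpty(a.boundLabels)) {
    warnings.push("gce role has no bound* restriction: nothing limits which GCE instances can log in");
  }

  const deprecated: Array<[string, unknown]> = [
    ["policies", a.policies], ["ttl", a.ttl], ["maxTtl", a.maxTtl], ["period", a.period],
  ];
  for (const [name, value] of deprecated) {
    if (value !== undefined) warnings.push(`${name} is deprecated; use the token* equivalent on Vault >= 1.2`);
  }
  if (a.tokenExplicitMaxTtl && a.tokenMaxTtl && a.tokenMaxTtl > a.tokenExplicitMaxTtl) {
    warnings.push("tokenMaxTtl exceeds tokenExplicitMaxTtl; the explicit max is the effective cap");
  }
  if (!nonEmpty(a.tokenPolicies) && !nonEmpty(a.policies)) {
    warnings.push("no tokenPolicies: tokens will carry only the default policy");
  }
  return { errors, warnings };
}
```

Run the check on the plain values before they are passed to new vault.gcp.AuthBackendRole(...) and fail the program on any error; the warnings are worth surfacing in review even when the role is otherwise valid.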

Resource SecretBackend

class SecretBackend extends CustomResource

constructor

new SecretBackend(name: string, args?: SecretBackendArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretBackend resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretBackendState, opts?: pulumi.CustomResourceOptions): SecretBackend

Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretBackend

Returns true if the given object is an instance of SecretBackend. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property credentials

public credentials: pulumi.Output<string | undefined>;

The GCP service account credentials in JSON format.

property defaultLeaseTtlSeconds

public defaultLeaseTtlSeconds: pulumi.Output<number | undefined>;

The default TTL, in seconds, for credentials issued by this backend. Defaults to 0, meaning the Vault system default applies.

property description

public description: pulumi.Output<string | undefined>;

A human-friendly description for this backend.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property maxLeaseTtlSeconds

public maxLeaseTtlSeconds: pulumi.Output<number | undefined>;

The maximum TTL, in seconds, that can be requested for credentials issued by this backend. Defaults to 0, meaning the Vault system maximum applies.

property path

public path: pulumi.Output<string | undefined>;

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource SecretRoleset

class SecretRoleset extends CustomResource

Creates a Roleset in the GCP Secrets Engine for Vault.

Each Roleset is tied to a Service Account, and can have one or more bindings associated with it.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as vault from "@pulumi/vault";

const project = "my-awesome-project";
const gcp = new vault.gcp.SecretBackend("gcp", {
    // Wrap the key file in pulumi.secret so it is encrypted in Pulumi state.
    credentials: pulumi.secret(fs.readFileSync("credentials.json", "utf-8")),
    path: "gcp",
});
const roleset = new vault.gcp.SecretRoleset("roleset", {
    backend: gcp.path,
    bindings: [{
        resource: `//cloudresourcemanager.googleapis.com/projects/${project}`,
        roles: ["roles/viewer"],
    }],
    project: project,
    roleset: "projectViewer",
    secretType: "accessToken",
    tokenScopes: ["https://www.googleapis.com/auth/cloud-platform"],
});

constructor

new SecretRoleset(name: string, args: SecretRolesetArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretRoleset resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretRolesetState, opts?: pulumi.CustomResourceOptions): SecretRoleset

Get an existing SecretRoleset resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretRoleset

Returns true if the given object is an instance of SecretRoleset. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property backend

public backend: pulumi.Output<string>;

Path where the GCP Secrets Engine is mounted

property bindings

public bindings: pulumi.Output<SecretRolesetBinding[]>;

Bindings to create for this roleset. Each binding names a GCP resource by its full resource name (for example //cloudresourcemanager.googleapis.com/projects/PROJECT) and lists the IAM roles the roleset's service account is granted on it; specify several bindings to grant roles on several resources.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property project

public project: pulumi.Output<string>;

Name of the GCP project that this roleset’s service account will belong to.

property roleset

public roleset: pulumi.Output<string>;

Name of the Roleset to create

property secretType

public secretType: pulumi.Output<string>;

Type of secret generated for this role set. Accepted values: accessToken (short-lived OAuth2 access tokens) and serviceAccountKey (a service account key that Vault deletes when its lease expires or is revoked; GCP limits each service account to 10 user-managed keys, so prefer accessToken where the consumer can use one). Defaults to accessToken.

property serviceAccountEmail

public serviceAccountEmail: pulumi.Output<string>;

Email of the service account created by Vault for this Roleset

property tokenScopes

public tokenScopes: pulumi.Output<string[] | undefined>;

List of OAuth scopes to assign to accessToken secrets generated under this role set (accessToken role sets only).

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
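The bindings argument is the whole of what a roleset's service account can do, so it is the place to enforce least privilege. As an added example (not code from this provider or from Vault), the helper below assembles bindings from individual (resource, role) grants, merges grants on the same resource, rejects the basic owner/editor roles and malformed resource or role names, and builds the full argument set with the secretType/tokenScopes consistency the page describes. The binding shape {resource, roles} and the project resource name format are taken from the example above; the rejection policy is this example's own.

```typescript
interface RolesetBinding { resource: string; roles: string[] }
interface Grant { resource: string; role: string }

// Basic roles grant far more than a roleset should ever carry.
const FORBIDDEN_ROLES = ["roles/owner", "roles/editor"];

// Predefined roles ("roles/x.y") or custom roles under a project or organization.
const ROLE_NAME = /^(roles\/[A-Za-z0-9.]+|(projects|organizations)\/[^/]+\/roles\/[A-Za-z0-9_.]+)$/;

// Full resource name of a project, as used in the example above.
function projectResource(project: string): string {
  return `//cloudresourcemanager.googleapis.com/projects/${project}`;
}

// Group grants by resource, de-duplicate roles, and refuse dangerous or malformed grants.
function buildBindings(grants: Grant[]): RolesetBinding[] {
  const byResource: { [resource: string]: string[] } = {};
  const order: string[] = [];
  for (const g of grants) {
    if (g.resource.indexOf("//") !== 0) {
      throw new Error(`resource "${g.resource}" must be a full resource name (//service.googleapis.com/...)`);
    }
    if (FORBIDDEN_ROLES.indexOf(g.role) >= 0) {
      throw new Error(`refusing to bind basic role ${g.role} on ${g.resource}`);
    }
    if (!ROLE_NAME.test(g.role)) {
      throw new Error(`"${g.role}" is not a predefined or custom role name`);
    }
    if (!byResource[g.resource]) {
      byResource[g.resource] = [];
      order.push(g.resource);
    }
    if (byResource[g.resource].indexOf(g.role) < 0) byResource[g.resource].push(g.role);
  }
  return order.map(resource => ({ resource, roles: byResource[resource].slice().sort() }));
}

type SecretType = "accessToken" | "serviceAccountKey";

// Plain-value mirror of SecretRolesetArgs.
interface RolesetArgs {
  backend: string;
  project: string;
  roleset: string;
  bindings: RolesetBinding[];
  secretType: SecretType;
  tokenScopes?: string[];
}

function rolesetArgs(opts: {
  backend: string; project: string; roleset: string; grants: Grant[];
  secretType?: SecretType; tokenScopes?: string[];
}): RolesetArgs {
  const secretType: SecretType = opts.secretType || "accessToken";
  // An access token is minted for a set of OAuth scopes, so this example requires them.
  if (secretType === "accessToken" && !(opts.tokenScopes && opts.tokenScopes.length > 0)) {
    throw new Error("accessToken rolesets need tokenScopes");
  }
  // tokenScopes apply to accessToken rolesets only; setting them elsewhere is a sign of confusion.
  if (secretType === "serviceAccountKey" && opts.tokenScopes !== undefined) {
    throw new Error("tokenScopes only apply to accessToken rolesets");
  }
  return {
    backend: opts.backend,
    project: opts.project,
    roleset: opts.roleset,
    bindings: buildBindings(opts.grants),
    secretType,
    tokenScopes: opts.tokenScopes,
  };
}
```

The returned object can be passed straight to new vault.gcp.SecretRoleset(name, args); grants are listed one per line in source, which keeps each additional permission visible in review.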

Others

interface AuthBackendArgs

interface AuthBackendArgs

The set of arguments for constructing a AuthBackend resource.

property clientEmail

clientEmail?: pulumi.Input<string>;

The client email associated with the credentials

property clientId

clientId?: pulumi.Input<string>;

The Client ID of the credentials

property credentials

credentials?: pulumi.Input<string>;

A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.

property description

description?: pulumi.Input<string>;

property path

path?: pulumi.Input<string>;

property privateKeyId

privateKeyId?: pulumi.Input<string>;

The ID of the private key from the credentials

property projectId

projectId?: pulumi.Input<string>;

The GCP Project ID

interface AuthBackendRoleArgs

interface AuthBackendRoleArgs

The set of arguments for constructing a AuthBackendRole resource.

property addGroupAliases

addGroupAliases?: pulumi.Input<boolean>;

property allowGceInference

allowGceInference?: pulumi.Input<boolean>;

A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.

property backend

backend?: pulumi.Input<string>;

Path to the mounted GCP auth backend

property boundInstanceGroups

boundInstanceGroups?: pulumi.Input<pulumi.Input<string>[]>;

The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either boundZones or boundRegions must be set too.

property boundLabels

boundLabels?: pulumi.Input<pulumi.Input<string>[]>;

A list of GCP labels, each formatted as a "key:value" string, that must be set on authorized GCE instances. Because GCP labels are not ACL'd (anyone who can edit an instance's labels can satisfy this bound), use it together with other restrictions such as boundProjects or boundServiceAccounts.

property boundProjects

boundProjects?: pulumi.Input<pulumi.Input<string>[]>;

GCP Projects that the role exists within

property boundRegions

boundRegions?: pulumi.Input<pulumi.Input<string>[]>;

The list of regions that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a regional group and the group must belong to this region. If boundZones are provided, this attribute is ignored.

property boundServiceAccounts

boundServiceAccounts?: pulumi.Input<pulumi.Input<string>[]>;

GCP service accounts allowed to log in under this role. Required when type is iam.

property boundZones

boundZones?: pulumi.Input<pulumi.Input<string>[]>;

The list of zones that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a zonal group and the group must belong to this zone.

property maxJwtExp

maxJwtExp?: pulumi.Input<string>;

The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized.

property maxTtl

DEPRECATED use token_max_ttl instead if you are running Vault >= 1.2
maxTtl?: pulumi.Input<string>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property period

DEPRECATED use token_period instead if you are running Vault >= 1.2
period?: pulumi.Input<string>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

DEPRECATED use token_policies instead if you are running Vault >= 1.2
policies?: pulumi.Input<pulumi.Input<string>[]>;

An array of strings specifying the policies to be set on tokens issued using this role.

property role

role: pulumi.Input<string>;

Name of the GCP role

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in tokenPolicies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The maximum number of times a generated token may be used; 0 or unset means unlimited. When the count is exhausted the token is revoked.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

DEPRECATED use token_ttl instead if you are running Vault >= 1.2
ttl?: pulumi.Input<string>;

The TTL period of tokens issued using this role, provided as a number of seconds.

property type

type: pulumi.Input<string>;

Type of GCP authentication role (either gce or iam)

interface AuthBackendRoleState

interface AuthBackendRoleState

Input properties used for looking up and filtering AuthBackendRole resources.

property addGroupAliases

addGroupAliases?: pulumi.Input<boolean>;

property allowGceInference

allowGceInference?: pulumi.Input<boolean>;

A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.

property backend

backend?: pulumi.Input<string>;

Path to the mounted GCP auth backend

property boundInstanceGroups

boundInstanceGroups?: pulumi.Input<pulumi.Input<string>[]>;

The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either boundZones or boundRegions must be set too.

property boundLabels

boundLabels?: pulumi.Input<pulumi.Input<string>[]>;

A list of GCP labels, each formatted as a "key:value" string, that must be set on authorized GCE instances. Because GCP labels are not ACL'd (anyone who can edit an instance's labels can satisfy this bound), use it together with other restrictions such as boundProjects or boundServiceAccounts.

property boundProjects

boundProjects?: pulumi.Input<pulumi.Input<string>[]>;

GCP Projects that the role exists within

property boundRegions

boundRegions?: pulumi.Input<pulumi.Input<string>[]>;

The list of regions that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a regional group and the group must belong to this region. If boundZones are provided, this attribute is ignored.

property boundServiceAccounts

boundServiceAccounts?: pulumi.Input<pulumi.Input<string>[]>;

GCP service accounts allowed to log in under this role. Required when type is iam.

property boundZones

boundZones?: pulumi.Input<pulumi.Input<string>[]>;

The list of zones that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a zonal group and the group must belong to this zone.

property maxJwtExp

maxJwtExp?: pulumi.Input<string>;

The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized.

property maxTtl

DEPRECATED use token_max_ttl instead if you are running Vault >= 1.2
maxTtl?: pulumi.Input<string>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property period

DEPRECATED use token_period instead if you are running Vault >= 1.2
period?: pulumi.Input<string>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

DEPRECATED use token_policies instead if you are running Vault >= 1.2
policies?: pulumi.Input<pulumi.Input<string>[]>;

An array of strings specifying the policies to be set on tokens issued using this role.

property role

role?: pulumi.Input<string>;

Name of the GCP role

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in tokenPolicies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The maximum number of times a generated token may be used; 0 or unset means unlimited. When the count is exhausted the token is revoked.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

DEPRECATED use token_ttl instead if you are running Vault >= 1.2
ttl?: pulumi.Input<string>;

The TTL period of tokens issued using this role, provided as a number of seconds.

property type

type?: pulumi.Input<string>;

Type of GCP authentication role (either gce or iam)

interface AuthBackendState

interface AuthBackendState

Input properties used for looking up and filtering AuthBackend resources.

property clientEmail

clientEmail?: pulumi.Input<string>;

The client email associated with the credentials

property clientId

clientId?: pulumi.Input<string>;

The Client ID of the credentials

property credentials

credentials?: pulumi.Input<string>;

A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.

property description

description?: pulumi.Input<string>;

property path

path?: pulumi.Input<string>;

property privateKeyId

privateKeyId?: pulumi.Input<string>;

The ID of the private key from the credentials

property projectId

projectId?: pulumi.Input<string>;

The GCP Project ID

interface SecretBackendArgs

interface SecretBackendArgs

The set of arguments for constructing a SecretBackend resource.

property credentials

credentials?: pulumi.Input<string>;

The GCP service account credentials in JSON format.

property defaultLeaseTtlSeconds

defaultLeaseTtlSeconds?: pulumi.Input<number>;

The default TTL, in seconds, for credentials issued by this backend. Defaults to 0, meaning the Vault system default applies.

property description

description?: pulumi.Input<string>;

A human-friendly description for this backend.

property maxLeaseTtlSeconds

maxLeaseTtlSeconds?: pulumi.Input<number>;

The maximum TTL, in seconds, that can be requested for credentials issued by this backend. Defaults to 0, meaning the Vault system maximum applies.

property path

path?: pulumi.Input<string>;

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp.

interface SecretBackendState

interface SecretBackendState

Input properties used for looking up and filtering SecretBackend resources.

property credentials

credentials?: pulumi.Input<string>;

The GCP service account credentials in JSON format.

property defaultLeaseTtlSeconds

defaultLeaseTtlSeconds?: pulumi.Input<number>;

The default TTL, in seconds, for credentials issued by this backend. Defaults to 0, meaning the Vault system default applies.

property description

description?: pulumi.Input<string>;

A human-friendly description for this backend.

property maxLeaseTtlSeconds

maxLeaseTtlSeconds?: pulumi.Input<number>;

The maximum TTL, in seconds, that can be requested for credentials issued by this backend. Defaults to 0, meaning the Vault system maximum applies.

property path

path?: pulumi.Input<string>;

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp.

interface SecretRolesetArgs

interface SecretRolesetArgs

The set of arguments for constructing a SecretRoleset resource.

property backend

backend: pulumi.Input<string>;

Path where the GCP Secrets Engine is mounted

property bindings

bindings: pulumi.Input<pulumi.Input<SecretRolesetBinding>[]>;

Bindings to create for this roleset. Each binding names a GCP resource by its full resource name (for example //cloudresourcemanager.googleapis.com/projects/PROJECT) and lists the IAM roles the roleset's service account is granted on it; specify several bindings to grant roles on several resources.

property project

project: pulumi.Input<string>;

Name of the GCP project that this roleset’s service account will belong to.

property roleset

roleset: pulumi.Input<string>;

Name of the Roleset to create

property secretType

secretType?: pulumi.Input<string>;

Type of secret generated for this role set. Accepted values: accessToken (short-lived OAuth2 access tokens) and serviceAccountKey (a service account key that Vault deletes when its lease expires or is revoked; GCP limits each service account to 10 user-managed keys, so prefer accessToken where the consumer can use one). Defaults to accessToken.

property tokenScopes

tokenScopes?: pulumi.Input<pulumi.Input<string>[]>;

List of OAuth scopes to assign to accessToken secrets generated under this role set (accessToken role sets only).

interface SecretRolesetState

interface SecretRolesetState

Input properties used for looking up and filtering SecretRoleset resources.

property backend

backend?: pulumi.Input<string>;

Path where the GCP Secrets Engine is mounted

property bindings

bindings?: pulumi.Input<pulumi.Input<SecretRolesetBinding>[]>;

Bindings to create for this roleset. Each binding names a GCP resource by its full resource name (for example //cloudresourcemanager.googleapis.com/projects/PROJECT) and lists the IAM roles the roleset's service account is granted on it; specify several bindings to grant roles on several resources.

property project

project?: pulumi.Input<string>;

Name of the GCP project that this roleset’s service account will belong to.

property roleset

roleset?: pulumi.Input<string>;

Name of the Roleset to create

property secretType

secretType?: pulumi.Input<string>;

Type of secret generated for this role set. Accepted values: accessToken (short-lived OAuth2 access tokens) and serviceAccountKey (a service account key that Vault deletes when its lease expires or is revoked; GCP limits each service account to 10 user-managed keys, so prefer accessToken where the consumer can use one). Defaults to accessToken.

property serviceAccountEmail

serviceAccountEmail?: pulumi.Input<string>;

Email of the service account created by Vault for this Roleset

property tokenScopes

tokenScopes?: pulumi.Input<pulumi.Input<string>[]>;

List of OAuth scopes to assign to accessToken secrets generated under this role set (accessToken role sets only).