aws

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

class pulumi_vault.aws.AuthBackendCert(resource_name, opts=None, aws_public_cert=None, backend=None, cert_name=None, type=None, __props__=None, __name__=None, __opts__=None)

Create an AuthBackendCert resource with the given unique name, props, and options.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • aws_public_cert (pulumi.Input[str]) – The Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. You can find this key in the AWS documentation.

  • backend (pulumi.Input[str]) – The path the AWS auth backend being configured was mounted at. Defaults to aws.

  • cert_name (pulumi.Input[str]) – The name of the certificate.

  • type (pulumi.Input[str]) – Either “pkcs7” or “identity”, indicating the type of document which can be verified using the given certificate. Defaults to “pkcs7”.

aws_public_cert: pulumi.Output[str] = None

The Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. You can find this key in the AWS documentation.

backend: pulumi.Output[str] = None

The path the AWS auth backend being configured was mounted at. Defaults to aws.

cert_name: pulumi.Output[str] = None

The name of the certificate.

type: pulumi.Output[str] = None

Either “pkcs7” or “identity”, indicating the type of document which can be verified using the given certificate. Defaults to “pkcs7”.

static get(resource_name, id, opts=None, aws_public_cert=None, backend=None, cert_name=None, type=None)

Get an existing AuthBackendCert resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • aws_public_cert (pulumi.Input[str]) –

    The Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. You can find this key in the AWS documentation.

  • backend (pulumi.Input[str]) – The path the AWS auth backend being configured was mounted at. Defaults to aws.

  • cert_name (pulumi.Input[str]) – The name of the certificate.

  • type (pulumi.Input[str]) – Either “pkcs7” or “identity”, indicating the type of document which can be verified using the given certificate. Defaults to “pkcs7”.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.aws.AuthBackendClient(resource_name, opts=None, access_key=None, backend=None, ec2_endpoint=None, iam_endpoint=None, iam_server_id_header_value=None, secret_key=None, sts_endpoint=None, __props__=None, __name__=None, __opts__=None)

Create an AuthBackendClient resource with the given unique name, props, and options.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • access_key (pulumi.Input[str]) – The AWS access key that Vault should use for the auth backend.

  • backend (pulumi.Input[str]) – The path the AWS auth backend being configured was mounted at. Defaults to aws.

  • ec2_endpoint (pulumi.Input[str]) – Override the URL Vault uses when making EC2 API calls.

  • iam_endpoint (pulumi.Input[str]) – Override the URL Vault uses when making IAM API calls.

  • iam_server_id_header_value (pulumi.Input[str]) – The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.

  • secret_key (pulumi.Input[str]) – The AWS secret key that Vault should use for the auth backend.

  • sts_endpoint (pulumi.Input[str]) – Override the URL Vault uses when making STS API calls.

access_key: pulumi.Output[str] = None

The AWS access key that Vault should use for the auth backend.

backend: pulumi.Output[str] = None

The path the AWS auth backend being configured was mounted at. Defaults to aws.

ec2_endpoint: pulumi.Output[str] = None

Override the URL Vault uses when making EC2 API calls.

iam_endpoint: pulumi.Output[str] = None

Override the URL Vault uses when making IAM API calls.

iam_server_id_header_value: pulumi.Output[str] = None

The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.

secret_key: pulumi.Output[str] = None

The AWS secret key that Vault should use for the auth backend.

sts_endpoint: pulumi.Output[str] = None

Override the URL Vault uses when making STS API calls.

static get(resource_name, id, opts=None, access_key=None, backend=None, ec2_endpoint=None, iam_endpoint=None, iam_server_id_header_value=None, secret_key=None, sts_endpoint=None)

Get an existing AuthBackendClient resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • access_key (pulumi.Input[str]) – The AWS access key that Vault should use for the auth backend.

  • backend (pulumi.Input[str]) – The path the AWS auth backend being configured was mounted at. Defaults to aws.

  • ec2_endpoint (pulumi.Input[str]) – Override the URL Vault uses when making EC2 API calls.

  • iam_endpoint (pulumi.Input[str]) – Override the URL Vault uses when making IAM API calls.

  • iam_server_id_header_value (pulumi.Input[str]) – The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.

  • secret_key (pulumi.Input[str]) – The AWS secret key that Vault should use for the auth backend.

  • sts_endpoint (pulumi.Input[str]) – Override the URL Vault uses when making STS API calls.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.aws.AuthBackendIdentityWhitelist(resource_name, opts=None, backend=None, disable_periodic_tidy=None, safety_buffer=None, __props__=None, __name__=None, __opts__=None)

Configures the periodic tidying operation of the whitelisted identity entries.

For more information, see the Vault docs.

import pulumi
import pulumi_vault as vault

example_auth_backend = vault.AuthBackend("exampleAuthBackend", type="aws")
example_auth_backend_identity_whitelist = vault.aws.AuthBackendIdentityWhitelist("exampleAuthBackendIdentityWhitelist",
    backend=example_auth_backend.path,
    safety_buffer=3600)

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – The path of the AWS backend being configured.

  • disable_periodic_tidy (pulumi.Input[bool]) – If set to true, disables the periodic tidying of the identity-whitelist entries.

  • safety_buffer (pulumi.Input[float]) – The amount of extra time, in minutes, that must have passed beyond the roletag expiration before it is removed from the backend storage.

backend: pulumi.Output[str] = None

The path of the AWS backend being configured.

disable_periodic_tidy: pulumi.Output[bool] = None

If set to true, disables the periodic tidying of the identity-whitelist entries.

safety_buffer: pulumi.Output[float] = None

The amount of extra time, in minutes, that must have passed beyond the roletag expiration before it is removed from the backend storage.

static get(resource_name, id, opts=None, backend=None, disable_periodic_tidy=None, safety_buffer=None)

Get an existing AuthBackendIdentityWhitelist resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – The path of the AWS backend being configured.

  • disable_periodic_tidy (pulumi.Input[bool]) – If set to true, disables the periodic tidying of the identity-whitelist entries.

  • safety_buffer (pulumi.Input[float]) – The amount of extra time, in minutes, that must have passed beyond the roletag expiration before it is removed from the backend storage.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.aws.AuthBackendLogin(resource_name, opts=None, backend=None, iam_http_request_method=None, iam_request_body=None, iam_request_headers=None, iam_request_url=None, identity=None, nonce=None, pkcs7=None, role=None, signature=None, __props__=None, __name__=None, __opts__=None)

Logs into a Vault server using an AWS auth backend. Login can be accomplished using a signed identity request from IAM or using ec2 instance metadata. For more information, see the Vault documentation.

import pulumi
import pulumi_vault as vault

aws = vault.AuthBackend("aws", type="aws")
example_auth_backend_client = vault.aws.AuthBackendClient("exampleAuthBackendClient",
    access_key="123456789012",
    backend=aws.path,
    secret_key="AWSSECRETKEYGOESHERE")
# bound_* constraints are lists (see the AuthBackendRole signature below), even for a single value
example_auth_backend_role = vault.aws.AuthBackendRole("exampleAuthBackendRole",
    auth_type="ec2",
    backend=aws.path,
    bound_account_ids=["123456789012"],
    bound_ami_ids=["ami-8c1be5f6"],
    bound_iam_instance_profile_arns=["arn:aws:iam::123456789012:instance-profile/MyProfile"],
    bound_subnet_ids=["vpc-133128f1"],
    bound_vpc_ids=["vpc-b61106d4"],
    max_ttl=120,
    role="test-role",
    token_policies=[
        "default",
        "dev",
        "prod",
    ],
    ttl=60)
# log in against the mount and role created above; identity and signature are placeholders
# for the values read from the EC2 metadata server
example_auth_backend_login = vault.aws.AuthBackendLogin("exampleAuthBackendLogin",
    backend=aws.path,
    identity="BASE64ENCODEDIDENTITYDOCUMENT",
    role=example_auth_backend_role.role,
    signature="BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – The unique name of the AWS auth backend. Defaults to ‘aws’.

  • iam_http_request_method (pulumi.Input[str]) – The HTTP method used in the signed IAM request.

  • iam_request_body (pulumi.Input[str]) – The base64-encoded body of the signed request.

  • iam_request_headers (pulumi.Input[str]) – The base64-encoded, JSON serialized representation of the GetCallerIdentity HTTP request headers.

  • iam_request_url (pulumi.Input[str]) – The base64-encoded HTTP URL used in the signed request.

  • identity (pulumi.Input[str]) – The base64-encoded EC2 instance identity document to authenticate with. Can be retrieved from the EC2 metadata server.

  • nonce (pulumi.Input[str]) – The unique nonce to be used for login requests. Can be set to a user-specified value, or will contain the server-generated value once a token is issued. EC2 instances can only acquire a single token until the whitelist is tidied again unless they keep track of this nonce.

  • pkcs7 (pulumi.Input[str]) – The PKCS#7 signature of the identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.

  • role (pulumi.Input[str]) – The name of the AWS auth backend role to create tokens against.

  • signature (pulumi.Input[str]) – The base64-encoded SHA256 RSA signature of the instance identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.
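For the iam_* inputs listed above, and the X-Vault-AWS-IAM-Server-ID header that AuthBackendClient's iam_server_id_header_value enforces, here is an added stand-alone Python example that is not part of this page, of pulumi-vault or of Vault: it builds a SigV4-signed GetCallerIdentity request with the standard library and encodes it into those fields. The access key, secret key, server ID and timestamp are constructed placeholders.

```python
"""Build the iam_* inputs of pulumi_vault.aws.AuthBackendLogin for an IAM login.

Added, stand-alone example (not pulumi-vault's or Vault's code): it signs an
sts:GetCallerIdentity request with AWS Signature Version 4 using only the
standard library, then base64-encodes the method, URL, body and headers in
the shape the AWS auth method consumes. The X-Vault-AWS-IAM-Server-ID header
is covered by the signature, which is what lets a mount configured with
iam_server_id_header_value reject requests that were signed for another
Vault cluster. Credentials and the clock below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime
from typing import Dict, Optional
from urllib.parse import urlparse

STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
REGION, SERVICE = "us-east-1", "sts"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str) -> bytes:
    # SigV4 derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    return _hmac(_hmac(_hmac(k_date, REGION), SERVICE), "aws4_request")


def sign_get_caller_identity(access_key: str, secret_key: str, server_id: str,
                             when: datetime, session_token: Optional[str] = None) -> Dict[str, str]:
    """Return the headers of a SigV4-signed POST to STS GetCallerIdentity."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": urlparse(STS_URL).netloc,
        "X-Amz-Date": amz_date,
        "X-Vault-AWS-IAM-Server-ID": server_id,
    }
    if session_token:  # temporary credentials (e.g. an assumed role) must send their token
        headers["X-Amz-Security-Token"] = session_token

    # Canonical headers: lowercase names, sorted, values trimmed, one per line.
    canon = sorted((k.lower(), v.strip()) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in canon)
    signed_headers = ";".join(k for k, _ in canon)
    payload_hash = hashlib.sha256(STS_BODY.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date_stamp),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def vault_iam_login_fields(headers: Dict[str, str]) -> Dict[str, str]:
    """Encode the signed request as the iam_* inputs; each header value is sent as a list."""
    b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return {
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        "iam_request_headers": b64(json.dumps({k: [v] for k, v in headers.items()})),
    }


def decode_login_fields(fields: Dict[str, str]) -> Dict:
    """Reverse the encoding: what the Vault server sees before replaying the request to STS."""
    return {
        "method": fields["iam_http_request_method"],
        "url": base64.b64decode(fields["iam_request_url"]).decode("utf-8"),
        "body": base64.b64decode(fields["iam_request_body"]).decode("utf-8"),
        "headers": json.loads(base64.b64decode(fields["iam_request_headers"])),
    }


def demo() -> Dict[str, str]:
    """Constructed placeholders (fake keys, fixed clock) so the output is reproducible."""
    headers = sign_get_caller_identity("AKIAEXAMPLEKEY000000", "EXAMPLE/SECRET/KEY/NOT/REAL",
                                       "vault.example.com", datetime(2020, 1, 2, 3, 4, 5))
    return vault_iam_login_fields(headers)


if __name__ == "__main__":
    print(json.dumps(decode_login_fields(demo()), indent=2))
```

A real client signs with its own (ideally temporary) credentials and a current clock; Vault replays the encoded request to STS and only then trusts the returned ARN.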

accessor: pulumi.Output[str] = None

The token’s accessor.

auth_type: pulumi.Output[str] = None

The authentication type used to generate this token.

backend: pulumi.Output[str] = None

The unique name of the AWS auth backend. Defaults to ‘aws’.

client_token: pulumi.Output[str] = None

The token returned by Vault.

iam_http_request_method: pulumi.Output[str] = None

The HTTP method used in the signed IAM request.

iam_request_body: pulumi.Output[str] = None

The base64-encoded body of the signed request.

iam_request_headers: pulumi.Output[str] = None

The base64-encoded, JSON serialized representation of the GetCallerIdentity HTTP request headers.

iam_request_url: pulumi.Output[str] = None

The base64-encoded HTTP URL used in the signed request.

identity: pulumi.Output[str] = None

The base64-encoded EC2 instance identity document to authenticate with. Can be retrieved from the EC2 metadata server.

lease_duration: pulumi.Output[float] = None

The duration in seconds the token will be valid, relative to the time in lease_start_time.

lease_start_time: pulumi.Output[str] = None

Time at which the lease was read, using the clock of the system where Terraform was running.

metadata: pulumi.Output[dict] = None

A map of information returned by the Vault server about the authentication used to generate this token.

nonce: pulumi.Output[str] = None

The unique nonce to be used for login requests. Can be set to a user-specified value, or will contain the server-generated value once a token is issued. EC2 instances can only acquire a single token until the whitelist is tidied again unless they keep track of this nonce.

pkcs7: pulumi.Output[str] = None

The PKCS#7 signature of the identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.

policies: pulumi.Output[list] = None

The Vault policies assigned to this token.

renewable: pulumi.Output[bool] = None

Set to true if the token can be extended through renewal.

role: pulumi.Output[str] = None

The name of the AWS auth backend role to create tokens against.

signature: pulumi.Output[str] = None

The base64-encoded SHA256 RSA signature of the instance identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.

static get(resource_name, id, opts=None, accessor=None, auth_type=None, backend=None, client_token=None, iam_http_request_method=None, iam_request_body=None, iam_request_headers=None, iam_request_url=None, identity=None, lease_duration=None, lease_start_time=None, metadata=None, nonce=None, pkcs7=None, policies=None, renewable=None, role=None, signature=None)

Get an existing AuthBackendLogin resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • accessor (pulumi.Input[str]) – The token’s accessor.

  • auth_type (pulumi.Input[str]) – The authentication type used to generate this token.

  • backend (pulumi.Input[str]) – The unique name of the AWS auth backend. Defaults to ‘aws’.

  • client_token (pulumi.Input[str]) – The token returned by Vault.

  • iam_http_request_method (pulumi.Input[str]) – The HTTP method used in the signed IAM request.

  • iam_request_body (pulumi.Input[str]) – The base64-encoded body of the signed request.

  • iam_request_headers (pulumi.Input[str]) – The base64-encoded, JSON serialized representation of the GetCallerIdentity HTTP request headers.

  • iam_request_url (pulumi.Input[str]) – The base64-encoded HTTP URL used in the signed request.

  • identity (pulumi.Input[str]) – The base64-encoded EC2 instance identity document to authenticate with. Can be retrieved from the EC2 metadata server.

  • lease_duration (pulumi.Input[float]) – The duration in seconds the token will be valid, relative to the time in lease_start_time.

  • lease_start_time (pulumi.Input[str]) – Time at which the lease was read, using the clock of the system where Terraform was running.

  • metadata (pulumi.Input[dict]) – A map of information returned by the Vault server about the authentication used to generate this token.

  • nonce (pulumi.Input[str]) – The unique nonce to be used for login requests. Can be set to a user-specified value, or will contain the server-generated value once a token is issued. EC2 instances can only acquire a single token until the whitelist is tidied again unless they keep track of this nonce.

  • pkcs7 (pulumi.Input[str]) – The PKCS#7 signature of the identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.

  • policies (pulumi.Input[list]) – The Vault policies assigned to this token.

  • renewable (pulumi.Input[bool]) – Set to true if the token can be extended through renewal.

  • role (pulumi.Input[str]) – The name of the AWS auth backend role to create tokens against.

  • signature (pulumi.Input[str]) – The base64-encoded SHA256 RSA signature of the instance identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.aws.AuthBackendRole(resource_name, opts=None, allow_instance_migration=None, auth_type=None, backend=None, bound_account_ids=None, bound_ami_ids=None, bound_ec2_instance_ids=None, bound_iam_instance_profile_arns=None, bound_iam_principal_arns=None, bound_iam_role_arns=None, bound_regions=None, bound_subnet_ids=None, bound_vpc_ids=None, disallow_reauthentication=None, inferred_aws_region=None, inferred_entity_type=None, max_ttl=None, period=None, policies=None, resolve_aws_unique_ids=None, role=None, role_tag=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, ttl=None, __props__=None, __name__=None, __opts__=None)

Manages an AWS auth backend role in a Vault server. Roles constrain the instances or principals that can perform the login operation against the backend. See the Vault documentation for more information.

import pulumi
import pulumi_vault as vault

aws = vault.AuthBackend("aws", type="aws")
example = vault.aws.AuthBackendRole("example",
    backend=aws.path,
    role="test-role",
    auth_type="iam",
    bound_ami_ids=["ami-8c1be5f6"],
    bound_account_ids=["123456789012"],
    bound_vpc_ids=["vpc-b61106d4"],
    bound_subnet_ids=["vpc-133128f1"],
    bound_iam_role_arns=["arn:aws:iam::123456789012:role/MyRole"],
    bound_iam_instance_profile_arns=["arn:aws:iam::123456789012:instance-profile/MyProfile"],
    inferred_entity_type="ec2_instance",
    inferred_aws_region="us-east-1",
    token_ttl=60,
    token_max_ttl=120,
    token_policies=[
        "default",
        "dev",
        "prod",
    ])

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • allow_instance_migration (pulumi.Input[bool]) – If set to true, allows migration of the underlying instance where the client resides.

  • auth_type (pulumi.Input[str]) – The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.

  • backend (pulumi.Input[str]) – Unique name of the auth backend to configure.

  • bound_account_ids (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_ami_ids (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_ec2_instance_ids (pulumi.Input[list]) – Only EC2 instances that match this instance ID will be permitted to log in.

  • bound_iam_instance_profile_arns (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_iam_principal_arns (pulumi.Input[list]) – If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.

  • bound_iam_role_arns (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_regions (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_subnet_ids (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_vpc_ids (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • disallow_reauthentication (pulumi.Input[bool]) – If set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.

  • inferred_aws_region (pulumi.Input[str]) – When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.

  • inferred_entity_type (pulumi.Input[str]) – If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.

  • max_ttl (pulumi.Input[float]) – The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

  • period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

  • policies (pulumi.Input[list]) – An array of strings specifying the policies to be set on tokens issued using this role.

  • resolve_aws_unique_ids (pulumi.Input[bool]) – If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won’t get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.

  • role (pulumi.Input[str]) – The name of the role.

  • role_tag (pulumi.Input[str]) – If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • token_bound_cidrs (pulumi.Input[list]) – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

  • token_explicit_max_ttl (pulumi.Input[float]) – If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

  • token_max_ttl (pulumi.Input[float]) – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_no_default_policy (pulumi.Input[bool]) – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

  • token_num_uses (pulumi.Input[float]) – The period, if any, in number of seconds to set on the token.

  • token_period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

  • token_policies (pulumi.Input[list]) – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

  • token_ttl (pulumi.Input[float]) – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_type (pulumi.Input[str]) – The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

  • ttl (pulumi.Input[float]) – The TTL period of tokens issued using this role, provided as a number of seconds.
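To make the bound_* semantics above concrete, the following is an added simplified model, not Vault's or pulumi-vault's own code, that evaluates a role's constraints against the facts Vault would hold about a caller. The role dicts, caller facts and ARNs are constructed samples, and resolve_aws_unique_ids is not modelled.

```python
"""Simplified model of how an AuthBackendRole's bound_* constraints gate a login.

Added illustration, not Vault's or pulumi-vault's own code. It encodes the
semantics the field descriptions state: any one entry in a configured list
satisfies that list, every configured list must be satisfied, instance
profile ARNs are prefix-matched as though they ended in '*', and IAM
principal ARNs accept a trailing '*'. As in Vault, a role that binds nothing
is refused, so a misspelled constraint key cannot silently open the role.
The facts dict stands in for what Vault learns from the identity document
and its own EC2/STS lookups; every sample value here is constructed.
"""
from typing import Dict, List, Tuple

# Role field -> key in the facts gathered about the caller; all exact matches.
EXACT_BOUNDS = {
    "bound_account_ids": "accountId",
    "bound_ami_ids": "imageId",
    "bound_ec2_instance_ids": "instanceId",
    "bound_regions": "region",
    "bound_vpc_ids": "vpcId",
    "bound_subnet_ids": "subnetId",
}
PREFIX_BOUND = "bound_iam_instance_profile_arns"  # always a prefix match
PRINCIPAL_BOUND = "bound_iam_principal_arns"      # exact, or prefix if it ends in '*'
KNOWN_BOUNDS = set(EXACT_BOUNDS) | {PREFIX_BOUND, PRINCIPAL_BOUND}


def _bound_lists(role: Dict) -> Dict[str, List[str]]:
    """Only recognised, non-empty bound_* lists count; unknown keys bind nothing."""
    return {k: v for k, v in role.items() if k in KNOWN_BOUNDS and v}


def _arn_matches(arn: str, pattern: str, implicit_wildcard: bool) -> bool:
    if implicit_wildcard or pattern.endswith("*"):
        return arn.startswith(pattern.rstrip("*"))
    return arn == pattern


def role_accepts(role: Dict, facts: Dict) -> Tuple[bool, str]:
    """Return (accepted, reason) for one login attempt against this role."""
    bounds = _bound_lists(role)
    if not bounds:
        return False, "role binds nothing; refuse rather than admit any caller"

    auth_type = role.get("auth_type", "iam")
    ec2_facts_apply = auth_type == "ec2" or role.get("inferred_entity_type") == "ec2_instance"
    needs_ec2 = "needs auth_type=ec2 or inferred_entity_type=ec2_instance"

    for field_name, fact_key in EXACT_BOUNDS.items():
        allowed = bounds.get(field_name)
        if not allowed:
            continue
        if not ec2_facts_apply:
            return False, f"{field_name} {needs_ec2}"
        if facts.get(fact_key) not in allowed:
            return False, f"{fact_key}={facts.get(fact_key)!r} is not in {field_name}"

    if bounds.get(PREFIX_BOUND):
        if not ec2_facts_apply:
            return False, f"{PREFIX_BOUND} {needs_ec2}"
        arn = facts.get("iamInstanceProfileArn", "")
        # Prefix semantics: '.../instance-profile/Web' also admits '.../instance-profile/WebAdmin',
        # so bind the complete profile name when similarly named profiles share the account.
        if not any(_arn_matches(arn, p, True) for p in bounds[PREFIX_BOUND]):
            return False, f"instance profile {arn!r} matches no {PREFIX_BOUND} prefix"

    if bounds.get(PRINCIPAL_BOUND):
        if auth_type != "iam":
            return False, f"{PRINCIPAL_BOUND} only applies when auth_type=iam"
        # resolve_aws_unique_ids (comparing unique IDs rather than names) is not modelled.
        arn = facts.get("callerArn", "")
        if not any(_arn_matches(arn, p, False) for p in bounds[PRINCIPAL_BOUND]):
            return False, f"caller {arn!r} matches no {PRINCIPAL_BOUND} entry"

    return True, "all configured bounds satisfied"


# Constructed samples, reusing the placeholder IDs from the examples on this page.
EC2_ROLE = {
    "role": "test-role",
    "auth_type": "ec2",
    "bound_account_ids": ["123456789012"],
    "bound_ami_ids": ["ami-8c1be5f6"],
    "bound_vpc_ids": ["vpc-b61106d4"],
    PREFIX_BOUND: ["arn:aws:iam::123456789012:instance-profile/MyProfile"],
}
INSTANCE_FACTS = {
    "accountId": "123456789012",
    "imageId": "ami-8c1be5f6",
    "instanceId": "i-0123456789abcdef0",
    "region": "us-east-1",
    "vpcId": "vpc-b61106d4",
    "subnetId": "subnet-0a1b2c3d",
    "iamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/MyProfile",
}
IAM_ROLE = {"role": "ci-runner", "auth_type": "iam",
            PRINCIPAL_BOUND: ["arn:aws:iam::123456789012:role/ci-*"]}

if __name__ == "__main__":
    print(role_accepts(EC2_ROLE, INSTANCE_FACTS))
    print(role_accepts(EC2_ROLE, dict(INSTANCE_FACTS, imageId="ami-00000000")))
```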

allow_instance_migration: pulumi.Output[bool] = None

If set to true, allows migration of the underlying instance where the client resides.

auth_type: pulumi.Output[str] = None

The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.

backend: pulumi.Output[str] = None

Unique name of the auth backend to configure.

bound_account_ids: pulumi.Output[list] = None

If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

bound_ami_ids: pulumi.Output[list] = None

If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

bound_ec2_instance_ids: pulumi.Output[list] = None

Only EC2 instances that match this instance ID will be permitted to log in.

bound_iam_instance_profile_arns: pulumi.Output[list] = None

If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

bound_iam_principal_arns: pulumi.Output[list] = None

If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.

bound_iam_role_arns: pulumi.Output[list] = None

If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

bound_regions: pulumi.Output[list] = None

If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

bound_subnet_ids: pulumi.Output[list] = None

If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

bound_vpc_ids: pulumi.Output[list] = None

If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

disallow_reauthentication: pulumi.Output[bool] = None

If set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.

inferred_aws_region: pulumi.Output[str] = None

When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.

inferred_entity_type: pulumi.Output[str] = None

If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.

max_ttl: pulumi.Output[float] = None

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

period: pulumi.Output[float] = None

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

policies: pulumi.Output[list] = None

An array of strings specifying the policies to be set on tokens issued using this role.

resolve_aws_unique_ids: pulumi.Output[bool] = None

If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won’t get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.

role: pulumi.Output[str] = None

The name of the role.

role_tag: pulumi.Output[str] = None

If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

token_bound_cidrs: pulumi.Output[list] = None

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

token_explicit_max_ttl: pulumi.Output[float] = None

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

token_max_ttl: pulumi.Output[float] = None

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_no_default_policy: pulumi.Output[bool] = None

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

token_num_uses: pulumi.Output[float] = None

The period, if any, in number of seconds to set on the token.

token_period: pulumi.Output[float] = None

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

token_policies: pulumi.Output[list] = None

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

token_ttl: pulumi.Output[float] = None

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_type: pulumi.Output[str] = None

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

ttl: pulumi.Output[float] = None

The TTL period of tokens issued using this role, provided as a number of seconds.

static get(resource_name, id, opts=None, allow_instance_migration=None, auth_type=None, backend=None, bound_account_ids=None, bound_ami_ids=None, bound_ec2_instance_ids=None, bound_iam_instance_profile_arns=None, bound_iam_principal_arns=None, bound_iam_role_arns=None, bound_regions=None, bound_subnet_ids=None, bound_vpc_ids=None, disallow_reauthentication=None, inferred_aws_region=None, inferred_entity_type=None, max_ttl=None, period=None, policies=None, resolve_aws_unique_ids=None, role=None, role_tag=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, ttl=None)

Get an existing AuthBackendRole resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • allow_instance_migration (pulumi.Input[bool]) – If set to true, allows migration of the underlying instance where the client resides.

  • auth_type (pulumi.Input[str]) – The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.

  • backend (pulumi.Input[str]) – Unique name of the auth backend to configure.

  • bound_account_ids (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_ami_ids (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_ec2_instance_ids (pulumi.Input[list]) – Only EC2 instances that match this instance ID will be permitted to log in.

  • bound_iam_instance_profile_arns (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_iam_principal_arns (pulumi.Input[list]) – If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.

  • bound_iam_role_arns (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_regions (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_subnet_ids (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • bound_vpc_ids (pulumi.Input[list]) – If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • disallow_reauthentication (pulumi.Input[bool]) – If set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.

  • inferred_aws_region (pulumi.Input[str]) – When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.

  • inferred_entity_type (pulumi.Input[str]) – If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.

  • max_ttl (pulumi.Input[float]) – The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

  • period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

  • policies (pulumi.Input[list]) – An array of strings specifying the policies to be set on tokens issued using this role.

  • resolve_aws_unique_ids (pulumi.Input[bool]) – If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won’t get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.

  • role (pulumi.Input[str]) – The name of the role.

  • role_tag (pulumi.Input[str]) – If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.

  • token_bound_cidrs (pulumi.Input[list]) – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

  • token_explicit_max_ttl (pulumi.Input[float]) – If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

  • token_max_ttl (pulumi.Input[float]) – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_no_default_policy (pulumi.Input[bool]) – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

  • token_num_uses (pulumi.Input[float]) – The period, if any, in number of seconds to set on the token.

  • token_period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

  • token_policies (pulumi.Input[list]) – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

  • token_ttl (pulumi.Input[float]) – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_type (pulumi.Input[str]) – The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

  • ttl (pulumi.Input[float]) – The TTL period of tokens issued using this role, provided as a number of seconds.
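The auth_type and inferred_entity_type interactions documented above are easy to get wrong in a Pulumi program, because an EC2 binding placed on an iam role is simply ignored rather than rejected. The following added example (not pulumi-vault or Terraform provider code; AwsAuthRole, role_findings and the sample ARNs and IDs are hypothetical and constructed) encodes the documented constraints as pre-apply checks that run offline:

```python
"""Pre-apply checks for a Vault AWS auth backend role, derived from the field
constraints documented for pulumi_vault.aws.AuthBackendRole.

Added illustration, not code from pulumi-vault or the Terraform provider:
AwsAuthRole and role_findings are hypothetical helpers; sample ARNs and IDs
used with them are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Bindings checked against the EC2 identity document. Per the docs they only
# take effect when auth_type is ec2 or inferred_entity_type is ec2_instance.
EC2_BOUND_FIELDS = (
    "bound_account_ids", "bound_ami_ids", "bound_ec2_instance_ids",
    "bound_iam_instance_profile_arns", "bound_iam_role_arns",
    "bound_regions", "bound_subnet_ids", "bound_vpc_ids", "role_tag",
)


@dataclass
class AwsAuthRole:
    """Subset of AuthBackendRole inputs used by the checks."""
    role: str
    auth_type: str = "iam"  # documented default
    bound_iam_principal_arns: List[str] = field(default_factory=list)
    bound_account_ids: List[str] = field(default_factory=list)
    bound_ami_ids: List[str] = field(default_factory=list)
    bound_ec2_instance_ids: List[str] = field(default_factory=list)
    bound_iam_instance_profile_arns: List[str] = field(default_factory=list)
    bound_iam_role_arns: List[str] = field(default_factory=list)
    bound_regions: List[str] = field(default_factory=list)
    bound_subnet_ids: List[str] = field(default_factory=list)
    bound_vpc_ids: List[str] = field(default_factory=list)
    role_tag: Optional[str] = None
    inferred_entity_type: Optional[str] = None
    inferred_aws_region: Optional[str] = None
    disallow_reauthentication: bool = False
    resolve_aws_unique_ids: bool = True  # documented default
    token_ttl: Optional[int] = None
    token_max_ttl: Optional[int] = None
    token_explicit_max_ttl: Optional[int] = None


def role_findings(r: AwsAuthRole) -> List[str]:
    """Return findings as strings; an empty list means the role is consistent
    with the documented constraints."""
    findings: List[str] = []
    if r.auth_type not in ("ec2", "iam"):
        return [f"auth_type must be ec2 or iam, got {r.auth_type!r}"]

    # EC2 bindings silently do nothing outside ec2 / inferred ec2_instance scope.
    ec2_scoped = r.auth_type == "ec2" or r.inferred_entity_type == "ec2_instance"
    for name in EC2_BOUND_FIELDS:
        if getattr(r, name) and not ec2_scoped:
            findings.append(f"{name} is set but neither auth_type=ec2 nor "
                            "inferred_entity_type=ec2_instance; it has no effect")

    if r.inferred_entity_type is not None:
        if r.inferred_entity_type != "ec2_instance":
            findings.append("inferred_entity_type only accepts ec2_instance")
        if r.auth_type != "iam":
            findings.append("inferred_entity_type only applies when auth_type is iam")
        if not r.inferred_aws_region:
            findings.append("inferred_aws_region is required when inferred_entity_type is set")

    if r.disallow_reauthentication and r.auth_type != "ec2":
        findings.append("disallow_reauthentication can only be set when auth_type is ec2")

    # resolve_aws_unique_ids is ignored for entries ending in a wildcard, so a
    # recreated principal with the same name would match such an entry again.
    if r.resolve_aws_unique_ids:
        for arn in r.bound_iam_principal_arns:
            if arn.endswith("*"):
                findings.append(f"{arn}: wildcard entry is not resolved to a unique ID")

    # token_explicit_max_ttl is a hard cap even if token_max_ttl would allow more.
    if (r.token_explicit_max_ttl is not None and r.token_max_ttl is not None
            and r.token_max_ttl > r.token_explicit_max_ttl):
        findings.append("token_max_ttl exceeds token_explicit_max_ttl; the explicit cap wins")
    if (r.token_ttl is not None and r.token_max_ttl is not None
            and r.token_ttl > r.token_max_ttl):
        findings.append("token_ttl exceeds token_max_ttl")
    return findings


if __name__ == "__main__":
    # Constructed sample: an iam role with a wildcard principal and an EC2-only binding.
    sample = AwsAuthRole(
        role="app-server", auth_type="iam",
        bound_iam_principal_arns=["arn:aws:iam::123456789012:role/app-*"],
        bound_vpc_ids=["vpc-0constructed"], token_max_ttl=7200, token_explicit_max_ttl=3600)
    for line in role_findings(sample):
        print("-", line)
```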

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.aws.AuthBackendRoleTag(resource_name, opts=None, allow_instance_migration=None, backend=None, disallow_reauthentication=None, instance_id=None, max_ttl=None, policies=None, role=None, __props__=None, __name__=None, __opts__=None)

Reads role tag information from an AWS auth backend in Vault.

import pulumi
import pulumi_vault as vault

aws = vault.AuthBackend("aws",
    path="%s",  # "%s" is a placeholder left by the docs template; substitute the mount path
    type="aws")
role = vault.aws.AuthBackendRole("role",
    auth_type="ec2",
    backend=aws.path,
    bound_account_ids=["123456789012"],  # a list; the resource has no bound_account_id input
    policies=[
        "dev",
        "prod",
        "qa",
        "test",
    ],
    role="%s",  # placeholder for the role name
    role_tag="VaultRoleTag")
test = vault.aws.AuthBackendRoleTag("test",
    backend=aws.path,
    instance_id="i-1234567",
    max_ttl="1h",
    policies=[  # must be a subset of the role's policies
        "prod",
        "dev",
        "test",
    ],
    role=role.role)

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • allow_instance_migration (pulumi.Input[bool]) – If set, allows migration of the underlying instances where the client resides. Use with caution.

  • backend (pulumi.Input[str]) – The path to the AWS auth backend to read role tags from, with no leading or trailing /s. Defaults to “aws”.

  • disallow_reauthentication (pulumi.Input[bool]) – If set, only allows a single token to be granted per instance ID.

  • instance_id (pulumi.Input[str]) – Instance ID this tag is intended for. If set, the created tag can only be used by the instance with the given ID.

  • max_ttl (pulumi.Input[str]) – The maximum TTL of the tokens issued using this role.

  • policies (pulumi.Input[list]) – The policies to be associated with the tag. Must be a subset of the policies associated with the role.

  • role (pulumi.Input[str]) – The name of the AWS auth backend role to read role tags from, with no leading or trailing /s.

allow_instance_migration: pulumi.Output[bool] = None

If set, allows migration of the underlying instances where the client resides. Use with caution.

backend: pulumi.Output[str] = None

The path to the AWS auth backend to read role tags from, with no leading or trailing /s. Defaults to “aws”.

disallow_reauthentication: pulumi.Output[bool] = None

If set, only allows a single token to be granted per instance ID.

instance_id: pulumi.Output[str] = None

Instance ID this tag is intended for. If set, the created tag can only be used by the instance with the given ID.

max_ttl: pulumi.Output[str] = None

The maximum TTL of the tokens issued using this role.

policies: pulumi.Output[list] = None

The policies to be associated with the tag. Must be a subset of the policies associated with the role.

role: pulumi.Output[str] = None

The name of the AWS auth backend role to read role tags from, with no leading or trailing /s.

tag_key: pulumi.Output[str] = None

The key of the role tag.

tag_value: pulumi.Output[str] = None

The value to set for the role tag key.

static get(resource_name, id, opts=None, allow_instance_migration=None, backend=None, disallow_reauthentication=None, instance_id=None, max_ttl=None, policies=None, role=None, tag_key=None, tag_value=None)

Get an existing AuthBackendRoleTag resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • allow_instance_migration (pulumi.Input[bool]) – If set, allows migration of the underlying instances where the client resides. Use with caution.

  • backend (pulumi.Input[str]) – The path to the AWS auth backend to read role tags from, with no leading or trailing /s. Defaults to “aws”.

  • disallow_reauthentication (pulumi.Input[bool]) – If set, only allows a single token to be granted per instance ID.

  • instance_id (pulumi.Input[str]) – Instance ID this tag is intended for. If set, the created tag can only be used by the instance with the given ID.

  • max_ttl (pulumi.Input[str]) – The maximum TTL of the tokens issued using this role.

  • policies (pulumi.Input[list]) – The policies to be associated with the tag. Must be a subset of the policies associated with the role.

  • role (pulumi.Input[str]) – The name of the AWS auth backend role to read role tags from, with no leading or trailing /s.

  • tag_key (pulumi.Input[str]) – The key of the role tag.

  • tag_value (pulumi.Input[str]) – The value to set for the role tag key.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.aws.AuthBackendRoletagBlacklist(resource_name, opts=None, backend=None, disable_periodic_tidy=None, safety_buffer=None, __props__=None, __name__=None, __opts__=None)

Configures the periodic tidying operation of the blacklisted role tag entries.

import pulumi
import pulumi_vault as vault

example_auth_backend = vault.AuthBackend("exampleAuthBackend", type="aws")
example_auth_backend_roletag_blacklist = vault.aws.AuthBackendRoletagBlacklist("exampleAuthBackendRoletagBlacklist",
    backend=example_auth_backend.path,
    safety_buffer=360)
Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – The path the AWS auth backend being configured was mounted at.

  • disable_periodic_tidy (pulumi.Input[bool]) – If set to true, disables the periodic tidying of the roletag blacklist entries. Defaults to false.

  • safety_buffer (pulumi.Input[float]) – The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage. Defaults to 259,200 seconds, or 72 hours.

backend: pulumi.Output[str] = None

The path the AWS auth backend being configured was mounted at.

disable_periodic_tidy: pulumi.Output[bool] = None

If set to true, disables the periodic tidying of the roletag blacklist entries. Defaults to false.

safety_buffer: pulumi.Output[float] = None

The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage. Defaults to 259,200 seconds, or 72 hours.

static get(resource_name, id, opts=None, backend=None, disable_periodic_tidy=None, safety_buffer=None)

Get an existing AuthBackendRoletagBlacklist resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – The path the AWS auth backend being configured was mounted at.

  • disable_periodic_tidy (pulumi.Input[bool]) – If set to true, disables the periodic tidying of the roletag blacklist entries. Defaults to false.

  • safety_buffer (pulumi.Input[float]) – The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage. Defaults to 259,200 seconds, or 72 hours.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.aws.AuthBackendStsRole(resource_name, opts=None, account_id=None, backend=None, sts_role=None, __props__=None, __name__=None, __opts__=None)

Create an AuthBackendStsRole resource with the given unique name, props, and options.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • account_id (pulumi.Input[str]) – The AWS account ID to configure the STS role for.

  • backend (pulumi.Input[str]) – The path the AWS auth backend being configured was mounted at. Defaults to aws.

  • sts_role (pulumi.Input[str]) – The STS role to assume when verifying requests made by EC2 instances in the account specified by account_id.

account_id: pulumi.Output[str] = None

The AWS account ID to configure the STS role for.

backend: pulumi.Output[str] = None

The path the AWS auth backend being configured was mounted at. Defaults to aws.

sts_role: pulumi.Output[str] = None

The STS role to assume when verifying requests made by EC2 instances in the account specified by account_id.

static get(resource_name, id, opts=None, account_id=None, backend=None, sts_role=None)

Get an existing AuthBackendStsRole resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • account_id (pulumi.Input[str]) – The AWS account ID to configure the STS role for.

  • backend (pulumi.Input[str]) – The path the AWS auth backend being configured was mounted at. Defaults to aws.

  • sts_role (pulumi.Input[str]) – The STS role to assume when verifying requests made by EC2 instances in the account specified by account_id.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.aws.AwaitableGetAccessCredentialsResult(access_key=None, backend=None, id=None, lease_duration=None, lease_id=None, lease_renewable=None, lease_start_time=None, role=None, role_arn=None, secret_key=None, security_token=None, type=None)
class pulumi_vault.aws.GetAccessCredentialsResult(access_key=None, backend=None, id=None, lease_duration=None, lease_id=None, lease_renewable=None, lease_start_time=None, role=None, role_arn=None, secret_key=None, security_token=None, type=None)

A collection of values returned by getAccessCredentials.

access_key = None

The AWS Access Key ID returned by Vault.

id = None

The provider-assigned unique ID for this managed resource.

lease_duration = None

The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.

lease_id = None

The lease identifier assigned by Vault.

secret_key = None

The AWS Secret Key returned by Vault.

security_token = None

The STS token returned by Vault, if any.

class pulumi_vault.aws.SecretBackend(resource_name, opts=None, access_key=None, default_lease_ttl_seconds=None, description=None, max_lease_ttl_seconds=None, path=None, region=None, secret_key=None, __props__=None, __name__=None, __opts__=None)

Create a SecretBackend resource with the given unique name, props, and options.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • access_key (pulumi.Input[str]) – The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

  • default_lease_ttl_seconds (pulumi.Input[float]) – The default TTL for credentials issued by this backend.

  • description (pulumi.Input[str]) – A human-friendly description for this backend.

  • max_lease_ttl_seconds (pulumi.Input[float]) – The maximum TTL that can be requested for credentials issued by this backend.

  • path (pulumi.Input[str]) – The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.

  • region (pulumi.Input[str]) – The AWS region for API calls. Defaults to us-east-1.

  • secret_key (pulumi.Input[str]) – The AWS Secret Key this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

access_key: pulumi.Output[str] = None

The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

default_lease_ttl_seconds: pulumi.Output[float] = None

The default TTL for credentials issued by this backend.

description: pulumi.Output[str] = None

A human-friendly description for this backend.

max_lease_ttl_seconds: pulumi.Output[float] = None

The maximum TTL that can be requested for credentials issued by this backend.

path: pulumi.Output[str] = None

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.

region: pulumi.Output[str] = None

The AWS region for API calls. Defaults to us-east-1.

secret_key: pulumi.Output[str] = None

The AWS Secret Key this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

static get(resource_name, id, opts=None, access_key=None, default_lease_ttl_seconds=None, description=None, max_lease_ttl_seconds=None, path=None, region=None, secret_key=None)

Get an existing SecretBackend resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • access_key (pulumi.Input[str]) – The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

  • default_lease_ttl_seconds (pulumi.Input[float]) – The default TTL for credentials issued by this backend.

  • description (pulumi.Input[str]) – A human-friendly description for this backend.

  • max_lease_ttl_seconds (pulumi.Input[float]) – The maximum TTL that can be requested for credentials issued by this backend.

  • path (pulumi.Input[str]) – The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws.

  • region (pulumi.Input[str]) – The AWS region for API calls. Defaults to us-east-1.

  • secret_key (pulumi.Input[str]) – The AWS Secret Key this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.aws.SecretBackendRole(resource_name, opts=None, backend=None, credential_type=None, default_sts_ttl=None, max_sts_ttl=None, name=None, policy_arns=None, policy_document=None, role_arns=None, __props__=None, __name__=None, __opts__=None)

Create a SecretBackendRole resource with the given unique name, props, and options.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – The path the AWS secret backend is mounted at, with no leading or trailing /s.

  • credential_type (pulumi.Input[str]) – Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

  • default_sts_ttl (pulumi.Input[float]) – The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.

  • max_sts_ttl (pulumi.Input[float]) – The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.

  • name (pulumi.Input[str]) – The name to identify this role within the backend. Must be unique within the backend.

  • policy_arns (pulumi.Input[list]) – Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

  • policy_document (pulumi.Input[str]) – The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

  • role_arns (pulumi.Input[list]) – Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

backend: pulumi.Output[str] = None

The path the AWS secret backend is mounted at, with no leading or trailing /s.

credential_type: pulumi.Output[str] = None

Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

default_sts_ttl: pulumi.Output[float] = None

The default TTL in seconds for STS credentials. Used when STS credentials are requested without an explicit TTL and the role sets a default. Valid only when credential_type is one of assumed_role or federation_token.

max_sts_ttl: pulumi.Output[float] = None

The maximum TTL in seconds for STS credentials; a requested or default TTL above this value is capped to max_sts_ttl. Valid only when credential_type is one of assumed_role or federation_token.

name: pulumi.Output[str] = None

The name to identify this role within the backend. Must be unique within the backend.

policy_arns: pulumi.Output[list] = None

Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

policy_document: pulumi.Output[str] = None

The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

role_arns: pulumi.Output[list] = None

Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

static get(resource_name, id, opts=None, backend=None, credential_type=None, default_sts_ttl=None, max_sts_ttl=None, name=None, policy_arns=None, policy_document=None, role_arns=None)

Get an existing SecretBackendRole resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – The path the AWS secret backend is mounted at, with no leading or trailing /s.

  • credential_type (pulumi.Input[str]) – Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

  • default_sts_ttl (pulumi.Input[float]) – The default TTL in seconds for STS credentials. Used when STS credentials are requested without an explicit TTL and the role sets a default. Valid only when credential_type is one of assumed_role or federation_token.

  • max_sts_ttl (pulumi.Input[float]) – The maximum TTL in seconds for STS credentials; a requested or default TTL above this value is capped to max_sts_ttl. Valid only when credential_type is one of assumed_role or federation_token.

  • name (pulumi.Input[str]) – The name to identify this role within the backend. Must be unique within the backend.

  • policy_arns (pulumi.Input[list]) – Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified.

  • policy_document (pulumi.Input[str]) – The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns.

  • role_arns (pulumi.Input[list]) – Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_vault.aws.get_access_credentials(backend=None, role=None, role_arn=None, type=None, opts=None)

Use this data source to read AWS credentials from a role in an AWS secret backend. Each read makes Vault issue a new, live AWS credential (an IAM user's keys, or an STS session), so treat the returned values as secrets wherever they flow: resource inputs, stack outputs and logs.

Parameters
  • backend (str) – The path to the AWS secret backend to read credentials from, with no leading or trailing /s.

  • role (str) – The name of the AWS secret backend role to read credentials from, with no leading or trailing /s.

  • role_arn (str) – The specific AWS ARN to use from the configured role. If the role does not have multiple ARNs, this does not need to be specified.

  • type (str) – The type of credentials to read. Defaults to "creds", which just returns an AWS Access Key ID and Secret Key. Can also be set to "sts", which will return a security token in addition to the keys.