SecretRoleset

Creates a Roleset in the GCP Secrets Engine for Vault.

Each Roleset is tied to a Service Account, and can have one or more bindings associated with it.

Example Usage

using System.IO;
using Pulumi;
using Vault = Pulumi.Vault;

class MyStack : Stack
{
    public MyStack()
    {
        var project = "my-awesome-project";
        var gcp = new Vault.Gcp.SecretBackend("gcp", new Vault.Gcp.SecretBackendArgs
        {
            Credentials = File.ReadAllText("credentials.json"),
            Path = "gcp",
        });
        var roleset = new Vault.Gcp.SecretRoleset("roleset", new Vault.Gcp.SecretRolesetArgs
        {
            Backend = gcp.Path,
            Bindings = 
            {
                new Vault.Gcp.Inputs.SecretRolesetBindingArgs
                {
                    Resource = $"//cloudresourcemanager.googleapis.com/projects/{project}",
                    Roles = 
                    {
                        "roles/viewer",
                    },
                },
            },
            Project = project,
            Roleset = "project_viewer",
            SecretType = "access_token",
            TokenScopes = 
            {
                "https://www.googleapis.com/auth/cloud-platform",
            },
        });
    }

}

Coming soon!

import pulumi
import pulumi_vault as vault

project = "my-awesome-project"
gcp = vault.gcp.SecretBackend("gcp",
    credentials=(lambda path: open(path).read())("credentials.json"),
    path="gcp")
roleset = vault.gcp.SecretRoleset("roleset",
    backend=gcp.path,
    bindings=[{
        "resource": f"//cloudresourcemanager.googleapis.com/projects/{project}",
        "roles": ["roles/viewer"],
    }],
    project=project,
    roleset="project_viewer",
    secret_type="access_token",
    token_scopes=["https://www.googleapis.com/auth/cloud-platform"])

import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as vault from "@pulumi/vault";

const project = "my-awesome-project";
const gcp = new vault.gcp.SecretBackend("gcp", {
    credentials: fs.readFileSync("credentials.json", "utf-8"),
    path: "gcp",
});
const roleset = new vault.gcp.SecretRoleset("roleset", {
    backend: gcp.path,
    bindings: [{
        resource: `//cloudresourcemanager.googleapis.com/projects/${project}`,
        roles: ["roles/viewer"],
    }],
    project: project,
    roleset: "project_viewer",
    secretType: "access_token",
    tokenScopes: ["https://www.googleapis.com/auth/cloud-platform"],
});

Create a SecretRoleset Resource

new SecretRoleset(name: string, args: SecretRolesetArgs, opts?: CustomResourceOptions);

def SecretRoleset(resource_name, opts=None, backend=None, bindings=None, project=None, roleset=None, secret_type=None, token_scopes=None, __props__=None);

func NewSecretRoleset(ctx *Context, name string, args SecretRolesetArgs, opts ...ResourceOption) (*SecretRoleset, error)

public SecretRoleset(string name, SecretRolesetArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args SecretRolesetArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretRolesetArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretRolesetArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

SecretRoleset Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The SecretRoleset resource accepts the following input properties:

Backend string: Path where the GCP Secrets Engine is mounted
Bindings List<SecretRolesetBindingArgs>: Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
Project string: Name of the GCP project that this roleset’s service account will belong to.
Roleset string: Name of the Roleset to create
SecretType string: Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
TokenScopes List<string>: List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

Backend string: Path where the GCP Secrets Engine is mounted
Bindings []SecretRolesetBinding: Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
Project string: Name of the GCP project that this roleset’s service account will belong to.
Roleset string: Name of the Roleset to create
SecretType string: Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
TokenScopes []string: List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

backend string: Path where the GCP Secrets Engine is mounted
bindings SecretRolesetBinding[]: Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
project string: Name of the GCP project that this roleset’s service account will belong to.
roleset string: Name of the Roleset to create
secretType string: Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
tokenScopes string[]: List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

backend str: Path where the GCP Secrets Engine is mounted
bindings List[SecretRolesetBinding]: Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
project str: Name of the GCP project that this roleset’s service account will belong to.
roleset str: Name of the Roleset to create
secret_type str: Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
token_scopes List[str]: List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretRoleset resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
ServiceAccountEmail string: Email of the service account created by Vault for this Roleset

Id string: The provider-assigned unique ID for this managed resource.
ServiceAccountEmail string: Email of the service account created by Vault for this Roleset

id string: The provider-assigned unique ID for this managed resource.
serviceAccountEmail string: Email of the service account created by Vault for this Roleset

id str: The provider-assigned unique ID for this managed resource.
service_account_email str: Email of the service account created by Vault for this Roleset

Look up an Existing SecretRoleset Resource

Get an existing SecretRoleset resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretRolesetState, opts?: CustomResourceOptions): SecretRoleset

static get(resource_name, id, opts=None, backend=None, bindings=None, project=None, roleset=None, secret_type=None, service_account_email=None, token_scopes=None, __props__=None);

func GetSecretRoleset(ctx *Context, name string, id IDInput, state *SecretRolesetState, opts ...ResourceOption) (*SecretRoleset, error)

public static SecretRoleset Get(string name, Input<string> id, SecretRolesetState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Backend string: Path where the GCP Secrets Engine is mounted
Bindings List<SecretRolesetBindingArgs>: Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
Project string: Name of the GCP project that this roleset’s service account will belong to.
Roleset string: Name of the Roleset to create
SecretType string: Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
ServiceAccountEmail string: Email of the service account created by Vault for this Roleset
TokenScopes List<string>: List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

Backend string: Path where the GCP Secrets Engine is mounted
Bindings []SecretRolesetBinding: Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
Project string: Name of the GCP project that this roleset’s service account will belong to.
Roleset string: Name of the Roleset to create
SecretType string: Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
ServiceAccountEmail string: Email of the service account created by Vault for this Roleset
TokenScopes []string: List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

backend string: Path where the GCP Secrets Engine is mounted
bindings SecretRolesetBinding[]: Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
project string: Name of the GCP project that this roleset’s service account will belong to.
roleset string: Name of the Roleset to create
secretType string: Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
serviceAccountEmail string: Email of the service account created by Vault for this Roleset
tokenScopes string[]: List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

backend str: Path where the GCP Secrets Engine is mounted
bindings List[SecretRolesetBinding]: Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
project str: Name of the GCP project that this roleset’s service account will belong to.
roleset str: Name of the Roleset to create
secret_type str: Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
service_account_email str: Email of the service account created by Vault for this Roleset
token_scopes List[str]: List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

Supporting Types

SecretRolesetBinding

See the input and output API doc for this type.

Resource string: Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
Roles List<string>: List of GCP IAM roles for the resource.

Resource string: Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
Roles []string: List of GCP IAM roles for the resource.

resource string: Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
roles string[]: List of GCP IAM roles for the resource.

resource str: Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
roles List[str]: List of GCP IAM roles for the resource.

Package Details

Repository: https://github.com/pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud