1. Packages
  2. HashiCorp Vault
  3. API Docs
  4. kubernetes
  5. SecretBackendRole
HashiCorp Vault v6.2.0 published on Friday, Jun 21, 2024 by Pulumi

vault.kubernetes.SecretBackendRole

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.2.0 published on Friday, Jun 21, 2024 by Pulumi

    Example Usage

    Example using service_account_name mode:

    import * as pulumi from "@pulumi/pulumi";
    import * as std from "@pulumi/std";
    import * as vault from "@pulumi/vault";
    
    const config = new vault.kubernetes.SecretBackend("config", {
        path: "kubernetes",
        description: "kubernetes secrets engine description",
        kubernetesHost: "https://127.0.0.1:61233",
        kubernetesCaCert: std.file({
            input: "/path/to/cert",
        }).then(invoke => invoke.result),
        serviceAccountJwt: std.file({
            input: "/path/to/token",
        }).then(invoke => invoke.result),
        disableLocalCaJwt: false,
    });
    const sa_example = new vault.kubernetes.SecretBackendRole("sa-example", {
        backend: config.path,
        name: "service-account-name-role",
        allowedKubernetesNamespaces: ["*"],
        tokenMaxTtl: 43200,
        tokenDefaultTtl: 21600,
        serviceAccountName: "test-service-account-with-generated-token",
        extraLabels: {
            id: "abc123",
            name: "some_name",
        },
        extraAnnotations: {
            env: "development",
            location: "earth",
        },
    });
    
    import pulumi
    import pulumi_std as std
    import pulumi_vault as vault
    
    config = vault.kubernetes.SecretBackend("config",
        path="kubernetes",
        description="kubernetes secrets engine description",
        kubernetes_host="https://127.0.0.1:61233",
        kubernetes_ca_cert=std.file(input="/path/to/cert").result,
        service_account_jwt=std.file(input="/path/to/token").result,
        disable_local_ca_jwt=False)
    sa_example = vault.kubernetes.SecretBackendRole("sa-example",
        backend=config.path,
        name="service-account-name-role",
        allowed_kubernetes_namespaces=["*"],
        token_max_ttl=43200,
        token_default_ttl=21600,
        service_account_name="test-service-account-with-generated-token",
        extra_labels={
            "id": "abc123",
            "name": "some_name",
        },
        extra_annotations={
            "env": "development",
            "location": "earth",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "/path/to/cert",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		invokeFile1, err := std.File(ctx, &std.FileArgs{
    			Input: "/path/to/token",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
    			Path:              pulumi.String("kubernetes"),
    			Description:       pulumi.String("kubernetes secrets engine description"),
    			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
    			KubernetesCaCert:  invokeFile.Result,
    			ServiceAccountJwt: invokeFile1.Result,
    			DisableLocalCaJwt: pulumi.Bool(false),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = kubernetes.NewSecretBackendRole(ctx, "sa-example", &kubernetes.SecretBackendRoleArgs{
    			Backend: config.Path,
    			Name:    pulumi.String("service-account-name-role"),
    			AllowedKubernetesNamespaces: pulumi.StringArray{
    				pulumi.String("*"),
    			},
    			TokenMaxTtl:        pulumi.Int(43200),
    			TokenDefaultTtl:    pulumi.Int(21600),
    			ServiceAccountName: pulumi.String("test-service-account-with-generated-token"),
    			ExtraLabels: pulumi.StringMap{
    				"id":   pulumi.String("abc123"),
    				"name": pulumi.String("some_name"),
    			},
    			ExtraAnnotations: pulumi.StringMap{
    				"env":      pulumi.String("development"),
    				"location": pulumi.String("earth"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Std = Pulumi.Std;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var config = new Vault.Kubernetes.SecretBackend("config", new()
        {
            Path = "kubernetes",
            Description = "kubernetes secrets engine description",
            KubernetesHost = "https://127.0.0.1:61233",
            KubernetesCaCert = Std.File.Invoke(new()
            {
                Input = "/path/to/cert",
            }).Apply(invoke => invoke.Result),
            ServiceAccountJwt = Std.File.Invoke(new()
            {
                Input = "/path/to/token",
            }).Apply(invoke => invoke.Result),
            DisableLocalCaJwt = false,
        });
    
        var sa_example = new Vault.Kubernetes.SecretBackendRole("sa-example", new()
        {
            Backend = config.Path,
            Name = "service-account-name-role",
            AllowedKubernetesNamespaces = new[]
            {
                "*",
            },
            TokenMaxTtl = 43200,
            TokenDefaultTtl = 21600,
            ServiceAccountName = "test-service-account-with-generated-token",
            ExtraLabels = 
            {
                { "id", "abc123" },
                { "name", "some_name" },
            },
            ExtraAnnotations = 
            {
                { "env", "development" },
                { "location", "earth" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.kubernetes.SecretBackend;
    import com.pulumi.vault.kubernetes.SecretBackendArgs;
    import com.pulumi.vault.kubernetes.SecretBackendRole;
    import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var config = new SecretBackend("config", SecretBackendArgs.builder()
                .path("kubernetes")
                .description("kubernetes secrets engine description")
                .kubernetesHost("https://127.0.0.1:61233")
                .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
                    .input("/path/to/cert")
                    .build()).result())
                .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
                    .input("/path/to/token")
                    .build()).result())
                .disableLocalCaJwt(false)
                .build());
    
            var sa_example = new SecretBackendRole("sa-example", SecretBackendRoleArgs.builder()
                .backend(config.path())
                .name("service-account-name-role")
                .allowedKubernetesNamespaces("*")
                .tokenMaxTtl(43200)
                .tokenDefaultTtl(21600)
                .serviceAccountName("test-service-account-with-generated-token")
                .extraLabels(Map.ofEntries(
                    Map.entry("id", "abc123"),
                    Map.entry("name", "some_name")
                ))
                .extraAnnotations(Map.ofEntries(
                    Map.entry("env", "development"),
                    Map.entry("location", "earth")
                ))
                .build());
    
        }
    }
    
    resources:
      config:
        type: vault:kubernetes:SecretBackend
        properties:
          path: kubernetes
          description: kubernetes secrets engine description
          kubernetesHost: https://127.0.0.1:61233
          kubernetesCaCert:
            fn::invoke:
              Function: std:file
              Arguments:
                input: /path/to/cert
              Return: result
          serviceAccountJwt:
            fn::invoke:
              Function: std:file
              Arguments:
                input: /path/to/token
              Return: result
          disableLocalCaJwt: false
      sa-example:
        type: vault:kubernetes:SecretBackendRole
        properties:
          backend: ${config.path}
          name: service-account-name-role
          allowedKubernetesNamespaces:
            - '*'
          tokenMaxTtl: 43200
          tokenDefaultTtl: 21600
          serviceAccountName: test-service-account-with-generated-token
          extraLabels:
            id: abc123
            name: some_name
          extraAnnotations:
            env: development
            location: earth
    

    Example using kubernetes_role_name mode:

    import * as pulumi from "@pulumi/pulumi";
    import * as std from "@pulumi/std";
    import * as vault from "@pulumi/vault";
    
    const config = new vault.kubernetes.SecretBackend("config", {
        path: "kubernetes",
        description: "kubernetes secrets engine description",
        kubernetesHost: "https://127.0.0.1:61233",
        kubernetesCaCert: std.file({
            input: "/path/to/cert",
        }).then(invoke => invoke.result),
        serviceAccountJwt: std.file({
            input: "/path/to/token",
        }).then(invoke => invoke.result),
        disableLocalCaJwt: false,
    });
    const name_example = new vault.kubernetes.SecretBackendRole("name-example", {
        backend: config.path,
        name: "service-account-name-role",
        allowedKubernetesNamespaces: ["*"],
        tokenMaxTtl: 43200,
        tokenDefaultTtl: 21600,
        kubernetesRoleName: "vault-k8s-secrets-role",
        extraLabels: {
            id: "abc123",
            name: "some_name",
        },
        extraAnnotations: {
            env: "development",
            location: "earth",
        },
    });
    
    import pulumi
    import pulumi_std as std
    import pulumi_vault as vault
    
    config = vault.kubernetes.SecretBackend("config",
        path="kubernetes",
        description="kubernetes secrets engine description",
        kubernetes_host="https://127.0.0.1:61233",
        kubernetes_ca_cert=std.file(input="/path/to/cert").result,
        service_account_jwt=std.file(input="/path/to/token").result,
        disable_local_ca_jwt=False)
    name_example = vault.kubernetes.SecretBackendRole("name-example",
        backend=config.path,
        name="service-account-name-role",
        allowed_kubernetes_namespaces=["*"],
        token_max_ttl=43200,
        token_default_ttl=21600,
        kubernetes_role_name="vault-k8s-secrets-role",
        extra_labels={
            "id": "abc123",
            "name": "some_name",
        },
        extra_annotations={
            "env": "development",
            "location": "earth",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "/path/to/cert",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		invokeFile1, err := std.File(ctx, &std.FileArgs{
    			Input: "/path/to/token",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
    			Path:              pulumi.String("kubernetes"),
    			Description:       pulumi.String("kubernetes secrets engine description"),
    			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
    			KubernetesCaCert:  invokeFile.Result,
    			ServiceAccountJwt: invokeFile1.Result,
    			DisableLocalCaJwt: pulumi.Bool(false),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = kubernetes.NewSecretBackendRole(ctx, "name-example", &kubernetes.SecretBackendRoleArgs{
    			Backend: config.Path,
    			Name:    pulumi.String("service-account-name-role"),
    			AllowedKubernetesNamespaces: pulumi.StringArray{
    				pulumi.String("*"),
    			},
    			TokenMaxTtl:        pulumi.Int(43200),
    			TokenDefaultTtl:    pulumi.Int(21600),
    			KubernetesRoleName: pulumi.String("vault-k8s-secrets-role"),
    			ExtraLabels: pulumi.StringMap{
    				"id":   pulumi.String("abc123"),
    				"name": pulumi.String("some_name"),
    			},
    			ExtraAnnotations: pulumi.StringMap{
    				"env":      pulumi.String("development"),
    				"location": pulumi.String("earth"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Std = Pulumi.Std;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var config = new Vault.Kubernetes.SecretBackend("config", new()
        {
            Path = "kubernetes",
            Description = "kubernetes secrets engine description",
            KubernetesHost = "https://127.0.0.1:61233",
            KubernetesCaCert = Std.File.Invoke(new()
            {
                Input = "/path/to/cert",
            }).Apply(invoke => invoke.Result),
            ServiceAccountJwt = Std.File.Invoke(new()
            {
                Input = "/path/to/token",
            }).Apply(invoke => invoke.Result),
            DisableLocalCaJwt = false,
        });
    
        var name_example = new Vault.Kubernetes.SecretBackendRole("name-example", new()
        {
            Backend = config.Path,
            Name = "service-account-name-role",
            AllowedKubernetesNamespaces = new[]
            {
                "*",
            },
            TokenMaxTtl = 43200,
            TokenDefaultTtl = 21600,
            KubernetesRoleName = "vault-k8s-secrets-role",
            ExtraLabels = 
            {
                { "id", "abc123" },
                { "name", "some_name" },
            },
            ExtraAnnotations = 
            {
                { "env", "development" },
                { "location", "earth" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.kubernetes.SecretBackend;
    import com.pulumi.vault.kubernetes.SecretBackendArgs;
    import com.pulumi.vault.kubernetes.SecretBackendRole;
    import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var config = new SecretBackend("config", SecretBackendArgs.builder()
                .path("kubernetes")
                .description("kubernetes secrets engine description")
                .kubernetesHost("https://127.0.0.1:61233")
                .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
                    .input("/path/to/cert")
                    .build()).result())
                .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
                    .input("/path/to/token")
                    .build()).result())
                .disableLocalCaJwt(false)
                .build());
    
            var name_example = new SecretBackendRole("name-example", SecretBackendRoleArgs.builder()
                .backend(config.path())
                .name("service-account-name-role")
                .allowedKubernetesNamespaces("*")
                .tokenMaxTtl(43200)
                .tokenDefaultTtl(21600)
                .kubernetesRoleName("vault-k8s-secrets-role")
                .extraLabels(Map.ofEntries(
                    Map.entry("id", "abc123"),
                    Map.entry("name", "some_name")
                ))
                .extraAnnotations(Map.ofEntries(
                    Map.entry("env", "development"),
                    Map.entry("location", "earth")
                ))
                .build());
    
        }
    }
    
    resources:
      config:
        type: vault:kubernetes:SecretBackend
        properties:
          path: kubernetes
          description: kubernetes secrets engine description
          kubernetesHost: https://127.0.0.1:61233
          kubernetesCaCert:
            fn::invoke:
              Function: std:file
              Arguments:
                input: /path/to/cert
              Return: result
          serviceAccountJwt:
            fn::invoke:
              Function: std:file
              Arguments:
                input: /path/to/token
              Return: result
          disableLocalCaJwt: false
      name-example:
        type: vault:kubernetes:SecretBackendRole
        properties:
          backend: ${config.path}
          name: service-account-name-role
          allowedKubernetesNamespaces:
            - '*'
          tokenMaxTtl: 43200
          tokenDefaultTtl: 21600
          kubernetesRoleName: vault-k8s-secrets-role
          extraLabels:
            id: abc123
            name: some_name
          extraAnnotations:
            env: development
            location: earth
    

    Example using generated_role_rules mode:

    import * as pulumi from "@pulumi/pulumi";
    import * as std from "@pulumi/std";
    import * as vault from "@pulumi/vault";
    
    const config = new vault.kubernetes.SecretBackend("config", {
        path: "kubernetes",
        description: "kubernetes secrets engine description",
        kubernetesHost: "https://127.0.0.1:61233",
        kubernetesCaCert: std.file({
            input: "/path/to/cert",
        }).then(invoke => invoke.result),
        serviceAccountJwt: std.file({
            input: "/path/to/token",
        }).then(invoke => invoke.result),
        disableLocalCaJwt: false,
    });
    const rules_example = new vault.kubernetes.SecretBackendRole("rules-example", {
        backend: config.path,
        name: "service-account-name-role",
        allowedKubernetesNamespaces: ["*"],
        tokenMaxTtl: 43200,
        tokenDefaultTtl: 21600,
        kubernetesRoleType: "Role",
        generatedRoleRules: `rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["list"]
    `,
        extraLabels: {
            id: "abc123",
            name: "some_name",
        },
        extraAnnotations: {
            env: "development",
            location: "earth",
        },
    });
    
    import pulumi
    import pulumi_std as std
    import pulumi_vault as vault
    
    config = vault.kubernetes.SecretBackend("config",
        path="kubernetes",
        description="kubernetes secrets engine description",
        kubernetes_host="https://127.0.0.1:61233",
        kubernetes_ca_cert=std.file(input="/path/to/cert").result,
        service_account_jwt=std.file(input="/path/to/token").result,
        disable_local_ca_jwt=False)
    rules_example = vault.kubernetes.SecretBackendRole("rules-example",
        backend=config.path,
        name="service-account-name-role",
        allowed_kubernetes_namespaces=["*"],
        token_max_ttl=43200,
        token_default_ttl=21600,
        kubernetes_role_type="Role",
        generated_role_rules="""rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["list"]
    """,
        extra_labels={
            "id": "abc123",
            "name": "some_name",
        },
        extra_annotations={
            "env": "development",
            "location": "earth",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "/path/to/cert",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		invokeFile1, err := std.File(ctx, &std.FileArgs{
    			Input: "/path/to/token",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
    			Path:              pulumi.String("kubernetes"),
    			Description:       pulumi.String("kubernetes secrets engine description"),
    			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
    			KubernetesCaCert:  invokeFile.Result,
    			ServiceAccountJwt: invokeFile1.Result,
    			DisableLocalCaJwt: pulumi.Bool(false),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = kubernetes.NewSecretBackendRole(ctx, "rules-example", &kubernetes.SecretBackendRoleArgs{
    			Backend: config.Path,
    			Name:    pulumi.String("service-account-name-role"),
    			AllowedKubernetesNamespaces: pulumi.StringArray{
    				pulumi.String("*"),
    			},
    			TokenMaxTtl:        pulumi.Int(43200),
    			TokenDefaultTtl:    pulumi.Int(21600),
    			KubernetesRoleType: pulumi.String("Role"),
    			GeneratedRoleRules: pulumi.String("rules:\n- apiGroups: [\"\"]\n  resources: [\"pods\"]\n  verbs: [\"list\"]\n"),
    			ExtraLabels: pulumi.StringMap{
    				"id":   pulumi.String("abc123"),
    				"name": pulumi.String("some_name"),
    			},
    			ExtraAnnotations: pulumi.StringMap{
    				"env":      pulumi.String("development"),
    				"location": pulumi.String("earth"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Std = Pulumi.Std;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var config = new Vault.Kubernetes.SecretBackend("config", new()
        {
            Path = "kubernetes",
            Description = "kubernetes secrets engine description",
            KubernetesHost = "https://127.0.0.1:61233",
            KubernetesCaCert = Std.File.Invoke(new()
            {
                Input = "/path/to/cert",
            }).Apply(invoke => invoke.Result),
            ServiceAccountJwt = Std.File.Invoke(new()
            {
                Input = "/path/to/token",
            }).Apply(invoke => invoke.Result),
            DisableLocalCaJwt = false,
        });
    
        var rules_example = new Vault.Kubernetes.SecretBackendRole("rules-example", new()
        {
            Backend = config.Path,
            Name = "service-account-name-role",
            AllowedKubernetesNamespaces = new[]
            {
                "*",
            },
            TokenMaxTtl = 43200,
            TokenDefaultTtl = 21600,
            KubernetesRoleType = "Role",
            GeneratedRoleRules = @"rules:
    - apiGroups: [""""]
      resources: [""pods""]
      verbs: [""list""]
    ",
            ExtraLabels = 
            {
                { "id", "abc123" },
                { "name", "some_name" },
            },
            ExtraAnnotations = 
            {
                { "env", "development" },
                { "location", "earth" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.kubernetes.SecretBackend;
    import com.pulumi.vault.kubernetes.SecretBackendArgs;
    import com.pulumi.vault.kubernetes.SecretBackendRole;
    import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var config = new SecretBackend("config", SecretBackendArgs.builder()
                .path("kubernetes")
                .description("kubernetes secrets engine description")
                .kubernetesHost("https://127.0.0.1:61233")
                .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
                    .input("/path/to/cert")
                    .build()).result())
                .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
                    .input("/path/to/token")
                    .build()).result())
                .disableLocalCaJwt(false)
                .build());
    
            var rules_example = new SecretBackendRole("rules-example", SecretBackendRoleArgs.builder()
                .backend(config.path())
                .name("service-account-name-role")
                .allowedKubernetesNamespaces("*")
                .tokenMaxTtl(43200)
                .tokenDefaultTtl(21600)
                .kubernetesRoleType("Role")
                .generatedRoleRules("""
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["list"]
                """)
                .extraLabels(Map.ofEntries(
                    Map.entry("id", "abc123"),
                    Map.entry("name", "some_name")
                ))
                .extraAnnotations(Map.ofEntries(
                    Map.entry("env", "development"),
                    Map.entry("location", "earth")
                ))
                .build());
    
        }
    }
    
    resources:
      config:
        type: vault:kubernetes:SecretBackend
        properties:
          path: kubernetes
          description: kubernetes secrets engine description
          kubernetesHost: https://127.0.0.1:61233
          kubernetesCaCert:
            fn::invoke:
              Function: std:file
              Arguments:
                input: /path/to/cert
              Return: result
          serviceAccountJwt:
            fn::invoke:
              Function: std:file
              Arguments:
                input: /path/to/token
              Return: result
          disableLocalCaJwt: false
      rules-example:
        type: vault:kubernetes:SecretBackendRole
        properties:
          backend: ${config.path}
          name: service-account-name-role
          allowedKubernetesNamespaces:
            - '*'
          tokenMaxTtl: 43200
          tokenDefaultTtl: 21600
          kubernetesRoleType: Role
          generatedRoleRules: |
            rules:
            - apiGroups: [""]
              resources: ["pods"]
              verbs: ["list"]        
          extraLabels:
            id: abc123
            name: some_name
          extraAnnotations:
            env: development
            location: earth
    

    Create SecretBackendRole Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);
    @overload
    def SecretBackendRole(resource_name: str,
                          args: SecretBackendRoleArgs,
                          opts: Optional[ResourceOptions] = None)
    
    @overload
    def SecretBackendRole(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          backend: Optional[str] = None,
                          kubernetes_role_name: Optional[str] = None,
                          allowed_kubernetes_namespaces: Optional[Sequence[str]] = None,
                          extra_annotations: Optional[Mapping[str, str]] = None,
                          extra_labels: Optional[Mapping[str, str]] = None,
                          generated_role_rules: Optional[str] = None,
                          allowed_kubernetes_namespace_selector: Optional[str] = None,
                          kubernetes_role_type: Optional[str] = None,
                          name: Optional[str] = None,
                          name_template: Optional[str] = None,
                          namespace: Optional[str] = None,
                          service_account_name: Optional[str] = None,
                          token_default_ttl: Optional[int] = None,
                          token_max_ttl: Optional[int] = None)
    func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)
    public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)
    public SecretBackendRole(String name, SecretBackendRoleArgs args)
    public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)
    
    type: vault:kubernetes:SecretBackendRole
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole = new Vault.Kubernetes.SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", new()
    {
        Backend = "string",
        KubernetesRoleName = "string",
        AllowedKubernetesNamespaces = new[]
        {
            "string",
        },
        ExtraAnnotations = 
        {
            { "string", "string" },
        },
        ExtraLabels = 
        {
            { "string", "string" },
        },
        GeneratedRoleRules = "string",
        AllowedKubernetesNamespaceSelector = "string",
        KubernetesRoleType = "string",
        Name = "string",
        NameTemplate = "string",
        Namespace = "string",
        ServiceAccountName = "string",
        TokenDefaultTtl = 0,
        TokenMaxTtl = 0,
    });
    
    example, err := kubernetes.NewSecretBackendRole(ctx, "examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", &kubernetes.SecretBackendRoleArgs{
    	Backend:            pulumi.String("string"),
    	KubernetesRoleName: pulumi.String("string"),
    	AllowedKubernetesNamespaces: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	ExtraAnnotations: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	ExtraLabels: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	GeneratedRoleRules:                 pulumi.String("string"),
    	AllowedKubernetesNamespaceSelector: pulumi.String("string"),
    	KubernetesRoleType:                 pulumi.String("string"),
    	Name:                               pulumi.String("string"),
    	NameTemplate:                       pulumi.String("string"),
    	Namespace:                          pulumi.String("string"),
    	ServiceAccountName:                 pulumi.String("string"),
    	TokenDefaultTtl:                    pulumi.Int(0),
    	TokenMaxTtl:                        pulumi.Int(0),
    })
    
    var examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole = new SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", SecretBackendRoleArgs.builder()
        .backend("string")
        .kubernetesRoleName("string")
        .allowedKubernetesNamespaces("string")
        .extraAnnotations(Map.of("string", "string"))
        .extraLabels(Map.of("string", "string"))
        .generatedRoleRules("string")
        .allowedKubernetesNamespaceSelector("string")
        .kubernetesRoleType("string")
        .name("string")
        .nameTemplate("string")
        .namespace("string")
        .serviceAccountName("string")
        .tokenDefaultTtl(0)
        .tokenMaxTtl(0)
        .build());
    
    examplesecret_backend_role_resource_resource_from_kubernetessecret_backend_role = vault.kubernetes.SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole",
        backend="string",
        kubernetes_role_name="string",
        allowed_kubernetes_namespaces=["string"],
        extra_annotations={
            "string": "string",
        },
        extra_labels={
            "string": "string",
        },
        generated_role_rules="string",
        allowed_kubernetes_namespace_selector="string",
        kubernetes_role_type="string",
        name="string",
        name_template="string",
        namespace="string",
        service_account_name="string",
        token_default_ttl=0,
        token_max_ttl=0)
    
    const examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole = new vault.kubernetes.SecretBackendRole("examplesecretBackendRoleResourceResourceFromKubernetessecretBackendRole", {
        backend: "string",
        kubernetesRoleName: "string",
        allowedKubernetesNamespaces: ["string"],
        extraAnnotations: {
            string: "string",
        },
        extraLabels: {
            string: "string",
        },
        generatedRoleRules: "string",
        allowedKubernetesNamespaceSelector: "string",
        kubernetesRoleType: "string",
        name: "string",
        nameTemplate: "string",
        namespace: "string",
        serviceAccountName: "string",
        tokenDefaultTtl: 0,
        tokenMaxTtl: 0,
    });
    
    type: vault:kubernetes:SecretBackendRole
    properties:
        allowedKubernetesNamespaceSelector: string
        allowedKubernetesNamespaces:
            - string
        backend: string
        extraAnnotations:
            string: string
        extraLabels:
            string: string
        generatedRoleRules: string
        kubernetesRoleName: string
        kubernetesRoleType: string
        name: string
        nameTemplate: string
        namespace: string
        serviceAccountName: string
        tokenDefaultTtl: 0
        tokenMaxTtl: 0
    

    SecretBackendRole Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SecretBackendRole resource accepts the following input properties:

    Backend string
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    AllowedKubernetesNamespaceSelector string
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    AllowedKubernetesNamespaces List<string>
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    ExtraAnnotations Dictionary<string, string>
    Additional annotations to apply to all generated Kubernetes objects.
    ExtraLabels Dictionary<string, string>

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    GeneratedRoleRules string
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    KubernetesRoleName string
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    KubernetesRoleType string
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    Name string
    The name of the role.
    NameTemplate string
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ServiceAccountName string
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    TokenDefaultTtl int
    The default TTL for generated Kubernetes tokens in seconds.
    TokenMaxTtl int
    The maximum TTL for generated Kubernetes tokens in seconds.
    Backend string
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    AllowedKubernetesNamespaceSelector string
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    AllowedKubernetesNamespaces []string
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    ExtraAnnotations map[string]string
    Additional annotations to apply to all generated Kubernetes objects.
    ExtraLabels map[string]string

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    GeneratedRoleRules string
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    KubernetesRoleName string
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    KubernetesRoleType string
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    Name string
    The name of the role.
    NameTemplate string
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ServiceAccountName string
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    TokenDefaultTtl int
    The default TTL for generated Kubernetes tokens in seconds.
    TokenMaxTtl int
    The maximum TTL for generated Kubernetes tokens in seconds.
    backend String
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    allowedKubernetesNamespaceSelector String
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    allowedKubernetesNamespaces List<String>
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    extraAnnotations Map<String,String>
    Additional annotations to apply to all generated Kubernetes objects.
    extraLabels Map<String,String>

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    generatedRoleRules String
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    kubernetesRoleName String
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    kubernetesRoleType String
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    name String
    The name of the role.
    nameTemplate String
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    serviceAccountName String
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    tokenDefaultTtl Integer
    The default TTL for generated Kubernetes tokens in seconds.
    tokenMaxTtl Integer
    The maximum TTL for generated Kubernetes tokens in seconds.
    backend string
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    allowedKubernetesNamespaceSelector string
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    allowedKubernetesNamespaces string[]
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    extraAnnotations {[key: string]: string}
    Additional annotations to apply to all generated Kubernetes objects.
    extraLabels {[key: string]: string}

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    generatedRoleRules string
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    kubernetesRoleName string
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    kubernetesRoleType string
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    name string
    The name of the role.
    nameTemplate string
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    serviceAccountName string
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    tokenDefaultTtl number
    The default TTL for generated Kubernetes tokens in seconds.
    tokenMaxTtl number
    The maximum TTL for generated Kubernetes tokens in seconds.
    backend str
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    allowed_kubernetes_namespace_selector str
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    allowed_kubernetes_namespaces Sequence[str]
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    extra_annotations Mapping[str, str]
    Additional annotations to apply to all generated Kubernetes objects.
    extra_labels Mapping[str, str]

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    generated_role_rules str
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    kubernetes_role_name str
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    kubernetes_role_type str
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    name str
    The name of the role.
    name_template str
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    service_account_name str
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    token_default_ttl int
    The default TTL for generated Kubernetes tokens in seconds.
    token_max_ttl int
    The maximum TTL for generated Kubernetes tokens in seconds.
    backend String
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    allowedKubernetesNamespaceSelector String
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    allowedKubernetesNamespaces List<String>
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    extraAnnotations Map<String>
    Additional annotations to apply to all generated Kubernetes objects.
    extraLabels Map<String>

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    generatedRoleRules String
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    kubernetesRoleName String
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    kubernetesRoleType String
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    name String
    The name of the role.
    nameTemplate String
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    serviceAccountName String
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    tokenDefaultTtl Number
    The default TTL for generated Kubernetes tokens in seconds.
    tokenMaxTtl Number
    The maximum TTL for generated Kubernetes tokens in seconds.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing SecretBackendRole Resource

    Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            allowed_kubernetes_namespace_selector: Optional[str] = None,
            allowed_kubernetes_namespaces: Optional[Sequence[str]] = None,
            backend: Optional[str] = None,
            extra_annotations: Optional[Mapping[str, str]] = None,
            extra_labels: Optional[Mapping[str, str]] = None,
            generated_role_rules: Optional[str] = None,
            kubernetes_role_name: Optional[str] = None,
            kubernetes_role_type: Optional[str] = None,
            name: Optional[str] = None,
            name_template: Optional[str] = None,
            namespace: Optional[str] = None,
            service_account_name: Optional[str] = None,
            token_default_ttl: Optional[int] = None,
            token_max_ttl: Optional[int] = None) -> SecretBackendRole
    func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)
    public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)
    public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AllowedKubernetesNamespaceSelector string
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    AllowedKubernetesNamespaces List<string>
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    Backend string
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    ExtraAnnotations Dictionary<string, string>
    Additional annotations to apply to all generated Kubernetes objects.
    ExtraLabels Dictionary<string, string>

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    GeneratedRoleRules string
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    KubernetesRoleName string
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    KubernetesRoleType string
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    Name string
    The name of the role.
    NameTemplate string
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ServiceAccountName string
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    TokenDefaultTtl int
    The default TTL for generated Kubernetes tokens in seconds.
    TokenMaxTtl int
    The maximum TTL for generated Kubernetes tokens in seconds.
    AllowedKubernetesNamespaceSelector string
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    AllowedKubernetesNamespaces []string
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    Backend string
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    ExtraAnnotations map[string]string
    Additional annotations to apply to all generated Kubernetes objects.
    ExtraLabels map[string]string

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    GeneratedRoleRules string
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    KubernetesRoleName string
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    KubernetesRoleType string
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    Name string
    The name of the role.
    NameTemplate string
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ServiceAccountName string
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    TokenDefaultTtl int
    The default TTL for generated Kubernetes tokens in seconds.
    TokenMaxTtl int
    The maximum TTL for generated Kubernetes tokens in seconds.
    allowedKubernetesNamespaceSelector String
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    allowedKubernetesNamespaces List<String>
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    backend String
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    extraAnnotations Map<String,String>
    Additional annotations to apply to all generated Kubernetes objects.
    extraLabels Map<String,String>

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    generatedRoleRules String
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    kubernetesRoleName String
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    kubernetesRoleType String
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    name String
    The name of the role.
    nameTemplate String
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    serviceAccountName String
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    tokenDefaultTtl Integer
    The default TTL for generated Kubernetes tokens in seconds.
    tokenMaxTtl Integer
    The maximum TTL for generated Kubernetes tokens in seconds.
    allowedKubernetesNamespaceSelector string
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    allowedKubernetesNamespaces string[]
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    backend string
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    extraAnnotations {[key: string]: string}
    Additional annotations to apply to all generated Kubernetes objects.
    extraLabels {[key: string]: string}

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    generatedRoleRules string
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    kubernetesRoleName string
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    kubernetesRoleType string
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    name string
    The name of the role.
    nameTemplate string
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    serviceAccountName string
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    tokenDefaultTtl number
    The default TTL for generated Kubernetes tokens in seconds.
    tokenMaxTtl number
    The maximum TTL for generated Kubernetes tokens in seconds.
    allowed_kubernetes_namespace_selector str
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    allowed_kubernetes_namespaces Sequence[str]
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    backend str
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    extra_annotations Mapping[str, str]
    Additional annotations to apply to all generated Kubernetes objects.
    extra_labels Mapping[str, str]

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    generated_role_rules str
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    kubernetes_role_name str
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    kubernetes_role_type str
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    name str
    The name of the role.
    name_template str
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    service_account_name str
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    token_default_ttl int
    The default TTL for generated Kubernetes tokens in seconds.
    token_max_ttl int
    The maximum TTL for generated Kubernetes tokens in seconds.
    allowedKubernetesNamespaceSelector String
    A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set with allowed_kubernetes_namespace, the conditions are ORed.
    allowedKubernetesNamespaces List<String>
    The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. If set with allowed_kubernetes_namespace_selector, the conditions are ORed.
    backend String
    The path of the Kubernetes Secrets Engine backend mount to create the role in.
    extraAnnotations Map<String>
    Additional annotations to apply to all generated Kubernetes objects.
    extraLabels Map<String>

    Additional labels to apply to all generated Kubernetes objects.

    This resource also directly accepts all vault.Mount fields.

    generatedRoleRules String
    The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
    kubernetesRoleName String
    The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
    kubernetesRoleType String
    Specifies whether the Kubernetes role is a Role or ClusterRole.
    name String
    The name of the role.
    nameTemplate String
    The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    serviceAccountName String
    The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested.
    tokenDefaultTtl Number
    The default TTL for generated Kubernetes tokens in seconds.
    tokenMaxTtl Number
    The maximum TTL for generated Kubernetes tokens in seconds.

    Import

    The Kubernetes secret backend role can be imported using the full path to the role

    of the form: <backend_path>/roles/<role_name> e.g.

    $ pulumi import vault:kubernetes/secretBackendRole:SecretBackendRole example kubernetes kubernetes/roles/example-role
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.2.0 published on Friday, Jun 21, 2024 by Pulumi