Creates a role on an AWS Secret Backend for Vault. Roles are used to map credentials to the policies that generated them.
```hcl
resource "vault_aws_secret_backend" "aws" {
  access_key = "AKIA....."
  secret_key = "AWS secret key"
}

resource "vault_aws_secret_backend_role" "role" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "deploy"
  credential_type = "iam_user"

  # Illustrative policy only: iam:* on every resource is far broader than a
  # real deploy role needs; scope Action and Resource to the task at hand.
  policy_document = <<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
EOT
}
```
The following arguments are supported:

- `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- `backend` - (Required) The path the AWS secret backend is mounted at, with no leading or trailing `/`s.
- `name` - (Required) The name to identify this role within the backend. Must be unique within the backend.
- `credential_type` - (Required) Specifies the type of credential to be used when retrieving credentials from the role. Must be one of `iam_user`, `assumed_role`, or `federation_token`.
- `role_arns` - (Optional) Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when `credential_type` is `assumed_role` and prohibited otherwise.
- `policy_arns` - (Optional) Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With `iam_user`, the policies will be attached to IAM users when they are requested. With `assumed_role` and `federation_token`, the policy ARNs will act as a filter on what the credentials can do, similar to `policy_document`. When `credential_type` is `iam_user` or `federation_token`, at least one of `policy_document` or `policy_arns` must be specified.
- `policy_document` - (Optional) The IAM policy document for the role. The behavior depends on the credential type. With `iam_user`, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do, similar to `policy_arns`.
- `iam_groups` - (Optional) A list of IAM group names. IAM users generated against this Vault role will be added to these IAM groups. For a credential type of `assumed_role` or `federation_token`, the policies sent to the corresponding AWS call (`sts:AssumeRole` or `sts:GetFederationToken`) will be the policies from each group in `iam_groups` combined with the `policy_document` and `policy_arns` parameters.
- `default_sts_ttl` - (Optional) The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- `max_sts_ttl` - (Optional) The maximum allowed TTL in seconds for STS credentials (credential TTLs are capped to `max_sts_ttl`). Valid only when `credential_type` is one of `assumed_role` or `federation_token`.
- `user_path` - (Optional) The path for the user name. Valid only when `credential_type` is `iam_user`. Default is `/`.
- `permissions_boundary_arn` - (Optional) The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when `credential_type` is `iam_user`. If not specified, then no permissions boundary policy will be attached.
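An added example, not from the provider documentation, that uses the arguments above to tighten both credential types: an `assumed_role` role that hands out short-lived STS sessions scoped by `role_arns`, `policy_arns`, an inline policy and TTL caps, and an `iam_user` role with a permissions boundary and a dedicated `user_path`. The account id, role and policy ARNs, bucket name and mount path are assumed placeholders.

```hcl
# Added example, not from the provider docs. Secrets come from variables so
# none are committed; ARNs, account id, bucket and mount path are placeholders.
variable "aws_access_key" { type = string }
variable "aws_secret_key" {
  type      = string
  sensitive = true
}

resource "vault_aws_secret_backend" "aws" {
  path       = "aws"
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
}

# STS role: Vault assumes an existing IAM role and hands out short-lived
# session credentials. role_arns is required for assumed_role; the inline
# policy_document and policy_arns can only narrow what the session may do.
resource "vault_aws_secret_backend_role" "ci_reader" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "ci-reader"
  credential_type = "assumed_role"
  role_arns       = ["arn:aws:iam::123456789012:role/vault-ci-reader"]
  policy_arns     = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
  default_sts_ttl = 900  # 15 minutes unless the caller asks for more
  max_sts_ttl     = 3600 # hard cap of one hour

  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-artifacts",
        "arn:aws:s3:::example-artifacts/*",
      ]
    }]
  })
}

# IAM-user role: Vault creates a real IAM user per lease. The permissions
# boundary caps what the user can ever do, even if the attached policy is
# widened later; user_path keeps Vault-created users easy to find in IAM.
resource "vault_aws_secret_backend_role" "deploy" {
  backend                  = vault_aws_secret_backend.aws.path
  name                     = "deploy"
  credential_type          = "iam_user"
  user_path                = "/vault/"
  permissions_boundary_arn = "arn:aws:iam::123456789012:policy/vault-boundary"
  policy_arns              = ["arn:aws:iam::123456789012:policy/deploy-minimal"]
}
```

For the `assumed_role` case the target IAM role's trust policy must also allow the principal behind the backend's access key to call `sts:AssumeRole`; Vault cannot grant that from its side.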
No additional attributes are exported by this resource.

AWS secret backend roles can be imported using the `path`, e.g.

```shell
$ terraform import vault_aws_secret_backend_role.role aws/roles/deploy
```