vault_gcp_secret_roleset

Creates a Roleset in the GCP Secrets Engine for Vault.

Each Roleset is tied to a Service Account, and can have one or more bindings associated with it.

Example Usage

locals {
  project = "my-awesome-project"
}

resource "vault_gcp_secret_backend" "gcp" {
  path        = "gcp"
  # Terraform 0.12+ syntax; the legacy "${file(...)}" interpolation form is deprecated
  credentials = file("credentials.json")
}

resource "vault_gcp_secret_roleset" "roleset" {
  backend      = vault_gcp_secret_backend.gcp.path
  roleset      = "project_viewer"
  secret_type  = "access_token"
  project      = local.project
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/${local.project}"

    roles = [
      "roles/viewer",
    ]
  }
}
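The following is an added example, not part of the provider documentation above. It extends the usage example with a second roleset that issues `service_account_key` secrets instead of OAuth access tokens and carries two bindings, so the Service Account Vault manages for it is granted only what each resource needs. The bucket name, the roleset name, and the consumer policy are constructed for illustration; the `gcp/key/<roleset>` generation path and the `service_account_email` attribute are assumed from the Vault GCP secrets engine and provider rather than shown on this page.

```hcl
locals {
  project = "my-awesome-project"
  bucket  = "my-awesome-project-logs" # constructed bucket name for the example
}

resource "vault_gcp_secret_backend" "gcp" {
  path        = "gcp"
  credentials = file("credentials.json")
}

# One roleset, two bindings: the Service Account Vault creates for this roleset
# gets roles/viewer on the project and roles/storage.objectViewer on a single
# bucket. secret_type = "service_account_key" needs no token_scopes.
resource "vault_gcp_secret_roleset" "log_reader" {
  backend     = vault_gcp_secret_backend.gcp.path
  roleset     = "log_reader"
  secret_type = "service_account_key"
  project     = local.project

  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/${local.project}"
    roles    = ["roles/viewer"]
  }

  binding {
    # Full resource name of a Cloud Storage bucket (constructed for the example)
    resource = "//storage.googleapis.com/projects/_/buckets/${local.bucket}"
    roles    = ["roles/storage.objectViewer"]
  }
}

# Vault policy that lets a consumer generate keys for this one roleset only.
# The "<backend>/key/<roleset>" path is the engine's key-generation endpoint
# (assumed from the Vault GCP secrets engine, not listed on this page).
resource "vault_policy" "log_reader_consumer" {
  name   = "gcp-log-reader-consumer"
  policy = <<-EOT
    path "${vault_gcp_secret_backend.gcp.path}/key/${vault_gcp_secret_roleset.log_reader.roleset}" {
      capabilities = ["read"]
    }
  EOT
}

# Email of the Service Account the roleset manages; exported attribute of the
# resource (assumed from the provider, not listed on this page). Useful for
# auditing which GCP identity the generated keys belong to.
output "log_reader_service_account" {
  value = vault_gcp_secret_roleset.log_reader.service_account_email
}
```

Because every binding is declared on the roleset, the IAM grants live in Terraform state rather than being applied by hand in GCP; a consumer that holds only the `gcp-log-reader-consumer` policy can mint keys for `log_reader` but cannot touch the `project_viewer` roleset from the usage example.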

Argument Reference

The following arguments are supported:

The binding block supports:

Attributes Reference

In addition to the fields above, the following attributes are also exposed:

Import

A roleset can be imported using its Vault path. For example, referencing the example above:

$ terraform import vault_gcp_secret_roleset.roleset gcp/roleset/project_viewer