Reads a KV-V1 secret from a given path in Vault.
For more information on Vault's KV-V1 secret backend see here.
```hcl
resource "vault_mount" "kvv1" {
  path        = "kvv1"
  type        = "kv"
  options     = { version = "1" }
  description = "KV Version 1 secret engine mount"
}

resource "vault_kv_secret" "secret" {
  path = "${vault_mount.kvv1.path}/secret"
  data_json = jsonencode(
    {
      zip = "zap",
      foo = "bar"
    }
  )
}

data "vault_kv_secret" "secret_data" {
  path = vault_kv_secret.secret.path
}
```
The following arguments are supported:
namespace - (Optional) The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
path - (Required) Full path of the KV-V1 secret.
Use of this resource requires the read capability on the given path.
The following attributes are exported:
data - A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
data_json - JSON-encoded string that is read as the secret data at the given path.
lease_id - The lease identifier assigned by Vault, if any.
lease_duration - The duration of the secret lease, in seconds. Once this time has passed any plan generated with this data may fail to apply.
lease_renewable - True if the duration of this lease can be extended through renewal.
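
The following is an added example, not part of the provider documentation. It shows a policy that grants only the read capability on the path the data source uses, and a consumer that decodes data_json instead of relying on the string-only data map. It reuses the resources from the example above; the policy, local and output names are hypothetical.

```hcl
# Added example; names marked "hypothetical" are not from the provider docs.

# Least-privilege policy for the token Terraform uses to read the secret:
# only the "read" capability, only on the one KV-V1 path.
resource "vault_policy" "tf_read_secret" {
  name   = "tf-read-kvv1-secret" # hypothetical policy name
  policy = <<-EOT
    path "${vault_kv_secret.secret.path}" {
      capabilities = ["read"]
    }
  EOT
}

locals {
  # "data" is a map of strings, so non-string values arrive JSON-serialized.
  # Decoding "data_json" keeps the original types (numbers, lists, objects).
  secret = jsondecode(data.vault_kv_secret.secret_data.data_json)
}

output "foo" {
  value = local.secret.foo

  # Redacts the value in plan/apply output. The secret is still written to
  # the Terraform state in cleartext, so the state backend needs its own
  # encryption and access controls.
  sensitive = true
}
```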