vault_gcp_secret_static_account

Creates a Static Account in the GCP Secrets Engine for Vault.

Each static account is tied to a separately managed Service Account, and can have one or more bindings associated with it.

Example Usage

resource "google_service_account" "this" {
  account_id = "my-awesome-account"
}

resource "vault_gcp_secret_backend" "gcp" {
  path        = "gcp"
  # Credentials of the GCP service account Vault uses to manage keys and tokens.
  credentials = file("credentials.json")
}

resource "vault_gcp_secret_static_account" "static_account" {
  backend        = vault_gcp_secret_backend.gcp.path
  static_account = "project_viewer"
  secret_type    = "access_token"
  token_scopes   = ["https://www.googleapis.com/auth/cloud-platform"]

  # The separately managed service account this static account is tied to.
  service_account_email = google_service_account.this.email

  # Optional
  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/${google_service_account.this.project}"

    roles = [
      "roles/viewer",
    ]
  }
}
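The following is an added example, not part of the provider's documentation, that builds on the backend declared above. It narrows the binding to a single bucket instead of the whole project, places a second static account that issues service account keys next to the token-issuing one, and grants consumers a Vault policy limited to the token endpoint. The bucket name, account ids and policy name are constructed; the bucket resource-name format and the `static-account/<name>/token` path are assumed from the Vault GCP secrets engine API.

```hcl
# Added example (not from the provider docs). Assumed names: the bucket
# "example-audit-logs", the service account ids and the policy name.

resource "google_service_account" "bucket_reader" {
  account_id = "vault-bucket-reader"
}

# Static account issuing short-lived OAuth2 access tokens. The binding is
# narrowed to one bucket and one read-only role rather than project-wide viewer.
resource "vault_gcp_secret_static_account" "bucket_reader" {
  backend        = vault_gcp_secret_backend.gcp.path
  static_account = "bucket_reader"
  secret_type    = "access_token"
  token_scopes   = ["https://www.googleapis.com/auth/devstorage.read_only"]

  service_account_email = google_service_account.bucket_reader.email

  binding {
    # Full resource name of a GCS bucket (assumed format).
    resource = "//storage.googleapis.com/projects/_/buckets/example-audit-logs"
    roles    = ["roles/storage.objectViewer"]
  }
}

resource "google_service_account" "legacy_uploader" {
  account_id = "vault-legacy-uploader"
}

# Same mechanism, but Vault hands out service account keys instead of tokens.
# Keys are long-lived credentials, so this type is only appropriate for a
# consumer that cannot present an OAuth2 access token; prefer "access_token"
# wherever the client supports it.
resource "vault_gcp_secret_static_account" "legacy_uploader" {
  backend        = vault_gcp_secret_backend.gcp.path
  static_account = "legacy_uploader"
  secret_type    = "service_account_key"

  service_account_email = google_service_account.legacy_uploader.email

  binding {
    resource = "//storage.googleapis.com/projects/_/buckets/example-audit-logs"
    roles    = ["roles/storage.objectCreator"]
  }
}

# Consumers receive a policy that can read only the bucket_reader token
# endpoint, not the backend configuration or any other static account.
resource "vault_policy" "bucket_reader_token" {
  name = "gcp-bucket-reader-token"

  policy = <<-EOT
    path "${vault_gcp_secret_backend.gcp.path}/static-account/${vault_gcp_secret_static_account.bucket_reader.static_account}/token" {
      capabilities = ["read"]
    }
  EOT
}
```

After `terraform apply`, a client holding a Vault token with the `gcp-bucket-reader-token` policy can read `gcp/static-account/bucket_reader/token` (assumed path) and receives an access token scoped to read-only access on that bucket; it cannot list or read the `legacy_uploader` key endpoint.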

Argument Reference

The following arguments are supported:

The binding block supports:

Attributes Reference

In addition to the fields above, the following attributes are also exposed:

Import

A static account can be imported using its Vault path. For example, referencing the example above:

$ terraform import vault_gcp_secret_static_account.static_account gcp/static-account/project_viewer