Reads a KV-V2 secret from a given path in Vault.
This resource is primarily intended to be used with Vault's KV-V2 secret backend.
```hcl
resource "vault_mount" "kvv2" {
  path        = "kvv2"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount"
}

resource "vault_kv_secret_v2" "example" {
  mount               = vault_mount.kvv2.path
  name                = "secret"
  cas                 = 1
  delete_all_versions = true
  data_json = jsonencode(
    {
      zip = "zap",
      foo = "bar"
    }
  )
}

data "vault_kv_secret_v2" "example" {
  mount = vault_mount.kvv2.path
  name  = vault_kv_secret_v2.example.name
}
```
The following arguments are supported:

* `namespace` - (Optional) The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

* `mount` - (Required) Path where the KV-V2 engine is mounted.

* `name` - (Required) Full name of the secret. For a nested secret the name is the nested path excluding the mount and the `data` prefix. For example, for a secret at `kvv2/data/foo/bar/baz` the name is `foo/bar/baz`.

* `version` - (Optional) Version of the secret to retrieve.

Use of this resource requires the `read` capability on the given path.
The following attributes are exported:

* `path` - Full path where the KV-V2 secret is written.

* `data` - A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.

* `data_json` - JSON-encoded string that is read as the secret data at the given path.

* `created_time` - Time at which the secret was created.

* `custom_metadata` - Custom metadata for the secret.

* `deletion_time` - Deletion time for the secret.

* `destroyed` - Indicates whether the secret has been destroyed.

* `version` - Version of the secret.
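The following configuration is an added example, not part of the provider's documentation. It ties together the `name` rule for nested secrets, pinning a `version`, the `read` capability the data source needs, and the difference between the string-only `data` map and `data_json`. The mount name `kvv2`, the secret path `app/db`, the key names `username` and `ports`, and the existence of two versions of that secret are all assumptions.

```hcl
# Added example (not from the provider docs). Assumes a KV-V2 engine mounted at
# "kvv2" already holds a secret at kvv2/data/app/db with at least two versions;
# the mount name, secret path and key names are assumptions.

data "vault_kv_secret_v2" "db" {
  mount   = "kvv2"
  name    = "app/db"   # path under the mount, without the "data/" prefix
  version = 2          # pin a version; omit to read the latest
}

# Least-privilege policy for the token the provider runs with: only the
# "read" capability on the data path of this one secret.
resource "vault_policy" "db_reader" {
  name   = "kvv2-app-db-reader"
  policy = <<-EOT
    path "kvv2/data/app/db" {
      capabilities = ["read"]
    }
  EOT
}

locals {
  # `data` flattens to strings: a value such as [5432, 5433] stored under
  # "ports" arrives as the JSON string "[5432,5433]".
  ports_as_string = data.vault_kv_secret_v2.db.data["ports"]

  # Decode `data_json` instead to keep the original types.
  db       = jsondecode(data.vault_kv_secret_v2.db.data_json)
  ports    = local.db["ports"]     # list of numbers, not a string
  username = local.db["username"]
}

output "db_version" {
  value = data.vault_kv_secret_v2.db.version
}

output "db_username" {
  value     = local.username
  sensitive = true   # keep secret material out of plan and apply output
}
```

The policy grants read on `kvv2/data/app/db` only; the `metadata/` path is not needed to read the secret contents, so it is deliberately left out. Anything derived from `data` or `data_json` is sensitive in Terraform, so outputs that expose it must be marked `sensitive = true` or the plan will refuse to render them.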