Manages an STS role in a Vault server. STS roles are mappings between account IDs and STS ARNs. When a login attempt is made from an EC2 instance in the account ID specified, the associated STS role will be used to verify the request. For more information, see the Vault documentation.
resource "vault_auth_backend" "aws" {
  type = "aws"
}

resource "vault_aws_auth_backend_sts_role" "role" {
  backend    = vault_auth_backend.aws.path
  account_id = "1234567890"
  sts_role   = "arn:aws:iam::1234567890:role/my-role"
}
The following arguments are supported:

namespace - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

account_id - (Optional) The AWS account ID to configure the STS role for.

sts_role - (Optional) The STS role to assume when verifying requests made by EC2 instances in the account specified by account_id.

backend - (Optional) The path the AWS auth backend being configured was mounted at. Defaults to aws.
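The mapping above only does what is intended when the account in the STS role ARN is the same account whose EC2 instances Vault will verify. The following Python is an added example (not part of the provider's documentation or code) that validates an account_id/sts_role pair before it is written into a resource block: it requires a 12-digit AWS account ID (so the placeholder 1234567890 used on this page would be flagged), a well-formed IAM role ARN, and agreement between the two. The function names, the sample account numbers and the role name vault-ec2-verify are all constructed for the example.

```python
import re

# Shape of the two arguments documented above: a 12-digit AWS account ID and
# the IAM role ARN that Vault will assume for EC2 instances in that account.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::(\d{12}):role/[\w+=,.@/-]+$")


def check_sts_role_mapping(account_id, sts_role):
    """Return a list of problems with one account_id -> sts_role mapping.

    Checks that account_id is a 12-digit AWS account number, that sts_role is
    a well-formed IAM role ARN, and that the ARN's account matches account_id.
    A mismatch means Vault would assume a role in a different account than the
    one whose instances are being verified, which is worth catching before apply.
    """
    problems = []
    if not ACCOUNT_ID_RE.match(account_id):
        problems.append(f"account_id {account_id!r} is not a 12-digit AWS account ID")
    m = ROLE_ARN_RE.match(sts_role)
    if not m:
        problems.append(f"sts_role {sts_role!r} is not an IAM role ARN")
    elif m.group(1) != account_id:
        problems.append(
            f"sts_role account {m.group(1)} does not match account_id {account_id}"
        )
    return problems


def render_sts_role_resource(name, account_id, sts_role, backend="aws"):
    """Render a vault_aws_auth_backend_sts_role block for a validated mapping.

    Raises ValueError listing every detected problem instead of emitting HCL
    that would point Vault at the wrong role.
    """
    problems = check_sts_role_mapping(account_id, sts_role)
    if problems:
        raise ValueError("; ".join(problems))
    return (
        f'resource "vault_aws_auth_backend_sts_role" "{name}" {{\n'
        f'  backend    = "{backend}"\n'
        f'  account_id = "{account_id}"\n'
        f'  sts_role   = "{sts_role}"\n'
        "}\n"
    )


if __name__ == "__main__":
    # Constructed sample mappings; the account numbers are not real accounts.
    mappings = {
        "prod": ("111111111111", "arn:aws:iam::111111111111:role/vault-ec2-verify"),
        "stale": ("222222222222", "arn:aws:iam::333333333333:role/vault-ec2-verify"),
    }
    for name, (acct, arn) in mappings.items():
        found = check_sts_role_mapping(acct, arn)
        print(name, "OK" if not found else found)
        if not found:
            print(render_sts_role_resource(name, acct, arn))
```

Running the script prints "prod OK" followed by the rendered resource block, and reports the cross-account mismatch for "stale" without rendering it. The render function writes backend as a string literal; in a real configuration you would usually reference the mount's path attribute, as the example on this page does.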
No additional attributes are exported by this resource.
AWS auth backend STS roles can be imported using auth/, the backend path, /config/sts/, and the account_id, e.g.

$ terraform import vault_aws_auth_backend_sts_role.example auth/aws/config/sts/1234567890