Creates a Static Account in the GCP Secrets Engine for Vault.
Each static account is tied to a separately managed Service Account, and can have one or more bindings associated with it.
resource "google_service_account" "this" {
account_id = "my-awesome-account"
}
resource "vault_gcp_secret_backend" "gcp" {
path = "gcp"
credentials = "${file("credentials.json")}"
}
resource "vault_gcp_secret_static_account" "static_account" {
backend = vault_gcp_secret_backend.gcp.path
static_account = "project_viewer"
secret_type = "access_token"
token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
service_account_email = google_service_account.this.email
# Optional
binding {
resource = "//cloudresourcemanager.googleapis.com/projects/${google_service_account.this.project}"
roles = [
"roles/viewer",
]
}
}
The following arguments are supported:
namespace
- (Optional) The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace
is always relative to the provider's configured namespace.
Available only for Vault Enterprise.
backend
- (Required, Forces new resource) Path where the GCP Secrets Engine is mounted
static_account
- (Required, Forces new resource) Name of the Static Account to create
service_account_email
- (Required, Forces new resource) Email of the GCP service account to manage.
secret_type
- (Optional, Forces new resource) Type of secret generated for this static account. Accepted values: access_token
, service_account_key
. Defaults to access_token
.
token_scopes
- (Optional, Required for secret_type = "access_token"
) List of OAuth scopes to assign to access_token
secrets generated under this static account (access_token
static accounts only).
binding
- (Optional) Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
The binding
block supports:
resource
- (Required) Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
roles
- (Required) List of GCP IAM roles for the resource.
In addition to the fields above, the following attributes are also exposed:
service_account_project
- Project the service account belongs to.A static account can be imported using its Vault Path. For example, referencing the example above,
$ terraform import vault_gcp_secret_static_account.static_account gcp/static-account/project_viewer