vault_token

Provides a resource to generate a Vault token with its options. Token renewal is supported through optional arguments.

The token used by Terraform requires update access to the auth/token/lookup-accessor path in Vault to create tokens and to the auth/token/revoke-accessor path to destroy a token.

path "auth/token/lookup-accessor" {
  capabilities = ["update"]
}

path "auth/token/revoke-accessor" {
  capabilities = ["update"]
}
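The two capability grants above are easy to get subtly wrong (a "read" instead of "update", a missing second path, or a deny rule on a broader glob that shadows them). The following checker is an added example, not part of the provider or Vault documentation: it parses the flat path/capabilities form of a Vault policy shown above and reports which required capabilities the Terraform operator's policy fails to grant. It assumes Vault's documented matching rules (an exact path rule wins over globs, otherwise the longest matching trailing-"*" glob applies, and "deny" overrides every other capability); the "+" single-segment wildcard and nested stanzas are deliberately not handled. The sample policies other than the one from this page are constructed for illustration.

```python
import re
from typing import Dict, Set

# Capabilities the Terraform operator's token needs for this resource, per the docs above.
REQUIRED_CAPABILITIES: Dict[str, Set[str]] = {
    "auth/token/lookup-accessor": {"update"},
    "auth/token/revoke-accessor": {"update"},
}

# Minimal recogniser for `path "..." { capabilities = [...] }` stanzas (assumption:
# policies are written in this flat form; nested blocks are out of scope).
_PATH_BLOCK = re.compile(r'path\s+"(?P<path>[^"]+)"\s*\{(?P<body>.*?)\}', re.DOTALL)
_CAPS = re.compile(r"capabilities\s*=\s*\[(?P<caps>[^\]]*)\]")
_QUOTED = re.compile(r'"([^"]*)"')


def parse_policy(policy_text: str) -> Dict[str, Set[str]]:
    """Map each path rule in a Vault policy to the set of capabilities it lists."""
    grants: Dict[str, Set[str]] = {}
    for block in _PATH_BLOCK.finditer(policy_text):
        caps_match = _CAPS.search(block.group("body"))
        caps = set(_QUOTED.findall(caps_match.group("caps"))) if caps_match else set()
        grants.setdefault(block.group("path"), set()).update(caps)
    return grants


def effective_capabilities(grants: Dict[str, Set[str]], target: str) -> Set[str]:
    """Capabilities a policy grants on `target`: exact rule first, else the longest trailing-* glob."""
    if target in grants:
        return grants[target]
    best = None
    for rule in grants:
        if rule.endswith("*") and target.startswith(rule[:-1]):
            if best is None or len(rule) > len(best):
                best = rule
    return grants[best] if best is not None else set()


def missing_capabilities(policy_text: str,
                         required: Dict[str, Set[str]] = REQUIRED_CAPABILITIES) -> Dict[str, Set[str]]:
    """Return {path: capabilities still missing} for every required path not fully granted."""
    grants = parse_policy(policy_text)
    missing: Dict[str, Set[str]] = {}
    for path, needed in required.items():
        have = effective_capabilities(grants, path)
        if "deny" in have:           # deny overrides everything else on that path
            missing[path] = set(needed)
            continue
        gap = set(needed) - have
        if gap:
            missing[path] = gap
    return missing


# The policy from the docs above: should pass.
TERRAFORM_POLICY_OK = '''
path "auth/token/lookup-accessor" {
  capabilities = ["update"]
}

path "auth/token/revoke-accessor" {
  capabilities = ["update"]
}
'''

# Constructed weak policy: wrong capability on one path, other path absent.
WEAK_POLICY = '''
path "auth/token/lookup-accessor" {
  capabilities = ["read"]
}
'''

# Constructed glob policy: a broader rule that still satisfies both paths.
GLOB_POLICY = '''
path "auth/token/*" {
  capabilities = ["update"]
}
'''

if __name__ == "__main__":
    for name, text in [("docs", TERRAFORM_POLICY_OK), ("weak", WEAK_POLICY), ("glob", GLOB_POLICY)]:
        gaps = missing_capabilities(text)
        print(f"{name}: {'OK' if not gaps else 'MISSING ' + str(gaps)}")
```

Run it against the policy attached to the token Terraform authenticates with before the first apply; an empty result means both paths grant update, a non-empty one names the exact capability to add.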

Example Usage

resource "vault_token" "example" {
  role_name = "app"

  policies = ["policy1", "policy2"]

  renewable = true
  ttl = "24h"

  renew_min_lease = 43200
  renew_increment = 86400

  metadata = {
    "purpose" = "service-account"
  }
}

Argument Reference

The following arguments are supported:

Attributes Reference

Import

Tokens can be imported using their accessor id as the id, e.g.

$ terraform import vault_token.example <accessor_id>