Creates an AWS Secret Backend for Vault. AWS secret backends can then issue AWS access keys and secret keys, once a role has been added to the backend.
Example usage with static AWS credentials:

```hcl
resource "vault_aws_secret_backend" "aws" {
  access_key = "AKIA....."
  secret_key = "AWS secret key"
}
```

Example usage with plugin workload identity federation instead of a static key pair (Vault 1.16+):

```hcl
resource "vault_aws_secret_backend" "aws" {
  identity_token_audience = "<TOKEN_AUDIENCE>"
  identity_token_ttl      = "<TOKEN_TTL>"
  role_arn                = "<AWS_ROLE_ARN>"
}
```
The following arguments are supported:

- `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- `access_key` - (Optional) The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
- `secret_key` - (Optional) The AWS Secret Key this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
- `region` - (Optional) The AWS region for API calls. Defaults to `us-east-1`.
- `path` - (Optional) The unique path this backend should be mounted at. Must not begin or end with a `/`. Defaults to `aws`.
- `disable_remount` - (Optional) If set, opts out of mount migration on path updates. See the Vault provider documentation on mount migration for more information.
- `description` - (Optional) A human-friendly description for this backend.
- `default_lease_ttl_seconds` - (Optional) The default TTL for credentials issued by this backend.
- `max_lease_ttl_seconds` - (Optional) The maximum TTL that can be requested for credentials issued by this backend.
- `iam_endpoint` - (Optional) Specifies a custom HTTP IAM endpoint to use.
- `sts_endpoint` - (Optional) Specifies a custom HTTP STS endpoint to use.
- `username_template` - (Optional) Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:

  ```
  {{ if (eq .Type "STS") }}
  {{ printf "vault-%s-%s" (unix_time) (random 20) | truncate 32 }}
  {{ else }}
  {{ printf "vault-%s-%s-%s" (printf "%s-%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}
  {{ end }}
  ```

- `local` - (Optional) Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas.
- `identity_token_audience` - (Optional) The audience claim value. Requires Vault 1.16+.
- `identity_token_ttl` - (Optional) The TTL of generated identity tokens in seconds. Requires Vault 1.16+.
- `identity_token_key` - (Optional) The key to use for signing identity tokens. Requires Vault 1.16+.
- `role_arn` - (Optional) Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.
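The arguments above fit together as follows. This is an added example, not a configuration from the provider's own documentation: it mounts the backend using plugin identity token federation (so no long-lived AWS access key has to be written into the configuration or Terraform state), caps lease lifetimes, and adds the role the introduction says is needed before any credentials can be issued. The role resource `vault_aws_secret_backend_role` and its arguments (`backend`, `name`, `credential_type`, `role_arns`, `policy_document`, `default_sts_ttl`, `max_sts_ttl`) are assumed from the same provider and are not described on this page; all ARNs, the account ID, the audience and the key name are placeholders.

```hcl
# Added example, not from the provider docs. Account ID 111122223333,
# the role ARNs, the audience and the key name are placeholders.

resource "vault_aws_secret_backend" "aws" {
  path        = "aws"
  description = "Dynamic AWS credentials for CI jobs"
  region      = "us-east-1"

  # Authenticate the backend to AWS with a Vault-signed identity token
  # (Vault 1.16+) instead of a static access_key / secret_key pair.
  identity_token_audience = "vault-aws-secrets-example"            # placeholder audience
  identity_token_ttl      = 600                                    # seconds
  identity_token_key      = "default"                              # assumed signing key name
  role_arn                = "arn:aws:iam::111122223333:role/vault-secrets-engine" # placeholder

  # Keep issued credentials short-lived; callers may request up to the max.
  default_lease_ttl_seconds = 900
  max_lease_ttl_seconds     = 3600
}

# Role that issues STS credentials by assuming a narrowly scoped AWS role.
# Resource type and arguments assumed from the provider (not on this page).
resource "vault_aws_secret_backend_role" "ci_readonly" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "ci-readonly"
  credential_type = "assumed_role"
  role_arns       = ["arn:aws:iam::111122223333:role/ci-readonly"] # placeholder

  # Inline session policy that further restricts what the assumed role may do.
  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-artifacts",
        "arn:aws:s3:::example-artifacts/*",
      ]
    }]
  })

  default_sts_ttl = 900
  max_sts_ttl     = 3600
}
```

After `terraform apply`, a client with read access to `aws/creds/ci-readonly` receives temporary STS credentials bound by both the assumed role's permissions and the inline session policy, and they expire with the lease rather than living on as a static key.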
No additional attributes are exported by this resource.
AWS secret backends can be imported using the `path`, e.g.

```shell
$ terraform import vault_aws_secret_backend.aws aws
```
Refer to the Inject Secrets into Terraform Using the Vault Provider tutorial for a step-by-step usage example.