vault_kubernetes_secret_backend_role

Creates a role for the Kubernetes Secrets Engine in Vault.

A role configures what service account tokens can be generated, and what permissions will be attached to them. The permissions attached to a service account token depend on the Kubernetes roles applied to its service account.

Example Usage

Example using service_account_name mode:

resource "vault_kubernetes_secret_backend" "config" {
  path                 = "kubernetes"
  description          = "kubernetes secrets engine description"
  kubernetes_host      = "https://127.0.0.1:61233"
  kubernetes_ca_cert   = file("/path/to/cert")
  service_account_jwt  = file("/path/to/token")
  disable_local_ca_jwt = false
}

resource "vault_kubernetes_secret_backend_role" "sa-example" {
  backend                       = vault_kubernetes_secret_backend.config.path
  name                          = "service-account-name-role"
  allowed_kubernetes_namespaces = ["*"]
  token_max_ttl                 = 43200
  token_default_ttl             = 21600
  service_account_name          = "test-service-account-with-generated-token"

  extra_labels = {
    id   = "abc123"
    name = "some_name"
  }

  extra_annotations = {
    env      = "development"
    location = "earth"
  }
}

Example using kubernetes_role_name mode:

resource "vault_kubernetes_secret_backend" "config" {
  path                 = "kubernetes"
  description          = "kubernetes secrets engine description"
  kubernetes_host      = "https://127.0.0.1:61233"
  kubernetes_ca_cert   = file("/path/to/cert")
  service_account_jwt  = file("/path/to/token")
  disable_local_ca_jwt = false
}

resource "vault_kubernetes_secret_backend_role" "name-example" {
  backend                       = vault_kubernetes_secret_backend.config.path
  name                          = "kubernetes-role-name-role"
  allowed_kubernetes_namespaces = ["*"]
  token_max_ttl                 = 43200
  token_default_ttl             = 21600
  kubernetes_role_name          = "vault-k8s-secrets-role"

  extra_labels = {
    id   = "abc123"
    name = "some_name"
  }

  extra_annotations = {
    env      = "development"
    location = "earth"
  }
}

Example using generated_role_rules mode:

resource "vault_kubernetes_secret_backend" "config" {
  path                 = "kubernetes"
  description          = "kubernetes secrets engine description"
  kubernetes_host      = "https://127.0.0.1:61233"
  kubernetes_ca_cert   = file("/path/to/cert")
  service_account_jwt  = file("/path/to/token")
  disable_local_ca_jwt = false
}

resource "vault_kubernetes_secret_backend_role" "rules-example" {
  backend                       = vault_kubernetes_secret_backend.config.path
  name                          = "generated-role-rules-role"
  allowed_kubernetes_namespaces = ["*"]
  token_max_ttl                 = 43200
  token_default_ttl             = 21600
  kubernetes_role_type          = "Role"
  generated_role_rules          = <<EOF
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
EOF

  extra_labels = {
    id   = "abc123"
    name = "some_name"
  }

  extra_annotations = {
    env      = "development"
    location = "earth"
  }
}
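The three modes above all grant tokens for every namespace ("*") with 12-hour maximum TTLs. The following is an added example, not from the provider documentation, that puts a deliberately broad role beside a least-privilege one; it assumes the vault_kubernetes_secret_backend.config resource from the examples above, a namespace named "app-prod", and a hypothetical pre-existing ClusterRole named "existing-clusterrole".

```hcl
# Broad: tokens may be minted for any namespace, live up to 12 hours, and are
# bound to a cluster-wide role. Anything holding Vault access to this role
# path can act cluster-wide for the token lifetime.
resource "vault_kubernetes_secret_backend_role" "broad" {
  backend                       = vault_kubernetes_secret_backend.config.path
  name                          = "broad-role"
  allowed_kubernetes_namespaces = ["*"]
  token_max_ttl                 = 43200 # seconds (12h)
  token_default_ttl             = 21600 # seconds (6h)
  kubernetes_role_type          = "ClusterRole"
  kubernetes_role_name          = "existing-clusterrole" # hypothetical name
}

# Scoped: one namespace, short-lived tokens, and a Role generated by Vault
# from an explicit rule set, so the permissions are reviewable in this file
# rather than depending on whatever the cluster-side role currently grants.
resource "vault_kubernetes_secret_backend_role" "scoped" {
  backend                       = vault_kubernetes_secret_backend.config.path
  name                          = "pod-reader"
  allowed_kubernetes_namespaces = ["app-prod"] # assumed namespace
  token_max_ttl                 = 3600 # seconds (1h)
  token_default_ttl             = 600  # seconds (10m)
  kubernetes_role_type          = "Role" # namespaced, never cluster-wide
  generated_role_rules          = <<EOF
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
EOF

  # Labels let cluster audits distinguish Vault-generated objects.
  extra_labels = {
    "managed-by" = "vault"
  }
}
```

Reviewing a plan for wildcard allowed_kubernetes_namespaces, ClusterRole bindings, or multi-hour token_max_ttl values is a quick way to catch the broad pattern before it is applied.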

Argument Reference

The following arguments are supported:

This resource also directly accepts all vault_mount fields.

Attributes Reference

No additional attributes are exported by this resource.

Import

The Kubernetes secret backend role can be imported using the full path to the role, of the form <backend_path>/roles/<role_name>, e.g.

$ terraform import vault_kubernetes_secret_backend_role.example kubernetes/roles/example-role