Configures the client used by an AWS Auth Backend in Vault.
This resource sets the access key and secret key that Vault will use when making API requests on behalf of an AWS Auth Backend. It can also be used to override the URLs Vault uses when making those API requests.
For more information, see the Vault docs.
resource "vault_auth_backend" "example" {
  type = "aws"
}

resource "vault_aws_auth_backend_client" "example" {
  backend    = vault_auth_backend.example.path
  access_key = "INSERT_AWS_ACCESS_KEY"
  secret_key = "INSERT_AWS_SECRET_KEY"
}
The following arguments are supported:

namespace - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

backend - (Optional) The path the AWS auth backend being configured was mounted at. Defaults to aws.

access_key - (Optional) The AWS access key that Vault should use for the auth backend.

secret_key - (Optional) The AWS secret key that Vault should use for the auth backend.

ec2_endpoint - (Optional) Override the URL Vault uses when making EC2 API calls.

iam_endpoint - (Optional) Override the URL Vault uses when making IAM API calls.

sts_endpoint - (Optional) Override the URL Vault uses when making STS API calls.

sts_region - (Optional) Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.

use_sts_region_from_client - (Optional) Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

iam_server_id_header_value - (Optional) The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
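A hardened variant of the configuration above, as an added example that is not part of the provider's documentation: the keys come from variables marked sensitive instead of literals in the .tf file, sts_region is paired with sts_endpoint as the argument list requires, and iam_server_id_header_value is set. The variable names, resource labels, region, endpoint and header value are assumptions chosen for illustration.

```hcl
# Added example. Variable names, resource labels and all sample values
# below are assumptions for illustration, not values from the page.

variable "vault_aws_access_key" {
  description = "Access key of the IAM principal Vault uses for the AWS auth backend"
  type        = string
  # Redacts the value in plan/apply output. It is still written to the
  # Terraform state in plaintext, so the state backend must be protected.
  sensitive = true
}

variable "vault_aws_secret_key" {
  description = "Secret key matching vault_aws_access_key"
  type        = string
  sensitive   = true
}

resource "vault_auth_backend" "aws" {
  type = "aws"
}

resource "vault_aws_auth_backend_client" "hardened" {
  backend = vault_auth_backend.aws.path

  # Supplied at run time (for example via TF_VAR_vault_aws_access_key),
  # so no key material is committed alongside the configuration.
  access_key = var.vault_aws_access_key
  secret_key = var.vault_aws_secret_key

  # sts_region is only valid together with sts_endpoint.
  # Constructed sample values: a regional STS endpoint and its region.
  sts_endpoint = "https://sts.eu-west-1.amazonaws.com"
  sts_region   = "eu-west-1"

  # Vault will require this value in the X-Vault-AWS-IAM-Server-ID header
  # of the signed GetCallerIdentity request, which ties each login request
  # to this Vault server. Constructed sample hostname.
  iam_server_id_header_value = "vault.example.com"
}
```

Because access_key and secret_key are both optional, they can be left out entirely when Vault already runs with an IAM role attached, which keeps long-lived keys out of the Terraform state.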
No additional attributes are exported by this resource.
AWS auth backend clients can be imported using auth/, the backend path, and /config/client, e.g.

$ terraform import vault_aws_auth_backend_client.example auth/aws/config/client