Creates a role for the Kubernetes Secrets Engine in Vault.
A role configures what service account tokens can be generated, and what permissions will be attached to them. The permissions attached to a service account token depend on the Kubernetes roles applied to its service account.
Example using `service_account_name` mode:

```hcl
resource "vault_kubernetes_secret_backend" "config" {
  path                 = "kubernetes"
  description          = "kubernetes secrets engine description"
  kubernetes_host      = "https://127.0.0.1:61233"
  kubernetes_ca_cert   = file("/path/to/cert")
  service_account_jwt  = file("/path/to/token")
  disable_local_ca_jwt = false
}

resource "vault_kubernetes_secret_backend_role" "sa-example" {
  backend                       = vault_kubernetes_secret_backend.config.path
  name                          = "service-account-name-role"
  allowed_kubernetes_namespaces = ["*"]
  token_max_ttl                 = 43200
  token_default_ttl             = 21600
  service_account_name          = "test-service-account-with-generated-token"

  extra_labels = {
    id   = "abc123"
    name = "some_name"
  }

  extra_annotations = {
    env      = "development"
    location = "earth"
  }
}
```
Example using `kubernetes_role_name` mode:

```hcl
resource "vault_kubernetes_secret_backend" "config" {
  path                 = "kubernetes"
  description          = "kubernetes secrets engine description"
  kubernetes_host      = "https://127.0.0.1:61233"
  kubernetes_ca_cert   = file("/path/to/cert")
  service_account_jwt  = file("/path/to/token")
  disable_local_ca_jwt = false
}

resource "vault_kubernetes_secret_backend_role" "name-example" {
  backend                       = vault_kubernetes_secret_backend.config.path
  name                          = "service-account-name-role"
  allowed_kubernetes_namespaces = ["*"]
  token_max_ttl                 = 43200
  token_default_ttl             = 21600
  kubernetes_role_name          = "vault-k8s-secrets-role"

  extra_labels = {
    id   = "abc123"
    name = "some_name"
  }

  extra_annotations = {
    env      = "development"
    location = "earth"
  }
}
```
Example using `generated_role_rules` mode:

```hcl
resource "vault_kubernetes_secret_backend" "config" {
  path                 = "kubernetes"
  description          = "kubernetes secrets engine description"
  kubernetes_host      = "https://127.0.0.1:61233"
  kubernetes_ca_cert   = file("/path/to/cert")
  service_account_jwt  = file("/path/to/token")
  disable_local_ca_jwt = false
}

resource "vault_kubernetes_secret_backend_role" "rules-example" {
  backend                       = vault_kubernetes_secret_backend.config.path
  name                          = "service-account-name-role"
  allowed_kubernetes_namespaces = ["*"]
  token_max_ttl                 = 43200
  token_default_ttl             = 21600
  kubernetes_role_type          = "Role"
  generated_role_rules          = <<EOF
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
EOF

  extra_labels = {
    id   = "abc123"
    name = "some_name"
  }

  extra_annotations = {
    env      = "development"
    location = "earth"
  }
}
```
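The three examples above all allow every namespace (`"*"`). As an added example that is not part of the provider documentation, the following role scopes access down: namespaces are chosen with `allowed_kubernetes_namespace_selector` instead of a wildcard, the generated Role is read-only on a single ConfigMap, and TTLs are short. The host, file paths, the `team=payments` label and the ConfigMap name are assumed placeholder values.

```hcl
# Added example, not from the provider docs. Backend values are placeholders.
resource "vault_kubernetes_secret_backend" "config" {
  path                 = "kubernetes"
  kubernetes_host      = "https://127.0.0.1:61233"
  kubernetes_ca_cert   = file("/path/to/cert")
  service_account_jwt  = file("/path/to/token")
  disable_local_ca_jwt = false
}

resource "vault_kubernetes_secret_backend_role" "scoped-example" {
  backend = vault_kubernetes_secret_backend.config.path
  name    = "payments-configmap-reader"

  # Only namespaces labelled team=payments qualify (assumed label). No
  # allowed_kubernetes_namespaces list is set, so nothing else is ORed in.
  allowed_kubernetes_namespace_selector = <<EOF
matchLabels:
  team: payments
EOF

  # Short-lived tokens: 10 minute default, 1 hour hard ceiling.
  token_default_ttl = 600
  token_max_ttl     = 3600

  # A namespaced Role (not a ClusterRole) limited to one ConfigMap, read-only.
  kubernetes_role_type = "Role"
  generated_role_rules = <<EOF
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["payments-settings"]
  verbs: ["get"]
EOF

  # Labels land on every generated object, which makes them easy to audit.
  extra_labels = {
    "managed-by" = "vault"
  }
}
```

Because the token's permissions come from the generated Role, a leaked token can only read that one ConfigMap in a `team=payments` namespace, and only until the TTL expires.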
The following arguments are supported:

- `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- `name` - (Required) The name of the role.
- `backend` - (Required) The path of the Kubernetes Secrets Engine backend mount to create the role in.
- `allowed_kubernetes_namespaces` - (Optional) The list of Kubernetes namespaces this role can generate credentials for. If set to `*`, all namespaces are allowed. If set together with `allowed_kubernetes_namespace_selector`, the conditions are ORed.
- `allowed_kubernetes_namespace_selector` - (Optional) A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type LabelSelector. If set together with `allowed_kubernetes_namespaces`, the conditions are ORed.
- `token_max_ttl` - (Optional) The maximum TTL for generated Kubernetes tokens in seconds.
- `token_default_ttl` - (Optional) The default TTL for generated Kubernetes tokens in seconds.
- `service_account_name` - (Optional) The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetes_role_name` and `generated_role_rules`. If set, only a Kubernetes token will be created when credentials are requested.
- `kubernetes_role_name` - (Optional) The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `service_account_name` and `generated_role_rules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.
- `kubernetes_role_type` - (Optional) Specifies whether the Kubernetes role is a Role or ClusterRole.
- `generated_role_rules` - (Optional) The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `service_account_name` and `kubernetes_role_name`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.
- `name_template` - (Optional) The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.
- `extra_annotations` - (Optional) Additional annotations to apply to all generated Kubernetes objects.
- `extra_labels` - (Optional) Additional labels to apply to all generated Kubernetes objects.
This resource also directly accepts all vault_mount fields.
No additional attributes are exported by this resource.
The Kubernetes secret backend role can be imported using the full path to the role, of the form `<backend_path>/roles/<role_name>`, e.g.

```shell
$ terraform import vault_kubernetes_secret_backend_role.example kubernetes/roles/example-role
```