» vault_generic_secret

Reads arbitrary data from a given path in Vault.

This data source is primarily intended to be used with Vault's "generic" secret backend, but it is also compatible with any other Vault endpoint that supports the vault read command.

» Example Usage

data "vault_generic_secret" "rundeck_auth" {
  path = "secret/rundeck_auth"
}

# Rundeck Provider, for example
# For this example, in Vault there is a key named "auth_token" and the value is the token we need to keep secret.
# In general usage, replace "auth_token" with the key you wish to extract from Vault.

provider "rundeck" {
  url        = "http://rundeck.example.com/"
  auth_token = "${data.vault_generic_secret.rundeck_auth.data["auth_token"]}"
}

» Argument Reference

The following arguments are supported:

  • path - (Required) The full logical path from which to request data. To read data from the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Reading from other backends with this data source is possible; consult each backend's documentation to see which endpoints support the GET method.

» Required Vault Capabilities

Use of this data source requires the read capability on the given path.

» Attributes Reference

The following attributes are exported:

  • data_json - A string containing the full data payload retrieved from Vault, serialized in JSON format.

  • data - A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.

  • lease_id - The lease identifier assigned by Vault, if any.

  • lease_duration - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.

  • lease_start_time - As a convenience, this records the current time on the computer where Terraform is running when the data is requested. This can be used to approximate the absolute time represented by lease_duration, though users must allow for any clock drift and response latency relative to the Vault server.

  • lease_renewable - true if the lease can be renewed using Vault's sys/renew/{lease-id} endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.
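
The following is an added example, not part of the provider's own documentation, showing how the data, data_json and lease attributes described above behave with a secret that contains a nested value. It assumes Terraform 0.12 or later (for jsondecode and timeadd), a hypothetical path secret/app_config, hypothetical keys "db" and "api_key", and that lease_start_time is an RFC 3339 timestamp.

```hcl
# Constructed sample: the secret at secret/app_config (hypothetical) is assumed to hold
#   { "api_key": "...", "db": { "user": "...", "password": "..." } }
data "vault_generic_secret" "app_config" {
  path = "secret/app_config"
}

locals {
  # data_json preserves the original structure; decode it once to reach nested values.
  app_config = jsondecode(data.vault_generic_secret.app_config.data_json)

  # In the flat "data" map, string values are usable directly ...
  api_key = data.vault_generic_secret.app_config.data["api_key"]

  # ... but the non-string "db" object arrives as a JSON string and needs its own decode.
  db_from_map = jsondecode(data.vault_generic_secret.app_config.data["db"])

  # Approximate absolute expiry of the lease: start time plus duration in seconds.
  # Clock drift and response latency relative to the Vault server still apply.
  lease_expires_at = timeadd(
    data.vault_generic_secret.app_config.lease_start_time,
    "${data.vault_generic_secret.app_config.lease_duration}s"
  )
}

# Anything derived from the secret is marked sensitive so it is redacted in
# plan and apply output. The value is still written to the Terraform state,
# so the state file needs the same protection as the secret itself.
output "db_user" {
  value     = local.app_config["db"]["user"]
  sensitive = true
}

# Lease metadata is not secret; exposing the expiry shows when a saved plan
# built from this read may stop applying.
output "lease_expires_at" {
  value = local.lease_expires_at
}
```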