» vault_aws_secret_backend_role

Creates a role on an AWS Secret Backend for Vault. Roles are used to map credentials to the policies that generated them.

» Example Usage

resource "vault_aws_secret_backend" "aws" {
  access_key = "AKIA....."
  secret_key = "AWS secret key"
}

resource "vault_aws_secret_backend_role" "role" {
  backend = "${vault_aws_secret_backend.aws.path}"
  name    = "deploy"
  # iam_user: Vault creates a fresh IAM user carrying the inline policy below each
  # time credentials are read. (assumed_role would additionally require role_arns;
  # see the Argument Reference below.)
  credential_type = "iam_user"

  # Illustrative only: "iam:*" on "*" is far broader than a deploy role needs.
  policy_document = <<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
EOT
}

» Argument Reference

The following arguments are supported:

  • backend - (Required) The path the AWS secret backend is mounted at, with no leading or trailing slashes.

  • name - (Required) The name to identify this role within the backend. Must be unique within the backend.

  • policy_document - (Optional) The JSON-formatted policy to associate with this role. Either policy_document or policy_arns must be specified.

  • policy_arns - (Optional) The ARN(s) of pre-existing IAM policies to associate with this role. Either policy_document or policy_arns must be specified.

  • role_arns - (Optional) Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise.

  • credential_type - (Required) Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token.

  • default_sts_ttl - (Optional) The default TTL in seconds for STS credentials. It is applied whenever a request for STS credentials does not specify a TTL of its own. Valid only when credential_type is one of assumed_role or federation_token.

  • max_sts_ttl - (Optional) The maximum allowed TTL in seconds for STS credentials; requested credential TTLs are capped at max_sts_ttl. Valid only when credential_type is one of assumed_role or federation_token.
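The assumed_role variant of this resource, as an added example that is not from the original page or the provider's own docs, showing role_arns together with the STS TTL arguments and a policy scoped to one bucket. It assumes the vault_aws_secret_backend.aws resource from the Example Usage above; the account id, role name, bucket name and TTL values are placeholders.

```hcl
# Added example: the assumed_role credential type. Vault does not create an IAM user
# here; it calls sts:AssumeRole on the ARNs listed in role_arns, and policy_document
# is passed as a session policy that can only narrow what that role already allows.
# The account id, role name and bucket name below are assumed placeholder values.
resource "vault_aws_secret_backend_role" "deploy_assumed" {
  backend         = "${vault_aws_secret_backend.aws.path}"
  name            = "deploy-assumed"
  credential_type = "assumed_role"

  # Required for assumed_role and prohibited for iam_user / federation_token.
  role_arns = ["arn:aws:iam::123456789012:role/vault-deploy"]

  # Session policy: grant only what the deploy job needs, on one artifact bucket.
  policy_document = <<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": "arn:aws:s3:::example-deploy-artifacts/*"
    }
  ]
}
EOT

  # STS TTLs are only valid for assumed_role and federation_token.
  # Credentials default to 15 minutes; no request may extend them past 1 hour.
  default_sts_ttl = 900
  max_sts_ttl     = 3600
}
```

A read of aws/creds/deploy-assumed then returns short-lived STS credentials limited by both the IAM role's own policy and the session policy above.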

» Attributes Reference

No additional attributes are exported by this resource.

» Import

AWS secret backend roles can be imported using the path, e.g.

$ terraform import vault_aws_secret_backend_role.role aws/roles/deploy