1. Packages
  2. HashiCorp Vault Provider
  3. API Docs
  4. secrets
  5. SyncAwsDestination
HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi

vault.secrets.SyncAwsDestination

Explore with Pulumi AI

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const aws = new vault.secrets.SyncAwsDestination("aws", {
    name: "aws-dest",
    accessKeyId: accessKeyId,
    secretAccessKey: secretAccessKey,
    region: "us-east-1",
    roleArn: "role-arn",
    externalId: "external-id",
    secretNameTemplate: "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    customTags: {
        foo: "bar",
    },
});
Copy
import pulumi
import pulumi_vault as vault

aws = vault.secrets.SyncAwsDestination("aws",
    name="aws-dest",
    access_key_id=access_key_id,
    secret_access_key=secret_access_key,
    region="us-east-1",
    role_arn="role-arn",
    external_id="external-id",
    secret_name_template="vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
    custom_tags={
        "foo": "bar",
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/secrets"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := secrets.NewSyncAwsDestination(ctx, "aws", &secrets.SyncAwsDestinationArgs{
			Name:               pulumi.String("aws-dest"),
			AccessKeyId:        pulumi.Any(accessKeyId),
			SecretAccessKey:    pulumi.Any(secretAccessKey),
			Region:             pulumi.String("us-east-1"),
			RoleArn:            pulumi.String("role-arn"),
			ExternalId:         pulumi.String("external-id"),
			SecretNameTemplate: pulumi.String("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}"),
			CustomTags: pulumi.StringMap{
				"foo": pulumi.String("bar"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var aws = new Vault.Secrets.SyncAwsDestination("aws", new()
    {
        Name = "aws-dest",
        AccessKeyId = accessKeyId,
        SecretAccessKey = secretAccessKey,
        Region = "us-east-1",
        RoleArn = "role-arn",
        ExternalId = "external-id",
        SecretNameTemplate = "vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}",
        CustomTags = 
        {
            { "foo", "bar" },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.secrets.SyncAwsDestination;
import com.pulumi.vault.secrets.SyncAwsDestinationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var aws = new SyncAwsDestination("aws", SyncAwsDestinationArgs.builder()
            .name("aws-dest")
            .accessKeyId(accessKeyId)
            .secretAccessKey(secretAccessKey)
            .region("us-east-1")
            .roleArn("role-arn")
            .externalId("external-id")
            .secretNameTemplate("vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}")
            .customTags(Map.of("foo", "bar"))
            .build());

    }
}
Copy
resources:
  aws:
    type: vault:secrets:SyncAwsDestination
    properties:
      name: aws-dest
      accessKeyId: ${accessKeyId}
      secretAccessKey: ${secretAccessKey}
      region: us-east-1
      roleArn: role-arn
      externalId: external-id
      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}
      customTags:
        foo: bar
Copy

Create SyncAwsDestination Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SyncAwsDestination(name: string, args?: SyncAwsDestinationArgs, opts?: CustomResourceOptions);
@overload
def SyncAwsDestination(resource_name: str,
                       args: Optional[SyncAwsDestinationArgs] = None,
                       opts: Optional[ResourceOptions] = None)

@overload
def SyncAwsDestination(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       access_key_id: Optional[str] = None,
                       custom_tags: Optional[Mapping[str, str]] = None,
                       external_id: Optional[str] = None,
                       granularity: Optional[str] = None,
                       name: Optional[str] = None,
                       namespace: Optional[str] = None,
                       region: Optional[str] = None,
                       role_arn: Optional[str] = None,
                       secret_access_key: Optional[str] = None,
                       secret_name_template: Optional[str] = None)
func NewSyncAwsDestination(ctx *Context, name string, args *SyncAwsDestinationArgs, opts ...ResourceOption) (*SyncAwsDestination, error)
public SyncAwsDestination(string name, SyncAwsDestinationArgs? args = null, CustomResourceOptions? opts = null)
public SyncAwsDestination(String name, SyncAwsDestinationArgs args)
public SyncAwsDestination(String name, SyncAwsDestinationArgs args, CustomResourceOptions options)
type: vault:secrets:SyncAwsDestination
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args SyncAwsDestinationArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args SyncAwsDestinationArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args SyncAwsDestinationArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args SyncAwsDestinationArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. SyncAwsDestinationArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var syncAwsDestinationResource = new Vault.Secrets.SyncAwsDestination("syncAwsDestinationResource", new()
{
    AccessKeyId = "string",
    CustomTags = 
    {
        { "string", "string" },
    },
    ExternalId = "string",
    Granularity = "string",
    Name = "string",
    Namespace = "string",
    Region = "string",
    RoleArn = "string",
    SecretAccessKey = "string",
    SecretNameTemplate = "string",
});
Copy
example, err := secrets.NewSyncAwsDestination(ctx, "syncAwsDestinationResource", &secrets.SyncAwsDestinationArgs{
	AccessKeyId: pulumi.String("string"),
	CustomTags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	ExternalId:         pulumi.String("string"),
	Granularity:        pulumi.String("string"),
	Name:               pulumi.String("string"),
	Namespace:          pulumi.String("string"),
	Region:             pulumi.String("string"),
	RoleArn:            pulumi.String("string"),
	SecretAccessKey:    pulumi.String("string"),
	SecretNameTemplate: pulumi.String("string"),
})
Copy
var syncAwsDestinationResource = new SyncAwsDestination("syncAwsDestinationResource", SyncAwsDestinationArgs.builder()
    .accessKeyId("string")
    .customTags(Map.of("string", "string"))
    .externalId("string")
    .granularity("string")
    .name("string")
    .namespace("string")
    .region("string")
    .roleArn("string")
    .secretAccessKey("string")
    .secretNameTemplate("string")
    .build());
Copy
sync_aws_destination_resource = vault.secrets.SyncAwsDestination("syncAwsDestinationResource",
    access_key_id="string",
    custom_tags={
        "string": "string",
    },
    external_id="string",
    granularity="string",
    name="string",
    namespace="string",
    region="string",
    role_arn="string",
    secret_access_key="string",
    secret_name_template="string")
Copy
const syncAwsDestinationResource = new vault.secrets.SyncAwsDestination("syncAwsDestinationResource", {
    accessKeyId: "string",
    customTags: {
        string: "string",
    },
    externalId: "string",
    granularity: "string",
    name: "string",
    namespace: "string",
    region: "string",
    roleArn: "string",
    secretAccessKey: "string",
    secretNameTemplate: "string",
});
Copy
type: vault:secrets:SyncAwsDestination
properties:
    accessKeyId: string
    customTags:
        string: string
    externalId: string
    granularity: string
    name: string
    namespace: string
    region: string
    roleArn: string
    secretAccessKey: string
    secretNameTemplate: string
Copy

SyncAwsDestination Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SyncAwsDestination resource accepts the following input properties:

AccessKeyId string
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
CustomTags Dictionary<string, string>
Custom tags to set on the secret managed at the destination.
ExternalId string
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
Granularity string
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
Name Changes to this property will trigger replacement. string
Unique name of the AWS destination.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
Region Changes to this property will trigger replacement. string
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
RoleArn string
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
SecretAccessKey string
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
SecretNameTemplate string
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
AccessKeyId string
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
CustomTags map[string]string
Custom tags to set on the secret managed at the destination.
ExternalId string
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
Granularity string
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
Name Changes to this property will trigger replacement. string
Unique name of the AWS destination.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
Region Changes to this property will trigger replacement. string
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
RoleArn string
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
SecretAccessKey string
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
SecretNameTemplate string
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
accessKeyId String
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags Map<String,String>
Custom tags to set on the secret managed at the destination.
externalId String
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity String
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name Changes to this property will trigger replacement. String
Unique name of the AWS destination.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region Changes to this property will trigger replacement. String
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn String
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey String
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate String
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
accessKeyId string
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags {[key: string]: string}
Custom tags to set on the secret managed at the destination.
externalId string
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity string
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name Changes to this property will trigger replacement. string
Unique name of the AWS destination.
namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region Changes to this property will trigger replacement. string
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn string
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey string
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate string
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
access_key_id str
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
custom_tags Mapping[str, str]
Custom tags to set on the secret managed at the destination.
external_id str
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity str
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name Changes to this property will trigger replacement. str
Unique name of the AWS destination.
namespace Changes to this property will trigger replacement. str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region Changes to this property will trigger replacement. str
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
role_arn str
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secret_access_key str
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secret_name_template str
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
accessKeyId String
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags Map<String>
Custom tags to set on the secret managed at the destination.
externalId String
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity String
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name Changes to this property will trigger replacement. String
Unique name of the AWS destination.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region Changes to this property will trigger replacement. String
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn String
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey String
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate String
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.

Outputs

All input properties are implicitly available as output properties. Additionally, the SyncAwsDestination resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Type string
The type of the secrets destination (aws-sm).
Id string
The provider-assigned unique ID for this managed resource.
Type string
The type of the secrets destination (aws-sm).
id String
The provider-assigned unique ID for this managed resource.
type String
The type of the secrets destination (aws-sm).
id string
The provider-assigned unique ID for this managed resource.
type string
The type of the secrets destination (aws-sm).
id str
The provider-assigned unique ID for this managed resource.
type str
The type of the secrets destination (aws-sm).
id String
The provider-assigned unique ID for this managed resource.
type String
The type of the secrets destination (aws-sm).

Look up Existing SyncAwsDestination Resource

Get an existing SyncAwsDestination resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SyncAwsDestinationState, opts?: CustomResourceOptions): SyncAwsDestination
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_key_id: Optional[str] = None,
        custom_tags: Optional[Mapping[str, str]] = None,
        external_id: Optional[str] = None,
        granularity: Optional[str] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        region: Optional[str] = None,
        role_arn: Optional[str] = None,
        secret_access_key: Optional[str] = None,
        secret_name_template: Optional[str] = None,
        type: Optional[str] = None) -> SyncAwsDestination
func GetSyncAwsDestination(ctx *Context, name string, id IDInput, state *SyncAwsDestinationState, opts ...ResourceOption) (*SyncAwsDestination, error)
public static SyncAwsDestination Get(string name, Input<string> id, SyncAwsDestinationState? state, CustomResourceOptions? opts = null)
public static SyncAwsDestination get(String name, Output<String> id, SyncAwsDestinationState state, CustomResourceOptions options)
resources:  _:    type: vault:secrets:SyncAwsDestination    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccessKeyId string
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
CustomTags Dictionary<string, string>
Custom tags to set on the secret managed at the destination.
ExternalId string
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
Granularity string
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
Name Changes to this property will trigger replacement. string
Unique name of the AWS destination.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
Region Changes to this property will trigger replacement. string
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
RoleArn string
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
SecretAccessKey string
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
SecretNameTemplate string
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
Type Changes to this property will trigger replacement. string
The type of the secrets destination (aws-sm).
AccessKeyId string
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
CustomTags map[string]string
Custom tags to set on the secret managed at the destination.
ExternalId string
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
Granularity string
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
Name Changes to this property will trigger replacement. string
Unique name of the AWS destination.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
Region Changes to this property will trigger replacement. string
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
RoleArn string
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
SecretAccessKey string
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
SecretNameTemplate string
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
Type Changes to this property will trigger replacement. string
The type of the secrets destination (aws-sm).
accessKeyId String
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags Map<String,String>
Custom tags to set on the secret managed at the destination.
externalId String
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity String
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name Changes to this property will trigger replacement. String
Unique name of the AWS destination.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region Changes to this property will trigger replacement. String
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn String
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey String
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate String
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
type Changes to this property will trigger replacement. String
The type of the secrets destination (aws-sm).
accessKeyId string
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags {[key: string]: string}
Custom tags to set on the secret managed at the destination.
externalId string
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity string
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name Changes to this property will trigger replacement. string
Unique name of the AWS destination.
namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region Changes to this property will trigger replacement. string
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn string
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey string
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate string
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
type Changes to this property will trigger replacement. string
The type of the secrets destination (aws-sm).
access_key_id str
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
custom_tags Mapping[str, str]
Custom tags to set on the secret managed at the destination.
external_id str
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity str
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name Changes to this property will trigger replacement. str
Unique name of the AWS destination.
namespace Changes to this property will trigger replacement. str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region Changes to this property will trigger replacement. str
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
role_arn str
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secret_access_key str
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secret_name_template str
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
type Changes to this property will trigger replacement. str
The type of the secrets destination (aws-sm).
accessKeyId String
Access key id to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_ACCESS_KEY_ID environment variable.
customTags Map<String>
Custom tags to set on the secret managed at the destination.
externalId String
Optional extra protection that must match the trust policy granting access to the AWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users. The field is mutable with no special condition, but users must be careful that the new value fits with the trust relationship condition they set on AWS otherwise sync operations will start to fail due to client-side access denied errors. Ignored if the role_arn field is empty.
granularity String
Determines what level of information is synced as a distinct resource at the destination. Supports secret-path and secret-key.
name Changes to this property will trigger replacement. String
Unique name of the AWS destination.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace.
region Changes to this property will trigger replacement. String
Region where to manage the secrets manager entries. Can be omitted and directly provided to Vault using the AWS_REGION environment variable.
roleArn String
Specifies a role to assume when connecting to AWS. When assuming a role, Vault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must exist for Vault to be able to assume this role. The role can be in a different account. The value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error. It is possible to provide both an access key pair and a role to assume.
secretAccessKey String
Secret access key to authenticate against the AWS secrets manager. Can be omitted and directly provided to Vault using the AWS_SECRET_ACCESS_KEY environment variable.
secretNameTemplate String
Template describing how to generate external secret names. Supports a subset of the Go Template syntax.
type Changes to this property will trigger replacement. String
The type of the secrets destination (aws-sm).

Import

AWS Secrets sync destinations can be imported using the name, e.g.

$ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest
Copy

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Vault pulumi/pulumi-vault
License
Apache-2.0
Notes
This Pulumi package is based on the vault Terraform Provider.