» vault_aws_auth_backend_role_tag

Reads role tag information from an AWS auth backend in Vault.

» Example Usage

resource "vault_auth_backend" "aws" {
  path = "%s"
  type = "aws"
}

resource "vault_aws_auth_backend_role" "role" {
  backend          = "${vault_auth_backend.aws.path}"
  role             = "%s"
  auth_type        = "ec2"
  bound_account_id = "123456789012"
  policies         = ["dev", "prod", "qa", "test"]
  role_tag         = "VaultRoleTag"
}

resource "vault_aws_auth_backend_role_tag" "test" {
  backend     = "${vault_auth_backend.aws.path}"
  role        = "${vault_aws_auth_backend_role.role.role}"
  policies    = ["prod", "dev", "test"]
  max_ttl     = "1h"
  instance_id = "i-1234567"
}

» Argument Reference

The following arguments are supported:

  • role - (Required) The name of the AWS auth backend role to read role tags from, with no leading or trailing /s.

  • backend - (Optional) The path to the AWS auth backend to read role tags from, with no leading or trailing /s. Defaults to "aws".

  • policies - (Optional) The policies to be associated with the tag. Must be a subset of the policies associated with the role.

  • max_ttl - (Optional) The maximum TTL of the tokens issued using this role.

  • instance_id - (Optional) Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID.

  • allow_instance_migration - (Optional) If set, allows migration of the underlying instances where the client resides. Use with caution.

  • disallow_reauthentication - (Optional) If set, only allows a single token to be granted per instance ID.

» Attributes Reference

In addition to the arguments above, the following attributes are exported: