» vault_gcp_secret_roleset
Creates a Roleset in the GCP Secrets Engine for Vault.
Each Roleset is tied to a service account that Vault creates and manages, and can have one or more IAM bindings associated with it; Vault then generates either OAuth access tokens or service account keys for that service account on request.
» Example Usage
```hcl
locals {
  project = "my-awesome-project"
}

resource "vault_gcp_secret_backend" "gcp" {
  credentials = "${file("credentials.json")}"
}

resource "vault_gcp_secret_roleset" "agent" {
  backend      = "${vault_gcp_secret_backend.gcp.path}"
  roleset      = "project_viewer"
  secret_type  = "access_token"
  project      = "${local.project}"
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/${local.project}"
    roles = [
      "roles/viewer",
    ]
  }
}
```
» Argument Reference
The following arguments are supported:
- backend - (Required, Forces new resource) Path where the GCP Secrets Engine is mounted.
- roleset - (Required, Forces new resource) Name of the Roleset to create.
- project - (Required, Forces new resource) Name of the GCP project that this roleset's service account will belong to.
- secret_type - (Optional, Forces new resource) Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.
- token_scopes - (Optional, Required for secret_type = "access_token") List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).
- binding - (Required) Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
The binding block supports:
- resource - (Required) Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.
- roles - (Required) List of GCP IAM roles for the resource.
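An added example (not from the provider's own documentation) showing how the arguments above combine for least-privilege credential issuance: short leases on the backend, one access_token roleset and one service_account_key roleset, each bound to a single narrow role on the project, and a Vault policy that exposes only the token path of one roleset to its consumers. The default_lease_ttl_seconds and max_lease_ttl_seconds arguments, the vault_policy resource, and the gcp/token/<roleset> path layout belong to the Vault provider and the GCP secrets engine rather than to this page; the project id and role names are placeholders.

```hcl
locals {
  project = "my-awesome-project" # placeholder project id
}

# Short leases bound how long a leaked token or key remains usable.
resource "vault_gcp_secret_backend" "gcp" {
  credentials               = "${file("credentials.json")}"
  default_lease_ttl_seconds = 600
  max_lease_ttl_seconds     = 3600
}

# Read-only roleset: short-lived OAuth tokens, one narrow role, one project.
resource "vault_gcp_secret_roleset" "reader" {
  backend      = "${vault_gcp_secret_backend.gcp.path}"
  roleset      = "project_viewer"
  secret_type  = "access_token"
  project      = "${local.project}"
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/${local.project}"
    roles    = ["roles/viewer"]
  }
}

# Key roleset for a workload that cannot consume OAuth tokens. A private key
# is a heavier credential than a token, so the binding is kept to a single
# write-only role rather than roles/editor.
resource "vault_gcp_secret_roleset" "log_writer" {
  backend     = "${vault_gcp_secret_backend.gcp.path}"
  roleset     = "log_writer"
  secret_type = "service_account_key"
  project     = "${local.project}"

  binding {
    resource = "//cloudresourcemanager.googleapis.com/projects/${local.project}"
    roles    = ["roles/logging.logWriter"]
  }
}

# Consumers are granted the token path of their roleset only, not the mount.
resource "vault_policy" "ci_viewer" {
  name   = "ci-viewer"
  policy = <<EOT
path "${vault_gcp_secret_backend.gcp.path}/token/${vault_gcp_secret_roleset.reader.roleset}" {
  capabilities = ["read"]
}
EOT
}
```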
» Attributes Reference
In addition to the fields above, the following attributes are also exposed:
- service_account_email - Email of the service account created by Vault for this Roleset.