HashiCorp Vault v6.6.0, Mar 13 25

HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi

vault.aws.AuthBackendClient

Explore with Pulumi AI

HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi

Example Usage

You can setup the AWS auth engine with Workload Identity Federation (WIF) for a secret-less configuration:

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.AuthBackend("example", {type: "aws"});
const exampleAuthBackendClient = new vault.aws.AuthBackendClient("example", {
    identityTokenAudience: "<TOKEN_AUDIENCE>",
    identityTokenTtl: "<TOKEN_TTL>",
    roleArn: "<AWS_ROLE_ARN>",
    rotationSchedule: "0 * * * SAT",
    rotationWindow: 3600,
});

import pulumi
import pulumi_vault as vault

example = vault.AuthBackend("example", type="aws")
example_auth_backend_client = vault.aws.AuthBackendClient("example",
    identity_token_audience="<TOKEN_AUDIENCE>",
    identity_token_ttl="<TOKEN_TTL>",
    role_arn="<AWS_ROLE_ARN>",
    rotation_schedule="0 * * * SAT",
    rotation_window=3600)

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/aws"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := vault.NewAuthBackend(ctx, "example", &vault.AuthBackendArgs{
			Type: pulumi.String("aws"),
		})
		if err != nil {
			return err
		}
		_, err = aws.NewAuthBackendClient(ctx, "example", &aws.AuthBackendClientArgs{
			IdentityTokenAudience: pulumi.String("<TOKEN_AUDIENCE>"),
			IdentityTokenTtl:      pulumi.Int("<TOKEN_TTL>"),
			RoleArn:               pulumi.String("<AWS_ROLE_ARN>"),
			RotationSchedule:      pulumi.String("0 * * * SAT"),
			RotationWindow:        pulumi.Int(3600),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = new Vault.AuthBackend("example", new()
    {
        Type = "aws",
    });

    var exampleAuthBackendClient = new Vault.Aws.AuthBackendClient("example", new()
    {
        IdentityTokenAudience = "<TOKEN_AUDIENCE>",
        IdentityTokenTtl = "<TOKEN_TTL>",
        RoleArn = "<AWS_ROLE_ARN>",
        RotationSchedule = "0 * * * SAT",
        RotationWindow = 3600,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.aws.AuthBackendClient;
import com.pulumi.vault.aws.AuthBackendClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AuthBackend("example", AuthBackendArgs.builder()
            .type("aws")
            .build());

        var exampleAuthBackendClient = new AuthBackendClient("exampleAuthBackendClient", AuthBackendClientArgs.builder()
            .identityTokenAudience("<TOKEN_AUDIENCE>")
            .identityTokenTtl("<TOKEN_TTL>")
            .roleArn("<AWS_ROLE_ARN>")
            .rotationSchedule("0 * * * SAT")
            .rotationWindow(3600)
            .build());

    }
}

resources:
  example:
    type: vault:AuthBackend
    properties:
      type: aws
  exampleAuthBackendClient:
    type: vault:aws:AuthBackendClient
    name: example
    properties:
      identityTokenAudience: <TOKEN_AUDIENCE>
      identityTokenTtl: <TOKEN_TTL>
      roleArn: <AWS_ROLE_ARN>
      rotationSchedule: 0 * * * SAT
      rotationWindow: 3600

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.AuthBackend("example", {type: "aws"});
const exampleAuthBackendClient = new vault.aws.AuthBackendClient("example", {
    backend: example.path,
    accessKey: "INSERT_AWS_ACCESS_KEY",
    secretKey: "INSERT_AWS_SECRET_KEY",
    rotationSchedule: "0 * * * SAT",
    rotationWindow: 3600,
});

import pulumi
import pulumi_vault as vault

example = vault.AuthBackend("example", type="aws")
example_auth_backend_client = vault.aws.AuthBackendClient("example",
    backend=example.path,
    access_key="INSERT_AWS_ACCESS_KEY",
    secret_key="INSERT_AWS_SECRET_KEY",
    rotation_schedule="0 * * * SAT",
    rotation_window=3600)

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/aws"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := vault.NewAuthBackend(ctx, "example", &vault.AuthBackendArgs{
			Type: pulumi.String("aws"),
		})
		if err != nil {
			return err
		}
		_, err = aws.NewAuthBackendClient(ctx, "example", &aws.AuthBackendClientArgs{
			Backend:          example.Path,
			AccessKey:        pulumi.String("INSERT_AWS_ACCESS_KEY"),
			SecretKey:        pulumi.String("INSERT_AWS_SECRET_KEY"),
			RotationSchedule: pulumi.String("0 * * * SAT"),
			RotationWindow:   pulumi.Int(3600),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = new Vault.AuthBackend("example", new()
    {
        Type = "aws",
    });

    var exampleAuthBackendClient = new Vault.Aws.AuthBackendClient("example", new()
    {
        Backend = example.Path,
        AccessKey = "INSERT_AWS_ACCESS_KEY",
        SecretKey = "INSERT_AWS_SECRET_KEY",
        RotationSchedule = "0 * * * SAT",
        RotationWindow = 3600,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.aws.AuthBackendClient;
import com.pulumi.vault.aws.AuthBackendClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AuthBackend("example", AuthBackendArgs.builder()
            .type("aws")
            .build());

        var exampleAuthBackendClient = new AuthBackendClient("exampleAuthBackendClient", AuthBackendClientArgs.builder()
            .backend(example.path())
            .accessKey("INSERT_AWS_ACCESS_KEY")
            .secretKey("INSERT_AWS_SECRET_KEY")
            .rotationSchedule("0 * * * SAT")
            .rotationWindow(3600)
            .build());

    }
}

resources:
  example:
    type: vault:AuthBackend
    properties:
      type: aws
  exampleAuthBackendClient:
    type: vault:aws:AuthBackendClient
    name: example
    properties:
      backend: ${example.path}
      accessKey: INSERT_AWS_ACCESS_KEY
      secretKey: INSERT_AWS_SECRET_KEY
      rotationSchedule: 0 * * * SAT
      rotationWindow: 3600

Create AuthBackendClient Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new AuthBackendClient(name: string, args?: AuthBackendClientArgs, opts?: CustomResourceOptions);

@overload
def AuthBackendClient(resource_name: str,
                      args: Optional[AuthBackendClientArgs] = None,
                      opts: Optional[ResourceOptions] = None)

@overload
def AuthBackendClient(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      access_key: Optional[str] = None,
                      backend: Optional[str] = None,
                      disable_automated_rotation: Optional[bool] = None,
                      ec2_endpoint: Optional[str] = None,
                      iam_endpoint: Optional[str] = None,
                      iam_server_id_header_value: Optional[str] = None,
                      identity_token_audience: Optional[str] = None,
                      identity_token_ttl: Optional[int] = None,
                      max_retries: Optional[int] = None,
                      namespace: Optional[str] = None,
                      role_arn: Optional[str] = None,
                      rotation_period: Optional[int] = None,
                      rotation_schedule: Optional[str] = None,
                      rotation_window: Optional[int] = None,
                      secret_key: Optional[str] = None,
                      sts_endpoint: Optional[str] = None,
                      sts_region: Optional[str] = None,
                      use_sts_region_from_client: Optional[bool] = None)

func NewAuthBackendClient(ctx *Context, name string, args *AuthBackendClientArgs, opts ...ResourceOption) (*AuthBackendClient, error)

public AuthBackendClient(string name, AuthBackendClientArgs? args = null, CustomResourceOptions? opts = null)

public AuthBackendClient(String name, AuthBackendClientArgs args)
public AuthBackendClient(String name, AuthBackendClientArgs args, CustomResourceOptions options)

type: vault:aws:AuthBackendClient
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args AuthBackendClientArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AuthBackendClientArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AuthBackendClientArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AuthBackendClientArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AuthBackendClientArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var authBackendClientResource = new Vault.Aws.AuthBackendClient("authBackendClientResource", new()
{
    AccessKey = "string",
    Backend = "string",
    DisableAutomatedRotation = false,
    Ec2Endpoint = "string",
    IamEndpoint = "string",
    IamServerIdHeaderValue = "string",
    IdentityTokenAudience = "string",
    IdentityTokenTtl = 0,
    MaxRetries = 0,
    Namespace = "string",
    RoleArn = "string",
    RotationPeriod = 0,
    RotationSchedule = "string",
    RotationWindow = 0,
    SecretKey = "string",
    StsEndpoint = "string",
    StsRegion = "string",
    UseStsRegionFromClient = false,
});

example, err := aws.NewAuthBackendClient(ctx, "authBackendClientResource", &aws.AuthBackendClientArgs{
	AccessKey:                pulumi.String("string"),
	Backend:                  pulumi.String("string"),
	DisableAutomatedRotation: pulumi.Bool(false),
	Ec2Endpoint:              pulumi.String("string"),
	IamEndpoint:              pulumi.String("string"),
	IamServerIdHeaderValue:   pulumi.String("string"),
	IdentityTokenAudience:    pulumi.String("string"),
	IdentityTokenTtl:         pulumi.Int(0),
	MaxRetries:               pulumi.Int(0),
	Namespace:                pulumi.String("string"),
	RoleArn:                  pulumi.String("string"),
	RotationPeriod:           pulumi.Int(0),
	RotationSchedule:         pulumi.String("string"),
	RotationWindow:           pulumi.Int(0),
	SecretKey:                pulumi.String("string"),
	StsEndpoint:              pulumi.String("string"),
	StsRegion:                pulumi.String("string"),
	UseStsRegionFromClient:   pulumi.Bool(false),
})

var authBackendClientResource = new AuthBackendClient("authBackendClientResource", AuthBackendClientArgs.builder()
    .accessKey("string")
    .backend("string")
    .disableAutomatedRotation(false)
    .ec2Endpoint("string")
    .iamEndpoint("string")
    .iamServerIdHeaderValue("string")
    .identityTokenAudience("string")
    .identityTokenTtl(0)
    .maxRetries(0)
    .namespace("string")
    .roleArn("string")
    .rotationPeriod(0)
    .rotationSchedule("string")
    .rotationWindow(0)
    .secretKey("string")
    .stsEndpoint("string")
    .stsRegion("string")
    .useStsRegionFromClient(false)
    .build());

auth_backend_client_resource = vault.aws.AuthBackendClient("authBackendClientResource",
    access_key="string",
    backend="string",
    disable_automated_rotation=False,
    ec2_endpoint="string",
    iam_endpoint="string",
    iam_server_id_header_value="string",
    identity_token_audience="string",
    identity_token_ttl=0,
    max_retries=0,
    namespace="string",
    role_arn="string",
    rotation_period=0,
    rotation_schedule="string",
    rotation_window=0,
    secret_key="string",
    sts_endpoint="string",
    sts_region="string",
    use_sts_region_from_client=False)

const authBackendClientResource = new vault.aws.AuthBackendClient("authBackendClientResource", {
    accessKey: "string",
    backend: "string",
    disableAutomatedRotation: false,
    ec2Endpoint: "string",
    iamEndpoint: "string",
    iamServerIdHeaderValue: "string",
    identityTokenAudience: "string",
    identityTokenTtl: 0,
    maxRetries: 0,
    namespace: "string",
    roleArn: "string",
    rotationPeriod: 0,
    rotationSchedule: "string",
    rotationWindow: 0,
    secretKey: "string",
    stsEndpoint: "string",
    stsRegion: "string",
    useStsRegionFromClient: false,
});

type: vault:aws:AuthBackendClient
properties:
    accessKey: string
    backend: string
    disableAutomatedRotation: false
    ec2Endpoint: string
    iamEndpoint: string
    iamServerIdHeaderValue: string
    identityTokenAudience: string
    identityTokenTtl: 0
    maxRetries: 0
    namespace: string
    roleArn: string
    rotationPeriod: 0
    rotationSchedule: string
    rotationWindow: 0
    secretKey: string
    stsEndpoint: string
    stsRegion: string
    useStsRegionFromClient: false

AuthBackendClient Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AuthBackendClient resource accepts the following input properties:

AccessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
Backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
DisableAutomatedRotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
Ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
IamEndpoint string: Override the URL Vault uses when making IAM API calls.
IamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
IdentityTokenAudience string: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
IdentityTokenTtl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
MaxRetries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
RoleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
SecretKey string: The AWS secret key that Vault should use for the auth backend.
StsEndpoint string: Override the URL Vault uses when making STS API calls.
StsRegion string: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
UseStsRegionFromClient bool: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

AccessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
Backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
DisableAutomatedRotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
Ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
IamEndpoint string: Override the URL Vault uses when making IAM API calls.
IamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
IdentityTokenAudience string: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
IdentityTokenTtl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
MaxRetries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
RoleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
SecretKey string: The AWS secret key that Vault should use for the auth backend.
StsEndpoint string: Override the URL Vault uses when making STS API calls.
StsRegion string: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
UseStsRegionFromClient bool: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey String: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
backend String: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation Boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint String: Override the URL Vault uses when making EC2 API calls.
iamEndpoint String: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue String: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience String: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl Integer: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries Integer: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn String: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod Integer: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow Integer: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey String: The AWS secret key that Vault should use for the auth backend.
stsEndpoint String: Override the URL Vault uses when making STS API calls.
stsRegion String: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
useStsRegionFromClient Boolean: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
iamEndpoint string: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience string: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl number: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries number: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod number: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey string: The AWS secret key that Vault should use for the auth backend.
stsEndpoint string: Override the URL Vault uses when making STS API calls.
stsRegion string: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
useStsRegionFromClient boolean: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

access_key str: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
backend str: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disable_automated_rotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2_endpoint str: Override the URL Vault uses when making EC2 API calls.
iam_endpoint str: Override the URL Vault uses when making IAM API calls.
iam_server_id_header_value str: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identity_token_audience str: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
identity_token_ttl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
max_retries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
role_arn str: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotation_period int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotation_schedule str: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotation_window int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secret_key str: The AWS secret key that Vault should use for the auth backend.
sts_endpoint str: Override the URL Vault uses when making STS API calls.
sts_region str: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
use_sts_region_from_client bool: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey String: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
backend String: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation Boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint String: Override the URL Vault uses when making EC2 API calls.
iamEndpoint String: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue String: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience String: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl Number: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries Number: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn String: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod Number: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow Number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey String: The AWS secret key that Vault should use for the auth backend.
stsEndpoint String: Override the URL Vault uses when making STS API calls.
stsRegion String: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
useStsRegionFromClient Boolean: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

Outputs

All input properties are implicitly available as output properties. Additionally, the AuthBackendClient resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing AuthBackendClient Resource

Get an existing AuthBackendClient resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: AuthBackendClientState, opts?: CustomResourceOptions): AuthBackendClient

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_key: Optional[str] = None,
        backend: Optional[str] = None,
        disable_automated_rotation: Optional[bool] = None,
        ec2_endpoint: Optional[str] = None,
        iam_endpoint: Optional[str] = None,
        iam_server_id_header_value: Optional[str] = None,
        identity_token_audience: Optional[str] = None,
        identity_token_ttl: Optional[int] = None,
        max_retries: Optional[int] = None,
        namespace: Optional[str] = None,
        role_arn: Optional[str] = None,
        rotation_period: Optional[int] = None,
        rotation_schedule: Optional[str] = None,
        rotation_window: Optional[int] = None,
        secret_key: Optional[str] = None,
        sts_endpoint: Optional[str] = None,
        sts_region: Optional[str] = None,
        use_sts_region_from_client: Optional[bool] = None) -> AuthBackendClient

func GetAuthBackendClient(ctx *Context, name string, id IDInput, state *AuthBackendClientState, opts ...ResourceOption) (*AuthBackendClient, error)

public static AuthBackendClient Get(string name, Input<string> id, AuthBackendClientState? state, CustomResourceOptions? opts = null)

public static AuthBackendClient get(String name, Output<String> id, AuthBackendClientState state, CustomResourceOptions options)

resources:  _:    type: vault:aws:AuthBackendClient    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
Backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
DisableAutomatedRotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
Ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
IamEndpoint string: Override the URL Vault uses when making IAM API calls.
IamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
IdentityTokenAudience string: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
IdentityTokenTtl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
MaxRetries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
RoleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
SecretKey string: The AWS secret key that Vault should use for the auth backend.
StsEndpoint string: Override the URL Vault uses when making STS API calls.
StsRegion string: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
UseStsRegionFromClient bool: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

AccessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
Backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
DisableAutomatedRotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
Ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
IamEndpoint string: Override the URL Vault uses when making IAM API calls.
IamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
IdentityTokenAudience string: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
IdentityTokenTtl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
MaxRetries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
RoleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
SecretKey string: The AWS secret key that Vault should use for the auth backend.
StsEndpoint string: Override the URL Vault uses when making STS API calls.
StsRegion string: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
UseStsRegionFromClient bool: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey String: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
backend String: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation Boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint String: Override the URL Vault uses when making EC2 API calls.
iamEndpoint String: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue String: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience String: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl Integer: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries Integer: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn String: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod Integer: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow Integer: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey String: The AWS secret key that Vault should use for the auth backend.
stsEndpoint String: Override the URL Vault uses when making STS API calls.
stsRegion String: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
useStsRegionFromClient Boolean: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey string: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
backend string: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint string: Override the URL Vault uses when making EC2 API calls.
iamEndpoint string: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue string: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience string: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl number: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries number: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn string: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod number: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey string: The AWS secret key that Vault should use for the auth backend.
stsEndpoint string: Override the URL Vault uses when making STS API calls.
stsRegion string: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
useStsRegionFromClient boolean: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

access_key str: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
backend str: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disable_automated_rotation bool: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2_endpoint str: Override the URL Vault uses when making EC2 API calls.
iam_endpoint str: Override the URL Vault uses when making IAM API calls.
iam_server_id_header_value str: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identity_token_audience str: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
identity_token_ttl int: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
max_retries int: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
role_arn str: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotation_period int: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotation_schedule str: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotation_window int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secret_key str: The AWS secret key that Vault should use for the auth backend.
sts_endpoint str: Override the URL Vault uses when making STS API calls.
sts_region str: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
use_sts_region_from_client bool: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

accessKey String: The AWS access key that Vault should use for the auth backend. Mutually exclusive with identity_token_audience.
backend String: The path the AWS auth backend being configured was mounted at. Defaults to aws.
disableAutomatedRotation Boolean: Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
ec2Endpoint String: Override the URL Vault uses when making EC2 API calls.
iamEndpoint String: Override the URL Vault uses when making IAM API calls.
iamServerIdHeaderValue String: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method.
identityTokenAudience String: The audience claim value. Mutually exclusive with access_key. Requires Vault 1.17+. Available only for Vault Enterprise
identityTokenTtl Number: The TTL of generated identity tokens in seconds. Requires Vault 1.17+. Available only for Vault Enterprise
maxRetries Number: Number of max retries the client should use for recoverable errors. The default -1 falls back to the AWS SDK's default behavior.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
roleArn String: Role ARN to assume for plugin identity token federation. Requires Vault 1.17+. Available only for Vault Enterprise
rotationPeriod Number: The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
rotationWindow Number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.
secretKey String: The AWS secret key that Vault should use for the auth backend.
stsEndpoint String: Override the URL Vault uses when making STS API calls.
stsRegion String: Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region.
useStsRegionFromClient Boolean: Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used.

Import

AWS auth backend clients can be imported using auth/, the backend path, and /config/client e.g.

$ pulumi import vault:aws/authBackendClient:AuthBackendClient example auth/aws/config/client

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi

pulumi/pulumi-vault

vault.aws.AuthBackendClient

On this page

On this page

Example Usage

Create AuthBackendClient Resource

Constructor syntax

Parameters

Constructor example

AuthBackendClient Resource Properties

Inputs

Outputs

Look up Existing AuthBackendClient Resource

Import

Package Details

On this page

On this page