vault-secrets

The vault-secrets provider enables you to dynamically import Secrets from HashiCorp Vault into your Environment. The provider will return a map of names to Secrets.

Example

  vault:
    login:
      fn::open::vault-login:
        address: https://127.0.0.1:8200/
        jwt:
          role: example-role
    secrets:
      fn::open::vault-secrets:
        login: ${vault.login}
        read:
          api-key:
            path: api-key
          app-secret:
            path: app-secret

Configuring OIDC

To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Vault, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

• esc open <your-org>/<your-environment> command of the Pulumi ESC CLI
• pulumi env open <your-org>/<your-environment> command of the Pulumi CLI

Make sure to replace <your-org> and <your-environment> with the values of your Pulumi organization and environment file respectively. You should see output similar to the following:

{
  "vault": {
    "login": {
      "address": "***",
      "token": "***"
    },
    "secrets": {
      "test1": {
        "data": {
          "keyA": "valA",
          "keyB": "valB"
        },
        "metadata": {
          "created_time": "2023-11-06T18:24:05.784222Z",
          "custom_metadata": null,
          "deletion_time": "",
          "destroyed": false,
          "version": 1
        }
      }
    }
  }
}

Inputs

VaultSecretsLogin

VaultSecretsRead

Outputs