HashiCorp Vault v6.7.1, May 2 25

HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi

vault.database.SecretBackendRole

Explore with Pulumi AI

HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const db = new vault.Mount("db", {
    path: "postgres",
    type: "database",
});
const postgres = new vault.database.SecretBackendConnection("postgres", {
    backend: db.path,
    name: "postgres",
    allowedRoles: [
        "dev",
        "prod",
    ],
    postgresql: {
        connectionUrl: "postgres://username:password@host:port/database",
    },
});
const role = new vault.database.SecretBackendRole("role", {
    backend: db.path,
    name: "dev",
    dbName: postgres.name,
    creationStatements: ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"],
});

import pulumi
import pulumi_vault as vault

db = vault.Mount("db",
    path="postgres",
    type="database")
postgres = vault.database.SecretBackendConnection("postgres",
    backend=db.path,
    name="postgres",
    allowed_roles=[
        "dev",
        "prod",
    ],
    postgresql={
        "connection_url": "postgres://username:password@host:port/database",
    })
role = vault.database.SecretBackendRole("role",
    backend=db.path,
    name="dev",
    db_name=postgres.name,
    creation_statements=["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"])

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/database"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		db, err := vault.NewMount(ctx, "db", &vault.MountArgs{
			Path: pulumi.String("postgres"),
			Type: pulumi.String("database"),
		})
		if err != nil {
			return err
		}
		postgres, err := database.NewSecretBackendConnection(ctx, "postgres", &database.SecretBackendConnectionArgs{
			Backend: db.Path,
			Name:    pulumi.String("postgres"),
			AllowedRoles: pulumi.StringArray{
				pulumi.String("dev"),
				pulumi.String("prod"),
			},
			Postgresql: &database.SecretBackendConnectionPostgresqlArgs{
				ConnectionUrl: pulumi.String("postgres://username:password@host:port/database"),
			},
		})
		if err != nil {
			return err
		}
		_, err = database.NewSecretBackendRole(ctx, "role", &database.SecretBackendRoleArgs{
			Backend: db.Path,
			Name:    pulumi.String("dev"),
			DbName:  postgres.Name,
			CreationStatements: pulumi.StringArray{
				pulumi.String("CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var db = new Vault.Mount("db", new()
    {
        Path = "postgres",
        Type = "database",
    });

    var postgres = new Vault.Database.SecretBackendConnection("postgres", new()
    {
        Backend = db.Path,
        Name = "postgres",
        AllowedRoles = new[]
        {
            "dev",
            "prod",
        },
        Postgresql = new Vault.Database.Inputs.SecretBackendConnectionPostgresqlArgs
        {
            ConnectionUrl = "postgres://username:password@host:port/database",
        },
    });

    var role = new Vault.Database.SecretBackendRole("role", new()
    {
        Backend = db.Path,
        Name = "dev",
        DbName = postgres.Name,
        CreationStatements = new[]
        {
            "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.database.SecretBackendConnection;
import com.pulumi.vault.database.SecretBackendConnectionArgs;
import com.pulumi.vault.database.inputs.SecretBackendConnectionPostgresqlArgs;
import com.pulumi.vault.database.SecretBackendRole;
import com.pulumi.vault.database.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var db = new Mount("db", MountArgs.builder()
            .path("postgres")
            .type("database")
            .build());

        var postgres = new SecretBackendConnection("postgres", SecretBackendConnectionArgs.builder()
            .backend(db.path())
            .name("postgres")
            .allowedRoles(            
                "dev",
                "prod")
            .postgresql(SecretBackendConnectionPostgresqlArgs.builder()
                .connectionUrl("postgres://username:password@host:port/database")
                .build())
            .build());

        var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
            .backend(db.path())
            .name("dev")
            .dbName(postgres.name())
            .creationStatements("CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';")
            .build());

    }
}

resources:
  db:
    type: vault:Mount
    properties:
      path: postgres
      type: database
  postgres:
    type: vault:database:SecretBackendConnection
    properties:
      backend: ${db.path}
      name: postgres
      allowedRoles:
        - dev
        - prod
      postgresql:
        connectionUrl: postgres://username:password@host:port/database
  role:
    type: vault:database:SecretBackendRole
    properties:
      backend: ${db.path}
      name: dev
      dbName: ${postgres.name}
      creationStatements:
        - CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';

Create SecretBackendRole Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);

@overload
def SecretBackendRole(resource_name: str,
                      args: SecretBackendRoleArgs,
                      opts: Optional[ResourceOptions] = None)

@overload
def SecretBackendRole(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      backend: Optional[str] = None,
                      creation_statements: Optional[Sequence[str]] = None,
                      db_name: Optional[str] = None,
                      credential_config: Optional[Mapping[str, str]] = None,
                      credential_type: Optional[str] = None,
                      default_ttl: Optional[int] = None,
                      max_ttl: Optional[int] = None,
                      name: Optional[str] = None,
                      namespace: Optional[str] = None,
                      renew_statements: Optional[Sequence[str]] = None,
                      revocation_statements: Optional[Sequence[str]] = None,
                      rollback_statements: Optional[Sequence[str]] = None)

func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)

public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)

public SecretBackendRole(String name, SecretBackendRoleArgs args)
public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)

type: vault:database:SecretBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var examplesecretBackendRoleResourceResourceFromDatabasesecretBackendRole = new Vault.Database.SecretBackendRole("examplesecretBackendRoleResourceResourceFromDatabasesecretBackendRole", new()
{
    Backend = "string",
    CreationStatements = new[]
    {
        "string",
    },
    DbName = "string",
    CredentialConfig = 
    {
        { "string", "string" },
    },
    CredentialType = "string",
    DefaultTtl = 0,
    MaxTtl = 0,
    Name = "string",
    Namespace = "string",
    RenewStatements = new[]
    {
        "string",
    },
    RevocationStatements = new[]
    {
        "string",
    },
    RollbackStatements = new[]
    {
        "string",
    },
});

example, err := database.NewSecretBackendRole(ctx, "examplesecretBackendRoleResourceResourceFromDatabasesecretBackendRole", &database.SecretBackendRoleArgs{
	Backend: pulumi.String("string"),
	CreationStatements: pulumi.StringArray{
		pulumi.String("string"),
	},
	DbName: pulumi.String("string"),
	CredentialConfig: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	CredentialType: pulumi.String("string"),
	DefaultTtl:     pulumi.Int(0),
	MaxTtl:         pulumi.Int(0),
	Name:           pulumi.String("string"),
	Namespace:      pulumi.String("string"),
	RenewStatements: pulumi.StringArray{
		pulumi.String("string"),
	},
	RevocationStatements: pulumi.StringArray{
		pulumi.String("string"),
	},
	RollbackStatements: pulumi.StringArray{
		pulumi.String("string"),
	},
})

var examplesecretBackendRoleResourceResourceFromDatabasesecretBackendRole = new com.pulumi.vault.database.SecretBackendRole("examplesecretBackendRoleResourceResourceFromDatabasesecretBackendRole", com.pulumi.vault.database.SecretBackendRoleArgs.builder()
    .backend("string")
    .creationStatements("string")
    .dbName("string")
    .credentialConfig(Map.of("string", "string"))
    .credentialType("string")
    .defaultTtl(0)
    .maxTtl(0)
    .name("string")
    .namespace("string")
    .renewStatements("string")
    .revocationStatements("string")
    .rollbackStatements("string")
    .build());

examplesecret_backend_role_resource_resource_from_databasesecret_backend_role = vault.database.SecretBackendRole("examplesecretBackendRoleResourceResourceFromDatabasesecretBackendRole",
    backend="string",
    creation_statements=["string"],
    db_name="string",
    credential_config={
        "string": "string",
    },
    credential_type="string",
    default_ttl=0,
    max_ttl=0,
    name="string",
    namespace="string",
    renew_statements=["string"],
    revocation_statements=["string"],
    rollback_statements=["string"])

const examplesecretBackendRoleResourceResourceFromDatabasesecretBackendRole = new vault.database.SecretBackendRole("examplesecretBackendRoleResourceResourceFromDatabasesecretBackendRole", {
    backend: "string",
    creationStatements: ["string"],
    dbName: "string",
    credentialConfig: {
        string: "string",
    },
    credentialType: "string",
    defaultTtl: 0,
    maxTtl: 0,
    name: "string",
    namespace: "string",
    renewStatements: ["string"],
    revocationStatements: ["string"],
    rollbackStatements: ["string"],
});

type: vault:database:SecretBackendRole
properties:
    backend: string
    creationStatements:
        - string
    credentialConfig:
        string: string
    credentialType: string
    dbName: string
    defaultTtl: 0
    maxTtl: 0
    name: string
    namespace: string
    renewStatements:
        - string
    revocationStatements:
        - string
    rollbackStatements:
        - string

SecretBackendRole Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecretBackendRole resource accepts the following input properties:

Backend string

The unique name of the Vault mount to configure.

CreationStatements List<string>

The database statements to execute when creating a user.

DbName string

The unique name of the database connection to use for the role.

CredentialConfig Dictionary<string, string>

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

CredentialType string

Specifies the type of credential that will be generated for the role. Options include: password, rsa_private_key, client_certificate. See the plugin's API page for credential types supported by individual databases.

DefaultTtl int

The default number of seconds for leases for this role.

MaxTtl int

The maximum number of seconds for leases for this role.

Name string

A unique name to give the role.

Namespace string

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

RenewStatements List<string>

The database statements to execute when renewing a user.

RevocationStatements List<string>

The database statements to execute when revoking a user.

RollbackStatements List<string>

The database statements to execute when rolling back creation due to an error.

Backend string

The unique name of the Vault mount to configure.

CreationStatements []string

The database statements to execute when creating a user.

DbName string

The unique name of the database connection to use for the role.

CredentialConfig map[string]string

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

CredentialType string

DefaultTtl int

The default number of seconds for leases for this role.

MaxTtl int

The maximum number of seconds for leases for this role.

Name string

A unique name to give the role.

Namespace string

RenewStatements []string

The database statements to execute when renewing a user.

RevocationStatements []string

The database statements to execute when revoking a user.

RollbackStatements []string

The database statements to execute when rolling back creation due to an error.

backend String

The unique name of the Vault mount to configure.

creationStatements List<String>

The database statements to execute when creating a user.

dbName String

The unique name of the database connection to use for the role.

credentialConfig Map<String,String>

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

credentialType String

defaultTtl Integer

The default number of seconds for leases for this role.

maxTtl Integer

The maximum number of seconds for leases for this role.

name String

A unique name to give the role.

namespace String

renewStatements List<String>

The database statements to execute when renewing a user.

revocationStatements List<String>

The database statements to execute when revoking a user.

rollbackStatements List<String>

The database statements to execute when rolling back creation due to an error.

backend string

The unique name of the Vault mount to configure.

creationStatements string[]

The database statements to execute when creating a user.

dbName string

The unique name of the database connection to use for the role.

credentialConfig {[key: string]: string}

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

credentialType string

defaultTtl number

The default number of seconds for leases for this role.

maxTtl number

The maximum number of seconds for leases for this role.

name string

A unique name to give the role.

namespace string

renewStatements string[]

The database statements to execute when renewing a user.

revocationStatements string[]

The database statements to execute when revoking a user.

rollbackStatements string[]

The database statements to execute when rolling back creation due to an error.

backend str

The unique name of the Vault mount to configure.

creation_statements Sequence[str]

The database statements to execute when creating a user.

db_name str

The unique name of the database connection to use for the role.

credential_config Mapping[str, str]

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

credential_type str

default_ttl int

The default number of seconds for leases for this role.

max_ttl int

The maximum number of seconds for leases for this role.

name str

A unique name to give the role.

namespace str

renew_statements Sequence[str]

The database statements to execute when renewing a user.

revocation_statements Sequence[str]

The database statements to execute when revoking a user.

rollback_statements Sequence[str]

The database statements to execute when rolling back creation due to an error.

backend String

The unique name of the Vault mount to configure.

creationStatements List<String>

The database statements to execute when creating a user.

dbName String

The unique name of the database connection to use for the role.

credentialConfig Map<String>

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

credentialType String

defaultTtl Number

The default number of seconds for leases for this role.

maxTtl Number

The maximum number of seconds for leases for this role.

name String

A unique name to give the role.

namespace String

renewStatements List<String>

The database statements to execute when renewing a user.

revocationStatements List<String>

The database statements to execute when revoking a user.

rollbackStatements List<String>

The database statements to execute when rolling back creation due to an error.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing SecretBackendRole Resource

Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        backend: Optional[str] = None,
        creation_statements: Optional[Sequence[str]] = None,
        credential_config: Optional[Mapping[str, str]] = None,
        credential_type: Optional[str] = None,
        db_name: Optional[str] = None,
        default_ttl: Optional[int] = None,
        max_ttl: Optional[int] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        renew_statements: Optional[Sequence[str]] = None,
        revocation_statements: Optional[Sequence[str]] = None,
        rollback_statements: Optional[Sequence[str]] = None) -> SecretBackendRole

func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)

public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)

public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)

resources:  _:    type: vault:database:SecretBackendRole    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Backend string

The unique name of the Vault mount to configure.

CreationStatements List<string>

The database statements to execute when creating a user.

CredentialConfig Dictionary<string, string>

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

CredentialType string

DbName string

The unique name of the database connection to use for the role.

DefaultTtl int

The default number of seconds for leases for this role.

MaxTtl int

The maximum number of seconds for leases for this role.

Name string

A unique name to give the role.

Namespace string

RenewStatements List<string>

The database statements to execute when renewing a user.

RevocationStatements List<string>

The database statements to execute when revoking a user.

RollbackStatements List<string>

The database statements to execute when rolling back creation due to an error.

Backend string

The unique name of the Vault mount to configure.

CreationStatements []string

The database statements to execute when creating a user.

CredentialConfig map[string]string

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

CredentialType string

DbName string

The unique name of the database connection to use for the role.

DefaultTtl int

The default number of seconds for leases for this role.

MaxTtl int

The maximum number of seconds for leases for this role.

Name string

A unique name to give the role.

Namespace string

RenewStatements []string

The database statements to execute when renewing a user.

RevocationStatements []string

The database statements to execute when revoking a user.

RollbackStatements []string

The database statements to execute when rolling back creation due to an error.

backend String

The unique name of the Vault mount to configure.

creationStatements List<String>

The database statements to execute when creating a user.

credentialConfig Map<String,String>

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

credentialType String

dbName String

The unique name of the database connection to use for the role.

defaultTtl Integer

The default number of seconds for leases for this role.

maxTtl Integer

The maximum number of seconds for leases for this role.

name String

A unique name to give the role.

namespace String

renewStatements List<String>

The database statements to execute when renewing a user.

revocationStatements List<String>

The database statements to execute when revoking a user.

rollbackStatements List<String>

The database statements to execute when rolling back creation due to an error.

backend string

The unique name of the Vault mount to configure.

creationStatements string[]

The database statements to execute when creating a user.

credentialConfig {[key: string]: string}

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

credentialType string

dbName string

The unique name of the database connection to use for the role.

defaultTtl number

The default number of seconds for leases for this role.

maxTtl number

The maximum number of seconds for leases for this role.

name string

A unique name to give the role.

namespace string

renewStatements string[]

The database statements to execute when renewing a user.

revocationStatements string[]

The database statements to execute when revoking a user.

rollbackStatements string[]

The database statements to execute when rolling back creation due to an error.

backend str

The unique name of the Vault mount to configure.

creation_statements Sequence[str]

The database statements to execute when creating a user.

credential_config Mapping[str, str]

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

credential_type str

db_name str

The unique name of the database connection to use for the role.

default_ttl int

The default number of seconds for leases for this role.

max_ttl int

The maximum number of seconds for leases for this role.

name str

A unique name to give the role.

namespace str

renew_statements Sequence[str]

The database statements to execute when renewing a user.

revocation_statements Sequence[str]

The database statements to execute when revoking a user.

rollback_statements Sequence[str]

The database statements to execute when rolling back creation due to an error.

backend String

The unique name of the Vault mount to configure.

creationStatements List<String>

The database statements to execute when creating a user.

credentialConfig Map<String>

Specifies the configuration for the given credential_type.

The following options are available for each credential_type value:

credentialType String

dbName String

The unique name of the database connection to use for the role.

defaultTtl Number

The default number of seconds for leases for this role.

maxTtl Number

The maximum number of seconds for leases for this role.

name String

A unique name to give the role.

namespace String

renewStatements List<String>

The database statements to execute when renewing a user.

revocationStatements List<String>

The database statements to execute when revoking a user.

rollbackStatements List<String>

The database statements to execute when rolling back creation due to an error.

Import

Database secret backend roles can be imported using the backend, /roles/, and the name e.g.

$ pulumi import vault:database/secretBackendRole:SecretBackendRole example postgres/roles/my-role

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi

pulumi/pulumi-vault

vault.database.SecretBackendRole

On this page

On this page

Example Usage

Create SecretBackendRole Resource

Constructor syntax

Parameters

Constructor example

SecretBackendRole Resource Properties

Inputs

Outputs

Look up Existing SecretBackendRole Resource

Import

Package Details

On this page

On this page