Docs Home
HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
vault.kv.getSecret
Explore with Pulumi AI
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const kvv1 = new vault.Mount("kvv1", {
path: "kvv1",
type: "kv",
options: {
version: "1",
},
description: "KV Version 1 secret engine mount",
});
const secret = new vault.kv.Secret("secret", {
path: pulumi.interpolate`${kvv1.path}/secret`,
dataJson: JSON.stringify({
zip: "zap",
foo: "bar",
}),
});
const secretData = vault.kv.getSecretOutput({
path: secret.path,
});
import pulumi
import json
import pulumi_vault as vault
kvv1 = vault.Mount("kvv1",
path="kvv1",
type="kv",
options={
"version": "1",
},
description="KV Version 1 secret engine mount")
secret = vault.kv.Secret("secret",
path=kvv1.path.apply(lambda path: f"{path}/secret"),
data_json=json.dumps({
"zip": "zap",
"foo": "bar",
}))
secret_data = vault.kv.get_secret_output(path=secret.path)
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kv"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
kvv1, err := vault.NewMount(ctx, "kvv1", &vault.MountArgs{
Path: pulumi.String("kvv1"),
Type: pulumi.String("kv"),
Options: pulumi.StringMap{
"version": pulumi.String("1"),
},
Description: pulumi.String("KV Version 1 secret engine mount"),
})
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"zip": "zap",
"foo": "bar",
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
secret, err := kv.NewSecret(ctx, "secret", &kv.SecretArgs{
Path: kvv1.Path.ApplyT(func(path string) (string, error) {
return fmt.Sprintf("%v/secret", path), nil
}).(pulumi.StringOutput),
DataJson: pulumi.String(json0),
})
if err != nil {
return err
}
_ = kv.LookupSecretOutput(ctx, kv.GetSecretOutputArgs{
Path: secret.Path,
}, nil)
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var kvv1 = new Vault.Mount("kvv1", new()
{
Path = "kvv1",
Type = "kv",
Options =
{
{ "version", "1" },
},
Description = "KV Version 1 secret engine mount",
});
var secret = new Vault.Kv.Secret("secret", new()
{
Path = kvv1.Path.Apply(path => $"{path}/secret"),
DataJson = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["zip"] = "zap",
["foo"] = "bar",
}),
});
var secretData = Vault.kv.GetSecret.Invoke(new()
{
Path = secret.Path,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.kv.Secret;
import com.pulumi.vault.kv.SecretArgs;
import com.pulumi.vault.kv.KvFunctions;
import com.pulumi.vault.kv.inputs.GetSecretArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var kvv1 = new Mount("kvv1", MountArgs.builder()
.path("kvv1")
.type("kv")
.options(Map.of("version", "1"))
.description("KV Version 1 secret engine mount")
.build());
var secret = new Secret("secret", SecretArgs.builder()
.path(kvv1.path().applyValue(_path -> String.format("%s/secret", _path)))
.dataJson(serializeJson(
jsonObject(
jsonProperty("zip", "zap"),
jsonProperty("foo", "bar")
)))
.build());
final var secretData = KvFunctions.getSecret(GetSecretArgs.builder()
.path(secret.path())
.build());
}
}
resources:
kvv1:
type: vault:Mount
properties:
path: kvv1
type: kv
options:
version: '1'
description: KV Version 1 secret engine mount
secret:
type: vault:kv:Secret
properties:
path: ${kvv1.path}/secret
dataJson:
fn::toJSON:
zip: zap
foo: bar
variables:
secretData:
fn::invoke:
function: vault:kv:getSecret
arguments:
path: ${secret.path}
Required Vault Capabilities
Use of this resource requires the read capability on the given path.
Using getSecret
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getSecret(args: GetSecretArgs, opts?: InvokeOptions): Promise<GetSecretResult>
function getSecretOutput(args: GetSecretOutputArgs, opts?: InvokeOptions): Output<GetSecretResult>def get_secret(namespace: Optional[str] = None,
path: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetSecretResult
def get_secret_output(namespace: Optional[pulumi.Input[str]] = None,
path: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetSecretResult]func LookupSecret(ctx *Context, args *LookupSecretArgs, opts ...InvokeOption) (*LookupSecretResult, error)
func LookupSecretOutput(ctx *Context, args *LookupSecretOutputArgs, opts ...InvokeOption) LookupSecretResultOutput> Note: This function is named LookupSecret in the Go SDK.
public static class GetSecret
{
public static Task<GetSecretResult> InvokeAsync(GetSecretArgs args, InvokeOptions? opts = null)
public static Output<GetSecretResult> Invoke(GetSecretInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetSecretResult> getSecret(GetSecretArgs args, InvokeOptions options)
public static Output<GetSecretResult> getSecret(GetSecretArgs args, InvokeOptions options)
fn::invoke:
function: vault:kv/getSecret:getSecret
arguments:
# arguments dictionaryThe following arguments are supported:
getSecret Result
The following output properties are available:
- Data Dictionary<string, string>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- Data
Json string - JSON-encoded string that that is read as the secret data at the given path.
- Id string
- The provider-assigned unique ID for this managed resource.
- Lease
Duration int - The duration of the secret lease, in seconds. Once this time has passed any plan generated with this data may fail to apply.
- Lease
Id string - The lease identifier assigned by Vault, if any.
- Lease
Renewable bool - True if the duration of this lease can be extended through renewal.
- Path string
- Namespace string
- Data map[string]string
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- Data
Json string - JSON-encoded string that that is read as the secret data at the given path.
- Id string
- The provider-assigned unique ID for this managed resource.
- Lease
Duration int - The duration of the secret lease, in seconds. Once this time has passed any plan generated with this data may fail to apply.
- Lease
Id string - The lease identifier assigned by Vault, if any.
- Lease
Renewable bool - True if the duration of this lease can be extended through renewal.
- Path string
- Namespace string
- data Map<String,String>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- data
Json String - JSON-encoded string that that is read as the secret data at the given path.
- id String
- The provider-assigned unique ID for this managed resource.
- lease
Duration Integer - The duration of the secret lease, in seconds. Once this time has passed any plan generated with this data may fail to apply.
- lease
Id String - The lease identifier assigned by Vault, if any.
- lease
Renewable Boolean - True if the duration of this lease can be extended through renewal.
- path String
- namespace String
- data {[key: string]: string}
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- data
Json string - JSON-encoded string that that is read as the secret data at the given path.
- id string
- The provider-assigned unique ID for this managed resource.
- lease
Duration number - The duration of the secret lease, in seconds. Once this time has passed any plan generated with this data may fail to apply.
- lease
Id string - The lease identifier assigned by Vault, if any.
- lease
Renewable boolean - True if the duration of this lease can be extended through renewal.
- path string
- namespace string
- data Mapping[str, str]
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- data_
json str - JSON-encoded string that that is read as the secret data at the given path.
- id str
- The provider-assigned unique ID for this managed resource.
- lease_
duration int - The duration of the secret lease, in seconds. Once this time has passed any plan generated with this data may fail to apply.
- lease_
id str - The lease identifier assigned by Vault, if any.
- lease_
renewable bool - True if the duration of this lease can be extended through renewal.
- path str
- namespace str
- data Map<String>
- A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.
- data
Json String - JSON-encoded string that that is read as the secret data at the given path.
- id String
- The provider-assigned unique ID for this managed resource.
- lease
Duration Number - The duration of the secret lease, in seconds. Once this time has passed any plan generated with this data may fail to apply.
- lease
Id String - The lease identifier assigned by Vault, if any.
- lease
Renewable Boolean - True if the duration of this lease can be extended through renewal.
- path String
- namespace String
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.