---
layout: "vault"
page_title: "Vault: vault_generic_secret data source"
sidebar_current: "docs-vault-datasource-generic-secret"
description: |-
  Reads arbitrary data from a given path in Vault
---

# vault\_generic\_secret

Reads arbitrary data from a given path in Vault.

This data source is primarily intended to be used with
[Vault's "generic" secret backend](https://www.vaultproject.io/docs/secrets/generic/index.html),
but it is also compatible with any other Vault endpoint that supports
the `vault read` command.

~> **Important** All data retrieved from Vault will be
written in cleartext to the state file generated by Terraform, will appear in
the console output when Terraform runs, and may be included in plan files
if secrets are interpolated into any resource attributes.
Protect these artifacts accordingly. See
[the main provider documentation](../index.html)
for more details.

## Example Usage

```
data "vault_generic_secret" "rundeck_auth" {
  path = "secret/rundeck_auth"
}

# Rundeck Provider, for example
provider "rundeck" {
  url        = "http://rundeck.example.com/"
  auth_token = "${data.vault_generic_secret.rundeck_auth.data["auth_token"]}"
}
```

## Argument Reference

The following arguments are supported:

* `path` - (Required) The full logical path from which to request data.
  To read data from the "generic" secret backend mounted in Vault by
  default, this should be prefixed with `secret/`. Reading from other backends
  with this data source is possible; consult each backend's documentation
  to see which endpoints support the `GET` method.

## Required Vault Capabilities

Use of this data source requires the `read` capability on the given path.

## Attributes Reference

The following attributes are exported:

* `data_json` - A string containing the full data payload retrieved from
  Vault, serialized in JSON format.

* `data` - A mapping whose keys are the top-level data keys returned from
  Vault and whose values are the corresponding values. This map can only
  represent string data, so any non-string values returned from Vault are
  serialized as JSON.

* `lease_id` - The lease identifier assigned by Vault, if any.

* `lease_duration` - The duration of the secret lease, in seconds relative
  to the time the data was requested. Once this time has passed, any plan
  generated with this data may fail to apply.

* `lease_start_time` - As a convenience, this records the current time
  on the computer where Terraform is running when the data is requested.
  This can be used to approximate the absolute time represented by
  `lease_duration`, though users must allow for any clock drift and response
  latency relative to the Vault server.

* `lease_renewable` - `true` if the lease can be renewed using Vault's
  `sys/renew/{lease-id}` endpoint. Terraform does not currently support lease
  renewal, and so it will request a new lease each time this data source is
  refreshed.

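
Because the `data` and `data_json` attributes are written in cleartext to the state file, it helps to know which data sources in a given state carry Vault payloads. The following is an added example, not part of the original documentation or the provider's code: it lists each `vault_generic_secret` data source found in a state file and reports key names only. It assumes the state format version 4 JSON layout; the function name and the sample state are constructed for illustration.

```python
import json

# Constructed sample state (made-up token). Assumes the state format version 4
# layout: resources[] entries with mode, type, name, instances[].attributes.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "data", "type": "vault_generic_secret", "name": "rundeck_auth",
     "instances": [{"attributes": {
         "path": "secret/rundeck_auth",
         "data": {"auth_token": "constructed-token-value"},
         "data_json": '{"auth_token": "constructed-token-value"}',
     }}]},
    {"mode": "managed", "type": "null_resource", "name": "unrelated",
     "instances": [{"attributes": {"id": "1"}}]},
]})


def find_vault_secrets_in_state(state_text):
    """Return (address, vault_path, key_names) per vault_generic_secret data
    source that has payload stored in the state. Values are never returned."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        if res.get("mode") != "data" or res.get("type") != "vault_generic_secret":
            continue
        prefix = res["module"] + "." if "module" in res else ""
        address = f"{prefix}data.{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            keys = set(attrs.get("data") or {})
            try:  # data_json carries the full payload, so check it as well
                payload = json.loads(attrs.get("data_json") or "{}")
            except ValueError:
                payload = {}
            if isinstance(payload, dict):
                keys.update(payload)
            if keys:
                findings.append((address, attrs.get("path"), sorted(keys)))
    return findings


if __name__ == "__main__":
    for address, path, keys in find_vault_secrets_in_state(SAMPLE_STATE):
        print(f"{address} (path={path}) stores cleartext keys: {', '.join(keys)}")
```

A non-empty result means the state file holds Vault secrets in cleartext and needs the same access controls as the secrets themselves.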