ResiLien
/
terraform
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
terraform/website/source/docs/providers/vault/d/generic_secret.html.md

2.8 KiB
Raw Blame History

layout page_title sidebar_current description
vault Vault: vault_generic_secret data source docs-vault-datasource-generic-secret Reads arbitrary data from a given path in Vault

vault_generic_secret

Reads arbitrary data from a given path in Vault.

This resource is primarily intended to be used with Vault's "generic" secret backend, but it is also compatible with any other Vault endpoint that supports the vault read command.

~> Important All data retrieved from Vault will be written in cleartext to state file generated by Terraform, will appear in the console output when Terraform runs, and may be included in plan files if secrets are interpolated into any resource attributes. Protect these artifacts accordingly. See the main provider documentation for more details.

Example Usage

data "vault_generic_secret" "rundeck_auth" {
  path = "secret/rundeck_auth"
}

# Rundeck Provider, for example
provider "rundeck" {
  url        = "http://rundeck.example.com/"
  auth_token = "${data.vault_generic_secret.rundeck_auth.data["auth_token"]}"
}

Argument Reference

The following arguments are supported:

  • path - (Required) The full logical path from which to request data. To read data from the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Reading from other backends with this data source is possible; consult each backend's documentation to see which endpoints support the GET method.

Required Vault Capabilities

Use of this resource requires the read capability on the given path.

Attributes Reference

The following attributes are exported:

  • data_json - A string containing the full data payload retrieved from Vault, serialized in JSON format.

  • data - A mapping whose keys are the top-level data keys returned from Vault and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON.

  • lease_id - The lease identifier assigned by Vault, if any.

  • lease_duration - The duration of the secret lease, in seconds relative to the time the data was requested. Once this time has passed any plan generated with this data may fail to apply.

  • lease_start_time - As a convenience, this records the current time on the computer where Terraform is running when the data is requested. This can be used to approximate the absolute time represented by lease_duration, though users must allow for any clock drift and response latency relative to to the Vault server.

  • lease_renewable - true if the lease can be renewed using Vault's sys/renew/{lease-id} endpoint. Terraform does not currently support lease renewal, and so it will request a new lease each time this data source is refreshed.