HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
vault.kubernetes.getServiceAccountToken
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
// Inputs Vault needs to reach the Kubernetes API. The file at /path/to/token
// holds the JWT of the service account Vault acts as, so it is a credential:
// keep it out of version control and readable only by the deploying identity.
const caCertPem = std.file({ input: "/path/to/cert" }).then(({ result }) => result);
const vaultServiceAccountJwt = std.file({ input: "/path/to/token" }).then(({ result }) => result);

// Mount and configure the Kubernetes secrets engine at "kubernetes".
const config = new vault.kubernetes.SecretBackend("config", {
    path: "kubernetes",
    description: "kubernetes secrets engine description",
    // Loopback placeholder; point this at the cluster's API server.
    kubernetesHost: "https://127.0.0.1:61233",
    kubernetesCaCert: caCertPem,
    serviceAccountJwt: vaultServiceAccountJwt,
    // false leaves Vault free to fall back to its own pod's CA certificate and
    // service account JWT when it runs inside Kubernetes.
    disableLocalCaJwt: false,
});

// Role that decides where, and for how long, tokens may be issued.
const role = new vault.kubernetes.SecretBackendRole("role", {
    backend: config.path,
    name: "service-account-name-role",
    // "*" lets this role issue credentials in every namespace. The request
    // below only needs "test"; list just the namespaces that need tokens.
    allowedKubernetesNamespaces: ["*"],
    // Seconds: 43200 = 12 h ceiling, 21600 = 6 h default.
    tokenMaxTtl: 43200,
    tokenDefaultTtl: 21600,
    serviceAccountName: "test-service-account-with-generated-token",
    extraLabels: { id: "abc123", name: "some_name" },
    extraAnnotations: { env: "development", location: "earth" },
});

// Request a one-hour token in the "test" namespace. clusterRoleBinding stays
// false so the grant is namespaced rather than cluster-wide.
// The result's serviceAccountToken is a live credential: do not log it or
// export it as a plain stack output; leaseId identifies its lease in Vault.
// NOTE(review): each evaluation presumably asks Vault for a new token — confirm.
const token = vault.kubernetes.getServiceAccountTokenOutput({
    backend: config.path,
    role: role.name,
    kubernetesNamespace: "test",
    clusterRoleBinding: false,
    ttl: "1h",
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
# Inputs Vault needs to reach the Kubernetes API. The file at /path/to/token
# holds the JWT of the service account Vault acts as, so it is a credential:
# keep it out of version control and readable only by the deploying identity.
ca_cert_pem = std.file(input="/path/to/cert").result
vault_service_account_jwt = std.file(input="/path/to/token").result

# Mount and configure the Kubernetes secrets engine at "kubernetes".
config = vault.kubernetes.SecretBackend(
    "config",
    path="kubernetes",
    description="kubernetes secrets engine description",
    # Loopback placeholder; point this at the cluster's API server.
    kubernetes_host="https://127.0.0.1:61233",
    kubernetes_ca_cert=ca_cert_pem,
    service_account_jwt=vault_service_account_jwt,
    # False leaves Vault free to fall back to its own pod's CA certificate and
    # service account JWT when it runs inside Kubernetes.
    disable_local_ca_jwt=False,
)

# Role that decides where, and for how long, tokens may be issued.
role = vault.kubernetes.SecretBackendRole(
    "role",
    backend=config.path,
    name="service-account-name-role",
    # "*" lets this role issue credentials in every namespace. The request
    # below only needs "test"; list just the namespaces that need tokens.
    allowed_kubernetes_namespaces=["*"],
    # Seconds: 43200 = 12 h ceiling, 21600 = 6 h default.
    token_max_ttl=43200,
    token_default_ttl=21600,
    service_account_name="test-service-account-with-generated-token",
    extra_labels=dict(id="abc123", name="some_name"),
    extra_annotations=dict(env="development", location="earth"),
)

# Request a one-hour token in the "test" namespace. cluster_role_binding stays
# False so the grant is namespaced rather than cluster-wide.
# The result's service_account_token is a live credential: do not log it or
# export it as a plain stack output; lease_id identifies its lease in Vault.
# NOTE(review): each evaluation presumably asks Vault for a new token — confirm.
token = vault.kubernetes.get_service_account_token_output(
    backend=config.path,
    role=role.name,
    kubernetes_namespace="test",
    cluster_role_binding=False,
    ttl="1h",
)
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main configures the Kubernetes secrets engine, defines a role on it, and
// requests a service account token through that role.
func main() {
	program := func(ctx *pulumi.Context) error {
		// CA certificate Vault uses to verify the Kubernetes API server.
		caCertFile, err := std.File(ctx, &std.FileArgs{Input: "/path/to/cert"}, nil)
		if err != nil {
			return err
		}

		// JWT of the service account Vault acts as. This file is a credential:
		// keep it out of version control and readable only by the deploying identity.
		saJwtFile, err := std.File(ctx, &std.FileArgs{Input: "/path/to/token"}, nil)
		if err != nil {
			return err
		}

		// Mount and configure the secrets engine at "kubernetes".
		backendArgs := &kubernetes.SecretBackendArgs{
			Path:        pulumi.String("kubernetes"),
			Description: pulumi.String("kubernetes secrets engine description"),
			// Loopback placeholder; point this at the cluster's API server.
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  pulumi.String(caCertFile.Result),
			ServiceAccountJwt: pulumi.String(saJwtFile.Result),
			// false leaves Vault free to fall back to its own pod's CA certificate
			// and service account JWT when it runs inside Kubernetes.
			DisableLocalCaJwt: pulumi.Bool(false),
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", backendArgs)
		if err != nil {
			return err
		}

		// Role that decides where, and for how long, tokens may be issued.
		roleArgs := &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			// "*" lets this role issue credentials in every namespace. The request
			// below only needs "test"; list just the namespaces that need tokens.
			AllowedKubernetesNamespaces: pulumi.StringArray{pulumi.String("*")},
			// Seconds: 43200 = 12 h ceiling, 21600 = 6 h default.
			TokenMaxTtl:        pulumi.Int(43200),
			TokenDefaultTtl:    pulumi.Int(21600),
			ServiceAccountName: pulumi.String("test-service-account-with-generated-token"),
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		}
		role, err := kubernetes.NewSecretBackendRole(ctx, "role", roleArgs)
		if err != nil {
			return err
		}

		// Request a one-hour token in the "test" namespace. ClusterRoleBinding
		// stays false so the grant is namespaced rather than cluster-wide.
		// The result's ServiceAccountToken is a live credential: do not log it or
		// export it as a plain stack output; LeaseId identifies its lease in Vault.
		// NOTE(review): each evaluation presumably asks Vault for a new token — confirm.
		_ = kubernetes.GetServiceAccountTokenOutput(ctx, kubernetes.GetServiceAccountTokenOutputArgs{
			Backend:             config.Path,
			Role:                role.Name,
			KubernetesNamespace: pulumi.String("test"),
			ClusterRoleBinding:  pulumi.Bool(false),
			Ttl:                 pulumi.String("1h"),
		}, nil)
		return nil
	}

	pulumi.Run(program)
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // Inputs Vault needs to reach the Kubernetes API. The file at /path/to/token
    // holds the JWT of the service account Vault acts as, so it is a credential:
    // keep it out of version control and readable only by the deploying identity.
    var caCertPem = Std.File.Invoke(new()
    {
        Input = "/path/to/cert",
    }).Apply(file => file.Result);

    var vaultServiceAccountJwt = Std.File.Invoke(new()
    {
        Input = "/path/to/token",
    }).Apply(file => file.Result);

    // Mount and configure the Kubernetes secrets engine at "kubernetes".
    var config = new Vault.Kubernetes.SecretBackend("config", new()
    {
        Path = "kubernetes",
        Description = "kubernetes secrets engine description",
        // Loopback placeholder; point this at the cluster's API server.
        KubernetesHost = "https://127.0.0.1:61233",
        KubernetesCaCert = caCertPem,
        ServiceAccountJwt = vaultServiceAccountJwt,
        // false leaves Vault free to fall back to its own pod's CA certificate
        // and service account JWT when it runs inside Kubernetes.
        DisableLocalCaJwt = false,
    });

    // Role that decides where, and for how long, tokens may be issued.
    var role = new Vault.Kubernetes.SecretBackendRole("role", new()
    {
        Backend = config.Path,
        Name = "service-account-name-role",
        // "*" lets this role issue credentials in every namespace. The request
        // below only needs "test"; list just the namespaces that need tokens.
        AllowedKubernetesNamespaces = new[] { "*" },
        // Seconds: 43200 = 12 h ceiling, 21600 = 6 h default.
        TokenMaxTtl = 43200,
        TokenDefaultTtl = 21600,
        ServiceAccountName = "test-service-account-with-generated-token",
        ExtraLabels =
        {
            { "id", "abc123" },
            { "name", "some_name" },
        },
        ExtraAnnotations =
        {
            { "env", "development" },
            { "location", "earth" },
        },
    });

    // Request a one-hour token in the "test" namespace. ClusterRoleBinding stays
    // false so the grant is namespaced rather than cluster-wide.
    // The result's ServiceAccountToken is a live credential: do not log it or
    // export it as a plain stack output; LeaseId identifies its lease in Vault.
    // NOTE(review): each evaluation presumably asks Vault for a new token — confirm.
    var token = Vault.Kubernetes.GetServiceAccountToken.Invoke(new()
    {
        Backend = config.Path,
        Role = role.Name,
        KubernetesNamespace = "test",
        ClusterRoleBinding = false,
        Ttl = "1h",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import com.pulumi.vault.kubernetes.KubernetesFunctions;
import com.pulumi.vault.kubernetes.inputs.GetServiceAccountTokenArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Configures the Kubernetes secrets engine, defines a role on it, and requests
 * a service account token through that role.
 */
public class App {
    public static void stack(Context ctx) {
        // Inputs Vault needs to reach the Kubernetes API. The file at /path/to/token
        // holds the JWT of the service account Vault acts as, so it is a credential:
        // keep it out of version control and readable only by the deploying identity.
        var caCertPem = StdFunctions.file(FileArgs.builder()
            .input("/path/to/cert")
            .build()).result();
        var vaultServiceAccountJwt = StdFunctions.file(FileArgs.builder()
            .input("/path/to/token")
            .build()).result();

        // Mount and configure the Kubernetes secrets engine at "kubernetes".
        var backendArgs = SecretBackendArgs.builder()
            .path("kubernetes")
            .description("kubernetes secrets engine description")
            // Loopback placeholder; point this at the cluster's API server.
            .kubernetesHost("https://127.0.0.1:61233")
            .kubernetesCaCert(caCertPem)
            .serviceAccountJwt(vaultServiceAccountJwt)
            // false leaves Vault free to fall back to its own pod's CA certificate
            // and service account JWT when it runs inside Kubernetes.
            .disableLocalCaJwt(false)
            .build();
        var config = new SecretBackend("config", backendArgs);

        // Role that decides where, and for how long, tokens may be issued.
        var roleArgs = SecretBackendRoleArgs.builder()
            .backend(config.path())
            .name("service-account-name-role")
            // "*" lets this role issue credentials in every namespace. The request
            // below only needs "test"; list just the namespaces that need tokens.
            .allowedKubernetesNamespaces("*")
            // Seconds: 43200 = 12 h ceiling, 21600 = 6 h default.
            .tokenMaxTtl(43200)
            .tokenDefaultTtl(21600)
            .serviceAccountName("test-service-account-with-generated-token")
            .extraLabels(Map.ofEntries(
                Map.entry("id", "abc123"),
                Map.entry("name", "some_name")
            ))
            .extraAnnotations(Map.ofEntries(
                Map.entry("env", "development"),
                Map.entry("location", "earth")
            ))
            .build();
        var role = new SecretBackendRole("role", roleArgs);

        // Request a one-hour token in the "test" namespace. clusterRoleBinding
        // stays false so the grant is namespaced rather than cluster-wide.
        // The result's serviceAccountToken is a live credential: do not log it or
        // export it as a plain stack output; leaseId identifies its lease in Vault.
        // NOTE(review): each evaluation presumably asks Vault for a new token — confirm.
        final var token = KubernetesFunctions.getServiceAccountToken(GetServiceAccountTokenArgs.builder()
            .backend(config.path())
            .role(role.name())
            .kubernetesNamespace("test")
            .clusterRoleBinding(false)
            .ttl("1h")
            .build());
    }

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
}
resources:
  # Mounts and configures the Kubernetes secrets engine at "kubernetes".
  config:
    type: vault:kubernetes:SecretBackend
    properties:
      path: kubernetes
      description: kubernetes secrets engine description
      # Loopback placeholder; point this at the cluster's API server.
      kubernetesHost: https://127.0.0.1:61233
      kubernetesCaCert:
        fn::invoke:
          function: std:file
          arguments:
            input: /path/to/cert
          return: result
      # JWT of the service account Vault acts as. The file is a credential:
      # keep it out of version control and readable only by the deploying identity.
      serviceAccountJwt:
        fn::invoke:
          function: std:file
          arguments:
            input: /path/to/token
          return: result
      # false leaves Vault free to fall back to its own pod's CA certificate
      # and service account JWT when it runs inside Kubernetes.
      disableLocalCaJwt: false
  # Role that decides where, and for how long, tokens may be issued.
  role:
    type: vault:kubernetes:SecretBackendRole
    properties:
      backend: ${config.path}
      name: service-account-name-role
      # '*' lets this role issue credentials in every namespace. The request
      # below only needs "test"; list just the namespaces that need tokens.
      allowedKubernetesNamespaces:
        - '*'
      # Seconds: 43200 = 12 h ceiling, 21600 = 6 h default.
      tokenMaxTtl: 43200
      tokenDefaultTtl: 21600
      serviceAccountName: test-service-account-with-generated-token
      extraLabels:
        id: abc123
        name: some_name
      extraAnnotations:
        env: development
        location: earth
variables:
  # Requests a one-hour token in the "test" namespace. clusterRoleBinding stays
  # false so the grant is namespaced rather than cluster-wide.
  # The result's serviceAccountToken is a live credential: do not log it or
  # export it as a plain stack output; leaseId identifies its lease in Vault.
  # NOTE(review): each evaluation presumably asks Vault for a new token — confirm.
  token:
    fn::invoke:
      function: vault:kubernetes:getServiceAccountToken
      arguments:
        backend: ${config.path}
        role: ${role.name}
        kubernetesNamespace: test
        clusterRoleBinding: false
        ttl: 1h
Using getServiceAccountToken
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getServiceAccountToken(args: GetServiceAccountTokenArgs, opts?: InvokeOptions): Promise<GetServiceAccountTokenResult>
function getServiceAccountTokenOutput(args: GetServiceAccountTokenOutputArgs, opts?: InvokeOptions): Output<GetServiceAccountTokenResult>
def get_service_account_token(backend: Optional[str] = None,
cluster_role_binding: Optional[bool] = None,
kubernetes_namespace: Optional[str] = None,
namespace: Optional[str] = None,
role: Optional[str] = None,
ttl: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetServiceAccountTokenResult
def get_service_account_token_output(backend: Optional[pulumi.Input[str]] = None,
cluster_role_binding: Optional[pulumi.Input[bool]] = None,
kubernetes_namespace: Optional[pulumi.Input[str]] = None,
namespace: Optional[pulumi.Input[str]] = None,
role: Optional[pulumi.Input[str]] = None,
ttl: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetServiceAccountTokenResult]
func GetServiceAccountToken(ctx *Context, args *GetServiceAccountTokenArgs, opts ...InvokeOption) (*GetServiceAccountTokenResult, error)
func GetServiceAccountTokenOutput(ctx *Context, args *GetServiceAccountTokenOutputArgs, opts ...InvokeOption) GetServiceAccountTokenResultOutput
> Note: This function is named GetServiceAccountToken in the Go SDK.
public static class GetServiceAccountToken
{
public static Task<GetServiceAccountTokenResult> InvokeAsync(GetServiceAccountTokenArgs args, InvokeOptions? opts = null)
public static Output<GetServiceAccountTokenResult> Invoke(GetServiceAccountTokenInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetServiceAccountTokenResult> getServiceAccountToken(GetServiceAccountTokenArgs args, InvokeOptions options)
public static Output<GetServiceAccountTokenResult> getServiceAccountToken(GetServiceAccountTokenArgs args, InvokeOptions options)
fn::invoke:
function: vault:kubernetes/getServiceAccountToken:getServiceAccountToken
arguments:
# arguments dictionary
The following arguments are supported:
- Backend string
- The Kubernetes secret backend to generate service account tokens from.
- KubernetesNamespace string
- The name of the Kubernetes namespace in which to generate the credentials.
- Role string
- The name of the Kubernetes secret backend role to generate service account tokens from.
- ClusterRoleBinding bool
- If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- Namespace string
- The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- Ttl string
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
- Backend string
- The Kubernetes secret backend to generate service account tokens from.
- KubernetesNamespace string
- The name of the Kubernetes namespace in which to generate the credentials.
- Role string
- The name of the Kubernetes secret backend role to generate service account tokens from.
- ClusterRoleBinding bool
- If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- Namespace string
- The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- Ttl string
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
- backend String
- The Kubernetes secret backend to generate service account tokens from.
- kubernetesNamespace String
- The name of the Kubernetes namespace in which to generate the credentials.
- role String
- The name of the Kubernetes secret backend role to generate service account tokens from.
- clusterRoleBinding Boolean
- If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- namespace String
- The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ttl String
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
- backend string
- The Kubernetes secret backend to generate service account tokens from.
- kubernetesNamespace string
- The name of the Kubernetes namespace in which to generate the credentials.
- role string
- The name of the Kubernetes secret backend role to generate service account tokens from.
- clusterRoleBinding boolean
- If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- namespace string
- The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ttl string
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
- backend str
- The Kubernetes secret backend to generate service account tokens from.
- kubernetes_namespace str
- The name of the Kubernetes namespace in which to generate the credentials.
- role str
- The name of the Kubernetes secret backend role to generate service account tokens from.
- cluster_role_binding bool
- If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- namespace str
- The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ttl str
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
- backend String
- The Kubernetes secret backend to generate service account tokens from.
- kubernetesNamespace String
- The name of the Kubernetes namespace in which to generate the credentials.
- role String
- The name of the Kubernetes secret backend role to generate service account tokens from.
- clusterRoleBinding Boolean
- If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
- namespace String
- The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- ttl String
- The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
getServiceAccountToken Result
The following output properties are available:
- Backend string
- Id string
- The provider-assigned unique ID for this managed resource.
- KubernetesNamespace string
- LeaseDuration int
- The duration of the lease in seconds.
- LeaseId string
- The lease identifier assigned by Vault.
- LeaseRenewable bool
- True if the duration of this lease can be extended through renewal.
- Role string
- ServiceAccountName string
- The name of the service account associated with the token.
- ServiceAccountNamespace string
- The Kubernetes namespace that the service account resides in.
- ServiceAccountToken string
- The Kubernetes service account token.
- ClusterRoleBinding bool
- Namespace string
- Ttl string
- Backend string
- Id string
- The provider-assigned unique ID for this managed resource.
- KubernetesNamespace string
- LeaseDuration int
- The duration of the lease in seconds.
- LeaseId string
- The lease identifier assigned by Vault.
- LeaseRenewable bool
- True if the duration of this lease can be extended through renewal.
- Role string
- ServiceAccountName string
- The name of the service account associated with the token.
- ServiceAccountNamespace string
- The Kubernetes namespace that the service account resides in.
- ServiceAccountToken string
- The Kubernetes service account token.
- ClusterRoleBinding bool
- Namespace string
- Ttl string
- backend String
- id String
- The provider-assigned unique ID for this managed resource.
- kubernetesNamespace String
- leaseDuration Integer
- The duration of the lease in seconds.
- leaseId String
- The lease identifier assigned by Vault.
- leaseRenewable Boolean
- True if the duration of this lease can be extended through renewal.
- role String
- serviceAccountName String
- The name of the service account associated with the token.
- serviceAccountNamespace String
- The Kubernetes namespace that the service account resides in.
- serviceAccountToken String
- The Kubernetes service account token.
- clusterRoleBinding Boolean
- namespace String
- ttl String
- backend string
- id string
- The provider-assigned unique ID for this managed resource.
- kubernetesNamespace string
- leaseDuration number
- The duration of the lease in seconds.
- leaseId string
- The lease identifier assigned by Vault.
- leaseRenewable boolean
- True if the duration of this lease can be extended through renewal.
- role string
- serviceAccountName string
- The name of the service account associated with the token.
- serviceAccountNamespace string
- The Kubernetes namespace that the service account resides in.
- serviceAccountToken string
- The Kubernetes service account token.
- clusterRoleBinding boolean
- namespace string
- ttl string
- backend str
- id str
- The provider-assigned unique ID for this managed resource.
- kubernetes_namespace str
- lease_duration int
- The duration of the lease in seconds.
- lease_id str
- The lease identifier assigned by Vault.
- lease_renewable bool
- True if the duration of this lease can be extended through renewal.
- role str
- service_account_name str
- The name of the service account associated with the token.
- service_account_namespace str
- The Kubernetes namespace that the service account resides in.
- service_account_token str
- The Kubernetes service account token.
- cluster_role_binding bool
- namespace str
- ttl str
- backend String
- id String
- The provider-assigned unique ID for this managed resource.
- kubernetesNamespace String
- leaseDuration Number
- The duration of the lease in seconds.
- leaseId String
- The lease identifier assigned by Vault.
- leaseRenewable Boolean
- True if the duration of this lease can be extended through renewal.
- role String
- serviceAccountName String
- The name of the service account associated with the token.
- serviceAccountNamespace String
- The Kubernetes namespace that the service account resides in.
- serviceAccountToken String
- The Kubernetes service account token.
- clusterRoleBinding Boolean
- namespace String
- ttl String
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the vault Terraform Provider.