HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
vault.kv.getSecretSubkeysV2
Explore with Pulumi AI
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const kvv2 = new vault.Mount("kvv2", {
    path: "kvv2",
    type: "kv",
    options: {
        version: "2",
    },
    description: "KV Version 2 secret engine mount",
});
const awsSecret = new vault.kv.SecretV2("aws_secret", {
    mount: kvv2.path,
    name: "aws_secret",
    dataJson: JSON.stringify({
        zip: "zap",
        foo: "bar",
    }),
});
const test = vault.kv.getSecretSubkeysV2Output({
    mount: kvv2.path,
    name: awsSecret.name,
});
import pulumi
import json
import pulumi_vault as vault
kvv2 = vault.Mount("kvv2",
    path="kvv2",
    type="kv",
    options={
        "version": "2",
    },
    description="KV Version 2 secret engine mount")
aws_secret = vault.kv.SecretV2("aws_secret",
    mount=kvv2.path,
    name="aws_secret",
    data_json=json.dumps({
        "zip": "zap",
        "foo": "bar",
    }))
test = vault.kv.get_secret_subkeys_v2_output(mount=kvv2.path,
    name=aws_secret.name)
package main
import (
	"encoding/json"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kv"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		kvv2, err := vault.NewMount(ctx, "kvv2", &vault.MountArgs{
			Path: pulumi.String("kvv2"),
			Type: pulumi.String("kv"),
			Options: pulumi.StringMap{
				"version": pulumi.String("2"),
			},
			Description: pulumi.String("KV Version 2 secret engine mount"),
		})
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"zip": "zap",
			"foo": "bar",
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		awsSecret, err := kv.NewSecretV2(ctx, "aws_secret", &kv.SecretV2Args{
			Mount:    kvv2.Path,
			Name:     pulumi.String("aws_secret"),
			DataJson: pulumi.String(json0),
		})
		if err != nil {
			return err
		}
		_ = kv.GetSecretSubkeysV2Output(ctx, kv.GetSecretSubkeysV2OutputArgs{
			Mount: kvv2.Path,
			Name:  awsSecret.Name,
		}, nil)
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() => 
{
    var kvv2 = new Vault.Mount("kvv2", new()
    {
        Path = "kvv2",
        Type = "kv",
        Options = 
        {
            { "version", "2" },
        },
        Description = "KV Version 2 secret engine mount",
    });
    var awsSecret = new Vault.Kv.SecretV2("aws_secret", new()
    {
        Mount = kvv2.Path,
        Name = "aws_secret",
        DataJson = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["zip"] = "zap",
            ["foo"] = "bar",
        }),
    });
    var test = Vault.kv.GetSecretSubkeysV2.Invoke(new()
    {
        Mount = kvv2.Path,
        Name = awsSecret.Name,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.kv.SecretV2;
import com.pulumi.vault.kv.SecretV2Args;
import com.pulumi.vault.kv.KvFunctions;
import com.pulumi.vault.kv.inputs.GetSecretSubkeysV2Args;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var kvv2 = new Mount("kvv2", MountArgs.builder()
            .path("kvv2")
            .type("kv")
            .options(Map.of("version", "2"))
            .description("KV Version 2 secret engine mount")
            .build());
        var awsSecret = new SecretV2("awsSecret", SecretV2Args.builder()
            .mount(kvv2.path())
            .name("aws_secret")
            .dataJson(serializeJson(
                jsonObject(
                    jsonProperty("zip", "zap"),
                    jsonProperty("foo", "bar")
                )))
            .build());
        final var test = KvFunctions.getSecretSubkeysV2(GetSecretSubkeysV2Args.builder()
            .mount(kvv2.path())
            .name(awsSecret.name())
            .build());
    }
}
resources:
  kvv2:
    type: vault:Mount
    properties:
      path: kvv2
      type: kv
      options:
        version: '2'
      description: KV Version 2 secret engine mount
  awsSecret:
    type: vault:kv:SecretV2
    name: aws_secret
    properties:
      mount: ${kvv2.path}
      name: aws_secret
      dataJson:
        fn::toJSON:
          zip: zap
          foo: bar
variables:
  test:
    fn::invoke:
      function: vault:kv:getSecretSubkeysV2
      arguments:
        mount: ${kvv2.path}
        name: ${awsSecret.name}
Required Vault Capabilities
Use of this resource requires the read capability on the given path.
Using getSecretSubkeysV2
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getSecretSubkeysV2(args: GetSecretSubkeysV2Args, opts?: InvokeOptions): Promise<GetSecretSubkeysV2Result>
function getSecretSubkeysV2Output(args: GetSecretSubkeysV2OutputArgs, opts?: InvokeOptions): Output<GetSecretSubkeysV2Result>def get_secret_subkeys_v2(depth: Optional[int] = None,
                          mount: Optional[str] = None,
                          name: Optional[str] = None,
                          namespace: Optional[str] = None,
                          version: Optional[int] = None,
                          opts: Optional[InvokeOptions] = None) -> GetSecretSubkeysV2Result
def get_secret_subkeys_v2_output(depth: Optional[pulumi.Input[int]] = None,
                          mount: Optional[pulumi.Input[str]] = None,
                          name: Optional[pulumi.Input[str]] = None,
                          namespace: Optional[pulumi.Input[str]] = None,
                          version: Optional[pulumi.Input[int]] = None,
                          opts: Optional[InvokeOptions] = None) -> Output[GetSecretSubkeysV2Result]func GetSecretSubkeysV2(ctx *Context, args *GetSecretSubkeysV2Args, opts ...InvokeOption) (*GetSecretSubkeysV2Result, error)
func GetSecretSubkeysV2Output(ctx *Context, args *GetSecretSubkeysV2OutputArgs, opts ...InvokeOption) GetSecretSubkeysV2ResultOutput> Note: This function is named GetSecretSubkeysV2 in the Go SDK.
public static class GetSecretSubkeysV2 
{
    public static Task<GetSecretSubkeysV2Result> InvokeAsync(GetSecretSubkeysV2Args args, InvokeOptions? opts = null)
    public static Output<GetSecretSubkeysV2Result> Invoke(GetSecretSubkeysV2InvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetSecretSubkeysV2Result> getSecretSubkeysV2(GetSecretSubkeysV2Args args, InvokeOptions options)
public static Output<GetSecretSubkeysV2Result> getSecretSubkeysV2(GetSecretSubkeysV2Args args, InvokeOptions options)
fn::invoke:
  function: vault:kv/getSecretSubkeysV2:getSecretSubkeysV2
  arguments:
    # arguments dictionaryThe following arguments are supported:
- Mount string
- Path where KV-V2 engine is mounted.
- Name string
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at kvv2/data/foo/bar/bazthe name isfoo/bar/baz.
- Depth int
- Specifies the deepest nesting level to provide in the output.
If non-zero, keys that reside at the specified depth value will be
artificially treated as leaves and will thus be nulleven if further underlying sub-keys exist.
- Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
- Version int
- Specifies the version to return. If not set the latest version is returned.
- Mount string
- Path where KV-V2 engine is mounted.
- Name string
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at kvv2/data/foo/bar/bazthe name isfoo/bar/baz.
- Depth int
- Specifies the deepest nesting level to provide in the output.
If non-zero, keys that reside at the specified depth value will be
artificially treated as leaves and will thus be nulleven if further underlying sub-keys exist.
- Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
- Version int
- Specifies the version to return. If not set the latest version is returned.
- mount String
- Path where KV-V2 engine is mounted.
- name String
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at kvv2/data/foo/bar/bazthe name isfoo/bar/baz.
- depth Integer
- Specifies the deepest nesting level to provide in the output.
If non-zero, keys that reside at the specified depth value will be
artificially treated as leaves and will thus be nulleven if further underlying sub-keys exist.
- namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
- version Integer
- Specifies the version to return. If not set the latest version is returned.
- mount string
- Path where KV-V2 engine is mounted.
- name string
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at kvv2/data/foo/bar/bazthe name isfoo/bar/baz.
- depth number
- Specifies the deepest nesting level to provide in the output.
If non-zero, keys that reside at the specified depth value will be
artificially treated as leaves and will thus be nulleven if further underlying sub-keys exist.
- namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
- version number
- Specifies the version to return. If not set the latest version is returned.
- mount str
- Path where KV-V2 engine is mounted.
- name str
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at kvv2/data/foo/bar/bazthe name isfoo/bar/baz.
- depth int
- Specifies the deepest nesting level to provide in the output.
If non-zero, keys that reside at the specified depth value will be
artificially treated as leaves and will thus be nulleven if further underlying sub-keys exist.
- namespace str
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
- version int
- Specifies the version to return. If not set the latest version is returned.
- mount String
- Path where KV-V2 engine is mounted.
- name String
- Full name of the secret. For a nested secret
the name is the nested path excluding the mount and data
prefix. For example, for a secret at kvv2/data/foo/bar/bazthe name isfoo/bar/baz.
- depth Number
- Specifies the deepest nesting level to provide in the output.
If non-zero, keys that reside at the specified depth value will be
artificially treated as leaves and will thus be nulleven if further underlying sub-keys exist.
- namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
- version Number
- Specifies the version to return. If not set the latest version is returned.
getSecretSubkeysV2 Result
The following output properties are available:
- Data Dictionary<string, string>
- Subkeys for the KV-V2 secret stored as a serialized map of strings.
- DataJson string
- Subkeys for the KV-V2 secret read from Vault.
- Id string
- The provider-assigned unique ID for this managed resource.
- Mount string
- Name string
- Path string
- Full path where the KV-V2 secrets are listed.
- Depth int
- Namespace string
- Version int
- Data map[string]string
- Subkeys for the KV-V2 secret stored as a serialized map of strings.
- DataJson string
- Subkeys for the KV-V2 secret read from Vault.
- Id string
- The provider-assigned unique ID for this managed resource.
- Mount string
- Name string
- Path string
- Full path where the KV-V2 secrets are listed.
- Depth int
- Namespace string
- Version int
- data Map<String,String>
- Subkeys for the KV-V2 secret stored as a serialized map of strings.
- dataJson String
- Subkeys for the KV-V2 secret read from Vault.
- id String
- The provider-assigned unique ID for this managed resource.
- mount String
- name String
- path String
- Full path where the KV-V2 secrets are listed.
- depth Integer
- namespace String
- version Integer
- data {[key: string]: string}
- Subkeys for the KV-V2 secret stored as a serialized map of strings.
- dataJson string
- Subkeys for the KV-V2 secret read from Vault.
- id string
- The provider-assigned unique ID for this managed resource.
- mount string
- name string
- path string
- Full path where the KV-V2 secrets are listed.
- depth number
- namespace string
- version number
- data Mapping[str, str]
- Subkeys for the KV-V2 secret stored as a serialized map of strings.
- data_json str
- Subkeys for the KV-V2 secret read from Vault.
- id str
- The provider-assigned unique ID for this managed resource.
- mount str
- name str
- path str
- Full path where the KV-V2 secrets are listed.
- depth int
- namespace str
- version int
- data Map<String>
- Subkeys for the KV-V2 secret stored as a serialized map of strings.
- dataJson String
- Subkeys for the KV-V2 secret read from Vault.
- id String
- The provider-assigned unique ID for this managed resource.
- mount String
- name String
- path String
- Full path where the KV-V2 secrets are listed.
- depth Number
- namespace String
- version Number
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the vaultTerraform Provider.