1. Packages
  2. HashiCorp Vault Provider
  3. API Docs
  4. kubernetes
  5. getServiceAccountToken
HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi

vault.kubernetes.getServiceAccountToken

Explore with Pulumi AI

HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";

const config = new vault.kubernetes.SecretBackend("config", {
    path: "kubernetes",
    description: "kubernetes secrets engine description",
    kubernetesHost: "https://127.0.0.1:61233",
    kubernetesCaCert: std.file({
        input: "/path/to/cert",
    }).then(invoke => invoke.result),
    serviceAccountJwt: std.file({
        input: "/path/to/token",
    }).then(invoke => invoke.result),
    disableLocalCaJwt: false,
});
const role = new vault.kubernetes.SecretBackendRole("role", {
    backend: config.path,
    name: "service-account-name-role",
    allowedKubernetesNamespaces: ["*"],
    tokenMaxTtl: 43200,
    tokenDefaultTtl: 21600,
    serviceAccountName: "test-service-account-with-generated-token",
    extraLabels: {
        id: "abc123",
        name: "some_name",
    },
    extraAnnotations: {
        env: "development",
        location: "earth",
    },
});
const token = vault.kubernetes.getServiceAccountTokenOutput({
    backend: config.path,
    role: role.name,
    kubernetesNamespace: "test",
    clusterRoleBinding: false,
    ttl: "1h",
});
Copy
import pulumi
import pulumi_std as std
import pulumi_vault as vault

config = vault.kubernetes.SecretBackend("config",
    path="kubernetes",
    description="kubernetes secrets engine description",
    kubernetes_host="https://127.0.0.1:61233",
    kubernetes_ca_cert=std.file(input="/path/to/cert").result,
    service_account_jwt=std.file(input="/path/to/token").result,
    disable_local_ca_jwt=False)
role = vault.kubernetes.SecretBackendRole("role",
    backend=config.path,
    name="service-account-name-role",
    allowed_kubernetes_namespaces=["*"],
    token_max_ttl=43200,
    token_default_ttl=21600,
    service_account_name="test-service-account-with-generated-token",
    extra_labels={
        "id": "abc123",
        "name": "some_name",
    },
    extra_annotations={
        "env": "development",
        "location": "earth",
    })
token = vault.kubernetes.get_service_account_token_output(backend=config.path,
    role=role.name,
    kubernetes_namespace="test",
    cluster_role_binding=False,
    ttl="1h")
Copy
package main

import (
	"github.com/pulumi/pulumi-std/sdk/go/std"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:              pulumi.String("kubernetes"),
			Description:       pulumi.String("kubernetes secrets engine description"),
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  pulumi.String(invokeFile.Result),
			ServiceAccountJwt: pulumi.String(invokeFile1.Result),
			DisableLocalCaJwt: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		role, err := kubernetes.NewSecretBackendRole(ctx, "role", &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			AllowedKubernetesNamespaces: pulumi.StringArray{
				pulumi.String("*"),
			},
			TokenMaxTtl:        pulumi.Int(43200),
			TokenDefaultTtl:    pulumi.Int(21600),
			ServiceAccountName: pulumi.String("test-service-account-with-generated-token"),
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		})
		if err != nil {
			return err
		}
		_ = kubernetes.GetServiceAccountTokenOutput(ctx, kubernetes.GetServiceAccountTokenOutputArgs{
			Backend:             config.Path,
			Role:                role.Name,
			KubernetesNamespace: pulumi.String("test"),
			ClusterRoleBinding:  pulumi.Bool(false),
			Ttl:                 pulumi.String("1h"),
		}, nil)
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var config = new Vault.Kubernetes.SecretBackend("config", new()
    {
        Path = "kubernetes",
        Description = "kubernetes secrets engine description",
        KubernetesHost = "https://127.0.0.1:61233",
        KubernetesCaCert = Std.File.Invoke(new()
        {
            Input = "/path/to/cert",
        }).Apply(invoke => invoke.Result),
        ServiceAccountJwt = Std.File.Invoke(new()
        {
            Input = "/path/to/token",
        }).Apply(invoke => invoke.Result),
        DisableLocalCaJwt = false,
    });

    var role = new Vault.Kubernetes.SecretBackendRole("role", new()
    {
        Backend = config.Path,
        Name = "service-account-name-role",
        AllowedKubernetesNamespaces = new[]
        {
            "*",
        },
        TokenMaxTtl = 43200,
        TokenDefaultTtl = 21600,
        ServiceAccountName = "test-service-account-with-generated-token",
        ExtraLabels = 
        {
            { "id", "abc123" },
            { "name", "some_name" },
        },
        ExtraAnnotations = 
        {
            { "env", "development" },
            { "location", "earth" },
        },
    });

    var token = Vault.Kubernetes.GetServiceAccountToken.Invoke(new()
    {
        Backend = config.Path,
        Role = role.Name,
        KubernetesNamespace = "test",
        ClusterRoleBinding = false,
        Ttl = "1h",
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.SecretBackend;
import com.pulumi.vault.kubernetes.SecretBackendArgs;
import com.pulumi.vault.kubernetes.SecretBackendRole;
import com.pulumi.vault.kubernetes.SecretBackendRoleArgs;
import com.pulumi.vault.kubernetes.KubernetesFunctions;
import com.pulumi.vault.kubernetes.inputs.GetServiceAccountTokenArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var config = new SecretBackend("config", SecretBackendArgs.builder()
            .path("kubernetes")
            .description("kubernetes secrets engine description")
            .kubernetesHost("https://127.0.0.1:61233")
            .kubernetesCaCert(StdFunctions.file(FileArgs.builder()
                .input("/path/to/cert")
                .build()).result())
            .serviceAccountJwt(StdFunctions.file(FileArgs.builder()
                .input("/path/to/token")
                .build()).result())
            .disableLocalCaJwt(false)
            .build());

        var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
            .backend(config.path())
            .name("service-account-name-role")
            .allowedKubernetesNamespaces("*")
            .tokenMaxTtl(43200)
            .tokenDefaultTtl(21600)
            .serviceAccountName("test-service-account-with-generated-token")
            .extraLabels(Map.ofEntries(
                Map.entry("id", "abc123"),
                Map.entry("name", "some_name")
            ))
            .extraAnnotations(Map.ofEntries(
                Map.entry("env", "development"),
                Map.entry("location", "earth")
            ))
            .build());

        final var token = KubernetesFunctions.getServiceAccountToken(GetServiceAccountTokenArgs.builder()
            .backend(config.path())
            .role(role.name())
            .kubernetesNamespace("test")
            .clusterRoleBinding(false)
            .ttl("1h")
            .build());

    }
}
Copy
resources:
  config:
    type: vault:kubernetes:SecretBackend
    properties:
      path: kubernetes
      description: kubernetes secrets engine description
      kubernetesHost: https://127.0.0.1:61233
      kubernetesCaCert:
        fn::invoke:
          function: std:file
          arguments:
            input: /path/to/cert
          return: result
      serviceAccountJwt:
        fn::invoke:
          function: std:file
          arguments:
            input: /path/to/token
          return: result
      disableLocalCaJwt: false
  role:
    type: vault:kubernetes:SecretBackendRole
    properties:
      backend: ${config.path}
      name: service-account-name-role
      allowedKubernetesNamespaces:
        - '*'
      tokenMaxTtl: 43200
      tokenDefaultTtl: 21600
      serviceAccountName: test-service-account-with-generated-token
      extraLabels:
        id: abc123
        name: some_name
      extraAnnotations:
        env: development
        location: earth
variables:
  token:
    fn::invoke:
      function: vault:kubernetes:getServiceAccountToken
      arguments:
        backend: ${config.path}
        role: ${role.name}
        kubernetesNamespace: test
        clusterRoleBinding: false
        ttl: 1h
Copy

Using getServiceAccountToken

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getServiceAccountToken(args: GetServiceAccountTokenArgs, opts?: InvokeOptions): Promise<GetServiceAccountTokenResult>
function getServiceAccountTokenOutput(args: GetServiceAccountTokenOutputArgs, opts?: InvokeOptions): Output<GetServiceAccountTokenResult>
Copy
def get_service_account_token(backend: Optional[str] = None,
                              cluster_role_binding: Optional[bool] = None,
                              kubernetes_namespace: Optional[str] = None,
                              namespace: Optional[str] = None,
                              role: Optional[str] = None,
                              ttl: Optional[str] = None,
                              opts: Optional[InvokeOptions] = None) -> GetServiceAccountTokenResult
def get_service_account_token_output(backend: Optional[pulumi.Input[str]] = None,
                              cluster_role_binding: Optional[pulumi.Input[bool]] = None,
                              kubernetes_namespace: Optional[pulumi.Input[str]] = None,
                              namespace: Optional[pulumi.Input[str]] = None,
                              role: Optional[pulumi.Input[str]] = None,
                              ttl: Optional[pulumi.Input[str]] = None,
                              opts: Optional[InvokeOptions] = None) -> Output[GetServiceAccountTokenResult]
Copy
func GetServiceAccountToken(ctx *Context, args *GetServiceAccountTokenArgs, opts ...InvokeOption) (*GetServiceAccountTokenResult, error)
func GetServiceAccountTokenOutput(ctx *Context, args *GetServiceAccountTokenOutputArgs, opts ...InvokeOption) GetServiceAccountTokenResultOutput
Copy

> Note: This function is named GetServiceAccountToken in the Go SDK.

public static class GetServiceAccountToken 
{
    public static Task<GetServiceAccountTokenResult> InvokeAsync(GetServiceAccountTokenArgs args, InvokeOptions? opts = null)
    public static Output<GetServiceAccountTokenResult> Invoke(GetServiceAccountTokenInvokeArgs args, InvokeOptions? opts = null)
}
Copy
public static CompletableFuture<GetServiceAccountTokenResult> getServiceAccountToken(GetServiceAccountTokenArgs args, InvokeOptions options)
public static Output<GetServiceAccountTokenResult> getServiceAccountToken(GetServiceAccountTokenArgs args, InvokeOptions options)
Copy
fn::invoke:
  function: vault:kubernetes/getServiceAccountToken:getServiceAccountToken
  arguments:
    # arguments dictionary
Copy

The following arguments are supported:

Backend This property is required. string
The Kubernetes secret backend to generate service account tokens from.
KubernetesNamespace This property is required. string
The name of the Kubernetes namespace in which to generate the credentials.
Role This property is required. string
The name of the Kubernetes secret backend role to generate service account tokens from.
ClusterRoleBinding bool
If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
Namespace Changes to this property will trigger replacement. string
The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
Ttl string
The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
Backend This property is required. string
The Kubernetes secret backend to generate service account tokens from.
KubernetesNamespace This property is required. string
The name of the Kubernetes namespace in which to generate the credentials.
Role This property is required. string
The name of the Kubernetes secret backend role to generate service account tokens from.
ClusterRoleBinding bool
If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
Namespace Changes to this property will trigger replacement. string
The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
Ttl string
The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
backend This property is required. String
The Kubernetes secret backend to generate service account tokens from.
kubernetesNamespace This property is required. String
The name of the Kubernetes namespace in which to generate the credentials.
role This property is required. String
The name of the Kubernetes secret backend role to generate service account tokens from.
clusterRoleBinding Boolean
If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
namespace Changes to this property will trigger replacement. String
The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
ttl String
The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
backend This property is required. string
The Kubernetes secret backend to generate service account tokens from.
kubernetesNamespace This property is required. string
The name of the Kubernetes namespace in which to generate the credentials.
role This property is required. string
The name of the Kubernetes secret backend role to generate service account tokens from.
clusterRoleBinding boolean
If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
namespace Changes to this property will trigger replacement. string
The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
ttl string
The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
backend This property is required. str
The Kubernetes secret backend to generate service account tokens from.
kubernetes_namespace This property is required. str
The name of the Kubernetes namespace in which to generate the credentials.
role This property is required. str
The name of the Kubernetes secret backend role to generate service account tokens from.
cluster_role_binding bool
If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
namespace Changes to this property will trigger replacement. str
The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
ttl str
The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.
backend This property is required. String
The Kubernetes secret backend to generate service account tokens from.
kubernetesNamespace This property is required. String
The name of the Kubernetes namespace in which to generate the credentials.
role This property is required. String
The name of the Kubernetes secret backend role to generate service account tokens from.
clusterRoleBinding Boolean
If true, generate a ClusterRoleBinding to grant permissions across the whole cluster instead of within a namespace.
namespace Changes to this property will trigger replacement. String
The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
ttl String
The TTL of the generated Kubernetes service account token, specified in seconds or as a Go duration format string.

getServiceAccountToken Result

The following output properties are available:

Backend string
Id string
The provider-assigned unique ID for this managed resource.
KubernetesNamespace string
LeaseDuration int
The duration of the lease in seconds.
LeaseId string
The lease identifier assigned by Vault.
LeaseRenewable bool
True if the duration of this lease can be extended through renewal.
Role string
ServiceAccountName string
The name of the service account associated with the token.
ServiceAccountNamespace string
The Kubernetes namespace that the service account resides in.
ServiceAccountToken string
The Kubernetes service account token.
ClusterRoleBinding bool
Namespace string
Ttl string
Backend string
Id string
The provider-assigned unique ID for this managed resource.
KubernetesNamespace string
LeaseDuration int
The duration of the lease in seconds.
LeaseId string
The lease identifier assigned by Vault.
LeaseRenewable bool
True if the duration of this lease can be extended through renewal.
Role string
ServiceAccountName string
The name of the service account associated with the token.
ServiceAccountNamespace string
The Kubernetes namespace that the service account resides in.
ServiceAccountToken string
The Kubernetes service account token.
ClusterRoleBinding bool
Namespace string
Ttl string
backend String
id String
The provider-assigned unique ID for this managed resource.
kubernetesNamespace String
leaseDuration Integer
The duration of the lease in seconds.
leaseId String
The lease identifier assigned by Vault.
leaseRenewable Boolean
True if the duration of this lease can be extended through renewal.
role String
serviceAccountName String
The name of the service account associated with the token.
serviceAccountNamespace String
The Kubernetes namespace that the service account resides in.
serviceAccountToken String
The Kubernetes service account token.
clusterRoleBinding Boolean
namespace String
ttl String
backend string
id string
The provider-assigned unique ID for this managed resource.
kubernetesNamespace string
leaseDuration number
The duration of the lease in seconds.
leaseId string
The lease identifier assigned by Vault.
leaseRenewable boolean
True if the duration of this lease can be extended through renewal.
role string
serviceAccountName string
The name of the service account associated with the token.
serviceAccountNamespace string
The Kubernetes namespace that the service account resides in.
serviceAccountToken string
The Kubernetes service account token.
clusterRoleBinding boolean
namespace string
ttl string
backend str
id str
The provider-assigned unique ID for this managed resource.
kubernetes_namespace str
lease_duration int
The duration of the lease in seconds.
lease_id str
The lease identifier assigned by Vault.
lease_renewable bool
True if the duration of this lease can be extended through renewal.
role str
service_account_name str
The name of the service account associated with the token.
service_account_namespace str
The Kubernetes namespace that the service account resides in.
service_account_token str
The Kubernetes service account token.
cluster_role_binding bool
namespace str
ttl str
backend String
id String
The provider-assigned unique ID for this managed resource.
kubernetesNamespace String
leaseDuration Number
The duration of the lease in seconds.
leaseId String
The lease identifier assigned by Vault.
leaseRenewable Boolean
True if the duration of this lease can be extended through renewal.
role String
serviceAccountName String
The name of the service account associated with the token.
serviceAccountNamespace String
The Kubernetes namespace that the service account resides in.
serviceAccountToken String
The Kubernetes service account token.
clusterRoleBinding Boolean
namespace String
ttl String

Package Details

Repository
Vault pulumi/pulumi-vault
License
Apache-2.0
Notes
This Pulumi package is based on the vault Terraform Provider.
HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi