| Parameter | Choices/Defaults | Comments |
|---|---|---|
| allow_instance_migration | | If set to true, allows migration of the underlying instance where the client resides. This disables the client nonce check once the instance has moved to a new host, so use it with caution. Applies to the `ec2` auth type only. |
| auth_type | Choices: `ec2`, `iam` | Auth type permitted for this role. |
| authtype | Choices: `token`, `userpass`, `github`, `ldap`, `approle`. Default: `token`, or environment variable `VAULT_AUTHTYPE` | Authentication type used to log in to Vault. |
| aws_header | Default: environment variable `VAULT_AWS_HEADER` | Value of the `X-Vault-AWS-IAM-Server-ID` header, used to prevent a signed login request from being replayed against a different Vault server. |
| bound_account_id | | Defines a constraint on the EC2 instances that can perform the login operation: they must belong to the AWS account ID specified. |
| bound_ami_id | | Defines a constraint on the EC2 instances that can perform the login operation: they must be launched from the AMI ID specified. |
| bound_ec2_instance_id | | Defines a constraint on the EC2 instances that can perform the login operation: they must have the EC2 instance ID specified. |
| bound_iam_instance_profile_arn | | Defines a constraint on the EC2 instances that can perform the login operation: they must be associated with an IAM instance profile whose ARN starts with the value specified. |
| bound_iam_principal_arn | | IAM principal ARN that must be authenticated when `auth_type` is `iam`. |
| bound_iam_role_arn | | Defines a constraint on the EC2 instances that can perform the login operation: they must match the IAM role ARN specified. |
| bound_region | | Defines a constraint on the EC2 instances that can perform the login operation: the region in their instance identity document must match the value specified. |
| bound_subnet_id | | Defines a constraint on the EC2 instances that can perform the login operation: they must be associated with the subnet ID specified. |
| bound_vpc_id | | Defines a constraint on the EC2 instances that can perform the login operation: they must be associated with the VPC ID specified. |
| ca_cert | Default: environment variable `VAULT_CACERT` | Path to a PEM-encoded CA certificate file used to verify the Vault server TLS certificate. |
| ca_path | Default: environment variable `VAULT_CAPATH` | Path to a directory of PEM-encoded CA certificate files used to verify the Vault server TLS certificate. If `ca_cert` is specified, its value takes precedence. |
| client_cert | Default: environment variable `VAULT_CLIENT_CERT` | Path to a PEM-encoded client certificate for TLS authentication to the Vault server. |
| client_key | Default: environment variable `VAULT_CLIENT_KEY` | Path to an unencrypted PEM-encoded private key matching the client certificate. |
| disallow_reauthentication | | If set to true, only a single token is granted per instance ID; a fresh login requires clearing that instance ID from the auth method's identity access list. Applies to the `ec2` auth type only. |
| inferred_entity_type | | Instructs Vault to turn on inferencing. The only valid value is `ec2_instance`, which tells Vault to treat the authenticating IAM principal as an EC2 instance in an instance profile so that the `bound_*` EC2 constraints apply to it. Applies to the `iam` auth type only. |
| login_mount_point | Default: value of `authtype`, or environment variable `VAULT_LOGIN_MOUNT_POINT` | Mount point of the auth method used to log in to Vault. |
| max_ttl | | Maximum allowed lifetime of tokens issued using this role, as a number of seconds. |
| mount_point | | Location where this auth method is mounted, also known as its path. |
| name | | Role name. |
| namespace | Default: environment variable `VAULT_NAMESPACE` | Vault namespace. |
| password | Default: environment variable `VAULT_PASSWORD` | Password used to log in to Vault. |
| period | | If set, tokens issued using this role never expire but must be renewed within this many seconds; each renewal resets the token TTL to this value. |
| policies | | Policies attached to tokens issued using this role. |
| resolve_aws_unique_ids | | If set to true, `bound_iam_principal_arn` is resolved to the AWS unique ID of the bound principal, so an IAM user or role that is deleted and recreated under the same name does not inherit access to this role. |
| role_tag | | If set, enables role tags for this role. The value is the key of the tag on the EC2 instance; tag values are generated with the auth method's role tag endpoint. Applies to the `ec2` auth type only. |
| token | Default: environment variable `VAULT_TOKEN` | Token used to authenticate to Vault. |
| ttl | | TTL of tokens issued using this role, as a number of seconds. |
| url | Default: environment variable `VAULT_ADDR` | URL of the Vault server. |
| username | Default: environment variable `VAULT_USER` | Username used to log in to Vault. |
| verify | Default: environment variable `VAULT_SKIP_VERIFY` | If set, do not verify the presented TLS certificate before communicating with the Vault server. Not recommended except during testing. |
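The parameters above map almost one-to-one onto the Vault API write to `auth/<mount_point>/role/<name>`, and several of them only make sense for one `auth_type`. The following is an added example, not code from the documented module or from Vault: it assembles that role payload from the table's parameters, rejects combinations Vault will refuse (a role with no `bound_*` constraint, an `ec2`-only option on an `iam` role), warns on the two settings that weaken the role (`allow_instance_migration`, `resolve_aws_unique_ids=false`), and shows how the `VAULT_*` environment variables listed as defaults map onto connection settings. The helper names and the fallback URL are this example's own.

```python
"""Assemble and sanity-check a Vault AWS auth-method role definition.

Added example; the helper names here are not the documented module's API.
Only the Vault API path auth/<mount>/role/<name> and the parameter names are
taken from Vault itself.
"""
import os

# Options Vault applies only to one auth_type (ec2 vs iam).
EC2_ONLY = {"bound_region", "role_tag", "allow_instance_migration",
            "disallow_reauthentication"}
IAM_ONLY = {"bound_iam_principal_arn", "inferred_entity_type",
            "resolve_aws_unique_ids"}
BOUND_KEYS = {"bound_account_id", "bound_ami_id", "bound_ec2_instance_id",
              "bound_iam_instance_profile_arn", "bound_iam_principal_arn",
              "bound_iam_role_arn", "bound_region", "bound_subnet_id",
              "bound_vpc_id"}


def role_path(name, mount_point="aws"):
    """API path the role is written to: auth/<mount_point>/role/<name>."""
    return f"auth/{mount_point.strip('/')}/role/{name}"


def build_aws_role(name, auth_type="iam", **params):
    """Return (payload, warnings); raise ValueError for a role Vault rejects
    or one that would let any caller on the auth method log in."""
    if auth_type not in ("ec2", "iam"):
        raise ValueError(f"auth_type must be ec2 or iam, got {auth_type!r}")
    payload = {k: v for k, v in params.items() if v is not None}
    wrong = payload.keys() & (IAM_ONLY if auth_type == "ec2" else EC2_ONLY)
    if wrong:
        raise ValueError(f"{sorted(wrong)} do not apply to auth_type={auth_type}")
    if not (payload.keys() & BOUND_KEYS):
        raise ValueError("role has no bound_* constraint")
    if (auth_type == "iam" and "bound_iam_principal_arn" not in payload
            and payload.get("inferred_entity_type") != "ec2_instance"):
        raise ValueError("iam roles need bound_iam_principal_arn or "
                         "inferred_entity_type=ec2_instance")
    ttl, max_ttl = payload.get("ttl"), payload.get("max_ttl")
    if isinstance(ttl, int) and isinstance(max_ttl, int) and ttl > max_ttl:
        raise ValueError("ttl exceeds max_ttl")
    warnings = []
    if payload.get("allow_instance_migration"):
        warnings.append("allow_instance_migration disables the client nonce "
                        "check after a host migration")
    if payload.get("resolve_aws_unique_ids") is False:
        warnings.append("resolve_aws_unique_ids=false binds to the ARN text; "
                        "a recreated principal with the same name gets access")
    payload["auth_type"] = auth_type
    payload["name"] = name
    return payload, warnings


def vault_connection(env=None):
    """Map the VAULT_* variables the table lists as defaults onto the
    connection settings a client needs (precedence as documented)."""
    env = os.environ if env is None else env
    verify = True
    if env.get("VAULT_SKIP_VERIFY", "").lower() in ("1", "true", "yes"):
        verify = False          # not recommended outside testing
    elif env.get("VAULT_CACERT"):
        verify = env["VAULT_CACERT"]   # ca_cert takes precedence over ca_path
    elif env.get("VAULT_CAPATH"):
        verify = env["VAULT_CAPATH"]
    cert = None
    if env.get("VAULT_CLIENT_CERT") and env.get("VAULT_CLIENT_KEY"):
        cert = (env["VAULT_CLIENT_CERT"], env["VAULT_CLIENT_KEY"])
    return {
        # fallback URL is this example's assumption, not a documented default
        "url": env.get("VAULT_ADDR", "http://127.0.0.1:8200"),
        "token": env.get("VAULT_TOKEN"),
        "namespace": env.get("VAULT_NAMESPACE"),
        "verify": verify,
        "cert": cert,
    }


if __name__ == "__main__":
    # Constructed sample role: an ec2 role pinned to an AMI and a VPC.
    payload, warns = build_aws_role(
        "web", auth_type="ec2", bound_ami_id="ami-0123456789abcdef0",
        bound_vpc_id="vpc-0abc1234", policies=["web"], ttl=3600, max_ttl=7200)
    print(role_path("web"), payload, warns)
```

Write `payload` to `role_path(name, mount_point)` with whatever Vault client the playbook uses; the checks run before any network call, so a misconfigured role fails in the task rather than at the first instance login.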