New in version 3.9.8.
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| allow_instance_migration |
if set to true, allows migration of the underlying instance where the client resides.
|
|
| auth_type |
auth type permitted for this role. Valid choices are ec2 and iam
|
|
| authtype |
Default: token
|
authentication type to use: token, userpass, github, ldap, approle
|
| bound_account_id |
defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID
|
|
| bound_ami_id |
defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified
|
|
| bound_iam_instance_profile_arn |
defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile
|
|
| bound_iam_role_arn |
defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN
|
|
| bound_subnet_id |
defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID
|
|
| bound_vpc_id |
defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value
|
|
| ca_cert |
Default: to environment variable VAULT_CACERT
|
path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate
|
| ca_path |
Default: to environment variable VAULT_CAPATH
|
path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence
|
| client_cert |
Default: to environment variable VAULT_CLIENT_CERT
|
path to a PEM-encoded client certificate for TLS authentication to the Vault server
|
| client_key |
Default: to environment variable VAULT_CLIENT_KEY
|
path to an unencrypted PEM-encoded private key matching the client certificate
|
| disallow_reauthentication |
If set to true, only allows a single token to be granted per instance ID.
|
|
| inferred_entity_type |
Instructs Vault to turn on inferencing. The only valid value is ec2_instance
|
|
| name |
role name.
|
|
| password |
Default: to environment variable VAULT_PASSWORD
|
password to login to vault.
|
| policies |
policies for the role.
|
|
| resolve_aws_unique_ids |
If set to true, the bound_iam_principal_arn is resolved to an AWS Unique ID for the bound principal ARN.
|
|
| token |
Default: to environment variable VAULT_TOKEN
|
token for vault
|
| token_max_ttl |
The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds
|
|
| token_ttl |
The TTL period of tokens issued using this role, provided as a number of seconds
|
|
| url |
Default: to environment variable VAULT_ADDR
|
url for vault
|
| username |
Default: to environment variable VAULT_USER
|
username to login to vault.
|
| verify |
Default: to environment variable VAULT_SKIP_VERIFY
|
if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing
|
---
- hosts: localhost
tasks:
- hashivault_aws_ec2_role_create:
name: myrole
auth_type: iam
inferred_entity_type: ec2_instance
inferred_aws_region: eu-west-1
bound_iam_role_arn: arn:aws:iam::12345678:root/ec2-role
Hint
If you notice any issues in this documentation you can edit this document to improve it.