diff --git a/vault/resource_aws_secret_backend.go b/vault/resource_aws_secret_backend.go index b264533fb..3d0ecc087 100644 --- a/vault/resource_aws_secret_backend.go +++ b/vault/resource_aws_secret_backend.go @@ -59,13 +59,13 @@ func awsSecretBackendResource() *schema.Resource { }, "access_key": { Type: schema.TypeString, - Required: true, + Optional: true, Description: "The AWS Access Key ID to use when generating new credentials.", Sensitive: true, }, "secret_key": { Type: schema.TypeString, - Required: true, + Optional: true, Description: "The AWS Secret Access Key to use when generating new credentials.", Sensitive: true, }, diff --git a/vault/resource_aws_secret_backend_test.go b/vault/resource_aws_secret_backend_test.go index 641bec20f..574ced3dc 100644 --- a/vault/resource_aws_secret_backend_test.go +++ b/vault/resource_aws_secret_backend_test.go @@ -43,6 +43,18 @@ func TestAccAWSSecretBackend_basic(t *testing.T) { resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "region", "us-west-1"), ), }, + { + Config: testAccAWSSecretBackendConfig_noCreds(path), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "path", path), + resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "description", "test description"), + resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "default_lease_ttl_seconds", "1800"), + resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "max_lease_ttl_seconds", "43200"), + resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "access_key", ""), + resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "secret_key", ""), + resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "region", "us-west-1"), + ), + }, }, }) } @@ -125,3 +137,14 @@ resource "vault_aws_secret_backend" "test" { region = "us-west-1" }`, path, accessKey, secretKey) } + +func testAccAWSSecretBackendConfig_noCreds(path string) string { + return fmt.Sprintf(` +resource "vault_aws_secret_backend" "test" { + path = "%s" + description = "test description" + default_lease_ttl_seconds = 1800 + max_lease_ttl_seconds = 43200 + region = "us-west-1" +}`, path) +} diff --git a/website/docs/r/aws_secret_backend.html.md b/website/docs/r/aws_secret_backend.html.md index 3a2bb4041..fb690e826 100644 --- a/website/docs/r/aws_secret_backend.html.md +++ b/website/docs/r/aws_secret_backend.html.md @@ -31,11 +31,11 @@ resource "vault_aws_secret_backend" "aws" { The following arguments are supported: -* `access_key` - (Required) The AWS Access Key ID this backend should use to -issue new credentials. +* `access_key` - (Optional) The AWS Access Key ID this backend should use to +issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. -* `secret_key` - (Required) The AWS Secret Key this backend should use to -issue new credentials. +* `secret_key` - (Optional) The AWS Secret Key this backend should use to +issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. ~> **Important** Vault version 1.2.3 and older does not support reading the configured credentials back from the API, With these older versions, Terraform cannot detect and correct drift