ssh

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

class pulumi_vault.ssh.SecretBackendCa(resource_name, opts=None, backend=None, generate_signing_key=None, private_key=None, public_key=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to manage CA information in an SSH secret backend within Vault.

import pulumi
import pulumi_vault as vault

example = vault.Mount("example", type="ssh")
foo = vault.ssh.SecretBackendCa("foo", backend=example.path)

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – The path where the SSH secret backend is mounted. Defaults to ‘ssh’

  • generate_signing_key (pulumi.Input[bool]) – Whether Vault should generate the signing key pair internally. Defaults to true

  • private_key (pulumi.Input[str]) – The private key part of the SSH CA key pair; required if generate_signing_key is false.

  • public_key (pulumi.Input[str]) – The public key part of the SSH CA key pair; required if generate_signing_key is false.

backend: pulumi.Output[str] = None

The path where the SSH secret backend is mounted. Defaults to ‘ssh’

generate_signing_key: pulumi.Output[bool] = None

Whether Vault should generate the signing key pair internally. Defaults to true

private_key: pulumi.Output[str] = None

The private key part of the SSH CA key pair; required if generate_signing_key is false.

public_key: pulumi.Output[str] = None

The public key part of the SSH CA key pair; required if generate_signing_key is false.

static get(resource_name, id, opts=None, backend=None, generate_signing_key=None, private_key=None, public_key=None)

Get an existing SecretBackendCa resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – The path where the SSH secret backend is mounted. Defaults to ‘ssh’

  • generate_signing_key (pulumi.Input[bool]) – Whether Vault should generate the signing key pair internally. Defaults to true

  • private_key (pulumi.Input[str]) – The private key part of the SSH CA key pair; required if generate_signing_key is false.

  • public_key (pulumi.Input[str]) – The public key part of the SSH CA key pair; required if generate_signing_key is false.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.ssh.SecretBackendRole(resource_name, opts=None, allow_bare_domains=None, allow_host_certificates=None, allow_subdomains=None, allow_user_certificates=None, allow_user_key_ids=None, allowed_critical_options=None, allowed_domains=None, allowed_extensions=None, allowed_user_key_lengths=None, allowed_users=None, backend=None, cidr_list=None, default_critical_options=None, default_extensions=None, default_user=None, key_id_format=None, key_type=None, max_ttl=None, name=None, ttl=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to manage roles in an SSH secret backend within Vault.

import pulumi
import pulumi_vault as vault

example = vault.Mount("example", type="ssh")
foo = vault.ssh.SecretBackendRole("foo",
    allow_user_certificates=True,
    backend=example.path,
    key_type="ca")
bar = vault.ssh.SecretBackendRole("bar",
    allowed_users="default,baz",
    backend=example.path,
    cidr_list="0.0.0.0/0",
    default_user="default",
    key_type="otp")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • allow_bare_domains (pulumi.Input[bool]) – Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.

  • allow_host_certificates (pulumi.Input[bool]) – Specifies if certificates are allowed to be signed for use as a ‘host’.

  • allow_subdomains (pulumi.Input[bool]) – Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.

  • allow_user_certificates (pulumi.Input[bool]) – Specifies if certificates are allowed to be signed for use as a ‘user’.

  • allow_user_key_ids (pulumi.Input[bool]) – Specifies if users can override the key ID for a signed certificate with the key_id field.

  • allowed_critical_options (pulumi.Input[str]) – Specifies a comma-separated list of critical options that certificates can have when signed.

  • allowed_domains (pulumi.Input[str]) – The list of domains for which a client can request a host certificate.

  • allowed_extensions (pulumi.Input[str]) – Specifies a comma-separated list of extensions that certificates can have when signed.

  • allowed_user_key_lengths (pulumi.Input[dict]) – Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.

  • allowed_users (pulumi.Input[str]) – Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.

  • backend (pulumi.Input[str]) – The path where the SSH secret backend is mounted.

  • cidr_list (pulumi.Input[str]) – The comma-separated string of CIDR blocks for which this role is applicable.

  • default_critical_options (pulumi.Input[dict]) – Specifies a map of critical options that certificates have when signed.

  • default_extensions (pulumi.Input[dict]) – Specifies a map of extensions that certificates have when signed.

  • default_user (pulumi.Input[str]) – Specifies the default username for which a credential will be generated.

  • key_id_format (pulumi.Input[str]) – Specifies a custom format for the key id of a signed certificate.

  • key_type (pulumi.Input[str]) – Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.

  • max_ttl (pulumi.Input[str]) – Specifies the maximum Time To Live value.

  • name (pulumi.Input[str]) – Specifies the name of the role to create.

  • ttl (pulumi.Input[str]) – Specifies the Time To Live value.
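
Added example, not part of the provider's documentation: a pre-deployment check over the keyword arguments of a SecretBackendRole, run against the "bar" role shown above and against a narrower ca role. The function name lint_role, the individual checks and all values in HARDENED_CA_ROLE are assumptions made for illustration; the keys are the parameters listed above.

```python
import ipaddress

# Constructed role arguments; every key is a SecretBackendRole parameter from this page.
PAGE_OTP_ROLE = {  # the "bar" role from the example above
    "allowed_users": "default,baz",
    "cidr_list": "0.0.0.0/0",
    "default_user": "default",
    "key_type": "otp",
}
HARDENED_CA_ROLE = {  # constructed values, adjust to your environment
    "key_type": "ca",
    "allow_user_certificates": True,
    "allow_host_certificates": False,
    "allow_user_key_ids": False,
    "allowed_users": "deploy",
    "default_user": "deploy",
    "allowed_extensions": "permit-pty",
    "default_extensions": {"permit-pty": ""},
    "ttl": "1800",
    "max_ttl": "3600",
}


def lint_role(args):
    """Return a list of findings for one role's keyword arguments.

    A dict with no findings can be passed on as
    vault.ssh.SecretBackendRole("name", backend=example.path, **args).
    """
    findings = []
    key_type = args.get("key_type")
    if key_type not in ("otp", "dynamic", "ca"):
        findings.append("key_type must be otp, dynamic or ca")
    cidrs = (b.strip() for b in (args.get("cidr_list") or "").split(","))
    for block in filter(None, cidrs):
        if ipaddress.ip_network(block, strict=False).prefixlen == 0:
            findings.append(f"cidr_list entry {block} matches every address")
    if key_type == "ca":
        users = [u.strip() for u in (args.get("allowed_users") or "").split(",")]
        if not args.get("ttl") or not args.get("max_ttl"):
            findings.append("ca role has no explicit ttl/max_ttl")
        if args.get("allow_user_certificates") and args.get("allow_host_certificates"):
            findings.append("one role signs both user and host certificates")
        if args.get("allow_user_certificates") and not any(users):
            findings.append("user certificates allowed but allowed_users is unset")
        if "*" in users:
            findings.append("allowed_users contains '*'")
        if args.get("allow_user_key_ids"):
            findings.append("requesters can override the certificate key ID")
    return findings
```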

allow_bare_domains: pulumi.Output[bool] = None

Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.

allow_host_certificates: pulumi.Output[bool] = None

Specifies if certificates are allowed to be signed for use as a ‘host’.

allow_subdomains: pulumi.Output[bool] = None

Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.

allow_user_certificates: pulumi.Output[bool] = None

Specifies if certificates are allowed to be signed for use as a ‘user’.

allow_user_key_ids: pulumi.Output[bool] = None

Specifies if users can override the key ID for a signed certificate with the key_id field.

allowed_critical_options: pulumi.Output[str] = None

Specifies a comma-separated list of critical options that certificates can have when signed.

allowed_domains: pulumi.Output[str] = None

The list of domains for which a client can request a host certificate.

allowed_extensions: pulumi.Output[str] = None

Specifies a comma-separated list of extensions that certificates can have when signed.

allowed_user_key_lengths: pulumi.Output[dict] = None

Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.

allowed_users: pulumi.Output[str] = None

Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.

backend: pulumi.Output[str] = None

The path where the SSH secret backend is mounted.

cidr_list: pulumi.Output[str] = None

The comma-separated string of CIDR blocks for which this role is applicable.

default_critical_options: pulumi.Output[dict] = None

Specifies a map of critical options that certificates have when signed.

default_extensions: pulumi.Output[dict] = None

Specifies a map of extensions that certificates have when signed.

default_user: pulumi.Output[str] = None

Specifies the default username for which a credential will be generated.

key_id_format: pulumi.Output[str] = None

Specifies a custom format for the key id of a signed certificate.

key_type: pulumi.Output[str] = None

Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.

max_ttl: pulumi.Output[str] = None

Specifies the maximum Time To Live value.

name: pulumi.Output[str] = None

Specifies the name of the role to create.

ttl: pulumi.Output[str] = None

Specifies the Time To Live value.

static get(resource_name, id, opts=None, allow_bare_domains=None, allow_host_certificates=None, allow_subdomains=None, allow_user_certificates=None, allow_user_key_ids=None, allowed_critical_options=None, allowed_domains=None, allowed_extensions=None, allowed_user_key_lengths=None, allowed_users=None, backend=None, cidr_list=None, default_critical_options=None, default_extensions=None, default_user=None, key_id_format=None, key_type=None, max_ttl=None, name=None, ttl=None)

Get an existing SecretBackendRole resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • allow_bare_domains (pulumi.Input[bool]) – Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.

  • allow_host_certificates (pulumi.Input[bool]) – Specifies if certificates are allowed to be signed for use as a ‘host’.

  • allow_subdomains (pulumi.Input[bool]) – Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.

  • allow_user_certificates (pulumi.Input[bool]) – Specifies if certificates are allowed to be signed for use as a ‘user’.

  • allow_user_key_ids (pulumi.Input[bool]) – Specifies if users can override the key ID for a signed certificate with the key_id field.

  • allowed_critical_options (pulumi.Input[str]) – Specifies a comma-separated list of critical options that certificates can have when signed.

  • allowed_domains (pulumi.Input[str]) – The list of domains for which a client can request a host certificate.

  • allowed_extensions (pulumi.Input[str]) – Specifies a comma-separated list of extensions that certificates can have when signed.

  • allowed_user_key_lengths (pulumi.Input[dict]) – Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.

  • allowed_users (pulumi.Input[str]) – Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.

  • backend (pulumi.Input[str]) – The path where the SSH secret backend is mounted.

  • cidr_list (pulumi.Input[str]) – The comma-separated string of CIDR blocks for which this role is applicable.

  • default_critical_options (pulumi.Input[dict]) – Specifies a map of critical options that certificates have when signed.

  • default_extensions (pulumi.Input[dict]) – Specifies a map of extensions that certificates have when signed.

  • default_user (pulumi.Input[str]) – Specifies the default username for which a credential will be generated.

  • key_id_format (pulumi.Input[str]) – Specifies a custom format for the key id of a signed certificate.

  • key_type (pulumi.Input[str]) – Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.

  • max_ttl (pulumi.Input[str]) – Specifies the maximum Time To Live value.

  • name (pulumi.Input[str]) – Specifies the name of the role to create.

  • ttl (pulumi.Input[str]) – Specifies the Time To Live value.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str