transit

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

class pulumi_vault.transit.SecretBackendKey(resource_name, opts=None, allow_plaintext_backup=None, backend=None, convergent_encryption=None, deletion_allowed=None, derived=None, exportable=None, min_decryption_version=None, min_encryption_version=None, name=None, type=None, __props__=None, __name__=None, __opts__=None)

Creates an Encryption Keyring on a Transit Secret Backend for Vault.

import pulumi
import pulumi_vault as vault

transit = vault.Mount("transit",
    default_lease_ttl_seconds=3600,
    description="Example description",
    max_lease_ttl_seconds=86400,
    path="transit",
    type="transit")
key = vault.transit.SecretBackendKey("key", backend=transit.path)

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • allow_plaintext_backup (pulumi.Input[bool]) – Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

      • Refer to the Vault API documentation on key backups for more information: Backup Key (https://www.vaultproject.io/api-docs/secret/transit#backup-key)

  • backend (pulumi.Input[str]) – The path the transit secret backend is mounted at, with no leading or trailing /s.

  • convergent_encryption (pulumi.Input[bool]) – Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

  • deletion_allowed (pulumi.Input[bool]) – Specifies if the key is allowed to be deleted.

  • derived (pulumi.Input[bool]) – Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

  • exportable (pulumi.Input[bool]) – Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

  • min_decryption_version (pulumi.Input[float]) – Minimum key version to use for decryption.

  • min_encryption_version (pulumi.Input[float]) – Minimum key version to use for encryption.

  • name (pulumi.Input[str]) – The name to identify this key within the backend. Must be unique within the backend.

  • type (pulumi.Input[str]) – Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096.

      • Refer to the Vault documentation on transit key types for more information: Key Types (https://www.vaultproject.io/docs/secrets/transit#key-types)

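Added example, not part of pulumi_vault or its documentation: a pre-deployment check that encodes only the constraints stated in this parameter list (mount path with no surrounding slashes, the supported key types, convergent_encryption requiring derived, and the two flags that cannot be switched off again), plus a helper for the 1-indexed latest_version to 0-indexed keys mapping documented under the attributes below. The argument sets at the bottom are constructed for illustration.

```python
# Added example, not part of pulumi_vault or its docs: a pre-deployment policy
# check over the arguments of transit.SecretBackendKey, using only the
# constraints this reference states.
SUPPORTED_TYPES = {
    "aes256-gcm96", "chacha20-poly1305", "ed25519",
    "ecdsa-p256", "rsa-2048", "rsa-4096",
}
# Flags the reference marks "Once set, this cannot be disabled"; both let key
# material leave Vault, so they must be a deliberate choice.
IRREVERSIBLE_FLAGS = ("exportable", "allow_plaintext_backup")


def check_key_args(args: dict) -> list:
    """Return the problems found in a SecretBackendKey argument set ([] = OK)."""
    problems = []
    backend = args.get("backend", "")
    # Mount path must be given with no leading or trailing slashes.
    if not backend or backend != backend.strip("/"):
        problems.append(f"backend {backend!r} must have no leading/trailing '/'")
    key_type = args.get("type", "aes256-gcm96")  # aes256-gcm96 is the default
    if key_type not in SUPPORTED_TYPES:
        problems.append(f"unsupported key type {key_type!r}")
    # Convergent encryption requires key derivation to be enabled.
    if args.get("convergent_encryption") and not args.get("derived"):
        problems.append("convergent_encryption=True requires derived=True")
    for flag in IRREVERSIBLE_FLAGS:
        if args.get(flag):
            problems.append(f"{flag}=True is irreversible; review before applying")
    return problems


def latest_key_entry(keys: list, latest_version: int) -> dict:
    """Map the 1-indexed latest_version output onto the 0-indexed keys list."""
    if not 1 <= latest_version <= len(keys):
        raise IndexError(f"latest_version {latest_version} not in keys[0:{len(keys)}]")
    return keys[latest_version - 1]


# Constructed argument sets for illustration (not from the page).
HARDENED_KEY = {"backend": "transit", "type": "aes256-gcm96", "derived": True,
                "convergent_encryption": True, "deletion_allowed": False}
RISKY_KEY = {"backend": "/transit/", "type": "rsa-1024",
             "convergent_encryption": True, "exportable": True}

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_KEY), ("risky", RISKY_KEY)):
        print(label, check_key_args(cfg) or "OK")
```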
allow_plaintext_backup: pulumi.Output[bool] = None

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to the Vault API documentation on key backups for more information: Backup Key (https://www.vaultproject.io/api-docs/secret/transit#backup-key)

backend: pulumi.Output[str] = None

The path the transit secret backend is mounted at, with no leading or trailing /s.

convergent_encryption: pulumi.Output[bool] = None

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletion_allowed: pulumi.Output[bool] = None

Specifies if the key is allowed to be deleted.

derived: pulumi.Output[bool] = None

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable: pulumi.Output[bool] = None

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

keys: pulumi.Output[list] = None

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key’s metadata.

  • for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:

latest_version: pulumi.Output[float] = None

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key’s information can be referenced from keys by selecting element 0.

min_available_version: pulumi.Output[float] = None

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

min_decryption_version: pulumi.Output[float] = None

Minimum key version to use for decryption.

min_encryption_version: pulumi.Output[float] = None

Minimum key version to use for encryption.

name: pulumi.Output[str] = None

The name to identify this key within the backend. Must be unique within the backend.

supports_decryption: pulumi.Output[bool] = None

Whether or not the key supports decryption, based on key type.

supports_derivation: pulumi.Output[bool] = None

Whether or not the key supports derivation, based on key type.

supports_encryption: pulumi.Output[bool] = None

Whether or not the key supports encryption, based on key type.

supports_signing: pulumi.Output[bool] = None

Whether or not the key supports signing, based on key type.

type: pulumi.Output[str] = None

Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types (https://www.vaultproject.io/docs/secrets/transit#key-types)

static get(resource_name, id, opts=None, allow_plaintext_backup=None, backend=None, convergent_encryption=None, deletion_allowed=None, derived=None, exportable=None, keys=None, latest_version=None, min_available_version=None, min_decryption_version=None, min_encryption_version=None, name=None, supports_decryption=None, supports_derivation=None, supports_encryption=None, supports_signing=None, type=None)

Get an existing SecretBackendKey resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • allow_plaintext_backup (pulumi.Input[bool]) – Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

      • Refer to the Vault API documentation on key backups for more information: Backup Key (https://www.vaultproject.io/api-docs/secret/transit#backup-key)

  • backend (pulumi.Input[str]) – The path the transit secret backend is mounted at, with no leading or trailing /s.

  • convergent_encryption (pulumi.Input[bool]) – Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

  • deletion_allowed (pulumi.Input[bool]) – Specifies if the key is allowed to be deleted.

  • derived (pulumi.Input[bool]) – Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

  • exportable (pulumi.Input[bool]) – Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

  • keys (pulumi.Input[list]) – List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

      • for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key’s metadata.

      • for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:

  • latest_version (pulumi.Input[float]) – Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key’s information can be referenced from keys by selecting element 0.

  • min_available_version (pulumi.Input[float]) – Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

  • min_decryption_version (pulumi.Input[float]) – Minimum key version to use for decryption.

  • min_encryption_version (pulumi.Input[float]) – Minimum key version to use for encryption.

  • name (pulumi.Input[str]) – The name to identify this key within the backend. Must be unique within the backend.

  • supports_decryption (pulumi.Input[bool]) – Whether or not the key supports decryption, based on key type.

  • supports_derivation (pulumi.Input[bool]) – Whether or not the key supports derivation, based on key type.

  • supports_encryption (pulumi.Input[bool]) – Whether or not the key supports encryption, based on key type.

  • supports_signing (pulumi.Input[bool]) – Whether or not the key supports signing, based on key type.

  • type (pulumi.Input[str]) – Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096.

      • Refer to the Vault documentation on transit key types for more information: Key Types (https://www.vaultproject.io/docs/secrets/transit#key-types)

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.transit.SecretCacheConfig(resource_name, opts=None, backend=None, size=None, __props__=None, __name__=None, __opts__=None)

Configure the cache for the Transit Secret Backend in Vault.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – The path the transit secret backend is mounted at, with no leading or trailing /s.

  • size (pulumi.Input[float]) – The number of cache entries. 0 means unlimited.

backend: pulumi.Output[str] = None

The path the transit secret backend is mounted at, with no leading or trailing /s.

size: pulumi.Output[float] = None

The number of cache entries. 0 means unlimited.

static get(resource_name, id, opts=None, backend=None, size=None)

Get an existing SecretCacheConfig resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – The path the transit secret backend is mounted at, with no leading or trailing /s.

  • size (pulumi.Input[float]) – The number of cache entries. 0 means unlimited.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str