SecretBackendRole

Creates a role on an PKI Secret Backend for Vault.

Example Usage

using Pulumi;
using Vault = Pulumi.Vault;

class MyStack : Stack
{
    public MyStack()
    {
        var pki = new Vault.PkiSecret.SecretBackend("pki", new Vault.PkiSecret.SecretBackendArgs
        {
            DefaultLeaseTtlSeconds = 3600,
            MaxLeaseTtlSeconds = 86400,
            Path = "%s",
        });
        var role = new Vault.PkiSecret.SecretBackendRole("role", new Vault.PkiSecret.SecretBackendRoleArgs
        {
            Backend = pki.Path,
        });
    }

}

Coming soon!

import pulumi
import pulumi_vault as vault

pki = vault.pki_secret.SecretBackend("pki",
    default_lease_ttl_seconds=3600,
    max_lease_ttl_seconds=86400,
    path="%s")
role = vault.pki_secret.SecretBackendRole("role", backend=pki.path)

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const pki = new vault.pkiSecret.SecretBackend("pki", {
    defaultLeaseTtlSeconds: 3600,
    maxLeaseTtlSeconds: 86400,
    path: "%s",
});
const role = new vault.pkiSecret.SecretBackendRole("role", {
    backend: pki.path,
});

Create a SecretBackendRole Resource

new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);

def SecretBackendRole(resource_name, opts=None, allow_any_name=None, allow_bare_domains=None, allow_glob_domains=None, allow_ip_sans=None, allow_localhost=None, allow_subdomains=None, allowed_domains=None, allowed_other_sans=None, allowed_uri_sans=None, backend=None, basic_constraints_valid_for_non_ca=None, client_flag=None, code_signing_flag=None, countries=None, email_protection_flag=None, enforce_hostnames=None, ext_key_usages=None, generate_lease=None, key_bits=None, key_type=None, key_usages=None, localities=None, max_ttl=None, name=None, no_store=None, not_before_duration=None, organization_unit=None, organizations=None, policy_identifiers=None, postal_codes=None, provinces=None, require_cn=None, server_flag=None, street_addresses=None, ttl=None, use_csr_common_name=None, use_csr_sans=None, __props__=None);

func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)

public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

SecretBackendRole Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The SecretBackendRole resource accepts the following input properties:

Backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
AllowAnyName bool: Flag to allow any name
AllowBareDomains bool: Flag to allow certificates matching the actual domain
AllowGlobDomains bool: Flag to allow names containing glob patterns.
AllowIpSans bool: Flag to allow IP SANs
AllowLocalhost bool: Flag to allow certificates for localhost
AllowSubdomains bool: Flag to allow certificates matching subdomains
AllowedDomains List<string>: List of allowed domains for certificates
AllowedOtherSans List<string>: Defines allowed custom SANs
AllowedUriSans List<string>: Defines allowed URI SANs
BasicConstraintsValidForNonCa bool: Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool: Flag to specify certificates for client use
CodeSigningFlag bool: Flag to specify certificates for code signing use
Countries List<string>: The country of generated certificates
EmailProtectionFlag bool: Flag to specify certificates for email protection use
EnforceHostnames bool: Flag to allow only valid host names
ExtKeyUsages List<string>: Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool: Flag to generate leases with certificates
KeyBits int: The number of bits of generated keys
KeyType string: The type of generated keys
KeyUsages List<string>: Specify the allowed key usage constraint on issued certificates
Localities List<string>: The locality of generated certificates
MaxTtl string: The maximum TTL
Name string: The name to identify this role within the backend. Must be unique within the backend.
NoStore bool: Flag to not store certificates in the storage backend
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit List<string>: The organization unit of generated certificates
Organizations List<string>: The organization of generated certificates
PolicyIdentifiers List<string>: Specify the list of allowed policies IODs
PostalCodes List<string>: The postal code of generated certificates
Provinces List<string>: The province of generated certificates
RequireCn bool: Flag to force CN usage
ServerFlag bool: Flag to specify certificates for server use
StreetAddresses List<string>: The street address of generated certificates
Ttl string: The TTL
UseCsrCommonName bool: Flag to use the CN in the CSR
UseCsrSans bool: Flag to use the SANs in the CSR

Backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
AllowAnyName bool: Flag to allow any name
AllowBareDomains bool: Flag to allow certificates matching the actual domain
AllowGlobDomains bool: Flag to allow names containing glob patterns.
AllowIpSans bool: Flag to allow IP SANs
AllowLocalhost bool: Flag to allow certificates for localhost
AllowSubdomains bool: Flag to allow certificates matching subdomains
AllowedDomains []string: List of allowed domains for certificates
AllowedOtherSans []string: Defines allowed custom SANs
AllowedUriSans []string: Defines allowed URI SANs
BasicConstraintsValidForNonCa bool: Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool: Flag to specify certificates for client use
CodeSigningFlag bool: Flag to specify certificates for code signing use
Countries []string: The country of generated certificates
EmailProtectionFlag bool: Flag to specify certificates for email protection use
EnforceHostnames bool: Flag to allow only valid host names
ExtKeyUsages []string: Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool: Flag to generate leases with certificates
KeyBits int: The number of bits of generated keys
KeyType string: The type of generated keys
KeyUsages []string: Specify the allowed key usage constraint on issued certificates
Localities []string: The locality of generated certificates
MaxTtl string: The maximum TTL
Name string: The name to identify this role within the backend. Must be unique within the backend.
NoStore bool: Flag to not store certificates in the storage backend
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit []string: The organization unit of generated certificates
Organizations []string: The organization of generated certificates
PolicyIdentifiers []string: Specify the list of allowed policies IODs
PostalCodes []string: The postal code of generated certificates
Provinces []string: The province of generated certificates
RequireCn bool: Flag to force CN usage
ServerFlag bool: Flag to specify certificates for server use
StreetAddresses []string: The street address of generated certificates
Ttl string: The TTL
UseCsrCommonName bool: Flag to use the CN in the CSR
UseCsrSans bool: Flag to use the SANs in the CSR

backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
allowAnyName boolean: Flag to allow any name
allowBareDomains boolean: Flag to allow certificates matching the actual domain
allowGlobDomains boolean: Flag to allow names containing glob patterns.
allowIpSans boolean: Flag to allow IP SANs
allowLocalhost boolean: Flag to allow certificates for localhost
allowSubdomains boolean: Flag to allow certificates matching subdomains
allowedDomains string[]: List of allowed domains for certificates
allowedOtherSans string[]: Defines allowed custom SANs
allowedUriSans string[]: Defines allowed URI SANs
basicConstraintsValidForNonCa boolean: Flag to mark basic constraints valid when issuing non-CA certificates
clientFlag boolean: Flag to specify certificates for client use
codeSigningFlag boolean: Flag to specify certificates for code signing use
countries string[]: The country of generated certificates
emailProtectionFlag boolean: Flag to specify certificates for email protection use
enforceHostnames boolean: Flag to allow only valid host names
extKeyUsages string[]: Specify the allowed extended key usage constraint on issued certificates
generateLease boolean: Flag to generate leases with certificates
keyBits number: The number of bits of generated keys
keyType string: The type of generated keys
keyUsages string[]: Specify the allowed key usage constraint on issued certificates
localities string[]: The locality of generated certificates
maxTtl string: The maximum TTL
name string: The name to identify this role within the backend. Must be unique within the backend.
noStore boolean: Flag to not store certificates in the storage backend
notBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
organizationUnit string[]: The organization unit of generated certificates
organizations string[]: The organization of generated certificates
policyIdentifiers string[]: Specify the list of allowed policies IODs
postalCodes string[]: The postal code of generated certificates
provinces string[]: The province of generated certificates
requireCn boolean: Flag to force CN usage
serverFlag boolean: Flag to specify certificates for server use
streetAddresses string[]: The street address of generated certificates
ttl string: The TTL
useCsrCommonName boolean: Flag to use the CN in the CSR
useCsrSans boolean: Flag to use the SANs in the CSR

backend str: The path the PKI secret backend is mounted at, with no leading or trailing /s.
allow_any_name bool: Flag to allow any name
allow_bare_domains bool: Flag to allow certificates matching the actual domain
allow_glob_domains bool: Flag to allow names containing glob patterns.
allow_ip_sans bool: Flag to allow IP SANs
allow_localhost bool: Flag to allow certificates for localhost
allow_subdomains bool: Flag to allow certificates matching subdomains
allowed_domains List[str]: List of allowed domains for certificates
allowed_other_sans List[str]: Defines allowed custom SANs
allowed_uri_sans List[str]: Defines allowed URI SANs
basic_constraints_valid_for_non_ca bool: Flag to mark basic constraints valid when issuing non-CA certificates
client_flag bool: Flag to specify certificates for client use
code_signing_flag bool: Flag to specify certificates for code signing use
countries List[str]: The country of generated certificates
email_protection_flag bool: Flag to specify certificates for email protection use
enforce_hostnames bool: Flag to allow only valid host names
ext_key_usages List[str]: Specify the allowed extended key usage constraint on issued certificates
generate_lease bool: Flag to generate leases with certificates
key_bits float: The number of bits of generated keys
key_type str: The type of generated keys
key_usages List[str]: Specify the allowed key usage constraint on issued certificates
localities List[str]: The locality of generated certificates
max_ttl str: The maximum TTL
name str: The name to identify this role within the backend. Must be unique within the backend.
no_store bool: Flag to not store certificates in the storage backend
not_before_duration str: Specifies the duration by which to backdate the NotBefore property.
organization_unit List[str]: The organization unit of generated certificates
organizations List[str]: The organization of generated certificates
policy_identifiers List[str]: Specify the list of allowed policies IODs
postal_codes List[str]: The postal code of generated certificates
provinces List[str]: The province of generated certificates
require_cn bool: Flag to force CN usage
server_flag bool: Flag to specify certificates for server use
street_addresses List[str]: The street address of generated certificates
ttl str: The TTL
use_csr_common_name bool: Flag to use the CN in the CSR
use_csr_sans bool: Flag to use the SANs in the CSR

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

Look up an Existing SecretBackendRole Resource

Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole

static get(resource_name, id, opts=None, allow_any_name=None, allow_bare_domains=None, allow_glob_domains=None, allow_ip_sans=None, allow_localhost=None, allow_subdomains=None, allowed_domains=None, allowed_other_sans=None, allowed_uri_sans=None, backend=None, basic_constraints_valid_for_non_ca=None, client_flag=None, code_signing_flag=None, countries=None, email_protection_flag=None, enforce_hostnames=None, ext_key_usages=None, generate_lease=None, key_bits=None, key_type=None, key_usages=None, localities=None, max_ttl=None, name=None, no_store=None, not_before_duration=None, organization_unit=None, organizations=None, policy_identifiers=None, postal_codes=None, provinces=None, require_cn=None, server_flag=None, street_addresses=None, ttl=None, use_csr_common_name=None, use_csr_sans=None, __props__=None);

func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)

public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowAnyName bool: Flag to allow any name
AllowBareDomains bool: Flag to allow certificates matching the actual domain
AllowGlobDomains bool: Flag to allow names containing glob patterns.
AllowIpSans bool: Flag to allow IP SANs
AllowLocalhost bool: Flag to allow certificates for localhost
AllowSubdomains bool: Flag to allow certificates matching subdomains
AllowedDomains List<string>: List of allowed domains for certificates
AllowedOtherSans List<string>: Defines allowed custom SANs
AllowedUriSans List<string>: Defines allowed URI SANs
Backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
BasicConstraintsValidForNonCa bool: Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool: Flag to specify certificates for client use
CodeSigningFlag bool: Flag to specify certificates for code signing use
Countries List<string>: The country of generated certificates
EmailProtectionFlag bool: Flag to specify certificates for email protection use
EnforceHostnames bool: Flag to allow only valid host names
ExtKeyUsages List<string>: Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool: Flag to generate leases with certificates
KeyBits int: The number of bits of generated keys
KeyType string: The type of generated keys
KeyUsages List<string>: Specify the allowed key usage constraint on issued certificates
Localities List<string>: The locality of generated certificates
MaxTtl string: The maximum TTL
Name string: The name to identify this role within the backend. Must be unique within the backend.
NoStore bool: Flag to not store certificates in the storage backend
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit List<string>: The organization unit of generated certificates
Organizations List<string>: The organization of generated certificates
PolicyIdentifiers List<string>: Specify the list of allowed policies IODs
PostalCodes List<string>: The postal code of generated certificates
Provinces List<string>: The province of generated certificates
RequireCn bool: Flag to force CN usage
ServerFlag bool: Flag to specify certificates for server use
StreetAddresses List<string>: The street address of generated certificates
Ttl string: The TTL
UseCsrCommonName bool: Flag to use the CN in the CSR
UseCsrSans bool: Flag to use the SANs in the CSR

AllowAnyName bool: Flag to allow any name
AllowBareDomains bool: Flag to allow certificates matching the actual domain
AllowGlobDomains bool: Flag to allow names containing glob patterns.
AllowIpSans bool: Flag to allow IP SANs
AllowLocalhost bool: Flag to allow certificates for localhost
AllowSubdomains bool: Flag to allow certificates matching subdomains
AllowedDomains []string: List of allowed domains for certificates
AllowedOtherSans []string: Defines allowed custom SANs
AllowedUriSans []string: Defines allowed URI SANs
Backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
BasicConstraintsValidForNonCa bool: Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool: Flag to specify certificates for client use
CodeSigningFlag bool: Flag to specify certificates for code signing use
Countries []string: The country of generated certificates
EmailProtectionFlag bool: Flag to specify certificates for email protection use
EnforceHostnames bool: Flag to allow only valid host names
ExtKeyUsages []string: Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool: Flag to generate leases with certificates
KeyBits int: The number of bits of generated keys
KeyType string: The type of generated keys
KeyUsages []string: Specify the allowed key usage constraint on issued certificates
Localities []string: The locality of generated certificates
MaxTtl string: The maximum TTL
Name string: The name to identify this role within the backend. Must be unique within the backend.
NoStore bool: Flag to not store certificates in the storage backend
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit []string: The organization unit of generated certificates
Organizations []string: The organization of generated certificates
PolicyIdentifiers []string: Specify the list of allowed policies IODs
PostalCodes []string: The postal code of generated certificates
Provinces []string: The province of generated certificates
RequireCn bool: Flag to force CN usage
ServerFlag bool: Flag to specify certificates for server use
StreetAddresses []string: The street address of generated certificates
Ttl string: The TTL
UseCsrCommonName bool: Flag to use the CN in the CSR
UseCsrSans bool: Flag to use the SANs in the CSR

allowAnyName boolean: Flag to allow any name
allowBareDomains boolean: Flag to allow certificates matching the actual domain
allowGlobDomains boolean: Flag to allow names containing glob patterns.
allowIpSans boolean: Flag to allow IP SANs
allowLocalhost boolean: Flag to allow certificates for localhost
allowSubdomains boolean: Flag to allow certificates matching subdomains
allowedDomains string[]: List of allowed domains for certificates
allowedOtherSans string[]: Defines allowed custom SANs
allowedUriSans string[]: Defines allowed URI SANs
backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
basicConstraintsValidForNonCa boolean: Flag to mark basic constraints valid when issuing non-CA certificates
clientFlag boolean: Flag to specify certificates for client use
codeSigningFlag boolean: Flag to specify certificates for code signing use
countries string[]: The country of generated certificates
emailProtectionFlag boolean: Flag to specify certificates for email protection use
enforceHostnames boolean: Flag to allow only valid host names
extKeyUsages string[]: Specify the allowed extended key usage constraint on issued certificates
generateLease boolean: Flag to generate leases with certificates
keyBits number: The number of bits of generated keys
keyType string: The type of generated keys
keyUsages string[]: Specify the allowed key usage constraint on issued certificates
localities string[]: The locality of generated certificates
maxTtl string: The maximum TTL
name string: The name to identify this role within the backend. Must be unique within the backend.
noStore boolean: Flag to not store certificates in the storage backend
notBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
organizationUnit string[]: The organization unit of generated certificates
organizations string[]: The organization of generated certificates
policyIdentifiers string[]: Specify the list of allowed policies IODs
postalCodes string[]: The postal code of generated certificates
provinces string[]: The province of generated certificates
requireCn boolean: Flag to force CN usage
serverFlag boolean: Flag to specify certificates for server use
streetAddresses string[]: The street address of generated certificates
ttl string: The TTL
useCsrCommonName boolean: Flag to use the CN in the CSR
useCsrSans boolean: Flag to use the SANs in the CSR

allow_any_name bool: Flag to allow any name
allow_bare_domains bool: Flag to allow certificates matching the actual domain
allow_glob_domains bool: Flag to allow names containing glob patterns.
allow_ip_sans bool: Flag to allow IP SANs
allow_localhost bool: Flag to allow certificates for localhost
allow_subdomains bool: Flag to allow certificates matching subdomains
allowed_domains List[str]: List of allowed domains for certificates
allowed_other_sans List[str]: Defines allowed custom SANs
allowed_uri_sans List[str]: Defines allowed URI SANs
backend str: The path the PKI secret backend is mounted at, with no leading or trailing /s.
basic_constraints_valid_for_non_ca bool: Flag to mark basic constraints valid when issuing non-CA certificates
client_flag bool: Flag to specify certificates for client use
code_signing_flag bool: Flag to specify certificates for code signing use
countries List[str]: The country of generated certificates
email_protection_flag bool: Flag to specify certificates for email protection use
enforce_hostnames bool: Flag to allow only valid host names
ext_key_usages List[str]: Specify the allowed extended key usage constraint on issued certificates
generate_lease bool: Flag to generate leases with certificates
key_bits float: The number of bits of generated keys
key_type str: The type of generated keys
key_usages List[str]: Specify the allowed key usage constraint on issued certificates
localities List[str]: The locality of generated certificates
max_ttl str: The maximum TTL
name str: The name to identify this role within the backend. Must be unique within the backend.
no_store bool: Flag to not store certificates in the storage backend
not_before_duration str: Specifies the duration by which to backdate the NotBefore property.
organization_unit List[str]: The organization unit of generated certificates
organizations List[str]: The organization of generated certificates
policy_identifiers List[str]: Specify the list of allowed policies IODs
postal_codes List[str]: The postal code of generated certificates
provinces List[str]: The province of generated certificates
require_cn bool: Flag to force CN usage
server_flag bool: Flag to specify certificates for server use
street_addresses List[str]: The street address of generated certificates
ttl str: The TTL
use_csr_common_name bool: Flag to use the CN in the CSR
use_csr_sans bool: Flag to use the SANs in the CSR

Package Details

Repository: https://github.com/pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud