SecretBackendRole
Provides a resource to manage roles in an SSH secret backend within Vault.
Example Usage
C#:

    using Pulumi;
    using Vault = Pulumi.Vault;

    class MyStack : Stack
    {
        public MyStack()
        {
            // Mount the SSH secrets engine.
            var example = new Vault.Mount("example", new Vault.MountArgs
            {
                Type = "ssh",
            });
            // CA role that may sign user certificates.
            var foo = new Vault.Ssh.SecretBackendRole("foo", new Vault.Ssh.SecretBackendRoleArgs
            {
                AllowUserCertificates = true,
                Backend = example.Path,
                KeyType = "ca",
            });
            // OTP role for the users "default" and "baz"; the CIDR list 0.0.0.0/0 matches every IPv4 address.
            var bar = new Vault.Ssh.SecretBackendRole("bar", new Vault.Ssh.SecretBackendRoleArgs
            {
                AllowedUsers = "default,baz",
                Backend = example.Path,
                CidrList = "0.0.0.0/0",
                DefaultUser = "default",
                KeyType = "otp",
            });
        }
    }

Go:

Coming soon!

Python:

    import pulumi
    import pulumi_vault as vault

    # Mount the SSH secrets engine.
    example = vault.Mount("example", type="ssh")
    # CA role that may sign user certificates.
    foo = vault.ssh.SecretBackendRole("foo",
        allow_user_certificates=True,
        backend=example.path,
        key_type="ca")
    # OTP role for the users "default" and "baz"; the CIDR list 0.0.0.0/0 matches every IPv4 address.
    bar = vault.ssh.SecretBackendRole("bar",
        allowed_users="default,baz",
        backend=example.path,
        cidr_list="0.0.0.0/0",
        default_user="default",
        key_type="otp")

TypeScript:

    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";

    // Mount the SSH secrets engine.
    const example = new vault.Mount("example", {
        type: "ssh",
    });
    // CA role that may sign user certificates.
    const foo = new vault.ssh.SecretBackendRole("foo", {
        allowUserCertificates: true,
        backend: example.path,
        keyType: "ca",
    });
    // OTP role for the users "default" and "baz"; the CIDR list 0.0.0.0/0 matches every IPv4 address.
    const bar = new vault.ssh.SecretBackendRole("bar", {
        allowedUsers: "default,baz",
        backend: example.path,
        cidrList: "0.0.0.0/0",
        defaultUser: "default",
        keyType: "otp",
    });

Create a SecretBackendRole Resource
TypeScript:

    new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);

- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.

Python:

    def SecretBackendRole(resource_name, opts=None, allow_bare_domains=None, allow_host_certificates=None, allow_subdomains=None, allow_user_certificates=None, allow_user_key_ids=None, allowed_critical_options=None, allowed_domains=None, allowed_extensions=None, allowed_user_key_lengths=None, allowed_users=None, backend=None, cidr_list=None, default_critical_options=None, default_extensions=None, default_user=None, key_id_format=None, key_type=None, max_ttl=None, name=None, ttl=None, __props__=None);

- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.

Go:

    func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)

- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.

C#:

    public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)

- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
SecretBackendRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The SecretBackendRole resource accepts the following input properties:
C#:

- Backend string
The path where the SSH secret backend is mounted.
- KeyType string
Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
- AllowBareDomains bool
Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
- AllowHostCertificates bool
Specifies if certificates are allowed to be signed for use as a ‘host’.
- AllowSubdomains bool
Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
- AllowUserCertificates bool
Specifies if certificates are allowed to be signed for use as a ‘user’.
- AllowUserKeyIds bool
Specifies if users can override the key ID for a signed certificate with the key_id field.
- AllowedCriticalOptions string
Specifies a comma-separated list of critical options that certificates can have when signed.
- AllowedDomains string
The list of domains for which a client can request a host certificate.
- AllowedExtensions string
Specifies a comma-separated list of extensions that certificates can have when signed.
- AllowedUserKeyLengths Dictionary<string, object>
Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.
- AllowedUsers string
Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
- CidrList string
The comma-separated string of CIDR blocks for which this role is applicable.
- DefaultCriticalOptions Dictionary<string, object>
Specifies a map of critical options that certificates have when signed.
- DefaultExtensions Dictionary<string, object>
Specifies a map of extensions that certificates have when signed.
- DefaultUser string
Specifies the default username for which a credential will be generated.
- KeyIdFormat string
Specifies a custom format for the key id of a signed certificate.
- MaxTtl string
Specifies the maximum Time To Live value.
- Name string
Specifies the name of the role to create.
- Ttl string
Specifies the Time To Live value.

Go:

- Backend string
The path where the SSH secret backend is mounted.
- KeyType string
Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
- AllowBareDomains bool
Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
- AllowHostCertificates bool
Specifies if certificates are allowed to be signed for use as a ‘host’.
- AllowSubdomains bool
Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
- AllowUserCertificates bool
Specifies if certificates are allowed to be signed for use as a ‘user’.
- AllowUserKeyIds bool
Specifies if users can override the key ID for a signed certificate with the key_id field.
- AllowedCriticalOptions string
Specifies a comma-separated list of critical options that certificates can have when signed.
- AllowedDomains string
The list of domains for which a client can request a host certificate.
- AllowedExtensions string
Specifies a comma-separated list of extensions that certificates can have when signed.
- AllowedUserKeyLengths map[string]interface{}
Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.
- AllowedUsers string
Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
- CidrList string
The comma-separated string of CIDR blocks for which this role is applicable.
- DefaultCriticalOptions map[string]interface{}
Specifies a map of critical options that certificates have when signed.
- DefaultExtensions map[string]interface{}
Specifies a map of extensions that certificates have when signed.
- DefaultUser string
Specifies the default username for which a credential will be generated.
- KeyIdFormat string
Specifies a custom format for the key id of a signed certificate.
- MaxTtl string
Specifies the maximum Time To Live value.
- Name string
Specifies the name of the role to create.
- Ttl string
Specifies the Time To Live value.

TypeScript:

- backend string
The path where the SSH secret backend is mounted.
- keyType string
Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
- allowBareDomains boolean
Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
- allowHostCertificates boolean
Specifies if certificates are allowed to be signed for use as a ‘host’.
- allowSubdomains boolean
Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
- allowUserCertificates boolean
Specifies if certificates are allowed to be signed for use as a ‘user’.
- allowUserKeyIds boolean
Specifies if users can override the key ID for a signed certificate with the key_id field.
- allowedCriticalOptions string
Specifies a comma-separated list of critical options that certificates can have when signed.
- allowedDomains string
The list of domains for which a client can request a host certificate.
- allowedExtensions string
Specifies a comma-separated list of extensions that certificates can have when signed.
- allowedUserKeyLengths {[key: string]: any}
Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.
- allowedUsers string
Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
- cidrList string
The comma-separated string of CIDR blocks for which this role is applicable.
- defaultCriticalOptions {[key: string]: any}
Specifies a map of critical options that certificates have when signed.
- defaultExtensions {[key: string]: any}
Specifies a map of extensions that certificates have when signed.
- defaultUser string
Specifies the default username for which a credential will be generated.
- keyIdFormat string
Specifies a custom format for the key id of a signed certificate.
- maxTtl string
Specifies the maximum Time To Live value.
- name string
Specifies the name of the role to create.
- ttl string
Specifies the Time To Live value.

Python:

- backend str
The path where the SSH secret backend is mounted.
- key_type str
Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
- allow_bare_domains bool
Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
- allow_host_certificates bool
Specifies if certificates are allowed to be signed for use as a ‘host’.
- allow_subdomains bool
Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
- allow_user_certificates bool
Specifies if certificates are allowed to be signed for use as a ‘user’.
- allow_user_key_ids bool
Specifies if users can override the key ID for a signed certificate with the key_id field.
- allowed_critical_options str
Specifies a comma-separated list of critical options that certificates can have when signed.
- allowed_domains str
The list of domains for which a client can request a host certificate.
- allowed_extensions str
Specifies a comma-separated list of extensions that certificates can have when signed.
- allowed_user_key_lengths Dict[str, Any]
Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.
- allowed_users str
Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
- cidr_list str
The comma-separated string of CIDR blocks for which this role is applicable.
- default_critical_options Dict[str, Any]
Specifies a map of critical options that certificates have when signed.
- default_extensions Dict[str, Any]
Specifies a map of extensions that certificates have when signed.
- default_user str
Specifies the default username for which a credential will be generated.
- key_id_format str
Specifies a custom format for the key id of a signed certificate.
- max_ttl str
Specifies the maximum Time To Live value.
- name str
Specifies the name of the role to create.
- ttl str
Specifies the Time To Live value.
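
The bar role under Example Usage sets its CIDR list to 0.0.0.0/0, and the foo role sets no TTL. The following is an added example, not part of the Pulumi or Vault documentation: a stand-alone Python check that reviews role arguments, keyed by the Python input names listed above, before they are passed to SecretBackendRole. The function names audit_role and audit_all, the choice of findings, and the "tight" sample roles are assumptions of this example.

```python
import ipaddress

VALID_KEY_TYPES = {"otp", "dynamic", "ca"}  # the values listed for key_type


def _split(value):
    """Split a comma-separated property such as allowed_users or cidr_list."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def audit_role(name, args):
    """Return a list of findings for one role's arguments (a plain dict)."""
    findings = []
    key_type = args.get("key_type")
    if key_type not in VALID_KEY_TYPES:
        findings.append(f"{name}: key_type {key_type!r} is not otp, dynamic or ca")
    for block in _split(args.get("cidr_list")):
        try:
            net = ipaddress.ip_network(block, strict=False)
        except ValueError:
            findings.append(f"{name}: cidr_list entry {block!r} is not a valid CIDR block")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            findings.append(f"{name}: cidr_list entry {block} covers every address")
    # Vault treats "*" in allowed_users as "any username".
    if "*" in _split(args.get("allowed_users")):
        findings.append(f"{name}: allowed_users contains '*'")
    if key_type == "ca":
        if not (args.get("allow_user_certificates") or args.get("allow_host_certificates")):
            findings.append(f"{name}: ca role signs neither user nor host certificates")
        # Without max_ttl the role itself puts no upper bound on certificate lifetime.
        if not args.get("max_ttl"):
            findings.append(f"{name}: ca role sets no max_ttl")
        if args.get("allow_user_key_ids"):
            findings.append(f"{name}: allow_user_key_ids lets requesters choose the key ID")
    return findings


# Constructed sample input: the two roles from Example Usage plus a tightened
# variant of each (values such as "deploy" and 10.20.0.0/16 are made up).
ROLES = {
    "foo": {"key_type": "ca", "allow_user_certificates": True},
    "bar": {"key_type": "otp", "allowed_users": "default,baz",
            "cidr_list": "0.0.0.0/0", "default_user": "default"},
    "foo-tight": {"key_type": "ca", "allow_user_certificates": True,
                  "allowed_users": "deploy", "ttl": "30m", "max_ttl": "1h"},
    "bar-tight": {"key_type": "otp", "allowed_users": "default,baz",
                  "cidr_list": "10.20.0.0/16", "default_user": "default"},
}


def audit_all(roles):
    """Audit every role; return {role name: findings} for roles that have any."""
    results = {name: audit_role(name, args) for name, args in roles.items()}
    return {name: found for name, found in results.items() if found}


if __name__ == "__main__":
    for found in audit_all(ROLES).values():
        print("\n".join(found))
```
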
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:
Look up an Existing SecretBackendRole Resource
Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
TypeScript:

    public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole

- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.

Python:

    static get(resource_name, id, opts=None, allow_bare_domains=None, allow_host_certificates=None, allow_subdomains=None, allow_user_certificates=None, allow_user_key_ids=None, allowed_critical_options=None, allowed_domains=None, allowed_extensions=None, allowed_user_key_lengths=None, allowed_users=None, backend=None, cidr_list=None, default_critical_options=None, default_extensions=None, default_user=None, key_id_format=None, key_type=None, max_ttl=None, name=None, ttl=None, __props__=None);

- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.

Go:

    func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)

- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.

C#:

    public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)

- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
C#:

- AllowBareDomains bool
Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
- AllowHostCertificates bool
Specifies if certificates are allowed to be signed for use as a ‘host’.
- AllowSubdomains bool
Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
- AllowUserCertificates bool
Specifies if certificates are allowed to be signed for use as a ‘user’.
- AllowUserKeyIds bool
Specifies if users can override the key ID for a signed certificate with the key_id field.
- AllowedCriticalOptions string
Specifies a comma-separated list of critical options that certificates can have when signed.
- AllowedDomains string
The list of domains for which a client can request a host certificate.
- AllowedExtensions string
Specifies a comma-separated list of extensions that certificates can have when signed.
- AllowedUserKeyLengths Dictionary<string, object>
Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.
- AllowedUsers string
Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
- Backend string
The path where the SSH secret backend is mounted.
- CidrList string
The comma-separated string of CIDR blocks for which this role is applicable.
- DefaultCriticalOptions Dictionary<string, object>
Specifies a map of critical options that certificates have when signed.
- DefaultExtensions Dictionary<string, object>
Specifies a map of extensions that certificates have when signed.
- DefaultUser string
Specifies the default username for which a credential will be generated.
- KeyIdFormat string
Specifies a custom format for the key id of a signed certificate.
- KeyType string
Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
- MaxTtl string
Specifies the maximum Time To Live value.
- Name string
Specifies the name of the role to create.
- Ttl string
Specifies the Time To Live value.

Go:

- AllowBareDomains bool
Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
- AllowHostCertificates bool
Specifies if certificates are allowed to be signed for use as a ‘host’.
- AllowSubdomains bool
Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
- AllowUserCertificates bool
Specifies if certificates are allowed to be signed for use as a ‘user’.
- AllowUserKeyIds bool
Specifies if users can override the key ID for a signed certificate with the key_id field.
- AllowedCriticalOptions string
Specifies a comma-separated list of critical options that certificates can have when signed.
- AllowedDomains string
The list of domains for which a client can request a host certificate.
- AllowedExtensions string
Specifies a comma-separated list of extensions that certificates can have when signed.
- AllowedUserKeyLengths map[string]interface{}
Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.
- AllowedUsers string
Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
- Backend string
The path where the SSH secret backend is mounted.
- CidrList string
The comma-separated string of CIDR blocks for which this role is applicable.
- DefaultCriticalOptions map[string]interface{}
Specifies a map of critical options that certificates have when signed.
- DefaultExtensions map[string]interface{}
Specifies a map of extensions that certificates have when signed.
- DefaultUser string
Specifies the default username for which a credential will be generated.
- KeyIdFormat string
Specifies a custom format for the key id of a signed certificate.
- KeyType string
Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
- MaxTtl string
Specifies the maximum Time To Live value.
- Name string
Specifies the name of the role to create.
- Ttl string
Specifies the Time To Live value.

TypeScript:

- allowBareDomains boolean
Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
- allowHostCertificates boolean
Specifies if certificates are allowed to be signed for use as a ‘host’.
- allowSubdomains boolean
Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
- allowUserCertificates boolean
Specifies if certificates are allowed to be signed for use as a ‘user’.
- allowUserKeyIds boolean
Specifies if users can override the key ID for a signed certificate with the key_id field.
- allowedCriticalOptions string
Specifies a comma-separated list of critical options that certificates can have when signed.
- allowedDomains string
The list of domains for which a client can request a host certificate.
- allowedExtensions string
Specifies a comma-separated list of extensions that certificates can have when signed.
- allowedUserKeyLengths {[key: string]: any}
Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.
- allowedUsers string
Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
- backend string
The path where the SSH secret backend is mounted.
- cidrList string
The comma-separated string of CIDR blocks for which this role is applicable.
- defaultCriticalOptions {[key: string]: any}
Specifies a map of critical options that certificates have when signed.
- defaultExtensions {[key: string]: any}
Specifies a map of extensions that certificates have when signed.
- defaultUser string
Specifies the default username for which a credential will be generated.
- keyIdFormat string
Specifies a custom format for the key id of a signed certificate.
- keyType string
Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
- maxTtl string
Specifies the maximum Time To Live value.
- name string
Specifies the name of the role to create.
- ttl string
Specifies the Time To Live value.

Python:

- allow_bare_domains bool
Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
- allow_host_certificates bool
Specifies if certificates are allowed to be signed for use as a ‘host’.
- allow_subdomains bool
Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
- allow_user_certificates bool
Specifies if certificates are allowed to be signed for use as a ‘user’.
- allow_user_key_ids bool
Specifies if users can override the key ID for a signed certificate with the key_id field.
- allowed_critical_options str
Specifies a comma-separated list of critical options that certificates can have when signed.
- allowed_domains str
The list of domains for which a client can request a host certificate.
- allowed_extensions str
Specifies a comma-separated list of extensions that certificates can have when signed.
- allowed_user_key_lengths Dict[str, Any]
Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type.
- allowed_users str
Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
- backend str
The path where the SSH secret backend is mounted.
- cidr_list str
The comma-separated string of CIDR blocks for which this role is applicable.
- default_critical_options Dict[str, Any]
Specifies a map of critical options that certificates have when signed.
- default_extensions Dict[str, Any]
Specifies a map of extensions that certificates have when signed.
- default_user str
Specifies the default username for which a credential will be generated.
- key_id_format str
Specifies a custom format for the key id of a signed certificate.
- key_type str
Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
- max_ttl str
Specifies the maximum Time To Live value.
- name str
Specifies the name of the role to create.
- ttl str
Specifies the Time To Live value.
Package Details
- Repository
- https://github.com/pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the vault Terraform Provider.