SecretBackendKey

Creates an Encryption Keyring on a Transit Secret Backend for Vault.

Example Usage

using Pulumi;
using Vault = Pulumi.Vault;

class MyStack : Stack
{
    public MyStack()
    {
        var transit = new Vault.Mount("transit", new Vault.MountArgs
        {
            DefaultLeaseTtlSeconds = 3600,
            Description = "Example description",
            MaxLeaseTtlSeconds = 86400,
            Path = "transit",
            Type = "transit",
        });
        var key = new Vault.Transit.SecretBackendKey("key", new Vault.Transit.SecretBackendKeyArgs
        {
            Backend = transit.Path,
        });
    }

}

Coming soon!

import pulumi
import pulumi_vault as vault

transit = vault.Mount("transit",
    default_lease_ttl_seconds=3600,
    description="Example description",
    max_lease_ttl_seconds=86400,
    path="transit",
    type="transit")
key = vault.transit.SecretBackendKey("key", backend=transit.path)

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const transit = new vault.Mount("transit", {
    defaultLeaseTtlSeconds: 3600,
    description: "Example description",
    maxLeaseTtlSeconds: 86400,
    path: "transit",
    type: "transit",
});
const key = new vault.transit.SecretBackendKey("key", {
    backend: transit.path,
});

Create a SecretBackendKey Resource

new SecretBackendKey(name: string, args: SecretBackendKeyArgs, opts?: CustomResourceOptions);

def SecretBackendKey(resource_name, opts=None, allow_plaintext_backup=None, backend=None, convergent_encryption=None, deletion_allowed=None, derived=None, exportable=None, min_decryption_version=None, min_encryption_version=None, name=None, type=None, __props__=None);

func NewSecretBackendKey(ctx *Context, name string, args SecretBackendKeyArgs, opts ...ResourceOption) (*SecretBackendKey, error)

public SecretBackendKey(string name, SecretBackendKeyArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

SecretBackendKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The SecretBackendKey resource accepts the following input properties:

Backend string: The path the transit secret backend is mounted at, with no leading or trailing /s.
AllowPlaintextBackup bool: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. * Refer to Vault API documentation on key backups for more information: Backup Key
ConvergentEncryption bool: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
DeletionAllowed bool: Specifies if the key is allowed to be deleted.
Derived bool: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
Exportable bool: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
MinDecryptionVersion int: Minimum key version to use for decryption.
MinEncryptionVersion int: Minimum key version to use for encryption
Name string: The name to identify this key within the backend. Must be unique within the backend.
Type string: Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096. * Refer to the Vault documentation on transit key types for more information: Key Types

Backend string: The path the transit secret backend is mounted at, with no leading or trailing /s.
AllowPlaintextBackup bool: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. * Refer to Vault API documentation on key backups for more information: Backup Key
ConvergentEncryption bool: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
DeletionAllowed bool: Specifies if the key is allowed to be deleted.
Derived bool: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
Exportable bool: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
MinDecryptionVersion int: Minimum key version to use for decryption.
MinEncryptionVersion int: Minimum key version to use for encryption
Name string: The name to identify this key within the backend. Must be unique within the backend.
Type string: Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096. * Refer to the Vault documentation on transit key types for more information: Key Types

backend string: The path the transit secret backend is mounted at, with no leading or trailing /s.
allowPlaintextBackup boolean: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. * Refer to Vault API documentation on key backups for more information: Backup Key
convergentEncryption boolean: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletionAllowed boolean: Specifies if the key is allowed to be deleted.
derived boolean: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable boolean: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
minDecryptionVersion number: Minimum key version to use for decryption.
minEncryptionVersion number: Minimum key version to use for encryption
name string: The name to identify this key within the backend. Must be unique within the backend.
type string: Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096. * Refer to the Vault documentation on transit key types for more information: Key Types

backend str: The path the transit secret backend is mounted at, with no leading or trailing /s.
allow_plaintext_backup bool: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. * Refer to Vault API documentation on key backups for more information: Backup Key
convergent_encryption bool: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletion_allowed bool: Specifies if the key is allowed to be deleted.
derived bool: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable bool: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
min_decryption_version float: Minimum key version to use for decryption.
min_encryption_version float: Minimum key version to use for encryption
name str: The name to identify this key within the backend. Must be unique within the backend.
type str: Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096. * Refer to the Vault documentation on transit key types for more information: Key Types

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendKey resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Keys List<ImmutableDictionary<string, object>>: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. * for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key’s metadata. * for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:
LatestVersion int: Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key’s information can be referenced from keys by selecting element 0
MinAvailableVersion int: Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
SupportsDecryption bool: Whether or not the key supports decryption, based on key type.
SupportsDerivation bool: Whether or not the key supports derivation, based on key type.
SupportsEncryption bool: Whether or not the key supports encryption, based on key type.
SupportsSigning bool: Whether or not the key supports signing, based on key type.

Id string: The provider-assigned unique ID for this managed resource.
Keys []map[string]interface{}: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. * for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key’s metadata. * for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:
LatestVersion int: Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key’s information can be referenced from keys by selecting element 0
MinAvailableVersion int: Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
SupportsDecryption bool: Whether or not the key supports decryption, based on key type.
SupportsDerivation bool: Whether or not the key supports derivation, based on key type.
SupportsEncryption bool: Whether or not the key supports encryption, based on key type.
SupportsSigning bool: Whether or not the key supports signing, based on key type.

id string: The provider-assigned unique ID for this managed resource.
keys {[key: string]: any}[]: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. * for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key’s metadata. * for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:
latestVersion number: Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key’s information can be referenced from keys by selecting element 0
minAvailableVersion number: Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
supportsDecryption boolean: Whether or not the key supports decryption, based on key type.
supportsDerivation boolean: Whether or not the key supports derivation, based on key type.
supportsEncryption boolean: Whether or not the key supports encryption, based on key type.
supportsSigning boolean: Whether or not the key supports signing, based on key type.

id str: The provider-assigned unique ID for this managed resource.
keys List[Any>]: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. * for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key’s metadata. * for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:
latest_version float: Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key’s information can be referenced from keys by selecting element 0
min_available_version float: Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
supports_decryption bool: Whether or not the key supports decryption, based on key type.
supports_derivation bool: Whether or not the key supports derivation, based on key type.
supports_encryption bool: Whether or not the key supports encryption, based on key type.
supports_signing bool: Whether or not the key supports signing, based on key type.

Look up an Existing SecretBackendKey Resource

Get an existing SecretBackendKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendKeyState, opts?: CustomResourceOptions): SecretBackendKey

static get(resource_name, id, opts=None, allow_plaintext_backup=None, backend=None, convergent_encryption=None, deletion_allowed=None, derived=None, exportable=None, keys=None, latest_version=None, min_available_version=None, min_decryption_version=None, min_encryption_version=None, name=None, supports_decryption=None, supports_derivation=None, supports_encryption=None, supports_signing=None, type=None, __props__=None);

func GetSecretBackendKey(ctx *Context, name string, id IDInput, state *SecretBackendKeyState, opts ...ResourceOption) (*SecretBackendKey, error)

public static SecretBackendKey Get(string name, Input<string> id, SecretBackendKeyState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowPlaintextBackup bool: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. * Refer to Vault API documentation on key backups for more information: Backup Key
Backend string: The path the transit secret backend is mounted at, with no leading or trailing /s.
ConvergentEncryption bool: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
DeletionAllowed bool: Specifies if the key is allowed to be deleted.
Derived bool: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
Exportable bool: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
Keys List<ImmutableDictionary<string, object>>: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. * for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key’s metadata. * for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:
LatestVersion int: Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key’s information can be referenced from keys by selecting element 0
MinAvailableVersion int: Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
MinDecryptionVersion int: Minimum key version to use for decryption.
MinEncryptionVersion int: Minimum key version to use for encryption
Name string: The name to identify this key within the backend. Must be unique within the backend.
SupportsDecryption bool: Whether or not the key supports decryption, based on key type.
SupportsDerivation bool: Whether or not the key supports derivation, based on key type.
SupportsEncryption bool: Whether or not the key supports encryption, based on key type.
SupportsSigning bool: Whether or not the key supports signing, based on key type.
Type string: Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096. * Refer to the Vault documentation on transit key types for more information: Key Types

AllowPlaintextBackup bool: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. * Refer to Vault API documentation on key backups for more information: Backup Key
Backend string: The path the transit secret backend is mounted at, with no leading or trailing /s.
ConvergentEncryption bool: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
DeletionAllowed bool: Specifies if the key is allowed to be deleted.
Derived bool: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
Exportable bool: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
Keys []map[string]interface{}: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. * for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key’s metadata. * for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:
LatestVersion int: Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key’s information can be referenced from keys by selecting element 0
MinAvailableVersion int: Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
MinDecryptionVersion int: Minimum key version to use for decryption.
MinEncryptionVersion int: Minimum key version to use for encryption
Name string: The name to identify this key within the backend. Must be unique within the backend.
SupportsDecryption bool: Whether or not the key supports decryption, based on key type.
SupportsDerivation bool: Whether or not the key supports derivation, based on key type.
SupportsEncryption bool: Whether or not the key supports encryption, based on key type.
SupportsSigning bool: Whether or not the key supports signing, based on key type.
Type string: Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096. * Refer to the Vault documentation on transit key types for more information: Key Types

allowPlaintextBackup boolean: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. * Refer to Vault API documentation on key backups for more information: Backup Key
backend string: The path the transit secret backend is mounted at, with no leading or trailing /s.
convergentEncryption boolean: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletionAllowed boolean: Specifies if the key is allowed to be deleted.
derived boolean: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable boolean: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
keys {[key: string]: any}[]: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. * for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key’s metadata. * for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:
latestVersion number: Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key’s information can be referenced from keys by selecting element 0
minAvailableVersion number: Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
minDecryptionVersion number: Minimum key version to use for decryption.
minEncryptionVersion number: Minimum key version to use for encryption
name string: The name to identify this key within the backend. Must be unique within the backend.
supportsDecryption boolean: Whether or not the key supports decryption, based on key type.
supportsDerivation boolean: Whether or not the key supports derivation, based on key type.
supportsEncryption boolean: Whether or not the key supports encryption, based on key type.
supportsSigning boolean: Whether or not the key supports signing, based on key type.
type string: Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096. * Refer to the Vault documentation on transit key types for more information: Key Types

allow_plaintext_backup bool: Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. * Refer to Vault API documentation on key backups for more information: Backup Key
backend str: The path the transit secret backend is mounted at, with no leading or trailing /s.
convergent_encryption bool: Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletion_allowed bool: Specifies if the key is allowed to be deleted.
derived bool: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable bool: Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
keys List[Any>]: List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. * for key types aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key’s metadata. * for key types ed25519, ecdsa-p256, rsa-2048 and rsa-4096, each key version will be a map of the following:
latest_version float: Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key’s information can be referenced from keys by selecting element 0
min_available_version float: Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
min_decryption_version float: Minimum key version to use for decryption.
min_encryption_version float: Minimum key version to use for encryption
name str: The name to identify this key within the backend. Must be unique within the backend.
supports_decryption bool: Whether or not the key supports decryption, based on key type.
supports_derivation bool: Whether or not the key supports derivation, based on key type.
supports_encryption bool: Whether or not the key supports encryption, based on key type.
supports_signing bool: Whether or not the key supports signing, based on key type.
type str: Specifies the type of key to create. The currently-supported types are: aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, rsa-2048 and rsa-4096. * Refer to the Vault documentation on transit key types for more information: Key Types

Package Details

Repository: https://github.com/pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud