HashiCorp Vault v6.2.0, Jun 21 24

HashiCorp Vault v6.2.0 published on Friday, Jun 21, 2024 by Pulumi

vault.pkiSecret.SecretBackendRole

Explore with Pulumi AI

HashiCorp Vault v6.2.0 published on Friday, Jun 21, 2024 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const pki = new vault.Mount("pki", {
    path: "pki",
    type: "pki",
    defaultLeaseTtlSeconds: 3600,
    maxLeaseTtlSeconds: 86400,
});
const role = new vault.pkisecret.SecretBackendRole("role", {
    backend: pki.path,
    name: "my_role",
    ttl: "3600",
    allowIpSans: true,
    keyType: "rsa",
    keyBits: 4096,
    allowedDomains: [
        "example.com",
        "my.domain",
    ],
    allowSubdomains: true,
});

import pulumi
import pulumi_vault as vault

pki = vault.Mount("pki",
    path="pki",
    type="pki",
    default_lease_ttl_seconds=3600,
    max_lease_ttl_seconds=86400)
role = vault.pki_secret.SecretBackendRole("role",
    backend=pki.path,
    name="my_role",
    ttl="3600",
    allow_ip_sans=True,
    key_type="rsa",
    key_bits=4096,
    allowed_domains=[
        "example.com",
        "my.domain",
    ],
    allow_subdomains=True)

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkiSecret"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pki, err := vault.NewMount(ctx, "pki", &vault.MountArgs{
			Path:                   pulumi.String("pki"),
			Type:                   pulumi.String("pki"),
			DefaultLeaseTtlSeconds: pulumi.Int(3600),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
		})
		if err != nil {
			return err
		}
		_, err = pkiSecret.NewSecretBackendRole(ctx, "role", &pkiSecret.SecretBackendRoleArgs{
			Backend:     pki.Path,
			Name:        pulumi.String("my_role"),
			Ttl:         pulumi.String("3600"),
			AllowIpSans: pulumi.Bool(true),
			KeyType:     pulumi.String("rsa"),
			KeyBits:     pulumi.Int(4096),
			AllowedDomains: pulumi.StringArray{
				pulumi.String("example.com"),
				pulumi.String("my.domain"),
			},
			AllowSubdomains: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var pki = new Vault.Mount("pki", new()
    {
        Path = "pki",
        Type = "pki",
        DefaultLeaseTtlSeconds = 3600,
        MaxLeaseTtlSeconds = 86400,
    });

    var role = new Vault.PkiSecret.SecretBackendRole("role", new()
    {
        Backend = pki.Path,
        Name = "my_role",
        Ttl = "3600",
        AllowIpSans = true,
        KeyType = "rsa",
        KeyBits = 4096,
        AllowedDomains = new[]
        {
            "example.com",
            "my.domain",
        },
        AllowSubdomains = true,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRole;
import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pki = new Mount("pki", MountArgs.builder()
            .path("pki")
            .type("pki")
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build());

        var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
            .backend(pki.path())
            .name("my_role")
            .ttl(3600)
            .allowIpSans(true)
            .keyType("rsa")
            .keyBits(4096)
            .allowedDomains(            
                "example.com",
                "my.domain")
            .allowSubdomains(true)
            .build());

    }
}

resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true

Create SecretBackendRole Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);

@overload
def SecretBackendRole(resource_name: str,
                      args: SecretBackendRoleArgs,
                      opts: Optional[ResourceOptions] = None)

@overload
def SecretBackendRole(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      backend: Optional[str] = None,
                      ext_key_usages: Optional[Sequence[str]] = None,
                      use_csr_common_name: Optional[bool] = None,
                      allow_ip_sans: Optional[bool] = None,
                      generate_lease: Optional[bool] = None,
                      allow_subdomains: Optional[bool] = None,
                      allow_wildcard_certificates: Optional[bool] = None,
                      allowed_domains: Optional[Sequence[str]] = None,
                      allowed_domains_template: Optional[bool] = None,
                      allowed_other_sans: Optional[Sequence[str]] = None,
                      allowed_serial_numbers: Optional[Sequence[str]] = None,
                      allowed_uri_sans: Optional[Sequence[str]] = None,
                      allowed_uri_sans_template: Optional[bool] = None,
                      allowed_user_ids: Optional[Sequence[str]] = None,
                      allow_bare_domains: Optional[bool] = None,
                      basic_constraints_valid_for_non_ca: Optional[bool] = None,
                      client_flag: Optional[bool] = None,
                      code_signing_flag: Optional[bool] = None,
                      key_bits: Optional[int] = None,
                      email_protection_flag: Optional[bool] = None,
                      enforce_hostnames: Optional[bool] = None,
                      ext_key_usage_oids: Optional[Sequence[str]] = None,
                      allow_any_name: Optional[bool] = None,
                      allow_localhost: Optional[bool] = None,
                      allow_glob_domains: Optional[bool] = None,
                      countries: Optional[Sequence[str]] = None,
                      key_type: Optional[str] = None,
                      key_usages: Optional[Sequence[str]] = None,
                      localities: Optional[Sequence[str]] = None,
                      max_ttl: Optional[str] = None,
                      name: Optional[str] = None,
                      namespace: Optional[str] = None,
                      no_store: Optional[bool] = None,
                      not_before_duration: Optional[str] = None,
                      organization_unit: Optional[Sequence[str]] = None,
                      organizations: Optional[Sequence[str]] = None,
                      policy_identifier: Optional[Sequence[_pkisecret.SecretBackendRolePolicyIdentifierArgs]] = None,
                      policy_identifiers: Optional[Sequence[str]] = None,
                      postal_codes: Optional[Sequence[str]] = None,
                      provinces: Optional[Sequence[str]] = None,
                      require_cn: Optional[bool] = None,
                      server_flag: Optional[bool] = None,
                      street_addresses: Optional[Sequence[str]] = None,
                      ttl: Optional[str] = None,
                      issuer_ref: Optional[str] = None,
                      use_csr_sans: Optional[bool] = None)

func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)

public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)

public SecretBackendRole(String name, SecretBackendRoleArgs args)
public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)

type: vault:pkiSecret:SecretBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole = new Vault.PkiSecret.SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", new()
{
    Backend = "string",
    ExtKeyUsages = new[]
    {
        "string",
    },
    UseCsrCommonName = false,
    AllowIpSans = false,
    GenerateLease = false,
    AllowSubdomains = false,
    AllowWildcardCertificates = false,
    AllowedDomains = new[]
    {
        "string",
    },
    AllowedDomainsTemplate = false,
    AllowedOtherSans = new[]
    {
        "string",
    },
    AllowedSerialNumbers = new[]
    {
        "string",
    },
    AllowedUriSans = new[]
    {
        "string",
    },
    AllowedUriSansTemplate = false,
    AllowedUserIds = new[]
    {
        "string",
    },
    AllowBareDomains = false,
    BasicConstraintsValidForNonCa = false,
    ClientFlag = false,
    CodeSigningFlag = false,
    KeyBits = 0,
    EmailProtectionFlag = false,
    EnforceHostnames = false,
    ExtKeyUsageOids = new[]
    {
        "string",
    },
    AllowAnyName = false,
    AllowLocalhost = false,
    AllowGlobDomains = false,
    Countries = new[]
    {
        "string",
    },
    KeyType = "string",
    KeyUsages = new[]
    {
        "string",
    },
    Localities = new[]
    {
        "string",
    },
    MaxTtl = "string",
    Name = "string",
    Namespace = "string",
    NoStore = false,
    NotBeforeDuration = "string",
    OrganizationUnit = new[]
    {
        "string",
    },
    Organizations = new[]
    {
        "string",
    },
    PolicyIdentifier = new[]
    {
        new Vault.PkiSecret.Inputs.SecretBackendRolePolicyIdentifierArgs
        {
            Oid = "string",
            Cps = "string",
            Notice = "string",
        },
    },
    PolicyIdentifiers = new[]
    {
        "string",
    },
    PostalCodes = new[]
    {
        "string",
    },
    Provinces = new[]
    {
        "string",
    },
    RequireCn = false,
    ServerFlag = false,
    StreetAddresses = new[]
    {
        "string",
    },
    Ttl = "string",
    IssuerRef = "string",
    UseCsrSans = false,
});

example, err := pkiSecret.NewSecretBackendRole(ctx, "examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", &pkiSecret.SecretBackendRoleArgs{
	Backend: pulumi.String("string"),
	ExtKeyUsages: pulumi.StringArray{
		pulumi.String("string"),
	},
	UseCsrCommonName:          pulumi.Bool(false),
	AllowIpSans:               pulumi.Bool(false),
	GenerateLease:             pulumi.Bool(false),
	AllowSubdomains:           pulumi.Bool(false),
	AllowWildcardCertificates: pulumi.Bool(false),
	AllowedDomains: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedDomainsTemplate: pulumi.Bool(false),
	AllowedOtherSans: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedSerialNumbers: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedUriSans: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedUriSansTemplate: pulumi.Bool(false),
	AllowedUserIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowBareDomains:              pulumi.Bool(false),
	BasicConstraintsValidForNonCa: pulumi.Bool(false),
	ClientFlag:                    pulumi.Bool(false),
	CodeSigningFlag:               pulumi.Bool(false),
	KeyBits:                       pulumi.Int(0),
	EmailProtectionFlag:           pulumi.Bool(false),
	EnforceHostnames:              pulumi.Bool(false),
	ExtKeyUsageOids: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowAnyName:     pulumi.Bool(false),
	AllowLocalhost:   pulumi.Bool(false),
	AllowGlobDomains: pulumi.Bool(false),
	Countries: pulumi.StringArray{
		pulumi.String("string"),
	},
	KeyType: pulumi.String("string"),
	KeyUsages: pulumi.StringArray{
		pulumi.String("string"),
	},
	Localities: pulumi.StringArray{
		pulumi.String("string"),
	},
	MaxTtl:            pulumi.String("string"),
	Name:              pulumi.String("string"),
	Namespace:         pulumi.String("string"),
	NoStore:           pulumi.Bool(false),
	NotBeforeDuration: pulumi.String("string"),
	OrganizationUnit: pulumi.StringArray{
		pulumi.String("string"),
	},
	Organizations: pulumi.StringArray{
		pulumi.String("string"),
	},
	PolicyIdentifier: pkisecret.SecretBackendRolePolicyIdentifierArray{
		&pkisecret.SecretBackendRolePolicyIdentifierArgs{
			Oid:    pulumi.String("string"),
			Cps:    pulumi.String("string"),
			Notice: pulumi.String("string"),
		},
	},
	PolicyIdentifiers: pulumi.StringArray{
		pulumi.String("string"),
	},
	PostalCodes: pulumi.StringArray{
		pulumi.String("string"),
	},
	Provinces: pulumi.StringArray{
		pulumi.String("string"),
	},
	RequireCn:  pulumi.Bool(false),
	ServerFlag: pulumi.Bool(false),
	StreetAddresses: pulumi.StringArray{
		pulumi.String("string"),
	},
	Ttl:        pulumi.String("string"),
	IssuerRef:  pulumi.String("string"),
	UseCsrSans: pulumi.Bool(false),
})

var examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole = new SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", SecretBackendRoleArgs.builder()
    .backend("string")
    .extKeyUsages("string")
    .useCsrCommonName(false)
    .allowIpSans(false)
    .generateLease(false)
    .allowSubdomains(false)
    .allowWildcardCertificates(false)
    .allowedDomains("string")
    .allowedDomainsTemplate(false)
    .allowedOtherSans("string")
    .allowedSerialNumbers("string")
    .allowedUriSans("string")
    .allowedUriSansTemplate(false)
    .allowedUserIds("string")
    .allowBareDomains(false)
    .basicConstraintsValidForNonCa(false)
    .clientFlag(false)
    .codeSigningFlag(false)
    .keyBits(0)
    .emailProtectionFlag(false)
    .enforceHostnames(false)
    .extKeyUsageOids("string")
    .allowAnyName(false)
    .allowLocalhost(false)
    .allowGlobDomains(false)
    .countries("string")
    .keyType("string")
    .keyUsages("string")
    .localities("string")
    .maxTtl("string")
    .name("string")
    .namespace("string")
    .noStore(false)
    .notBeforeDuration("string")
    .organizationUnit("string")
    .organizations("string")
    .policyIdentifier(SecretBackendRolePolicyIdentifierArgs.builder()
        .oid("string")
        .cps("string")
        .notice("string")
        .build())
    .policyIdentifiers("string")
    .postalCodes("string")
    .provinces("string")
    .requireCn(false)
    .serverFlag(false)
    .streetAddresses("string")
    .ttl("string")
    .issuerRef("string")
    .useCsrSans(false)
    .build());

examplesecret_backend_role_resource_resource_from_pki_secretsecret_backend_role = vault.pki_secret.SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole",
    backend="string",
    ext_key_usages=["string"],
    use_csr_common_name=False,
    allow_ip_sans=False,
    generate_lease=False,
    allow_subdomains=False,
    allow_wildcard_certificates=False,
    allowed_domains=["string"],
    allowed_domains_template=False,
    allowed_other_sans=["string"],
    allowed_serial_numbers=["string"],
    allowed_uri_sans=["string"],
    allowed_uri_sans_template=False,
    allowed_user_ids=["string"],
    allow_bare_domains=False,
    basic_constraints_valid_for_non_ca=False,
    client_flag=False,
    code_signing_flag=False,
    key_bits=0,
    email_protection_flag=False,
    enforce_hostnames=False,
    ext_key_usage_oids=["string"],
    allow_any_name=False,
    allow_localhost=False,
    allow_glob_domains=False,
    countries=["string"],
    key_type="string",
    key_usages=["string"],
    localities=["string"],
    max_ttl="string",
    name="string",
    namespace="string",
    no_store=False,
    not_before_duration="string",
    organization_unit=["string"],
    organizations=["string"],
    policy_identifier=[vault.pki_secret.SecretBackendRolePolicyIdentifierArgs(
        oid="string",
        cps="string",
        notice="string",
    )],
    policy_identifiers=["string"],
    postal_codes=["string"],
    provinces=["string"],
    require_cn=False,
    server_flag=False,
    street_addresses=["string"],
    ttl="string",
    issuer_ref="string",
    use_csr_sans=False)

const examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole = new vault.pkisecret.SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", {
    backend: "string",
    extKeyUsages: ["string"],
    useCsrCommonName: false,
    allowIpSans: false,
    generateLease: false,
    allowSubdomains: false,
    allowWildcardCertificates: false,
    allowedDomains: ["string"],
    allowedDomainsTemplate: false,
    allowedOtherSans: ["string"],
    allowedSerialNumbers: ["string"],
    allowedUriSans: ["string"],
    allowedUriSansTemplate: false,
    allowedUserIds: ["string"],
    allowBareDomains: false,
    basicConstraintsValidForNonCa: false,
    clientFlag: false,
    codeSigningFlag: false,
    keyBits: 0,
    emailProtectionFlag: false,
    enforceHostnames: false,
    extKeyUsageOids: ["string"],
    allowAnyName: false,
    allowLocalhost: false,
    allowGlobDomains: false,
    countries: ["string"],
    keyType: "string",
    keyUsages: ["string"],
    localities: ["string"],
    maxTtl: "string",
    name: "string",
    namespace: "string",
    noStore: false,
    notBeforeDuration: "string",
    organizationUnit: ["string"],
    organizations: ["string"],
    policyIdentifier: [{
        oid: "string",
        cps: "string",
        notice: "string",
    }],
    policyIdentifiers: ["string"],
    postalCodes: ["string"],
    provinces: ["string"],
    requireCn: false,
    serverFlag: false,
    streetAddresses: ["string"],
    ttl: "string",
    issuerRef: "string",
    useCsrSans: false,
});

type: vault:pkiSecret:SecretBackendRole
properties:
    allowAnyName: false
    allowBareDomains: false
    allowGlobDomains: false
    allowIpSans: false
    allowLocalhost: false
    allowSubdomains: false
    allowWildcardCertificates: false
    allowedDomains:
        - string
    allowedDomainsTemplate: false
    allowedOtherSans:
        - string
    allowedSerialNumbers:
        - string
    allowedUriSans:
        - string
    allowedUriSansTemplate: false
    allowedUserIds:
        - string
    backend: string
    basicConstraintsValidForNonCa: false
    clientFlag: false
    codeSigningFlag: false
    countries:
        - string
    emailProtectionFlag: false
    enforceHostnames: false
    extKeyUsageOids:
        - string
    extKeyUsages:
        - string
    generateLease: false
    issuerRef: string
    keyBits: 0
    keyType: string
    keyUsages:
        - string
    localities:
        - string
    maxTtl: string
    name: string
    namespace: string
    noStore: false
    notBeforeDuration: string
    organizationUnit:
        - string
    organizations:
        - string
    policyIdentifier:
        - cps: string
          notice: string
          oid: string
    policyIdentifiers:
        - string
    postalCodes:
        - string
    provinces:
        - string
    requireCn: false
    serverFlag: false
    streetAddresses:
        - string
    ttl: string
    useCsrCommonName: false
    useCsrSans: false

SecretBackendRole Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The SecretBackendRole resource accepts the following input properties:

Backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
AllowAnyName bool: Flag to allow any name
AllowBareDomains bool: Flag to allow certificates matching the actual domain
AllowGlobDomains bool: Flag to allow names containing glob patterns.
AllowIpSans bool: Flag to allow IP SANs
AllowLocalhost bool: Flag to allow certificates for localhost
AllowSubdomains bool: Flag to allow certificates matching subdomains
AllowWildcardCertificates bool: Flag to allow wildcard certificates.
AllowedDomains List<string>: List of allowed domains for certificates
AllowedDomainsTemplate bool: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedOtherSans List<string>: Defines allowed custom SANs
AllowedSerialNumbers List<string>: An array of allowed serial numbers to put in Subject
AllowedUriSans List<string>: Defines allowed URI SANs
AllowedUriSansTemplate bool: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedUserIds List<string>: Defines allowed User IDs
BasicConstraintsValidForNonCa bool: Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool: Flag to specify certificates for client use
CodeSigningFlag bool: Flag to specify certificates for code signing use
Countries List<string>: The country of generated certificates
EmailProtectionFlag bool: Flag to specify certificates for email protection use
EnforceHostnames bool: Flag to allow only valid host names
ExtKeyUsageOids List<string>: Specify the allowed extended key usage OIDs constraint on issued certificates
ExtKeyUsages List<string>: Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool: Flag to generate leases with certificates
IssuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
KeyBits int: The number of bits of generated keys
KeyType string: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
KeyUsages List<string>: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
Localities List<string>: The locality of generated certificates
MaxTtl string: The maximum lease TTL, in seconds, for the role.
Name string: The name to identify this role within the backend. Must be unique within the backend.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NoStore bool: Flag to not store certificates in the storage backend
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit List<string>: The organization unit of generated certificates
Organizations List<string>: The organization of generated certificates
PolicyIdentifier List<SecretBackendRolePolicyIdentifier>: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
PolicyIdentifiers List<string>: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
PostalCodes List<string>: The postal code of generated certificates
Provinces List<string>: The province of generated certificates
RequireCn bool: Flag to force CN usage
ServerFlag bool: Flag to specify certificates for server use
StreetAddresses List<string>: The street address of generated certificates
Ttl string: The TTL, in seconds, for any certificate issued against this role.
UseCsrCommonName bool: Flag to use the CN in the CSR
UseCsrSans bool: Flag to use the SANs in the CSR

Backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
AllowAnyName bool: Flag to allow any name
AllowBareDomains bool: Flag to allow certificates matching the actual domain
AllowGlobDomains bool: Flag to allow names containing glob patterns.
AllowIpSans bool: Flag to allow IP SANs
AllowLocalhost bool: Flag to allow certificates for localhost
AllowSubdomains bool: Flag to allow certificates matching subdomains
AllowWildcardCertificates bool: Flag to allow wildcard certificates.
AllowedDomains []string: List of allowed domains for certificates
AllowedDomainsTemplate bool: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedOtherSans []string: Defines allowed custom SANs
AllowedSerialNumbers []string: An array of allowed serial numbers to put in Subject
AllowedUriSans []string: Defines allowed URI SANs
AllowedUriSansTemplate bool: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedUserIds []string: Defines allowed User IDs
BasicConstraintsValidForNonCa bool: Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool: Flag to specify certificates for client use
CodeSigningFlag bool: Flag to specify certificates for code signing use
Countries []string: The country of generated certificates
EmailProtectionFlag bool: Flag to specify certificates for email protection use
EnforceHostnames bool: Flag to allow only valid host names
ExtKeyUsageOids []string: Specify the allowed extended key usage OIDs constraint on issued certificates
ExtKeyUsages []string: Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool: Flag to generate leases with certificates
IssuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
KeyBits int: The number of bits of generated keys
KeyType string: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
KeyUsages []string: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
Localities []string: The locality of generated certificates
MaxTtl string: The maximum lease TTL, in seconds, for the role.
Name string: The name to identify this role within the backend. Must be unique within the backend.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NoStore bool: Flag to not store certificates in the storage backend
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit []string: The organization unit of generated certificates
Organizations []string: The organization of generated certificates
PolicyIdentifier []SecretBackendRolePolicyIdentifierArgs: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
PolicyIdentifiers []string: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
PostalCodes []string: The postal code of generated certificates
Provinces []string: The province of generated certificates
RequireCn bool: Flag to force CN usage
ServerFlag bool: Flag to specify certificates for server use
StreetAddresses []string: The street address of generated certificates
Ttl string: The TTL, in seconds, for any certificate issued against this role.
UseCsrCommonName bool: Flag to use the CN in the CSR
UseCsrSans bool: Flag to use the SANs in the CSR

backend String: The path the PKI secret backend is mounted at, with no leading or trailing /s.
allowAnyName Boolean: Flag to allow any name
allowBareDomains Boolean: Flag to allow certificates matching the actual domain
allowGlobDomains Boolean: Flag to allow names containing glob patterns.
allowIpSans Boolean: Flag to allow IP SANs
allowLocalhost Boolean: Flag to allow certificates for localhost
allowSubdomains Boolean: Flag to allow certificates matching subdomains
allowWildcardCertificates Boolean: Flag to allow wildcard certificates.
allowedDomains List<String>: List of allowed domains for certificates
allowedDomainsTemplate Boolean: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedOtherSans List<String>: Defines allowed custom SANs
allowedSerialNumbers List<String>: An array of allowed serial numbers to put in Subject
allowedUriSans List<String>: Defines allowed URI SANs
allowedUriSansTemplate Boolean: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedUserIds List<String>: Defines allowed User IDs
basicConstraintsValidForNonCa Boolean: Flag to mark basic constraints valid when issuing non-CA certificates
clientFlag Boolean: Flag to specify certificates for client use
codeSigningFlag Boolean: Flag to specify certificates for code signing use
countries List<String>: The country of generated certificates
emailProtectionFlag Boolean: Flag to specify certificates for email protection use
enforceHostnames Boolean: Flag to allow only valid host names
extKeyUsageOids List<String>: Specify the allowed extended key usage OIDs constraint on issued certificates
extKeyUsages List<String>: Specify the allowed extended key usage constraint on issued certificates
generateLease Boolean: Flag to generate leases with certificates
issuerRef String: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
keyBits Integer: The number of bits of generated keys
keyType String: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
keyUsages List<String>: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
localities List<String>: The locality of generated certificates
maxTtl String: The maximum lease TTL, in seconds, for the role.
name String: The name to identify this role within the backend. Must be unique within the backend.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
noStore Boolean: Flag to not store certificates in the storage backend
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organizationUnit List<String>: The organization unit of generated certificates
organizations List<String>: The organization of generated certificates
policyIdentifier List<SecretBackendRolePolicyIdentifier>: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
policyIdentifiers List<String>: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
postalCodes List<String>: The postal code of generated certificates
provinces List<String>: The province of generated certificates
requireCn Boolean: Flag to force CN usage
serverFlag Boolean: Flag to specify certificates for server use
streetAddresses List<String>: The street address of generated certificates
ttl String: The TTL, in seconds, for any certificate issued against this role.
useCsrCommonName Boolean: Flag to use the CN in the CSR
useCsrSans Boolean: Flag to use the SANs in the CSR

backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
allowAnyName boolean: Flag to allow any name
allowBareDomains boolean: Flag to allow certificates matching the actual domain
allowGlobDomains boolean: Flag to allow names containing glob patterns.
allowIpSans boolean: Flag to allow IP SANs
allowLocalhost boolean: Flag to allow certificates for localhost
allowSubdomains boolean: Flag to allow certificates matching subdomains
allowWildcardCertificates boolean: Flag to allow wildcard certificates.
allowedDomains string[]: List of allowed domains for certificates
allowedDomainsTemplate boolean: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedOtherSans string[]: Defines allowed custom SANs
allowedSerialNumbers string[]: An array of allowed serial numbers to put in Subject
allowedUriSans string[]: Defines allowed URI SANs
allowedUriSansTemplate boolean: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedUserIds string[]: Defines allowed User IDs
basicConstraintsValidForNonCa boolean: Flag to mark basic constraints valid when issuing non-CA certificates
clientFlag boolean: Flag to specify certificates for client use
codeSigningFlag boolean: Flag to specify certificates for code signing use
countries string[]: The country of generated certificates
emailProtectionFlag boolean: Flag to specify certificates for email protection use
enforceHostnames boolean: Flag to allow only valid host names
extKeyUsageOids string[]: Specify the allowed extended key usage OIDs constraint on issued certificates
extKeyUsages string[]: Specify the allowed extended key usage constraint on issued certificates
generateLease boolean: Flag to generate leases with certificates
issuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
keyBits number: The number of bits of generated keys
keyType string: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
keyUsages string[]: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
localities string[]: The locality of generated certificates
maxTtl string: The maximum lease TTL, in seconds, for the role.
name string: The name to identify this role within the backend. Must be unique within the backend.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
noStore boolean: Flag to not store certificates in the storage backend
notBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
organizationUnit string[]: The organization unit of generated certificates
organizations string[]: The organization of generated certificates
policyIdentifier SecretBackendRolePolicyIdentifier[]: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
policyIdentifiers string[]: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
postalCodes string[]: The postal code of generated certificates
provinces string[]: The province of generated certificates
requireCn boolean: Flag to force CN usage
serverFlag boolean: Flag to specify certificates for server use
streetAddresses string[]: The street address of generated certificates
ttl string: The TTL, in seconds, for any certificate issued against this role.
useCsrCommonName boolean: Flag to use the CN in the CSR
useCsrSans boolean: Flag to use the SANs in the CSR

backend str: The path the PKI secret backend is mounted at, with no leading or trailing /s.
allow_any_name bool: Flag to allow any name
allow_bare_domains bool: Flag to allow certificates matching the actual domain
allow_glob_domains bool: Flag to allow names containing glob patterns.
allow_ip_sans bool: Flag to allow IP SANs
allow_localhost bool: Flag to allow certificates for localhost
allow_subdomains bool: Flag to allow certificates matching subdomains
allow_wildcard_certificates bool: Flag to allow wildcard certificates.
allowed_domains Sequence[str]: List of allowed domains for certificates
allowed_domains_template bool: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowed_other_sans Sequence[str]: Defines allowed custom SANs
allowed_serial_numbers Sequence[str]: An array of allowed serial numbers to put in Subject
allowed_uri_sans Sequence[str]: Defines allowed URI SANs
allowed_uri_sans_template bool: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowed_user_ids Sequence[str]: Defines allowed User IDs
basic_constraints_valid_for_non_ca bool: Flag to mark basic constraints valid when issuing non-CA certificates
client_flag bool: Flag to specify certificates for client use
code_signing_flag bool: Flag to specify certificates for code signing use
countries Sequence[str]: The country of generated certificates
email_protection_flag bool: Flag to specify certificates for email protection use
enforce_hostnames bool: Flag to allow only valid host names
ext_key_usage_oids Sequence[str]: Specify the allowed extended key usage OIDs constraint on issued certificates
ext_key_usages Sequence[str]: Specify the allowed extended key usage constraint on issued certificates
generate_lease bool: Flag to generate leases with certificates
issuer_ref str: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
key_bits int: The number of bits of generated keys
key_type str: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
key_usages Sequence[str]: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
localities Sequence[str]: The locality of generated certificates
max_ttl str: The maximum lease TTL, in seconds, for the role.
name str: The name to identify this role within the backend. Must be unique within the backend.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
no_store bool: Flag to not store certificates in the storage backend
not_before_duration str: Specifies the duration by which to backdate the NotBefore property.
organization_unit Sequence[str]: The organization unit of generated certificates
organizations Sequence[str]: The organization of generated certificates
policy_identifier Sequence[pkisecret.SecretBackendRolePolicyIdentifierArgs]: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
policy_identifiers Sequence[str]: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
postal_codes Sequence[str]: The postal code of generated certificates
provinces Sequence[str]: The province of generated certificates
require_cn bool: Flag to force CN usage
server_flag bool: Flag to specify certificates for server use
street_addresses Sequence[str]: The street address of generated certificates
ttl str: The TTL, in seconds, for any certificate issued against this role.
use_csr_common_name bool: Flag to use the CN in the CSR
use_csr_sans bool: Flag to use the SANs in the CSR

backend String: The path the PKI secret backend is mounted at, with no leading or trailing /s.
allowAnyName Boolean: Flag to allow any name
allowBareDomains Boolean: Flag to allow certificates matching the actual domain
allowGlobDomains Boolean: Flag to allow names containing glob patterns.
allowIpSans Boolean: Flag to allow IP SANs
allowLocalhost Boolean: Flag to allow certificates for localhost
allowSubdomains Boolean: Flag to allow certificates matching subdomains
allowWildcardCertificates Boolean: Flag to allow wildcard certificates.
allowedDomains List<String>: List of allowed domains for certificates
allowedDomainsTemplate Boolean: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedOtherSans List<String>: Defines allowed custom SANs
allowedSerialNumbers List<String>: An array of allowed serial numbers to put in Subject
allowedUriSans List<String>: Defines allowed URI SANs
allowedUriSansTemplate Boolean: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedUserIds List<String>: Defines allowed User IDs
basicConstraintsValidForNonCa Boolean: Flag to mark basic constraints valid when issuing non-CA certificates
clientFlag Boolean: Flag to specify certificates for client use
codeSigningFlag Boolean: Flag to specify certificates for code signing use
countries List<String>: The country of generated certificates
emailProtectionFlag Boolean: Flag to specify certificates for email protection use
enforceHostnames Boolean: Flag to allow only valid host names
extKeyUsageOids List<String>: Specify the allowed extended key usage OIDs constraint on issued certificates
extKeyUsages List<String>: Specify the allowed extended key usage constraint on issued certificates
generateLease Boolean: Flag to generate leases with certificates
issuerRef String: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
keyBits Number: The number of bits of generated keys
keyType String: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
keyUsages List<String>: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
localities List<String>: The locality of generated certificates
maxTtl String: The maximum lease TTL, in seconds, for the role.
name String: The name to identify this role within the backend. Must be unique within the backend.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
noStore Boolean: Flag to not store certificates in the storage backend
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organizationUnit List<String>: The organization unit of generated certificates
organizations List<String>: The organization of generated certificates
policyIdentifier List<Property Map>: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
policyIdentifiers List<String>: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
postalCodes List<String>: The postal code of generated certificates
provinces List<String>: The province of generated certificates
requireCn Boolean: Flag to force CN usage
serverFlag Boolean: Flag to specify certificates for server use
streetAddresses List<String>: The street address of generated certificates
ttl String: The TTL, in seconds, for any certificate issued against this role.
useCsrCommonName Boolean: Flag to use the CN in the CSR
useCsrSans Boolean: Flag to use the SANs in the CSR

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing SecretBackendRole Resource

Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allow_any_name: Optional[bool] = None,
        allow_bare_domains: Optional[bool] = None,
        allow_glob_domains: Optional[bool] = None,
        allow_ip_sans: Optional[bool] = None,
        allow_localhost: Optional[bool] = None,
        allow_subdomains: Optional[bool] = None,
        allow_wildcard_certificates: Optional[bool] = None,
        allowed_domains: Optional[Sequence[str]] = None,
        allowed_domains_template: Optional[bool] = None,
        allowed_other_sans: Optional[Sequence[str]] = None,
        allowed_serial_numbers: Optional[Sequence[str]] = None,
        allowed_uri_sans: Optional[Sequence[str]] = None,
        allowed_uri_sans_template: Optional[bool] = None,
        allowed_user_ids: Optional[Sequence[str]] = None,
        backend: Optional[str] = None,
        basic_constraints_valid_for_non_ca: Optional[bool] = None,
        client_flag: Optional[bool] = None,
        code_signing_flag: Optional[bool] = None,
        countries: Optional[Sequence[str]] = None,
        email_protection_flag: Optional[bool] = None,
        enforce_hostnames: Optional[bool] = None,
        ext_key_usage_oids: Optional[Sequence[str]] = None,
        ext_key_usages: Optional[Sequence[str]] = None,
        generate_lease: Optional[bool] = None,
        issuer_ref: Optional[str] = None,
        key_bits: Optional[int] = None,
        key_type: Optional[str] = None,
        key_usages: Optional[Sequence[str]] = None,
        localities: Optional[Sequence[str]] = None,
        max_ttl: Optional[str] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        no_store: Optional[bool] = None,
        not_before_duration: Optional[str] = None,
        organization_unit: Optional[Sequence[str]] = None,
        organizations: Optional[Sequence[str]] = None,
        policy_identifier: Optional[Sequence[_pkisecret.SecretBackendRolePolicyIdentifierArgs]] = None,
        policy_identifiers: Optional[Sequence[str]] = None,
        postal_codes: Optional[Sequence[str]] = None,
        provinces: Optional[Sequence[str]] = None,
        require_cn: Optional[bool] = None,
        server_flag: Optional[bool] = None,
        street_addresses: Optional[Sequence[str]] = None,
        ttl: Optional[str] = None,
        use_csr_common_name: Optional[bool] = None,
        use_csr_sans: Optional[bool] = None) -> SecretBackendRole

func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)

public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)

public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowAnyName bool: Flag to allow any name
AllowBareDomains bool: Flag to allow certificates matching the actual domain
AllowGlobDomains bool: Flag to allow names containing glob patterns.
AllowIpSans bool: Flag to allow IP SANs
AllowLocalhost bool: Flag to allow certificates for localhost
AllowSubdomains bool: Flag to allow certificates matching subdomains
AllowWildcardCertificates bool: Flag to allow wildcard certificates.
AllowedDomains List<string>: List of allowed domains for certificates
AllowedDomainsTemplate bool: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedOtherSans List<string>: Defines allowed custom SANs
AllowedSerialNumbers List<string>: An array of allowed serial numbers to put in Subject
AllowedUriSans List<string>: Defines allowed URI SANs
AllowedUriSansTemplate bool: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedUserIds List<string>: Defines allowed User IDs
Backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
BasicConstraintsValidForNonCa bool: Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool: Flag to specify certificates for client use
CodeSigningFlag bool: Flag to specify certificates for code signing use
Countries List<string>: The country of generated certificates
EmailProtectionFlag bool: Flag to specify certificates for email protection use
EnforceHostnames bool: Flag to allow only valid host names
ExtKeyUsageOids List<string>: Specify the allowed extended key usage OIDs constraint on issued certificates
ExtKeyUsages List<string>: Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool: Flag to generate leases with certificates
IssuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
KeyBits int: The number of bits of generated keys
KeyType string: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
KeyUsages List<string>: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
Localities List<string>: The locality of generated certificates
MaxTtl string: The maximum lease TTL, in seconds, for the role.
Name string: The name to identify this role within the backend. Must be unique within the backend.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NoStore bool: Flag to not store certificates in the storage backend
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit List<string>: The organization unit of generated certificates
Organizations List<string>: The organization of generated certificates
PolicyIdentifier List<SecretBackendRolePolicyIdentifier>: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
PolicyIdentifiers List<string>: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
PostalCodes List<string>: The postal code of generated certificates
Provinces List<string>: The province of generated certificates
RequireCn bool: Flag to force CN usage
ServerFlag bool: Flag to specify certificates for server use
StreetAddresses List<string>: The street address of generated certificates
Ttl string: The TTL, in seconds, for any certificate issued against this role.
UseCsrCommonName bool: Flag to use the CN in the CSR
UseCsrSans bool: Flag to use the SANs in the CSR

AllowAnyName bool: Flag to allow any name
AllowBareDomains bool: Flag to allow certificates matching the actual domain
AllowGlobDomains bool: Flag to allow names containing glob patterns.
AllowIpSans bool: Flag to allow IP SANs
AllowLocalhost bool: Flag to allow certificates for localhost
AllowSubdomains bool: Flag to allow certificates matching subdomains
AllowWildcardCertificates bool: Flag to allow wildcard certificates.
AllowedDomains []string: List of allowed domains for certificates
AllowedDomainsTemplate bool: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedOtherSans []string: Defines allowed custom SANs
AllowedSerialNumbers []string: An array of allowed serial numbers to put in Subject
AllowedUriSans []string: Defines allowed URI SANs
AllowedUriSansTemplate bool: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedUserIds []string: Defines allowed User IDs
Backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
BasicConstraintsValidForNonCa bool: Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool: Flag to specify certificates for client use
CodeSigningFlag bool: Flag to specify certificates for code signing use
Countries []string: The country of generated certificates
EmailProtectionFlag bool: Flag to specify certificates for email protection use
EnforceHostnames bool: Flag to allow only valid host names
ExtKeyUsageOids []string: Specify the allowed extended key usage OIDs constraint on issued certificates
ExtKeyUsages []string: Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool: Flag to generate leases with certificates
IssuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
KeyBits int: The number of bits of generated keys
KeyType string: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
KeyUsages []string: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
Localities []string: The locality of generated certificates
MaxTtl string: The maximum lease TTL, in seconds, for the role.
Name string: The name to identify this role within the backend. Must be unique within the backend.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NoStore bool: Flag to not store certificates in the storage backend
NotBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit []string: The organization unit of generated certificates
Organizations []string: The organization of generated certificates
PolicyIdentifier []SecretBackendRolePolicyIdentifierArgs: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
PolicyIdentifiers []string: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
PostalCodes []string: The postal code of generated certificates
Provinces []string: The province of generated certificates
RequireCn bool: Flag to force CN usage
ServerFlag bool: Flag to specify certificates for server use
StreetAddresses []string: The street address of generated certificates
Ttl string: The TTL, in seconds, for any certificate issued against this role.
UseCsrCommonName bool: Flag to use the CN in the CSR
UseCsrSans bool: Flag to use the SANs in the CSR

allowAnyName Boolean: Flag to allow any name
allowBareDomains Boolean: Flag to allow certificates matching the actual domain
allowGlobDomains Boolean: Flag to allow names containing glob patterns.
allowIpSans Boolean: Flag to allow IP SANs
allowLocalhost Boolean: Flag to allow certificates for localhost
allowSubdomains Boolean: Flag to allow certificates matching subdomains
allowWildcardCertificates Boolean: Flag to allow wildcard certificates.
allowedDomains List<String>: List of allowed domains for certificates
allowedDomainsTemplate Boolean: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedOtherSans List<String>: Defines allowed custom SANs
allowedSerialNumbers List<String>: An array of allowed serial numbers to put in Subject
allowedUriSans List<String>: Defines allowed URI SANs
allowedUriSansTemplate Boolean: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedUserIds List<String>: Defines allowed User IDs
backend String: The path the PKI secret backend is mounted at, with no leading or trailing /s.
basicConstraintsValidForNonCa Boolean: Flag to mark basic constraints valid when issuing non-CA certificates
clientFlag Boolean: Flag to specify certificates for client use
codeSigningFlag Boolean: Flag to specify certificates for code signing use
countries List<String>: The country of generated certificates
emailProtectionFlag Boolean: Flag to specify certificates for email protection use
enforceHostnames Boolean: Flag to allow only valid host names
extKeyUsageOids List<String>: Specify the allowed extended key usage OIDs constraint on issued certificates
extKeyUsages List<String>: Specify the allowed extended key usage constraint on issued certificates
generateLease Boolean: Flag to generate leases with certificates
issuerRef String: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
keyBits Integer: The number of bits of generated keys
keyType String: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
keyUsages List<String>: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
localities List<String>: The locality of generated certificates
maxTtl String: The maximum lease TTL, in seconds, for the role.
name String: The name to identify this role within the backend. Must be unique within the backend.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
noStore Boolean: Flag to not store certificates in the storage backend
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organizationUnit List<String>: The organization unit of generated certificates
organizations List<String>: The organization of generated certificates
policyIdentifier List<SecretBackendRolePolicyIdentifier>: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
policyIdentifiers List<String>: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
postalCodes List<String>: The postal code of generated certificates
provinces List<String>: The province of generated certificates
requireCn Boolean: Flag to force CN usage
serverFlag Boolean: Flag to specify certificates for server use
streetAddresses List<String>: The street address of generated certificates
ttl String: The TTL, in seconds, for any certificate issued against this role.
useCsrCommonName Boolean: Flag to use the CN in the CSR
useCsrSans Boolean: Flag to use the SANs in the CSR

allowAnyName boolean: Flag to allow any name
allowBareDomains boolean: Flag to allow certificates matching the actual domain
allowGlobDomains boolean: Flag to allow names containing glob patterns.
allowIpSans boolean: Flag to allow IP SANs
allowLocalhost boolean: Flag to allow certificates for localhost
allowSubdomains boolean: Flag to allow certificates matching subdomains
allowWildcardCertificates boolean: Flag to allow wildcard certificates.
allowedDomains string[]: List of allowed domains for certificates
allowedDomainsTemplate boolean: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedOtherSans string[]: Defines allowed custom SANs
allowedSerialNumbers string[]: An array of allowed serial numbers to put in Subject
allowedUriSans string[]: Defines allowed URI SANs
allowedUriSansTemplate boolean: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedUserIds string[]: Defines allowed User IDs
backend string: The path the PKI secret backend is mounted at, with no leading or trailing /s.
basicConstraintsValidForNonCa boolean: Flag to mark basic constraints valid when issuing non-CA certificates
clientFlag boolean: Flag to specify certificates for client use
codeSigningFlag boolean: Flag to specify certificates for code signing use
countries string[]: The country of generated certificates
emailProtectionFlag boolean: Flag to specify certificates for email protection use
enforceHostnames boolean: Flag to allow only valid host names
extKeyUsageOids string[]: Specify the allowed extended key usage OIDs constraint on issued certificates
extKeyUsages string[]: Specify the allowed extended key usage constraint on issued certificates
generateLease boolean: Flag to generate leases with certificates
issuerRef string: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
keyBits number: The number of bits of generated keys
keyType string: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
keyUsages string[]: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
localities string[]: The locality of generated certificates
maxTtl string: The maximum lease TTL, in seconds, for the role.
name string: The name to identify this role within the backend. Must be unique within the backend.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
noStore boolean: Flag to not store certificates in the storage backend
notBeforeDuration string: Specifies the duration by which to backdate the NotBefore property.
organizationUnit string[]: The organization unit of generated certificates
organizations string[]: The organization of generated certificates
policyIdentifier SecretBackendRolePolicyIdentifier[]: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
policyIdentifiers string[]: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
postalCodes string[]: The postal code of generated certificates
provinces string[]: The province of generated certificates
requireCn boolean: Flag to force CN usage
serverFlag boolean: Flag to specify certificates for server use
streetAddresses string[]: The street address of generated certificates
ttl string: The TTL, in seconds, for any certificate issued against this role.
useCsrCommonName boolean: Flag to use the CN in the CSR
useCsrSans boolean: Flag to use the SANs in the CSR

allow_any_name bool: Flag to allow any name
allow_bare_domains bool: Flag to allow certificates matching the actual domain
allow_glob_domains bool: Flag to allow names containing glob patterns.
allow_ip_sans bool: Flag to allow IP SANs
allow_localhost bool: Flag to allow certificates for localhost
allow_subdomains bool: Flag to allow certificates matching subdomains
allow_wildcard_certificates bool: Flag to allow wildcard certificates.
allowed_domains Sequence[str]: List of allowed domains for certificates
allowed_domains_template bool: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowed_other_sans Sequence[str]: Defines allowed custom SANs
allowed_serial_numbers Sequence[str]: An array of allowed serial numbers to put in Subject
allowed_uri_sans Sequence[str]: Defines allowed URI SANs
allowed_uri_sans_template bool: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowed_user_ids Sequence[str]: Defines allowed User IDs
backend str: The path the PKI secret backend is mounted at, with no leading or trailing /s.
basic_constraints_valid_for_non_ca bool: Flag to mark basic constraints valid when issuing non-CA certificates
client_flag bool: Flag to specify certificates for client use
code_signing_flag bool: Flag to specify certificates for code signing use
countries Sequence[str]: The country of generated certificates
email_protection_flag bool: Flag to specify certificates for email protection use
enforce_hostnames bool: Flag to allow only valid host names
ext_key_usage_oids Sequence[str]: Specify the allowed extended key usage OIDs constraint on issued certificates
ext_key_usages Sequence[str]: Specify the allowed extended key usage constraint on issued certificates
generate_lease bool: Flag to generate leases with certificates
issuer_ref str: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
key_bits int: The number of bits of generated keys
key_type str: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
key_usages Sequence[str]: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
localities Sequence[str]: The locality of generated certificates
max_ttl str: The maximum lease TTL, in seconds, for the role.
name str: The name to identify this role within the backend. Must be unique within the backend.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
no_store bool: Flag to not store certificates in the storage backend
not_before_duration str: Specifies the duration by which to backdate the NotBefore property.
organization_unit Sequence[str]: The organization unit of generated certificates
organizations Sequence[str]: The organization of generated certificates
policy_identifier Sequence[pkisecret.SecretBackendRolePolicyIdentifierArgs]: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
policy_identifiers Sequence[str]: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
postal_codes Sequence[str]: The postal code of generated certificates
provinces Sequence[str]: The province of generated certificates
require_cn bool: Flag to force CN usage
server_flag bool: Flag to specify certificates for server use
street_addresses Sequence[str]: The street address of generated certificates
ttl str: The TTL, in seconds, for any certificate issued against this role.
use_csr_common_name bool: Flag to use the CN in the CSR
use_csr_sans bool: Flag to use the SANs in the CSR

allowAnyName Boolean: Flag to allow any name
allowBareDomains Boolean: Flag to allow certificates matching the actual domain
allowGlobDomains Boolean: Flag to allow names containing glob patterns.
allowIpSans Boolean: Flag to allow IP SANs
allowLocalhost Boolean: Flag to allow certificates for localhost
allowSubdomains Boolean: Flag to allow certificates matching subdomains
allowWildcardCertificates Boolean: Flag to allow wildcard certificates.
allowedDomains List<String>: List of allowed domains for certificates
allowedDomainsTemplate Boolean: Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedOtherSans List<String>: Defines allowed custom SANs
allowedSerialNumbers List<String>: An array of allowed serial numbers to put in Subject
allowedUriSans List<String>: Defines allowed URI SANs
allowedUriSansTemplate Boolean: Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedUserIds List<String>: Defines allowed User IDs
backend String: The path the PKI secret backend is mounted at, with no leading or trailing /s.
basicConstraintsValidForNonCa Boolean: Flag to mark basic constraints valid when issuing non-CA certificates
clientFlag Boolean: Flag to specify certificates for client use
codeSigningFlag Boolean: Flag to specify certificates for code signing use
countries List<String>: The country of generated certificates
emailProtectionFlag Boolean: Flag to specify certificates for email protection use
enforceHostnames Boolean: Flag to allow only valid host names
extKeyUsageOids List<String>: Specify the allowed extended key usage OIDs constraint on issued certificates
extKeyUsages List<String>: Specify the allowed extended key usage constraint on issued certificates
generateLease Boolean: Flag to generate leases with certificates
issuerRef String: Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
keyBits Number: The number of bits of generated keys
keyType String: The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa
keyUsages List<String>: Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list [].
localities List<String>: The locality of generated certificates
maxTtl String: The maximum lease TTL, in seconds, for the role.
name String: The name to identify this role within the backend. Must be unique within the backend.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
noStore Boolean: Flag to not store certificates in the storage backend
notBeforeDuration String: Specifies the duration by which to backdate the NotBefore property.
organizationUnit List<String>: The organization unit of generated certificates
organizations List<String>: The organization of generated certificates
policyIdentifier List<Property Map>: (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments:
policyIdentifiers List<String>: Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
postalCodes List<String>: The postal code of generated certificates
provinces List<String>: The province of generated certificates
requireCn Boolean: Flag to force CN usage
serverFlag Boolean: Flag to specify certificates for server use
streetAddresses List<String>: The street address of generated certificates
ttl String: The TTL, in seconds, for any certificate issued against this role.
useCsrCommonName Boolean: Flag to use the CN in the CSR
useCsrSans Boolean: Flag to use the SANs in the CSR

Supporting Types

SecretBackendRolePolicyIdentifier, SecretBackendRolePolicyIdentifierArgs

Oid string

The OID for the policy identifier

Cps string

The URL of the CPS for the policy identifier

Example usage:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRole;
import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
    var pki = new Mount(&quot;pki&quot;, MountArgs.builder()
        .path(&quot;pki&quot;)
        .type(&quot;pki&quot;)
        .defaultLeaseTtlSeconds(3600)
        .maxLeaseTtlSeconds(86400)
        .build());

    var role = new SecretBackendRole(&quot;role&quot;, SecretBackendRoleArgs.builder()
        .backend(pki.path())
        .name(&quot;my_role&quot;)
        .ttl(3600)
        .allowIpSans(true)
        .keyType(&quot;rsa&quot;)
        .keyBits(4096)
        .allowedDomains(            
            &quot;example.com&quot;,
            &quot;my.domain&quot;)
        .allowSubdomains(true)
        .policyIdentifiers(            
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.7.8&quot;),
                Map.entry(&quot;notice&quot;, &quot;I am a user Notice&quot;)
            ),
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.44947.1.2.4&quot;),
                Map.entry(&quot;cps&quot;, &quot;https://example.com&quot;)
            ))
        .build());

}
}

resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com

Notice string

A notice for the policy identifier

Oid string

The OID for the policy identifier

Cps string

The URL of the CPS for the policy identifier

Example usage:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRole;
import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
    var pki = new Mount(&quot;pki&quot;, MountArgs.builder()
        .path(&quot;pki&quot;)
        .type(&quot;pki&quot;)
        .defaultLeaseTtlSeconds(3600)
        .maxLeaseTtlSeconds(86400)
        .build());

    var role = new SecretBackendRole(&quot;role&quot;, SecretBackendRoleArgs.builder()
        .backend(pki.path())
        .name(&quot;my_role&quot;)
        .ttl(3600)
        .allowIpSans(true)
        .keyType(&quot;rsa&quot;)
        .keyBits(4096)
        .allowedDomains(            
            &quot;example.com&quot;,
            &quot;my.domain&quot;)
        .allowSubdomains(true)
        .policyIdentifiers(            
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.7.8&quot;),
                Map.entry(&quot;notice&quot;, &quot;I am a user Notice&quot;)
            ),
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.44947.1.2.4&quot;),
                Map.entry(&quot;cps&quot;, &quot;https://example.com&quot;)
            ))
        .build());

}
}

resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com

Notice string

A notice for the policy identifier

oid String

The OID for the policy identifier

cps String

The URL of the CPS for the policy identifier

Example usage:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRole;
import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
    var pki = new Mount(&quot;pki&quot;, MountArgs.builder()
        .path(&quot;pki&quot;)
        .type(&quot;pki&quot;)
        .defaultLeaseTtlSeconds(3600)
        .maxLeaseTtlSeconds(86400)
        .build());

    var role = new SecretBackendRole(&quot;role&quot;, SecretBackendRoleArgs.builder()
        .backend(pki.path())
        .name(&quot;my_role&quot;)
        .ttl(3600)
        .allowIpSans(true)
        .keyType(&quot;rsa&quot;)
        .keyBits(4096)
        .allowedDomains(            
            &quot;example.com&quot;,
            &quot;my.domain&quot;)
        .allowSubdomains(true)
        .policyIdentifiers(            
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.7.8&quot;),
                Map.entry(&quot;notice&quot;, &quot;I am a user Notice&quot;)
            ),
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.44947.1.2.4&quot;),
                Map.entry(&quot;cps&quot;, &quot;https://example.com&quot;)
            ))
        .build());

}
}

resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com

notice String

A notice for the policy identifier

oid string

The OID for the policy identifier

cps string

The URL of the CPS for the policy identifier

Example usage:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRole;
import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
    var pki = new Mount(&quot;pki&quot;, MountArgs.builder()
        .path(&quot;pki&quot;)
        .type(&quot;pki&quot;)
        .defaultLeaseTtlSeconds(3600)
        .maxLeaseTtlSeconds(86400)
        .build());

    var role = new SecretBackendRole(&quot;role&quot;, SecretBackendRoleArgs.builder()
        .backend(pki.path())
        .name(&quot;my_role&quot;)
        .ttl(3600)
        .allowIpSans(true)
        .keyType(&quot;rsa&quot;)
        .keyBits(4096)
        .allowedDomains(            
            &quot;example.com&quot;,
            &quot;my.domain&quot;)
        .allowSubdomains(true)
        .policyIdentifiers(            
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.7.8&quot;),
                Map.entry(&quot;notice&quot;, &quot;I am a user Notice&quot;)
            ),
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.44947.1.2.4&quot;),
                Map.entry(&quot;cps&quot;, &quot;https://example.com&quot;)
            ))
        .build());

}
}

resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com

notice string

A notice for the policy identifier

oid str

The OID for the policy identifier

cps str

The URL of the CPS for the policy identifier

Example usage:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRole;
import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
    var pki = new Mount(&quot;pki&quot;, MountArgs.builder()
        .path(&quot;pki&quot;)
        .type(&quot;pki&quot;)
        .defaultLeaseTtlSeconds(3600)
        .maxLeaseTtlSeconds(86400)
        .build());

    var role = new SecretBackendRole(&quot;role&quot;, SecretBackendRoleArgs.builder()
        .backend(pki.path())
        .name(&quot;my_role&quot;)
        .ttl(3600)
        .allowIpSans(true)
        .keyType(&quot;rsa&quot;)
        .keyBits(4096)
        .allowedDomains(            
            &quot;example.com&quot;,
            &quot;my.domain&quot;)
        .allowSubdomains(true)
        .policyIdentifiers(            
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.7.8&quot;),
                Map.entry(&quot;notice&quot;, &quot;I am a user Notice&quot;)
            ),
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.44947.1.2.4&quot;),
                Map.entry(&quot;cps&quot;, &quot;https://example.com&quot;)
            ))
        .build());

}
}

resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com

notice str

A notice for the policy identifier

oid String

The OID for the policy identifier

cps String

The URL of the CPS for the policy identifier

Example usage:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRole;
import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
    var pki = new Mount(&quot;pki&quot;, MountArgs.builder()
        .path(&quot;pki&quot;)
        .type(&quot;pki&quot;)
        .defaultLeaseTtlSeconds(3600)
        .maxLeaseTtlSeconds(86400)
        .build());

    var role = new SecretBackendRole(&quot;role&quot;, SecretBackendRoleArgs.builder()
        .backend(pki.path())
        .name(&quot;my_role&quot;)
        .ttl(3600)
        .allowIpSans(true)
        .keyType(&quot;rsa&quot;)
        .keyBits(4096)
        .allowedDomains(            
            &quot;example.com&quot;,
            &quot;my.domain&quot;)
        .allowSubdomains(true)
        .policyIdentifiers(            
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.7.8&quot;),
                Map.entry(&quot;notice&quot;, &quot;I am a user Notice&quot;)
            ),
            Map.ofEntries(
                Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.44947.1.2.4&quot;),
                Map.entry(&quot;cps&quot;, &quot;https://example.com&quot;)
            ))
        .build());

}
}

resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com

notice String

A notice for the policy identifier

Import

PKI secret backend roles can be imported using the path, e.g.

$ pulumi import vault:pkiSecret/secretBackendRole:SecretBackendRole role pki/roles/my_role

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v6.2.0 published on Friday, Jun 21, 2024 by Pulumi

pulumi/pulumi-vault

vault.pkiSecret.SecretBackendRole

On this page

On this page

Example Usage

Create SecretBackendRole Resource

Constructor syntax

Parameters

Constructor example

SecretBackendRole Resource Properties

Inputs

Outputs

Look up Existing SecretBackendRole Resource

Supporting Types

SecretBackendRolePolicyIdentifier, SecretBackendRolePolicyIdentifierArgs

Import

Package Details

On this page

On this page