SecretBackend

Import

The AD secret backend can be imported using the backend path, e.g.

 $ pulumi import vault:ad/secretBackend:SecretBackend ad ad

Create a SecretBackend Resource

new SecretBackend(name: string, args: SecretBackendArgs, opts?: CustomResourceOptions);
@overload
def SecretBackend(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  anonymous_group_search: Optional[bool] = None,
                  backend: Optional[str] = None,
                  binddn: Optional[str] = None,
                  bindpass: Optional[str] = None,
                  case_sensitive_names: Optional[bool] = None,
                  certificate: Optional[str] = None,
                  client_tls_cert: Optional[str] = None,
                  client_tls_key: Optional[str] = None,
                  default_lease_ttl_seconds: Optional[int] = None,
                  deny_null_bind: Optional[bool] = None,
                  description: Optional[str] = None,
                  discoverdn: Optional[bool] = None,
                  formatter: Optional[str] = None,
                  groupattr: Optional[str] = None,
                  groupdn: Optional[str] = None,
                  groupfilter: Optional[str] = None,
                  insecure_tls: Optional[bool] = None,
                  last_rotation_tolerance: Optional[int] = None,
                  length: Optional[int] = None,
                  local: Optional[bool] = None,
                  max_lease_ttl_seconds: Optional[int] = None,
                  max_ttl: Optional[int] = None,
                  password_policy: Optional[str] = None,
                  request_timeout: Optional[int] = None,
                  starttls: Optional[bool] = None,
                  tls_max_version: Optional[str] = None,
                  tls_min_version: Optional[str] = None,
                  ttl: Optional[int] = None,
                  upndomain: Optional[str] = None,
                  url: Optional[str] = None,
                  use_pre111_group_cn_behavior: Optional[bool] = None,
                  use_token_groups: Optional[bool] = None,
                  userattr: Optional[str] = None,
                  userdn: Optional[str] = None)
@overload
def SecretBackend(resource_name: str,
                  args: SecretBackendArgs,
                  opts: Optional[ResourceOptions] = None)
func NewSecretBackend(ctx *Context, name string, args SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)
public SecretBackend(string name, SecretBackendArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args SecretBackendArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args SecretBackendArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args SecretBackendArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args SecretBackendArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

SecretBackend Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The SecretBackend resource accepts the following input properties:

Binddn string
Distinguished name of object to bind when performing user and group search.
Bindpass string
Password to use along with binddn when performing user search.
AnonymousGroupSearch bool
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
CaseSensitiveNames bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int
Default lease duration for secrets in seconds.
DenyNullBind bool
Denies an unauthenticated LDAP bind request if the user’s password is empty; defaults to true.
Description string
Human-friendly description of the mount for the Active Directory backend.
Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
Formatter string
Text to insert the password into, ex. “customPrefix{{PASSWORD}}customSuffix”. This setting is deprecated and should instead use password_policy.

Deprecated: Formatter is deprecated and password_policy should be used with Vault >= 1.5.

Groupattr string
LDAP attribute to follow on the objects returned by the user search in order to enumerate user group membership. Examples: cn or memberOf. Defaults to cn.
Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string
Go template for querying the group membership of a user (optional). The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.
Length int
The desired length of passwords that Vault generates. This setting is deprecated and should instead use password_policy.

Deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.

Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.
MaxLeaseTtlSeconds int
Maximum possible lease duration for secrets in seconds.
MaxTtl int
In seconds, the maximum password time-to-live.
PasswordPolicy string
Name of the password policy to use to generate passwords.
RequestTimeout int
Timeout, in seconds, for the connection when making requests against the server before returning an error.
Starttls bool
Issue a StartTLS command after establishing unencrypted connection.
TlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int
In seconds, the default password time-to-live.
Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string
Attribute used when searching users. Defaults to cn.
Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org).
Binddn string
Distinguished name of object to bind when performing user and group search.
Bindpass string
Password to use along with binddn when performing user search.
AnonymousGroupSearch bool
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
CaseSensitiveNames bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int
Default lease duration for secrets in seconds.
DenyNullBind bool
Denies an unauthenticated LDAP bind request if the user’s password is empty; defaults to true.
Description string
Human-friendly description of the mount for the Active Directory backend.
Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
Formatter string
Text to insert the password into, ex. “customPrefix{{PASSWORD}}customSuffix”. This setting is deprecated and should instead use password_policy.

Deprecated: Formatter is deprecated and password_policy should be used with Vault >= 1.5.

Groupattr string
LDAP attribute to follow on the objects returned by the user search in order to enumerate user group membership. Examples: cn or memberOf. Defaults to cn.
Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string
Go template for querying the group membership of a user (optional). The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.
Length int
The desired length of passwords that Vault generates. This setting is deprecated and should instead use password_policy.

Deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.

Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.
MaxLeaseTtlSeconds int
Maximum possible lease duration for secrets in seconds.
MaxTtl int
In seconds, the maximum password time-to-live.
PasswordPolicy string
Name of the password policy to use to generate passwords.
RequestTimeout int
Timeout, in seconds, for the connection when making requests against the server before returning an error.
Starttls bool
Issue a StartTLS command after establishing unencrypted connection.
TlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int
In seconds, the default password time-to-live.
Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string
Attribute used when searching users. Defaults to cn.
Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org).
binddn string
Distinguished name of object to bind when performing user and group search.
bindpass string
Password to use along with binddn when performing user search.
anonymousGroupSearch boolean
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
caseSensitiveNames boolean
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds number
Default lease duration for secrets in seconds.
denyNullBind boolean
Denies an unauthenticated LDAP bind request if the user’s password is empty; defaults to true.
description string
Human-friendly description of the mount for the Active Directory backend.
discoverdn boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
formatter string
Text to insert the password into, ex. “customPrefix{{PASSWORD}}customSuffix”. This setting is deprecated and should instead use password_policy.

Deprecated: Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr string
LDAP attribute to follow on the objects returned by the user search in order to enumerate user group membership. Examples: cn or memberOf. Defaults to cn.
groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter string
Go template for querying the group membership of a user (optional). The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls boolean
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance number
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.
length number
The desired length of passwords that Vault generates. This setting is deprecated and should instead use password_policy.

Deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.

local boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.
maxLeaseTtlSeconds number
Maximum possible lease duration for secrets in seconds.
maxTtl number
In seconds, the maximum password time-to-live.
passwordPolicy string
Name of the password policy to use to generate passwords.
requestTimeout number
Timeout, in seconds, for the connection when making requests against the server before returning an error.
starttls boolean
Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl number
In seconds, the default password time-to-live.
upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior boolean
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups boolean
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr string
Attribute used when searching users. Defaults to cn.
userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org).
binddn str
Distinguished name of object to bind when performing user and group search.
bindpass str
Password to use along with binddn when performing user search.
anonymous_group_search bool
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend str
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
case_sensitive_names bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate str
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
client_tls_cert str
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
client_tls_key str
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
default_lease_ttl_seconds int
Default lease duration for secrets in seconds.
deny_null_bind bool
Denies an unauthenticated LDAP bind request if the user’s password is empty; defaults to true.
description str
Human-friendly description of the mount for the Active Directory backend.
discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
formatter str
Text to insert the password into, ex. “customPrefix{{PASSWORD}}customSuffix”. This setting is deprecated and should instead use password_policy.

Deprecated: Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr str
LDAP attribute to follow on the objects returned by the user search in order to enumerate user group membership. Examples: cn or memberOf. Defaults to cn.
groupdn str
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter str
Go template for querying the group membership of a user (optional). The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
last_rotation_tolerance int
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.
length int
The desired length of passwords that Vault generates. This setting is deprecated and should instead use password_policy.

Deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.

local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.
max_lease_ttl_seconds int
Maximum possible lease duration for secrets in seconds.
max_ttl int
In seconds, the maximum password time-to-live.
password_policy str
Name of the password policy to use to generate passwords.
request_timeout int
Timeout, in seconds, for the connection when making requests against the server before returning an error.
starttls bool
Issue a StartTLS command after establishing unencrypted connection.
tls_max_version str
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tls_min_version str
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl int
In seconds, the default password time-to-live.
upndomain str
Enables userPrincipalDomain login with [username]@UPNDomain.
url str
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
use_pre111_group_cn_behavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
use_token_groups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr str
Attribute used when searching users. Defaults to cn.
userdn str
LDAP domain to use for users (eg: ou=People,dc=example,dc=org).
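Added example (not code from the Pulumi provider or the Vault docs): a small Python linter that checks a dict of the Python-style arguments listed above against the constraints this page documents (mount path, TLS versions, insecure_tls, the comma-separated url list, deny_null_bind, deprecated formatter/length, TTL ordering), shown on a weak configuration beside a hardened one. The sample configurations, the placeholder values and the rule that a plain ldap:// URL without starttls is flagged are constructed assumptions, not statements from the page.

```python
"""Lint SecretBackend arguments against the constraints documented for the resource."""
from urllib.parse import urlsplit

# Accepted TLS version names, ordered oldest to newest (page: tls10, tls11, tls12, tls13).
TLS_VERSIONS = ["tls10", "tls11", "tls12", "tls13"]


def _tls_rank(name):
    return TLS_VERSIONS.index(name)


def lint_secret_backend(args):
    """Return a list of findings for a dict of snake_case SecretBackend arguments.

    An empty list means nothing was flagged. Unknown keys are ignored; only the
    constraints documented on this page (plus one labelled assumption) are checked.
    """
    findings = []

    # backend: mount path must not begin or end with "/" (defaults to "ad").
    backend = args.get("backend", "ad")
    if backend.startswith("/") or backend.endswith("/"):
        findings.append(f"backend {backend!r} must not begin or end with '/'")

    # tls_min_version / tls_max_version: both default to tls12; min must not exceed max.
    tls_min = args.get("tls_min_version", "tls12")
    tls_max = args.get("tls_max_version", "tls12")
    for key, val in (("tls_min_version", tls_min), ("tls_max_version", tls_max)):
        if val not in TLS_VERSIONS:
            findings.append(f"{key} {val!r} is not one of {', '.join(TLS_VERSIONS)}")
    if tls_min in TLS_VERSIONS and tls_max in TLS_VERSIONS:
        if _tls_rank(tls_min) > _tls_rank(tls_max):
            findings.append(f"tls_min_version {tls_min} is newer than tls_max_version {tls_max}")
        if _tls_rank(tls_min) < _tls_rank("tls12"):
            findings.append(f"tls_min_version {tls_min} is below the documented default tls12")

    # insecure_tls: skips LDAP server certificate verification (not for production).
    if args.get("insecure_tls", False):
        findings.append("insecure_tls=True skips LDAP server certificate verification")

    # url: comma-separated list tried in order; default ldap://127.0.0.1.
    # Assumption (not on the page): ldap:// without starttls sends bindpass in clear.
    starttls = args.get("starttls", False)
    for raw in args.get("url", "ldap://127.0.0.1").split(","):
        raw = raw.strip()
        scheme = urlsplit(raw).scheme
        if scheme not in ("ldap", "ldaps"):
            findings.append(f"url {raw!r} does not use an ldap:// or ldaps:// scheme")
        elif scheme == "ldap" and not starttls:
            findings.append(f"url {raw!r} is plaintext ldap:// and starttls is not enabled")

    # deny_null_bind: defaults to true; False permits binds with an empty password.
    if args.get("deny_null_bind", True) is False:
        findings.append("deny_null_bind=False allows unauthenticated (empty-password) binds")

    # formatter and length are deprecated in favour of password_policy (Vault >= 1.5).
    for key in ("formatter", "length"):
        if key in args:
            findings.append(f"{key} is deprecated; use password_policy instead")

    # TTL ordering: a default must not exceed its maximum.
    for lo, hi in (("ttl", "max_ttl"), ("default_lease_ttl_seconds", "max_lease_ttl_seconds")):
        if lo in args and hi in args and args[lo] > args[hi]:
            findings.append(f"{lo} ({args[lo]}) exceeds {hi} ({args[hi]})")

    return findings


# Constructed sample: a first attempt with several weak settings.
WEAK_ARGS = {
    "backend": "/ad/",
    "binddn": "CN=vault,OU=svc,DC=example,DC=org",
    "bindpass": "<constructed placeholder>",
    "url": "ldap://dc1.example.org, ldap://dc2.example.org",
    "insecure_tls": True,
    "tls_min_version": "tls10",
    "deny_null_bind": False,
    "length": 14,
    "ttl": 86400,
    "max_ttl": 3600,
}

# Constructed sample: the same mount using the documented safe choices.
HARDENED_ARGS = {
    "backend": "ad",
    "binddn": "CN=vault,OU=svc,DC=example,DC=org",
    "bindpass": "<constructed placeholder>",
    "url": "ldaps://dc1.example.org,ldaps://dc2.example.org",
    "certificate": "<PEM-encoded CA certificate placeholder>",
    "tls_min_version": "tls12",
    "tls_max_version": "tls13",
    "password_policy": "ad-service-accounts",
    "ttl": 3600,
    "max_ttl": 86400,
    "userdn": "OU=People,DC=example,DC=org",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_ARGS), ("hardened", HARDENED_ARGS)):
        print(f"{label}: {len(lint_secret_backend(cfg))} finding(s)")
        for f in lint_secret_backend(cfg):
            print("  -", f)
```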

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing SecretBackend Resource

Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        anonymous_group_search: Optional[bool] = None,
        backend: Optional[str] = None,
        binddn: Optional[str] = None,
        bindpass: Optional[str] = None,
        case_sensitive_names: Optional[bool] = None,
        certificate: Optional[str] = None,
        client_tls_cert: Optional[str] = None,
        client_tls_key: Optional[str] = None,
        default_lease_ttl_seconds: Optional[int] = None,
        deny_null_bind: Optional[bool] = None,
        description: Optional[str] = None,
        discoverdn: Optional[bool] = None,
        formatter: Optional[str] = None,
        groupattr: Optional[str] = None,
        groupdn: Optional[str] = None,
        groupfilter: Optional[str] = None,
        insecure_tls: Optional[bool] = None,
        last_rotation_tolerance: Optional[int] = None,
        length: Optional[int] = None,
        local: Optional[bool] = None,
        max_lease_ttl_seconds: Optional[int] = None,
        max_ttl: Optional[int] = None,
        password_policy: Optional[str] = None,
        request_timeout: Optional[int] = None,
        starttls: Optional[bool] = None,
        tls_max_version: Optional[str] = None,
        tls_min_version: Optional[str] = None,
        ttl: Optional[int] = None,
        upndomain: Optional[str] = None,
        url: Optional[str] = None,
        use_pre111_group_cn_behavior: Optional[bool] = None,
        use_token_groups: Optional[bool] = None,
        userattr: Optional[str] = None,
        userdn: Optional[str] = None) -> SecretBackend
func GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)
public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

AnonymousGroupSearch bool
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
Binddn string
Distinguished name of object to bind when performing user and group search.
Bindpass string
Password to use along with binddn when performing user search.
CaseSensitiveNames bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int
Default lease duration for secrets in seconds.
DenyNullBind bool
Denies an unauthenticated LDAP bind request if the user’s password is empty; defaults to true.
Description string
Human-friendly description of the mount for the Active Directory backend.
Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
Formatter string
Text to insert the password into, ex. “customPrefix{{PASSWORD}}customSuffix”. This setting is deprecated and should instead use password_policy.

Deprecated: Formatter is deprecated and password_policy should be used with Vault >= 1.5.

Groupattr string
LDAP attribute to follow on the objects returned by the user search in order to enumerate user group membership. Examples: cn or memberOf. Defaults to cn.
Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string
Go template for querying the group membership of a user (optional). The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.
Length int
The desired length of passwords that Vault generates. This setting is deprecated and should instead use password_policy.

Deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.

Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.
MaxLeaseTtlSeconds int
Maximum possible lease duration for secrets in seconds.
MaxTtl int
In seconds, the maximum password time-to-live.
PasswordPolicy string
Name of the password policy to use to generate passwords.
RequestTimeout int
Timeout, in seconds, for the connection when making requests against the server before returning an error.
Starttls bool
Issue a StartTLS command after establishing unencrypted connection.
TlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int
In seconds, the default password time-to-live.
Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string
Attribute used when searching users. Defaults to cn.
Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org).
AnonymousGroupSearch bool
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
Binddn string
Distinguished name of object to bind when performing user and group search.
Bindpass string
Password to use along with binddn when performing user search.
CaseSensitiveNames bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int
Default lease duration for secrets in seconds.
DenyNullBind bool
Denies an unauthenticated LDAP bind request if the user’s password is empty; defaults to true.
Description string
Human-friendly description of the mount for the Active Directory backend.
Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
Formatter string
Text to insert the password into, ex. “customPrefix{{PASSWORD}}customSuffix”. This setting is deprecated and should instead use password_policy.

Deprecated: Formatter is deprecated and password_policy should be used with Vault >= 1.5.

Groupattr string
LDAP attribute to follow on the objects returned by the user search in order to enumerate user group membership. Examples: cn or memberOf. Defaults to cn.
Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string
Go template for querying the group membership of a user (optional). The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.
Length int
The desired length of passwords that Vault generates. This setting is deprecated and should instead use password_policy.

Deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.

Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.
MaxLeaseTtlSeconds int
Maximum possible lease duration for secrets in seconds.
MaxTtl int
In seconds, the maximum password time-to-live.
PasswordPolicy string
Name of the password policy to use to generate passwords.
RequestTimeout int
Timeout, in seconds, for the connection when making requests against the server before returning an error.
Starttls bool
Issue a StartTLS command after establishing an unencrypted connection.
TlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int
In seconds, the default password time-to-live.
Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set to true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string
Attribute used when searching users. Defaults to cn.
Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org).
anonymousGroupSearch boolean
Use anonymous binds when performing LDAP group searches (if true, the initial credentials will still be used for the initial connection test).
backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
binddn string
Distinguished name of object to bind when performing user and group search.
bindpass string
Password to use along with binddn when performing user search.
caseSensitiveNames boolean
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds number
Default lease duration for secrets in seconds.
denyNullBind boolean
Denies an unauthenticated LDAP bind request if the user’s password is empty; defaults to true.
description string
Human-friendly description of the mount for the Active Directory backend.
discoverdn boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
formatter string
Text to insert the password into, e.g. “customPrefix{{PASSWORD}}customSuffix”. This setting is deprecated; use password_policy instead.

Deprecated: Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr string
LDAP attribute to follow on returned objects in order to enumerate user group membership. Examples: cn or memberOf. Defaults to cn.
groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter string
Go template for querying group membership of a user (optional). The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls boolean
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance number
The number of seconds after a Vault rotation during which, if Active Directory shows a later rotation, it should be considered out-of-band; this is the tolerance duration used when checking the last rotation time.
length number
The desired length of passwords that Vault generates. This setting is deprecated; use password_policy instead.

Deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.

local boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.
maxLeaseTtlSeconds number
Maximum possible lease duration for secrets in seconds.
maxTtl number
In seconds, the maximum password time-to-live.
passwordPolicy string
Name of the password policy to use to generate passwords.
requestTimeout number
Timeout, in seconds, for the connection when making requests against the server before returning an error.
starttls boolean
Issue a StartTLS command after establishing an unencrypted connection.
tlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl number
In seconds, the default password time-to-live.
upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior boolean
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set to true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups boolean
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr string
Attribute used when searching users. Defaults to cn.
userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org).
anonymous_group_search bool
Use anonymous binds when performing LDAP group searches (if true, the initial credentials will still be used for the initial connection test).
backend str
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
binddn str
Distinguished name of object to bind when performing user and group search.
bindpass str
Password to use along with binddn when performing user search.
case_sensitive_names bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate str
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
client_tls_cert str
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
client_tls_key str
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
default_lease_ttl_seconds int
Default lease duration for secrets in seconds.
deny_null_bind bool
Denies an unauthenticated LDAP bind request if the user’s password is empty; defaults to true.
description str
Human-friendly description of the mount for the Active Directory backend.
discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
formatter str
Text to insert the password into, e.g. “customPrefix{{PASSWORD}}customSuffix”. This setting is deprecated; use password_policy instead.

Deprecated: Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr str
LDAP attribute to follow on returned objects in order to enumerate user group membership. Examples: cn or memberOf. Defaults to cn.
groupdn str
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter str
Go template for querying group membership of a user (optional). The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
last_rotation_tolerance int
The number of seconds after a Vault rotation during which, if Active Directory shows a later rotation, it should be considered out-of-band; this is the tolerance duration used when checking the last rotation time.
length int
The desired length of passwords that Vault generates. This setting is deprecated; use password_policy instead.

Deprecated: Length is deprecated and password_policy should be used with Vault >= 1.5.

local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.
max_lease_ttl_seconds int
Maximum possible lease duration for secrets in seconds.
max_ttl int
In seconds, the maximum password time-to-live.
password_policy str
Name of the password policy to use to generate passwords.
request_timeout int
Timeout, in seconds, for the connection when making requests against the server before returning an error.
starttls bool
Issue a StartTLS command after establishing an unencrypted connection.
tls_max_version str
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tls_min_version str
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl int
In seconds, the default password time-to-live.
upndomain str
Enables userPrincipalDomain login with [username]@UPNDomain.
url str
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in order. Defaults to ldap://127.0.0.1.
use_pre111_group_cn_behavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set to true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
use_token_groups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr str
Attribute used when searching users. Defaults to cn.
userdn str
LDAP domain to use for users (eg: ou=People,dc=example,dc=org).
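The transport and password settings above (insecure_tls, tls_min_version/tls_max_version, url plus starttls, deny_null_bind, and the deprecated formatter/length options) are the ones that most often weaken an AD mount. The following added example, which is not part of pulumi-vault, lints a plain dict of these arguments before it is passed to the constructor; the hostnames, PEM text and policy name in the sample inputs are constructed placeholders.

```python
"""Hypothetical lint for vault.ad.SecretBackend args (added example, not pulumi-vault code).
Covers only settings this reference describes: insecure_tls, tls_min/max_version,
url scheme with starttls, deny_null_bind, and deprecated formatter/length vs password_policy."""
from typing import Any, Dict, List

# Ordering of the accepted TLS version strings listed in the reference.
TLS_ORDER = {"tls10": 0, "tls11": 1, "tls12": 2, "tls13": 3}

def lint_ad_backend(args: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    if args.get("insecure_tls", False):
        findings.append("insecure_tls=True skips LDAP server certificate verification")
    vmin = args.get("tls_min_version", "tls12")  # both default to tls12 per the reference
    vmax = args.get("tls_max_version", "tls12")
    for name, v in (("tls_min_version", vmin), ("tls_max_version", vmax)):
        if v not in TLS_ORDER:
            findings.append(f"{name}={v!r} is not one of tls10, tls11, tls12, tls13")
    if vmin in TLS_ORDER and vmax in TLS_ORDER:
        if TLS_ORDER[vmin] < TLS_ORDER["tls12"]:
            findings.append(f"tls_min_version={vmin} permits legacy TLS versions")
        if TLS_ORDER[vmin] > TLS_ORDER[vmax]:
            findings.append("tls_min_version is above tls_max_version; no TLS version is usable")
    # url may hold several comma-separated URLs, tried in order; each must be protected.
    for u in (x.strip() for x in args.get("url", "ldap://127.0.0.1").split(",")):
        if u.startswith("ldap://") and not args.get("starttls", False):
            findings.append(f"{u} without starttls sends the bind credentials unencrypted")
    if not args.get("deny_null_bind", True):
        findings.append("deny_null_bind=False allows an unauthenticated bind with an empty password")
    for dep in ("formatter", "length"):
        if dep in args:
            findings.append(f"{dep} is deprecated; use password_policy with Vault >= 1.5")
    return findings

# Constructed sample inputs; hostnames, PEM text and policy name are placeholders.
WEAK_ARGS = {
    "url": "ldap://dc1.example.internal",
    "insecure_tls": True,
    "tls_min_version": "tls10",
    "deny_null_bind": False,
    "formatter": "svc-{{PASSWORD}}",
}
HARDENED_ARGS = {
    "url": "ldaps://dc1.example.internal,ldaps://dc2.example.internal",
    "certificate": "-----BEGIN CERTIFICATE-----\n<CA PEM placeholder>\n-----END CERTIFICATE-----",
    "tls_min_version": "tls12",
    "tls_max_version": "tls13",
    "password_policy": "ad-service-accounts",
}
```

Running lint_ad_backend(WEAK_ARGS) yields five findings, while HARDENED_ARGS produces none; the same dict can then be unpacked into the SecretBackend constructor shown at the top of this page.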

Package Details

Repository
https://github.com/pulumi/pulumi-vault
License
Apache-2.0
Notes
This Pulumi package is based on the vault Terraform Provider.