SecretBackendRole

Creates a role on a PKI Secret Backend for Vault.

Example Usage

using Pulumi;
using Vault = Pulumi.Vault;

/// <summary>
/// Example stack: mounts a PKI secrets engine at "pki" and defines one
/// certificate-issuing role ("role") on that mount.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Mount settings: lease TTL defaults to 3600 s and is capped at 86400 s.
        var mountArgs = new Vault.PkiSecret.SecretBackendArgs
        {
            Path = "pki",
            DefaultLeaseTtlSeconds = 3600,
            MaxLeaseTtlSeconds = 86400,
        };
        var pki = new Vault.PkiSecret.SecretBackend("pki", mountArgs);

        // Role settings: these decide which names and key parameters a caller
        // of this role may request, so review them as an issuance policy.
        var roleArgs = new Vault.PkiSecret.SecretBackendRoleArgs
        {
            // Referencing the mount's Path output ties the role to the mount created above.
            Backend = pki.Path,
            // MaxTtl is not set on the role.
            // NOTE(review): presumably the mount's MaxLeaseTtlSeconds is then the ceiling; confirm.
            Ttl = "3600",
            // IP address SANs are accepted.
            // NOTE(review): AllowedDomains lists DNS names only; confirm IP SANs are needed here.
            AllowIpSans = true,
            KeyType = "rsa",
            KeyBits = 4096,
            AllowedDomains = 
            {
                "example.com",
                "my.domain",
            },
            // Names beneath each allowed domain can be issued.
            // NOTE(review): Vault documents this as covering wildcard names too; confirm that is intended.
            // AllowBareDomains is left unset, so whether example.com itself is issuable
            // depends on the engine default; verify before relying on it.
            AllowSubdomains = true,
        };
        var role = new Vault.PkiSecret.SecretBackendRole("role", roleArgs);
    }

}
package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v4/go/vault/pkiSecret"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main runs the Pulumi program: it mounts a PKI secrets engine at "pki" and
// registers one certificate-issuing role named "role" on that mount.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Mount settings: lease TTL defaults to 3600 s and is capped at 86400 s.
		mountArgs := &pkiSecret.SecretBackendArgs{
			Path:                   pulumi.String("pki"),
			DefaultLeaseTtlSeconds: pulumi.Int(3600),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
		}
		pki, err := pkiSecret.NewSecretBackend(ctx, "pki", mountArgs)
		if err != nil {
			return err
		}

		// Role settings act as the issuance policy for callers of this role.
		roleArgs := &pkiSecret.SecretBackendRoleArgs{
			// The mount's Path output ties the role to the mount created above.
			Backend: pki.Path,
			// MaxTtl is not set on the role.
			// NOTE(review): presumably the mount's MaxLeaseTtlSeconds is then the ceiling; confirm.
			Ttl: pulumi.String("3600"),
			// IP address SANs are accepted.
			// NOTE(review): AllowedDomains lists DNS names only; confirm IP SANs are needed here.
			AllowIpSans: pulumi.Bool(true),
			KeyType:     pulumi.String("rsa"),
			KeyBits:     pulumi.Int(4096),
			AllowedDomains: pulumi.StringArray{
				pulumi.String("example.com"),
				pulumi.String("my.domain"),
			},
			// Names beneath each allowed domain can be issued.
			// NOTE(review): Vault documents this as covering wildcard names too; confirm that is intended.
			AllowSubdomains: pulumi.Bool(true),
		}
		if _, err := pkiSecret.NewSecretBackendRole(ctx, "role", roleArgs); err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_vault as vault

# Mount a PKI secrets engine at "pki"; lease TTL defaults to 3600 s and is
# capped at 86400 s.
pki = vault.pki_secret.SecretBackend(
    "pki",
    path="pki",
    default_lease_ttl_seconds=3600,
    max_lease_ttl_seconds=86400,
)

# Define the issuing role on that mount. These settings decide which names and
# key parameters a caller of the role may request, so review them as policy.
role = vault.pki_secret.SecretBackendRole(
    "role",
    vault.pki_secret.SecretBackendRoleArgs(
        # The mount's path output ties the role to the mount created above.
        backend=pki.path,
        # max_ttl is not set on the role.
        # NOTE(review): presumably the mount's max lease TTL is then the ceiling; confirm.
        ttl="3600",
        # IP address SANs are accepted.
        # NOTE(review): allowed_domains lists DNS names only; confirm IP SANs are needed here.
        allow_ip_sans=True,
        key_type="rsa",
        key_bits=4096,
        allowed_domains=[
            "example.com",
            "my.domain",
        ],
        # Names beneath each allowed domain can be issued.
        # NOTE(review): Vault documents this as covering wildcard names too; confirm that is intended.
        allow_subdomains=True,
    ),
)
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

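// Mount a PKI secrets engine at "pki"; lease TTL defaults to 3600 s and is
// capped at 86400 s.
const pki = new vault.pkiSecret.SecretBackend("pki", {
    path: "pki",
    defaultLeaseTtlSeconds: 3600,
    maxLeaseTtlSeconds: 86400,
});

// Define the issuing role on that mount. These settings decide which names and
// key parameters a caller of the role may request, so review them as policy.
const role = new vault.pkiSecret.SecretBackendRole("role", {
    // The mount's path output ties the role to the mount created above.
    backend: pki.path,
    // `ttl` is declared as a string input, so the value is passed as a string.
    // maxTtl is not set on the role.
    // NOTE(review): presumably the mount's max lease TTL is then the ceiling; confirm.
    ttl: "3600",
    // IP address SANs are accepted.
    // NOTE(review): allowedDomains lists DNS names only; confirm IP SANs are needed here.
    allowIpSans: true,
    keyType: "rsa",
    keyBits: 4096,
    allowedDomains: [
        "example.com",
        "my.domain",
    ],
    // Names beneath each allowed domain can be issued.
    // NOTE(review): Vault documents this as covering wildcard names too; confirm that is intended.
    allowSubdomains: true,
});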

Create a SecretBackendRole Resource

new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);
@overload
def SecretBackendRole(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      allow_any_name: Optional[bool] = None,
                      allow_bare_domains: Optional[bool] = None,
                      allow_glob_domains: Optional[bool] = None,
                      allow_ip_sans: Optional[bool] = None,
                      allow_localhost: Optional[bool] = None,
                      allow_subdomains: Optional[bool] = None,
                      allowed_domains: Optional[Sequence[str]] = None,
                      allowed_domains_template: Optional[bool] = None,
                      allowed_other_sans: Optional[Sequence[str]] = None,
                      allowed_uri_sans: Optional[Sequence[str]] = None,
                      backend: Optional[str] = None,
                      basic_constraints_valid_for_non_ca: Optional[bool] = None,
                      client_flag: Optional[bool] = None,
                      code_signing_flag: Optional[bool] = None,
                      countries: Optional[Sequence[str]] = None,
                      email_protection_flag: Optional[bool] = None,
                      enforce_hostnames: Optional[bool] = None,
                      ext_key_usages: Optional[Sequence[str]] = None,
                      generate_lease: Optional[bool] = None,
                      key_bits: Optional[int] = None,
                      key_type: Optional[str] = None,
                      key_usages: Optional[Sequence[str]] = None,
                      localities: Optional[Sequence[str]] = None,
                      max_ttl: Optional[str] = None,
                      name: Optional[str] = None,
                      no_store: Optional[bool] = None,
                      not_before_duration: Optional[str] = None,
                      organization_unit: Optional[Sequence[str]] = None,
                      organizations: Optional[Sequence[str]] = None,
                      policy_identifiers: Optional[Sequence[str]] = None,
                      postal_codes: Optional[Sequence[str]] = None,
                      provinces: Optional[Sequence[str]] = None,
                      require_cn: Optional[bool] = None,
                      server_flag: Optional[bool] = None,
                      street_addresses: Optional[Sequence[str]] = None,
                      ttl: Optional[str] = None,
                      use_csr_common_name: Optional[bool] = None,
                      use_csr_sans: Optional[bool] = None)
@overload
def SecretBackendRole(resource_name: str,
                      args: SecretBackendRoleArgs,
                      opts: Optional[ResourceOptions] = None)
func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)
public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args SecretBackendRoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args SecretBackendRoleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args SecretBackendRoleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args SecretBackendRoleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

SecretBackendRole Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The SecretBackendRole resource accepts the following input properties:

Backend string
The path the PKI secret backend is mounted at, with no leading or trailing /s.
AllowAnyName bool
Flag to allow any name
AllowBareDomains bool
Flag to allow certificates matching the actual domain
AllowGlobDomains bool
Flag to allow names containing glob patterns.
AllowIpSans bool
Flag to allow IP SANs
AllowLocalhost bool
Flag to allow certificates for localhost
AllowSubdomains bool
Flag to allow certificates matching subdomains
AllowedDomains List<string>
List of allowed domains for certificates
AllowedDomainsTemplate bool
Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedOtherSans List<string>
Defines allowed custom SANs
AllowedUriSans List<string>
Defines allowed URI SANs
BasicConstraintsValidForNonCa bool
Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool
Flag to specify certificates for client use
CodeSigningFlag bool
Flag to specify certificates for code signing use
Countries List<string>
The country of generated certificates
EmailProtectionFlag bool
Flag to specify certificates for email protection use
EnforceHostnames bool
Flag to allow only valid host names
ExtKeyUsages List<string>
Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool
Flag to generate leases with certificates
KeyBits int
The number of bits of generated keys
KeyType string
The type of generated keys
KeyUsages List<string>
Specify the allowed key usage constraint on issued certificates
Localities List<string>
The locality of generated certificates
MaxTtl string
The maximum TTL
Name string
The name to identify this role within the backend. Must be unique within the backend.
NoStore bool
Flag to not store certificates in the storage backend
NotBeforeDuration string
Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit List<string>
The organization unit of generated certificates
Organizations List<string>
The organization of generated certificates
PolicyIdentifiers List<string>
Specify the list of allowed policy OIDs
PostalCodes List<string>
The postal code of generated certificates
Provinces List<string>
The province of generated certificates
RequireCn bool
Flag to force CN usage
ServerFlag bool
Flag to specify certificates for server use
StreetAddresses List<string>
The street address of generated certificates
Ttl string
The TTL
UseCsrCommonName bool
Flag to use the CN in the CSR
UseCsrSans bool
Flag to use the SANs in the CSR
Backend string
The path the PKI secret backend is mounted at, with no leading or trailing /s.
AllowAnyName bool
Flag to allow any name
AllowBareDomains bool
Flag to allow certificates matching the actual domain
AllowGlobDomains bool
Flag to allow names containing glob patterns.
AllowIpSans bool
Flag to allow IP SANs
AllowLocalhost bool
Flag to allow certificates for localhost
AllowSubdomains bool
Flag to allow certificates matching subdomains
AllowedDomains []string
List of allowed domains for certificates
AllowedDomainsTemplate bool
Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedOtherSans []string
Defines allowed custom SANs
AllowedUriSans []string
Defines allowed URI SANs
BasicConstraintsValidForNonCa bool
Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool
Flag to specify certificates for client use
CodeSigningFlag bool
Flag to specify certificates for code signing use
Countries []string
The country of generated certificates
EmailProtectionFlag bool
Flag to specify certificates for email protection use
EnforceHostnames bool
Flag to allow only valid host names
ExtKeyUsages []string
Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool
Flag to generate leases with certificates
KeyBits int
The number of bits of generated keys
KeyType string
The type of generated keys
KeyUsages []string
Specify the allowed key usage constraint on issued certificates
Localities []string
The locality of generated certificates
MaxTtl string
The maximum TTL
Name string
The name to identify this role within the backend. Must be unique within the backend.
NoStore bool
Flag to not store certificates in the storage backend
NotBeforeDuration string
Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit []string
The organization unit of generated certificates
Organizations []string
The organization of generated certificates
PolicyIdentifiers []string
Specify the list of allowed policy OIDs
PostalCodes []string
The postal code of generated certificates
Provinces []string
The province of generated certificates
RequireCn bool
Flag to force CN usage
ServerFlag bool
Flag to specify certificates for server use
StreetAddresses []string
The street address of generated certificates
Ttl string
The TTL
UseCsrCommonName bool
Flag to use the CN in the CSR
UseCsrSans bool
Flag to use the SANs in the CSR
backend string
The path the PKI secret backend is mounted at, with no leading or trailing /s.
allowAnyName boolean
Flag to allow any name
allowBareDomains boolean
Flag to allow certificates matching the actual domain
allowGlobDomains boolean
Flag to allow names containing glob patterns.
allowIpSans boolean
Flag to allow IP SANs
allowLocalhost boolean
Flag to allow certificates for localhost
allowSubdomains boolean
Flag to allow certificates matching subdomains
allowedDomains string[]
List of allowed domains for certificates
allowedDomainsTemplate boolean
Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedOtherSans string[]
Defines allowed custom SANs
allowedUriSans string[]
Defines allowed URI SANs
basicConstraintsValidForNonCa boolean
Flag to mark basic constraints valid when issuing non-CA certificates
clientFlag boolean
Flag to specify certificates for client use
codeSigningFlag boolean
Flag to specify certificates for code signing use
countries string[]
The country of generated certificates
emailProtectionFlag boolean
Flag to specify certificates for email protection use
enforceHostnames boolean
Flag to allow only valid host names
extKeyUsages string[]
Specify the allowed extended key usage constraint on issued certificates
generateLease boolean
Flag to generate leases with certificates
keyBits number
The number of bits of generated keys
keyType string
The type of generated keys
keyUsages string[]
Specify the allowed key usage constraint on issued certificates
localities string[]
The locality of generated certificates
maxTtl string
The maximum TTL
name string
The name to identify this role within the backend. Must be unique within the backend.
noStore boolean
Flag to not store certificates in the storage backend
notBeforeDuration string
Specifies the duration by which to backdate the NotBefore property.
organizationUnit string[]
The organization unit of generated certificates
organizations string[]
The organization of generated certificates
policyIdentifiers string[]
Specify the list of allowed policy OIDs
postalCodes string[]
The postal code of generated certificates
provinces string[]
The province of generated certificates
requireCn boolean
Flag to force CN usage
serverFlag boolean
Flag to specify certificates for server use
streetAddresses string[]
The street address of generated certificates
ttl string
The TTL
useCsrCommonName boolean
Flag to use the CN in the CSR
useCsrSans boolean
Flag to use the SANs in the CSR
backend str
The path the PKI secret backend is mounted at, with no leading or trailing /s.
allow_any_name bool
Flag to allow any name
allow_bare_domains bool
Flag to allow certificates matching the actual domain
allow_glob_domains bool
Flag to allow names containing glob patterns.
allow_ip_sans bool
Flag to allow IP SANs
allow_localhost bool
Flag to allow certificates for localhost
allow_subdomains bool
Flag to allow certificates matching subdomains
allowed_domains Sequence[str]
List of allowed domains for certificates
allowed_domains_template bool
Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowed_other_sans Sequence[str]
Defines allowed custom SANs
allowed_uri_sans Sequence[str]
Defines allowed URI SANs
basic_constraints_valid_for_non_ca bool
Flag to mark basic constraints valid when issuing non-CA certificates
client_flag bool
Flag to specify certificates for client use
code_signing_flag bool
Flag to specify certificates for code signing use
countries Sequence[str]
The country of generated certificates
email_protection_flag bool
Flag to specify certificates for email protection use
enforce_hostnames bool
Flag to allow only valid host names
ext_key_usages Sequence[str]
Specify the allowed extended key usage constraint on issued certificates
generate_lease bool
Flag to generate leases with certificates
key_bits int
The number of bits of generated keys
key_type str
The type of generated keys
key_usages Sequence[str]
Specify the allowed key usage constraint on issued certificates
localities Sequence[str]
The locality of generated certificates
max_ttl str
The maximum TTL
name str
The name to identify this role within the backend. Must be unique within the backend.
no_store bool
Flag to not store certificates in the storage backend
not_before_duration str
Specifies the duration by which to backdate the NotBefore property.
organization_unit Sequence[str]
The organization unit of generated certificates
organizations Sequence[str]
The organization of generated certificates
policy_identifiers Sequence[str]
Specify the list of allowed policy OIDs
postal_codes Sequence[str]
The postal code of generated certificates
provinces Sequence[str]
The province of generated certificates
require_cn bool
Flag to force CN usage
server_flag bool
Flag to specify certificates for server use
street_addresses Sequence[str]
The street address of generated certificates
ttl str
The TTL
use_csr_common_name bool
Flag to use the CN in the CSR
use_csr_sans bool
Flag to use the SANs in the CSR

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing SecretBackendRole Resource

Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allow_any_name: Optional[bool] = None,
        allow_bare_domains: Optional[bool] = None,
        allow_glob_domains: Optional[bool] = None,
        allow_ip_sans: Optional[bool] = None,
        allow_localhost: Optional[bool] = None,
        allow_subdomains: Optional[bool] = None,
        allowed_domains: Optional[Sequence[str]] = None,
        allowed_domains_template: Optional[bool] = None,
        allowed_other_sans: Optional[Sequence[str]] = None,
        allowed_uri_sans: Optional[Sequence[str]] = None,
        backend: Optional[str] = None,
        basic_constraints_valid_for_non_ca: Optional[bool] = None,
        client_flag: Optional[bool] = None,
        code_signing_flag: Optional[bool] = None,
        countries: Optional[Sequence[str]] = None,
        email_protection_flag: Optional[bool] = None,
        enforce_hostnames: Optional[bool] = None,
        ext_key_usages: Optional[Sequence[str]] = None,
        generate_lease: Optional[bool] = None,
        key_bits: Optional[int] = None,
        key_type: Optional[str] = None,
        key_usages: Optional[Sequence[str]] = None,
        localities: Optional[Sequence[str]] = None,
        max_ttl: Optional[str] = None,
        name: Optional[str] = None,
        no_store: Optional[bool] = None,
        not_before_duration: Optional[str] = None,
        organization_unit: Optional[Sequence[str]] = None,
        organizations: Optional[Sequence[str]] = None,
        policy_identifiers: Optional[Sequence[str]] = None,
        postal_codes: Optional[Sequence[str]] = None,
        provinces: Optional[Sequence[str]] = None,
        require_cn: Optional[bool] = None,
        server_flag: Optional[bool] = None,
        street_addresses: Optional[Sequence[str]] = None,
        ttl: Optional[str] = None,
        use_csr_common_name: Optional[bool] = None,
        use_csr_sans: Optional[bool] = None) -> SecretBackendRole
func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)
public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowAnyName bool
Flag to allow any name
AllowBareDomains bool
Flag to allow certificates matching the actual domain
AllowGlobDomains bool
Flag to allow names containing glob patterns.
AllowIpSans bool
Flag to allow IP SANs
AllowLocalhost bool
Flag to allow certificates for localhost
AllowSubdomains bool
Flag to allow certificates matching subdomains
AllowedDomains List<string>
List of allowed domains for certificates
AllowedDomainsTemplate bool
Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedOtherSans List<string>
Defines allowed custom SANs
AllowedUriSans List<string>
Defines allowed URI SANs
Backend string
The path the PKI secret backend is mounted at, with no leading or trailing /s.
BasicConstraintsValidForNonCa bool
Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool
Flag to specify certificates for client use
CodeSigningFlag bool
Flag to specify certificates for code signing use
Countries List<string>
The country of generated certificates
EmailProtectionFlag bool
Flag to specify certificates for email protection use
EnforceHostnames bool
Flag to allow only valid host names
ExtKeyUsages List<string>
Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool
Flag to generate leases with certificates
KeyBits int
The number of bits of generated keys
KeyType string
The type of generated keys
KeyUsages List<string>
Specify the allowed key usage constraint on issued certificates
Localities List<string>
The locality of generated certificates
MaxTtl string
The maximum TTL
Name string
The name to identify this role within the backend. Must be unique within the backend.
NoStore bool
Flag to not store certificates in the storage backend
NotBeforeDuration string
Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit List<string>
The organization unit of generated certificates
Organizations List<string>
The organization of generated certificates
PolicyIdentifiers List<string>
Specify the list of allowed policy OIDs
PostalCodes List<string>
The postal code of generated certificates
Provinces List<string>
The province of generated certificates
RequireCn bool
Flag to force CN usage
ServerFlag bool
Flag to specify certificates for server use
StreetAddresses List<string>
The street address of generated certificates
Ttl string
The TTL
UseCsrCommonName bool
Flag to use the CN in the CSR
UseCsrSans bool
Flag to use the SANs in the CSR
AllowAnyName bool
Flag to allow any name
AllowBareDomains bool
Flag to allow certificates matching the actual domain
AllowGlobDomains bool
Flag to allow names containing glob patterns.
AllowIpSans bool
Flag to allow IP SANs
AllowLocalhost bool
Flag to allow certificates for localhost
AllowSubdomains bool
Flag to allow certificates matching subdomains
AllowedDomains []string
List of allowed domains for certificates
AllowedDomainsTemplate bool
Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
AllowedOtherSans []string
Defines allowed custom SANs
AllowedUriSans []string
Defines allowed URI SANs
Backend string
The path the PKI secret backend is mounted at, with no leading or trailing /s.
BasicConstraintsValidForNonCa bool
Flag to mark basic constraints valid when issuing non-CA certificates
ClientFlag bool
Flag to specify certificates for client use
CodeSigningFlag bool
Flag to specify certificates for code signing use
Countries []string
The country of generated certificates
EmailProtectionFlag bool
Flag to specify certificates for email protection use
EnforceHostnames bool
Flag to allow only valid host names
ExtKeyUsages []string
Specify the allowed extended key usage constraint on issued certificates
GenerateLease bool
Flag to generate leases with certificates
KeyBits int
The number of bits of generated keys
KeyType string
The type of generated keys
KeyUsages []string
Specify the allowed key usage constraint on issued certificates
Localities []string
The locality of generated certificates
MaxTtl string
The maximum TTL
Name string
The name to identify this role within the backend. Must be unique within the backend.
NoStore bool
Flag to not store certificates in the storage backend
NotBeforeDuration string
Specifies the duration by which to backdate the NotBefore property.
OrganizationUnit []string
The organization unit of generated certificates
Organizations []string
The organization of generated certificates
PolicyIdentifiers []string
Specify the list of allowed policy OIDs
PostalCodes []string
The postal code of generated certificates
Provinces []string
The province of generated certificates
RequireCn bool
Flag to force CN usage
ServerFlag bool
Flag to specify certificates for server use
StreetAddresses []string
The street address of generated certificates
Ttl string
The TTL
UseCsrCommonName bool
Flag to use the CN in the CSR
UseCsrSans bool
Flag to use the SANs in the CSR
allowAnyName boolean
Flag to allow any name
allowBareDomains boolean
Flag to allow certificates matching the actual domain
allowGlobDomains boolean
Flag to allow names containing glob patterns.
allowIpSans boolean
Flag to allow IP SANs
allowLocalhost boolean
Flag to allow certificates for localhost
allowSubdomains boolean
Flag to allow certificates matching subdomains
allowedDomains string[]
List of allowed domains for certificates
allowedDomainsTemplate boolean
Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowedOtherSans string[]
Defines allowed custom SANs
allowedUriSans string[]
Defines allowed URI SANs
backend string
The path the PKI secret backend is mounted at, with no leading or trailing /s.
basicConstraintsValidForNonCa boolean
Flag to mark basic constraints valid when issuing non-CA certificates
clientFlag boolean
Flag to specify certificates for client use
codeSigningFlag boolean
Flag to specify certificates for code signing use
countries string[]
The country of generated certificates
emailProtectionFlag boolean
Flag to specify certificates for email protection use
enforceHostnames boolean
Flag to allow only valid host names
extKeyUsages string[]
Specify the allowed extended key usage constraint on issued certificates
generateLease boolean
Flag to generate leases with certificates
keyBits number
The number of bits of generated keys
keyType string
The type of generated keys
keyUsages string[]
Specify the allowed key usage constraint on issued certificates
localities string[]
The locality of generated certificates
maxTtl string
The maximum TTL
name string
The name to identify this role within the backend. Must be unique within the backend.
noStore boolean
Flag to not store certificates in the storage backend
notBeforeDuration string
Specifies the duration by which to backdate the NotBefore property.
organizationUnit string[]
The organization unit of generated certificates
organizations string[]
The organization of generated certificates
policyIdentifiers string[]
Specify the list of allowed policy OIDs
postalCodes string[]
The postal code of generated certificates
provinces string[]
The province of generated certificates
requireCn boolean
Flag to force CN usage
serverFlag boolean
Flag to specify certificates for server use
streetAddresses string[]
The street address of generated certificates
ttl string
The TTL
useCsrCommonName boolean
Flag to use the CN in the CSR
useCsrSans boolean
Flag to use the SANs in the CSR
allow_any_name bool
Flag to allow any name
allow_bare_domains bool
Flag to allow certificates matching the actual domain
allow_glob_domains bool
Flag to allow names containing glob patterns.
allow_ip_sans bool
Flag to allow IP SANs
allow_localhost bool
Flag to allow certificates for localhost
allow_subdomains bool
Flag to allow certificates matching subdomains
allowed_domains Sequence[str]
List of allowed domains for certificates
allowed_domains_template bool
Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
allowed_other_sans Sequence[str]
Defines allowed custom SANs
allowed_uri_sans Sequence[str]
Defines allowed URI SANs
backend str
The path the PKI secret backend is mounted at, with no leading or trailing /s.
basic_constraints_valid_for_non_ca bool
Flag to mark basic constraints valid when issuing non-CA certificates
client_flag bool
Flag to specify certificates for client use
code_signing_flag bool
Flag to specify certificates for code signing use
countries Sequence[str]
The country of generated certificates
email_protection_flag bool
Flag to specify certificates for email protection use
enforce_hostnames bool
Flag to allow only valid host names
ext_key_usages Sequence[str]
Specify the allowed extended key usage constraint on issued certificates
generate_lease bool
Flag to generate leases with certificates
key_bits int
The number of bits of generated keys
key_type str
The type of generated keys
key_usages Sequence[str]
Specify the allowed key usage constraint on issued certificates
localities Sequence[str]
The locality of generated certificates
max_ttl str
The maximum TTL
name str
The name to identify this role within the backend. Must be unique within the backend.
no_store bool
Flag to not store certificates in the storage backend
not_before_duration str
Specifies the duration by which to backdate the NotBefore property.
organization_unit Sequence[str]
The organization unit of generated certificates
organizations Sequence[str]
The organization of generated certificates
policy_identifiers Sequence[str]
Specify the list of allowed policy OIDs
postal_codes Sequence[str]
The postal code of generated certificates
provinces Sequence[str]
The province of generated certificates
require_cn bool
Flag to force CN usage
server_flag bool
Flag to specify certificates for server use
street_addresses Sequence[str]
The street address of generated certificates
ttl str
The TTL
use_csr_common_name bool
Flag to use the CN in the CSR
use_csr_sans bool
Flag to use the SANs in the CSR

Import

PKI secret backend roles can be imported using the path, e.g.

 $ pulumi import vault:pkiSecret/secretBackendRole:SecretBackendRole role pki/roles/my_role

Package Details

Repository
https://github.com/pulumi/pulumi-vault
License
Apache-2.0
Notes
This Pulumi package is based on the vault Terraform Provider.