Viewing docs for TLS v5.3.0
published on Saturday, Jan 31, 2026 by Pulumi
published on Saturday, Jan 31, 2026 by Pulumi
Viewing docs for TLS v5.3.0
published on Saturday, Jan 31, 2026 by Pulumi
published on Saturday, Jan 31, 2026 by Pulumi
Get a public key from a PEM-encoded private key.
Use this data source to get the public key from a PEM (RFC 1421) or OpenSSH PEM (RFC 4716) formatted private key, for use in other resources.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as tls from "@pulumi/tls";
const ed25519_example = new tls.PrivateKey("ed25519-example", {algorithm: "ED25519"});
// Public key loaded from a terraform-generated private key, using the PEM (RFC 1421) format
const privateKeyPem_example = tls.getPublicKeyOutput({
privateKeyPem: ed25519_example.privateKeyPem,
});
// Public key loaded from filesystem, using the Open SSH (RFC 4716) format
const privateKeyOpenssh_example = std.file({
input: "~/.ssh/id_rsa_rfc4716",
}).then(invoke => tls.getPublicKey({
privateKeyOpenssh: invoke.result,
}));
import pulumi
import pulumi_std as std
import pulumi_tls as tls
ed25519_example = tls.PrivateKey("ed25519-example", algorithm="ED25519")
# Public key loaded from a terraform-generated private key, using the PEM (RFC 1421) format
private_key_pem_example = tls.get_public_key_output(private_key_pem=ed25519_example.private_key_pem)
# Public key loaded from filesystem, using the Open SSH (RFC 4716) format
private_key_openssh_example = tls.get_public_key(private_key_openssh=std.file(input="~/.ssh/id_rsa_rfc4716").result)
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-tls/sdk/v5/go/tls"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
ed25519_example, err := tls.NewPrivateKey(ctx, "ed25519-example", &tls.PrivateKeyArgs{
Algorithm: pulumi.String("ED25519"),
})
if err != nil {
return err
}
// Public key loaded from a terraform-generated private key, using the PEM (RFC 1421) format
_ = tls.GetPublicKeyOutput(ctx, tls.GetPublicKeyOutputArgs{
PrivateKeyPem: ed25519_example.PrivateKeyPem,
}, nil)
// Public key loaded from filesystem, using the Open SSH (RFC 4716) format
_, err = tls.GetPublicKey(ctx, &tls.GetPublicKeyArgs{
PrivateKeyOpenssh: pulumi.StringRef(std.File(ctx, &std.FileArgs{
Input: "~/.ssh/id_rsa_rfc4716",
}, nil).Result),
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Tls = Pulumi.Tls;
return await Deployment.RunAsync(() =>
{
var ed25519_example = new Tls.PrivateKey("ed25519-example", new()
{
Algorithm = "ED25519",
});
// Public key loaded from a terraform-generated private key, using the PEM (RFC 1421) format
var privateKeyPem_example = Tls.GetPublicKey.Invoke(new()
{
PrivateKeyPem = ed25519_example.PrivateKeyPem,
});
// Public key loaded from filesystem, using the Open SSH (RFC 4716) format
var privateKeyOpenssh_example = Tls.GetPublicKey.Invoke(new()
{
PrivateKeyOpenssh = Std.File.Invoke(new()
{
Input = "~/.ssh/id_rsa_rfc4716",
}).Result,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.tls.PrivateKey;
import com.pulumi.tls.PrivateKeyArgs;
import com.pulumi.tls.TlsFunctions;
import com.pulumi.tls.inputs.GetPublicKeyArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var ed25519_example = new PrivateKey("ed25519-example", PrivateKeyArgs.builder()
.algorithm("ED25519")
.build());
// Public key loaded from a terraform-generated private key, using the PEM (RFC 1421) format
final var privateKeyPem-example = TlsFunctions.getPublicKey(GetPublicKeyArgs.builder()
.privateKeyPem(ed25519_example.privateKeyPem())
.build());
// Public key loaded from filesystem, using the Open SSH (RFC 4716) format
final var privateKeyOpenssh-example = TlsFunctions.getPublicKey(GetPublicKeyArgs.builder()
.privateKeyOpenssh(StdFunctions.file(FileArgs.builder()
.input("~/.ssh/id_rsa_rfc4716")
.build()).result())
.build());
}
}
resources:
ed25519-example:
type: tls:PrivateKey
properties:
algorithm: ED25519
variables:
# Public key loaded from a terraform-generated private key, using the PEM (RFC 1421) format
privateKeyPem-example:
fn::invoke:
function: tls:getPublicKey
arguments:
privateKeyPem: ${["ed25519-example"].privateKeyPem}
# Public key loaded from filesystem, using the Open SSH (RFC 4716) format
privateKeyOpenssh-example:
fn::invoke:
function: tls:getPublicKey
arguments:
privateKeyOpenssh:
fn::invoke:
function: std:file
arguments:
input: ~/.ssh/id_rsa_rfc4716
return: result
Using getPublicKey
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getPublicKey(args: GetPublicKeyArgs, opts?: InvokeOptions): Promise<GetPublicKeyResult>
function getPublicKeyOutput(args: GetPublicKeyOutputArgs, opts?: InvokeOptions): Output<GetPublicKeyResult>def get_public_key(private_key_openssh: Optional[str] = None,
private_key_pem: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetPublicKeyResult
def get_public_key_output(private_key_openssh: Optional[pulumi.Input[str]] = None,
private_key_pem: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetPublicKeyResult]func GetPublicKey(ctx *Context, args *GetPublicKeyArgs, opts ...InvokeOption) (*GetPublicKeyResult, error)
func GetPublicKeyOutput(ctx *Context, args *GetPublicKeyOutputArgs, opts ...InvokeOption) GetPublicKeyResultOutput> Note: This function is named GetPublicKey in the Go SDK.
public static class GetPublicKey
{
public static Task<GetPublicKeyResult> InvokeAsync(GetPublicKeyArgs args, InvokeOptions? opts = null)
public static Output<GetPublicKeyResult> Invoke(GetPublicKeyInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetPublicKeyResult> getPublicKey(GetPublicKeyArgs args, InvokeOptions options)
public static Output<GetPublicKeyResult> getPublicKey(GetPublicKeyArgs args, InvokeOptions options)
fn::invoke:
function: tls:index/getPublicKey:getPublicKey
arguments:
# arguments dictionaryThe following arguments are supported:
- Private
Key stringOpenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - Private
Key stringPem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
- Private
Key stringOpenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - Private
Key stringPem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
- private
Key StringOpenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - private
Key StringPem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
- private
Key stringOpenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - private
Key stringPem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
- private_
key_ stropenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - private_
key_ strpem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
- private
Key StringOpenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - private
Key StringPem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
getPublicKey Result
The following output properties are available:
- Algorithm string
- The name of the algorithm used by the given private key. Possible values are:
RSA,ECDSA,ED25519. - Id string
- Unique identifier for this data source: hexadecimal representation of the SHA1 checksum of the data source.
- Public
Key stringFingerprint Md5 - The fingerprint of the public key data in OpenSSH MD5 hash format, e.g.
aa:bb:cc:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - Public
Key stringFingerprint Sha256 - The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g.
SHA256:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - Public
Key stringOpenssh - The public key, in OpenSSH PEM (RFC 4716) format. This is also known as 'Authorized Keys' format. This is not populated for
ECDSAwith curveP224, as it is not supported. NOTE: the underlying libraries that generate this value append a\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - Public
Key stringPem - The public key, in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - Private
Key stringOpenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - Private
Key stringPem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
- Algorithm string
- The name of the algorithm used by the given private key. Possible values are:
RSA,ECDSA,ED25519. - Id string
- Unique identifier for this data source: hexadecimal representation of the SHA1 checksum of the data source.
- Public
Key stringFingerprint Md5 - The fingerprint of the public key data in OpenSSH MD5 hash format, e.g.
aa:bb:cc:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - Public
Key stringFingerprint Sha256 - The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g.
SHA256:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - Public
Key stringOpenssh - The public key, in OpenSSH PEM (RFC 4716) format. This is also known as 'Authorized Keys' format. This is not populated for
ECDSAwith curveP224, as it is not supported. NOTE: the underlying libraries that generate this value append a\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - Public
Key stringPem - The public key, in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - Private
Key stringOpenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - Private
Key stringPem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
- algorithm String
- The name of the algorithm used by the given private key. Possible values are:
RSA,ECDSA,ED25519. - id String
- Unique identifier for this data source: hexadecimal representation of the SHA1 checksum of the data source.
- public
Key StringFingerprint Md5 - The fingerprint of the public key data in OpenSSH MD5 hash format, e.g.
aa:bb:cc:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - public
Key StringFingerprint Sha256 - The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g.
SHA256:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - public
Key StringOpenssh - The public key, in OpenSSH PEM (RFC 4716) format. This is also known as 'Authorized Keys' format. This is not populated for
ECDSAwith curveP224, as it is not supported. NOTE: the underlying libraries that generate this value append a\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - public
Key StringPem - The public key, in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - private
Key StringOpenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - private
Key StringPem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
- algorithm string
- The name of the algorithm used by the given private key. Possible values are:
RSA,ECDSA,ED25519. - id string
- Unique identifier for this data source: hexadecimal representation of the SHA1 checksum of the data source.
- public
Key stringFingerprint Md5 - The fingerprint of the public key data in OpenSSH MD5 hash format, e.g.
aa:bb:cc:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - public
Key stringFingerprint Sha256 - The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g.
SHA256:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - public
Key stringOpenssh - The public key, in OpenSSH PEM (RFC 4716) format. This is also known as 'Authorized Keys' format. This is not populated for
ECDSAwith curveP224, as it is not supported. NOTE: the underlying libraries that generate this value append a\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - public
Key stringPem - The public key, in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - private
Key stringOpenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - private
Key stringPem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
- algorithm str
- The name of the algorithm used by the given private key. Possible values are:
RSA,ECDSA,ED25519. - id str
- Unique identifier for this data source: hexadecimal representation of the SHA1 checksum of the data source.
- public_
key_ strfingerprint_ md5 - The fingerprint of the public key data in OpenSSH MD5 hash format, e.g.
aa:bb:cc:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - public_
key_ strfingerprint_ sha256 - The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g.
SHA256:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - public_
key_ stropenssh - The public key, in OpenSSH PEM (RFC 4716) format. This is also known as 'Authorized Keys' format. This is not populated for
ECDSAwith curveP224, as it is not supported. NOTE: the underlying libraries that generate this value append a\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - public_
key_ strpem - The public key, in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - private_
key_ stropenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - private_
key_ strpem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
- algorithm String
- The name of the algorithm used by the given private key. Possible values are:
RSA,ECDSA,ED25519. - id String
- Unique identifier for this data source: hexadecimal representation of the SHA1 checksum of the data source.
- public
Key StringFingerprint Md5 - The fingerprint of the public key data in OpenSSH MD5 hash format, e.g.
aa:bb:cc:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - public
Key StringFingerprint Sha256 - The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g.
SHA256:.... Only available if the selected private key format is compatible, as per the rules forpublic_key_opensshand ECDSA P224 limitations. - public
Key StringOpenssh - The public key, in OpenSSH PEM (RFC 4716) format. This is also known as 'Authorized Keys' format. This is not populated for
ECDSAwith curveP224, as it is not supported. NOTE: the underlying libraries that generate this value append a\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - public
Key StringPem - The public key, in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a
\nat the end of the PEM. In case this disrupts your use case, we recommend usingtrimspace(). - private
Key StringOpenssh - The private key (in OpenSSH PEM (RFC 4716) format) to extract the public key from. This is mutually exclusive with
private_key_pem. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519. - private
Key StringPem - The private key (in PEM (RFC 1421) format) to extract the public key from. This is mutually exclusive with
private_key_openssh. Currently-supported algorithms for keys are:RSA,ECDSA,ED25519.
Package Details
- Repository
- TLS pulumi/pulumi-tls
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
tlsTerraform Provider.
Viewing docs for TLS v5.3.0
published on Saturday, Jan 31, 2026 by Pulumi
published on Saturday, Jan 31, 2026 by Pulumi
