HashiCorp Vault v7.0.0, Jun 21 25

HashiCorp Vault v7.0.0 published on Saturday, Jun 21, 2025 by Pulumi

vault.ad.SecretBackend

Explore with Pulumi AI

HashiCorp Vault v7.0.0 published on Saturday, Jun 21, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const config = new vault.ad.SecretBackend("config", {
    backend: "ad",
    binddn: "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
    bindpass: "SuperSecretPassw0rd",
    url: "ldaps://ad",
    insecureTls: true,
    userdn: "CN=Users,DC=corp,DC=example,DC=net",
});

import pulumi
import pulumi_vault as vault

config = vault.ad.SecretBackend("config",
    backend="ad",
    binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
    bindpass="SuperSecretPassw0rd",
    url="ldaps://ad",
    insecure_tls=True,
    userdn="CN=Users,DC=corp,DC=example,DC=net")

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ad"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := ad.NewSecretBackend(ctx, "config", &ad.SecretBackendArgs{
			Backend:     pulumi.String("ad"),
			Binddn:      pulumi.String("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"),
			Bindpass:    pulumi.String("SuperSecretPassw0rd"),
			Url:         pulumi.String("ldaps://ad"),
			InsecureTls: pulumi.Bool(true),
			Userdn:      pulumi.String("CN=Users,DC=corp,DC=example,DC=net"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var config = new Vault.AD.SecretBackend("config", new()
    {
        Backend = "ad",
        Binddn = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
        Bindpass = "SuperSecretPassw0rd",
        Url = "ldaps://ad",
        InsecureTls = true,
        Userdn = "CN=Users,DC=corp,DC=example,DC=net",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.ad.SecretBackend;
import com.pulumi.vault.ad.SecretBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var config = new SecretBackend("config", SecretBackendArgs.builder()
            .backend("ad")
            .binddn("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net")
            .bindpass("SuperSecretPassw0rd")
            .url("ldaps://ad")
            .insecureTls(true)
            .userdn("CN=Users,DC=corp,DC=example,DC=net")
            .build());

    }
}

resources:
  config:
    type: vault:ad:SecretBackend
    properties:
      backend: ad
      binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net
      bindpass: SuperSecretPassw0rd
      url: ldaps://ad
      insecureTls: 'true'
      userdn: CN=Users,DC=corp,DC=example,DC=net

Create SecretBackend Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecretBackend(name: string, args: SecretBackendArgs, opts?: CustomResourceOptions);

@overload
def SecretBackend(resource_name: str,
                  args: SecretBackendArgs,
                  opts: Optional[ResourceOptions] = None)

@overload
def SecretBackend(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  binddn: Optional[str] = None,
                  bindpass: Optional[str] = None,
                  insecure_tls: Optional[bool] = None,
                  max_lease_ttl_seconds: Optional[int] = None,
                  case_sensitive_names: Optional[bool] = None,
                  certificate: Optional[str] = None,
                  client_tls_cert: Optional[str] = None,
                  client_tls_key: Optional[str] = None,
                  default_lease_ttl_seconds: Optional[int] = None,
                  deny_null_bind: Optional[bool] = None,
                  local: Optional[bool] = None,
                  disable_remount: Optional[bool] = None,
                  discoverdn: Optional[bool] = None,
                  groupattr: Optional[str] = None,
                  groupdn: Optional[str] = None,
                  groupfilter: Optional[str] = None,
                  backend: Optional[str] = None,
                  anonymous_group_search: Optional[bool] = None,
                  description: Optional[str] = None,
                  last_rotation_tolerance: Optional[int] = None,
                  max_ttl: Optional[int] = None,
                  namespace: Optional[str] = None,
                  password_policy: Optional[str] = None,
                  request_timeout: Optional[int] = None,
                  starttls: Optional[bool] = None,
                  tls_max_version: Optional[str] = None,
                  tls_min_version: Optional[str] = None,
                  ttl: Optional[int] = None,
                  upndomain: Optional[str] = None,
                  url: Optional[str] = None,
                  use_pre111_group_cn_behavior: Optional[bool] = None,
                  use_token_groups: Optional[bool] = None,
                  userattr: Optional[str] = None,
                  userdn: Optional[str] = None)

func NewSecretBackend(ctx *Context, name string, args SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)

public SecretBackend(string name, SecretBackendArgs args, CustomResourceOptions? opts = null)

public SecretBackend(String name, SecretBackendArgs args)
public SecretBackend(String name, SecretBackendArgs args, CustomResourceOptions options)

type: vault:ad:SecretBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecretBackendArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretBackendArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretBackendArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var secretBackendResource = new Vault.AD.SecretBackend("secretBackendResource", new()
{
    Binddn = "string",
    Bindpass = "string",
    InsecureTls = false,
    MaxLeaseTtlSeconds = 0,
    CaseSensitiveNames = false,
    Certificate = "string",
    ClientTlsCert = "string",
    ClientTlsKey = "string",
    DefaultLeaseTtlSeconds = 0,
    DenyNullBind = false,
    Local = false,
    DisableRemount = false,
    Discoverdn = false,
    Groupattr = "string",
    Groupdn = "string",
    Groupfilter = "string",
    Backend = "string",
    AnonymousGroupSearch = false,
    Description = "string",
    LastRotationTolerance = 0,
    MaxTtl = 0,
    Namespace = "string",
    PasswordPolicy = "string",
    RequestTimeout = 0,
    Starttls = false,
    TlsMaxVersion = "string",
    TlsMinVersion = "string",
    Ttl = 0,
    Upndomain = "string",
    Url = "string",
    UsePre111GroupCnBehavior = false,
    UseTokenGroups = false,
    Userattr = "string",
    Userdn = "string",
});

example, err := ad.NewSecretBackend(ctx, "secretBackendResource", &ad.SecretBackendArgs{
	Binddn:                   pulumi.String("string"),
	Bindpass:                 pulumi.String("string"),
	InsecureTls:              pulumi.Bool(false),
	MaxLeaseTtlSeconds:       pulumi.Int(0),
	CaseSensitiveNames:       pulumi.Bool(false),
	Certificate:              pulumi.String("string"),
	ClientTlsCert:            pulumi.String("string"),
	ClientTlsKey:             pulumi.String("string"),
	DefaultLeaseTtlSeconds:   pulumi.Int(0),
	DenyNullBind:             pulumi.Bool(false),
	Local:                    pulumi.Bool(false),
	DisableRemount:           pulumi.Bool(false),
	Discoverdn:               pulumi.Bool(false),
	Groupattr:                pulumi.String("string"),
	Groupdn:                  pulumi.String("string"),
	Groupfilter:              pulumi.String("string"),
	Backend:                  pulumi.String("string"),
	AnonymousGroupSearch:     pulumi.Bool(false),
	Description:              pulumi.String("string"),
	LastRotationTolerance:    pulumi.Int(0),
	MaxTtl:                   pulumi.Int(0),
	Namespace:                pulumi.String("string"),
	PasswordPolicy:           pulumi.String("string"),
	RequestTimeout:           pulumi.Int(0),
	Starttls:                 pulumi.Bool(false),
	TlsMaxVersion:            pulumi.String("string"),
	TlsMinVersion:            pulumi.String("string"),
	Ttl:                      pulumi.Int(0),
	Upndomain:                pulumi.String("string"),
	Url:                      pulumi.String("string"),
	UsePre111GroupCnBehavior: pulumi.Bool(false),
	UseTokenGroups:           pulumi.Bool(false),
	Userattr:                 pulumi.String("string"),
	Userdn:                   pulumi.String("string"),
})

var secretBackendResource = new com.pulumi.vault.ad.SecretBackend("secretBackendResource", com.pulumi.vault.ad.SecretBackendArgs.builder()
    .binddn("string")
    .bindpass("string")
    .insecureTls(false)
    .maxLeaseTtlSeconds(0)
    .caseSensitiveNames(false)
    .certificate("string")
    .clientTlsCert("string")
    .clientTlsKey("string")
    .defaultLeaseTtlSeconds(0)
    .denyNullBind(false)
    .local(false)
    .disableRemount(false)
    .discoverdn(false)
    .groupattr("string")
    .groupdn("string")
    .groupfilter("string")
    .backend("string")
    .anonymousGroupSearch(false)
    .description("string")
    .lastRotationTolerance(0)
    .maxTtl(0)
    .namespace("string")
    .passwordPolicy("string")
    .requestTimeout(0)
    .starttls(false)
    .tlsMaxVersion("string")
    .tlsMinVersion("string")
    .ttl(0)
    .upndomain("string")
    .url("string")
    .usePre111GroupCnBehavior(false)
    .useTokenGroups(false)
    .userattr("string")
    .userdn("string")
    .build());

secret_backend_resource = vault.ad.SecretBackend("secretBackendResource",
    binddn="string",
    bindpass="string",
    insecure_tls=False,
    max_lease_ttl_seconds=0,
    case_sensitive_names=False,
    certificate="string",
    client_tls_cert="string",
    client_tls_key="string",
    default_lease_ttl_seconds=0,
    deny_null_bind=False,
    local=False,
    disable_remount=False,
    discoverdn=False,
    groupattr="string",
    groupdn="string",
    groupfilter="string",
    backend="string",
    anonymous_group_search=False,
    description="string",
    last_rotation_tolerance=0,
    max_ttl=0,
    namespace="string",
    password_policy="string",
    request_timeout=0,
    starttls=False,
    tls_max_version="string",
    tls_min_version="string",
    ttl=0,
    upndomain="string",
    url="string",
    use_pre111_group_cn_behavior=False,
    use_token_groups=False,
    userattr="string",
    userdn="string")

const secretBackendResource = new vault.ad.SecretBackend("secretBackendResource", {
    binddn: "string",
    bindpass: "string",
    insecureTls: false,
    maxLeaseTtlSeconds: 0,
    caseSensitiveNames: false,
    certificate: "string",
    clientTlsCert: "string",
    clientTlsKey: "string",
    defaultLeaseTtlSeconds: 0,
    denyNullBind: false,
    local: false,
    disableRemount: false,
    discoverdn: false,
    groupattr: "string",
    groupdn: "string",
    groupfilter: "string",
    backend: "string",
    anonymousGroupSearch: false,
    description: "string",
    lastRotationTolerance: 0,
    maxTtl: 0,
    namespace: "string",
    passwordPolicy: "string",
    requestTimeout: 0,
    starttls: false,
    tlsMaxVersion: "string",
    tlsMinVersion: "string",
    ttl: 0,
    upndomain: "string",
    url: "string",
    usePre111GroupCnBehavior: false,
    useTokenGroups: false,
    userattr: "string",
    userdn: "string",
});

type: vault:ad:SecretBackend
properties:
    anonymousGroupSearch: false
    backend: string
    binddn: string
    bindpass: string
    caseSensitiveNames: false
    certificate: string
    clientTlsCert: string
    clientTlsKey: string
    defaultLeaseTtlSeconds: 0
    denyNullBind: false
    description: string
    disableRemount: false
    discoverdn: false
    groupattr: string
    groupdn: string
    groupfilter: string
    insecureTls: false
    lastRotationTolerance: 0
    local: false
    maxLeaseTtlSeconds: 0
    maxTtl: 0
    namespace: string
    passwordPolicy: string
    requestTimeout: 0
    starttls: false
    tlsMaxVersion: string
    tlsMinVersion: string
    ttl: 0
    upndomain: string
    url: string
    usePre111GroupCnBehavior: false
    useTokenGroups: false
    userattr: string
    userdn: string

SecretBackend Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecretBackend resource accepts the following input properties:

Binddn string: Distinguished name of object to bind when performing user and group search.
Bindpass string: Password to use along with binddn when performing user search.
AnonymousGroupSearch bool: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
CaseSensitiveNames bool: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int: Default lease duration for secrets in seconds.
DenyNullBind bool: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
Description string: Human-friendly description of the mount for the Active Directory backend.
DisableRemount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
Discoverdn bool: Use anonymous bind to discover the bind Distinguished Name of a user.
Groupattr string: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
Groupdn string: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
Local bool: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
MaxLeaseTtlSeconds int: Maximum possible lease duration for secrets in seconds.
MaxTtl int: In seconds, the maximum password time-to-live.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordPolicy string: Name of the password policy to use to generate passwords.
RequestTimeout int: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
Starttls bool: Issue a StartTLS command after establishing unencrypted connection.
TlsMaxVersion string: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int: In seconds, the default password time-to-live.
Upndomain string: Enables userPrincipalDomain login with [username]@UPNDomain.
Url string: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string: Attribute used when searching users. Defaults to cn.
Userdn string: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

Binddn string: Distinguished name of object to bind when performing user and group search.
Bindpass string: Password to use along with binddn when performing user search.
AnonymousGroupSearch bool: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
CaseSensitiveNames bool: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int: Default lease duration for secrets in seconds.
DenyNullBind bool: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
Description string: Human-friendly description of the mount for the Active Directory backend.
DisableRemount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
Discoverdn bool: Use anonymous bind to discover the bind Distinguished Name of a user.
Groupattr string: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
Groupdn string: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
Local bool: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
MaxLeaseTtlSeconds int: Maximum possible lease duration for secrets in seconds.
MaxTtl int: In seconds, the maximum password time-to-live.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordPolicy string: Name of the password policy to use to generate passwords.
RequestTimeout int: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
Starttls bool: Issue a StartTLS command after establishing unencrypted connection.
TlsMaxVersion string: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int: In seconds, the default password time-to-live.
Upndomain string: Enables userPrincipalDomain login with [username]@UPNDomain.
Url string: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string: Attribute used when searching users. Defaults to cn.
Userdn string: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

binddn String: Distinguished name of object to bind when performing user and group search.
bindpass String: Password to use along with binddn when performing user search.
anonymousGroupSearch Boolean: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend String: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
caseSensitiveNames Boolean: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate String: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert String: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey String: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds Integer: Default lease duration for secrets in seconds.
denyNullBind Boolean: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description String: Human-friendly description of the mount for the Active Directory backend.
disableRemount Boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn Boolean: Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr String: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn String: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter String: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls Boolean: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance Integer: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local Boolean: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds Integer: Maximum possible lease duration for secrets in seconds.
maxTtl Integer: In seconds, the maximum password time-to-live.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy String: Name of the password policy to use to generate passwords.
requestTimeout Integer: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls Boolean: Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion String: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion String: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl Integer: In seconds, the default password time-to-live.
upndomain String: Enables userPrincipalDomain login with [username]@UPNDomain.
url String: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior Boolean: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups Boolean: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr String: Attribute used when searching users. Defaults to cn.
userdn String: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

binddn string: Distinguished name of object to bind when performing user and group search.
bindpass string: Password to use along with binddn when performing user search.
anonymousGroupSearch boolean: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
caseSensitiveNames boolean: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate string: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert string: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey string: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds number: Default lease duration for secrets in seconds.
denyNullBind boolean: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description string: Human-friendly description of the mount for the Active Directory backend.
disableRemount boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn boolean: Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr string: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn string: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter string: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls boolean: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance number: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local boolean: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds number: Maximum possible lease duration for secrets in seconds.
maxTtl number: In seconds, the maximum password time-to-live.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy string: Name of the password policy to use to generate passwords.
requestTimeout number: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls boolean: Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion string: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion string: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl number: In seconds, the default password time-to-live.
upndomain string: Enables userPrincipalDomain login with [username]@UPNDomain.
url string: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior boolean: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups boolean: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr string: Attribute used when searching users. Defaults to cn.
userdn string: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

binddn str: Distinguished name of object to bind when performing user and group search.
bindpass str: Password to use along with binddn when performing user search.
anonymous_group_search bool: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend str: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
case_sensitive_names bool: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate str: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
client_tls_cert str: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
client_tls_key str: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
default_lease_ttl_seconds int: Default lease duration for secrets in seconds.
deny_null_bind bool: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description str: Human-friendly description of the mount for the Active Directory backend.
disable_remount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn bool: Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr str: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn str: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter str: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls bool: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
last_rotation_tolerance int: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local bool: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
max_lease_ttl_seconds int: Maximum possible lease duration for secrets in seconds.
max_ttl int: In seconds, the maximum password time-to-live.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
password_policy str: Name of the password policy to use to generate passwords.
request_timeout int: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls bool: Issue a StartTLS command after establishing unencrypted connection.
tls_max_version str: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tls_min_version str: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl int: In seconds, the default password time-to-live.
upndomain str: Enables userPrincipalDomain login with [username]@UPNDomain.
url str: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
use_pre111_group_cn_behavior bool: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
use_token_groups bool: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr str: Attribute used when searching users. Defaults to cn.
userdn str: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

binddn String: Distinguished name of object to bind when performing user and group search.
bindpass String: Password to use along with binddn when performing user search.
anonymousGroupSearch Boolean: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend String: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
caseSensitiveNames Boolean: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate String: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert String: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey String: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds Number: Default lease duration for secrets in seconds.
denyNullBind Boolean: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description String: Human-friendly description of the mount for the Active Directory backend.
disableRemount Boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn Boolean: Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr String: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn String: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter String: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls Boolean: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance Number: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local Boolean: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds Number: Maximum possible lease duration for secrets in seconds.
maxTtl Number: In seconds, the maximum password time-to-live.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy String: Name of the password policy to use to generate passwords.
requestTimeout Number: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls Boolean: Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion String: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion String: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl Number: In seconds, the default password time-to-live.
upndomain String: Enables userPrincipalDomain login with [username]@UPNDomain.
url String: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior Boolean: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups Boolean: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr String: Attribute used when searching users. Defaults to cn.
userdn String: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing SecretBackend Resource

Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        anonymous_group_search: Optional[bool] = None,
        backend: Optional[str] = None,
        binddn: Optional[str] = None,
        bindpass: Optional[str] = None,
        case_sensitive_names: Optional[bool] = None,
        certificate: Optional[str] = None,
        client_tls_cert: Optional[str] = None,
        client_tls_key: Optional[str] = None,
        default_lease_ttl_seconds: Optional[int] = None,
        deny_null_bind: Optional[bool] = None,
        description: Optional[str] = None,
        disable_remount: Optional[bool] = None,
        discoverdn: Optional[bool] = None,
        groupattr: Optional[str] = None,
        groupdn: Optional[str] = None,
        groupfilter: Optional[str] = None,
        insecure_tls: Optional[bool] = None,
        last_rotation_tolerance: Optional[int] = None,
        local: Optional[bool] = None,
        max_lease_ttl_seconds: Optional[int] = None,
        max_ttl: Optional[int] = None,
        namespace: Optional[str] = None,
        password_policy: Optional[str] = None,
        request_timeout: Optional[int] = None,
        starttls: Optional[bool] = None,
        tls_max_version: Optional[str] = None,
        tls_min_version: Optional[str] = None,
        ttl: Optional[int] = None,
        upndomain: Optional[str] = None,
        url: Optional[str] = None,
        use_pre111_group_cn_behavior: Optional[bool] = None,
        use_token_groups: Optional[bool] = None,
        userattr: Optional[str] = None,
        userdn: Optional[str] = None) -> SecretBackend

func GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)

public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)

public static SecretBackend get(String name, Output<String> id, SecretBackendState state, CustomResourceOptions options)

resources:  _:    type: vault:ad:SecretBackend    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AnonymousGroupSearch bool: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
Binddn string: Distinguished name of object to bind when performing user and group search.
Bindpass string: Password to use along with binddn when performing user search.
CaseSensitiveNames bool: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int: Default lease duration for secrets in seconds.
DenyNullBind bool: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
Description string: Human-friendly description of the mount for the Active Directory backend.
DisableRemount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
Discoverdn bool: Use anonymous bind to discover the bind Distinguished Name of a user.
Groupattr string: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
Groupdn string: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
Local bool: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
MaxLeaseTtlSeconds int: Maximum possible lease duration for secrets in seconds.
MaxTtl int: In seconds, the maximum password time-to-live.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordPolicy string: Name of the password policy to use to generate passwords.
RequestTimeout int: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
Starttls bool: Issue a StartTLS command after establishing unencrypted connection.
TlsMaxVersion string: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int: In seconds, the default password time-to-live.
Upndomain string: Enables userPrincipalDomain login with [username]@UPNDomain.
Url string: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string: Attribute used when searching users. Defaults to cn.
Userdn string: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

AnonymousGroupSearch bool: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
Binddn string: Distinguished name of object to bind when performing user and group search.
Bindpass string: Password to use along with binddn when performing user search.
CaseSensitiveNames bool: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int: Default lease duration for secrets in seconds.
DenyNullBind bool: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
Description string: Human-friendly description of the mount for the Active Directory backend.
DisableRemount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
Discoverdn bool: Use anonymous bind to discover the bind Distinguished Name of a user.
Groupattr string: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
Groupdn string: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
Local bool: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
MaxLeaseTtlSeconds int: Maximum possible lease duration for secrets in seconds.
MaxTtl int: In seconds, the maximum password time-to-live.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordPolicy string: Name of the password policy to use to generate passwords.
RequestTimeout int: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
Starttls bool: Issue a StartTLS command after establishing unencrypted connection.
TlsMaxVersion string: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int: In seconds, the default password time-to-live.
Upndomain string: Enables userPrincipalDomain login with [username]@UPNDomain.
Url string: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string: Attribute used when searching users. Defaults to cn.
Userdn string: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

anonymousGroupSearch Boolean: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend String: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
binddn String: Distinguished name of object to bind when performing user and group search.
bindpass String: Password to use along with binddn when performing user search.
caseSensitiveNames Boolean: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate String: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert String: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey String: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds Integer: Default lease duration for secrets in seconds.
denyNullBind Boolean: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description String: Human-friendly description of the mount for the Active Directory backend.
disableRemount Boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn Boolean: Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr String: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn String: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter String: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls Boolean: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance Integer: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local Boolean: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds Integer: Maximum possible lease duration for secrets in seconds.
maxTtl Integer: In seconds, the maximum password time-to-live.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy String: Name of the password policy to use to generate passwords.
requestTimeout Integer: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls Boolean: Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion String: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion String: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl Integer: In seconds, the default password time-to-live.
upndomain String: Enables userPrincipalDomain login with [username]@UPNDomain.
url String: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior Boolean: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups Boolean: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr String: Attribute used when searching users. Defaults to cn.
userdn String: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

anonymousGroupSearch boolean: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
binddn string: Distinguished name of object to bind when performing user and group search.
bindpass string: Password to use along with binddn when performing user search.
caseSensitiveNames boolean: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate string: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert string: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey string: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds number: Default lease duration for secrets in seconds.
denyNullBind boolean: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description string: Human-friendly description of the mount for the Active Directory backend.
disableRemount boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn boolean: Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr string: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn string: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter string: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls boolean: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance number: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local boolean: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds number: Maximum possible lease duration for secrets in seconds.
maxTtl number: In seconds, the maximum password time-to-live.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy string: Name of the password policy to use to generate passwords.
requestTimeout number: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls boolean: Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion string: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion string: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl number: In seconds, the default password time-to-live.
upndomain string: Enables userPrincipalDomain login with [username]@UPNDomain.
url string: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior boolean: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups boolean: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr string: Attribute used when searching users. Defaults to cn.
userdn string: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

anonymous_group_search bool: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend str: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
binddn str: Distinguished name of object to bind when performing user and group search.
bindpass str: Password to use along with binddn when performing user search.
case_sensitive_names bool: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate str: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
client_tls_cert str: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
client_tls_key str: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
default_lease_ttl_seconds int: Default lease duration for secrets in seconds.
deny_null_bind bool: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description str: Human-friendly description of the mount for the Active Directory backend.
disable_remount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn bool: Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr str: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn str: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter str: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls bool: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
last_rotation_tolerance int: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local bool: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
max_lease_ttl_seconds int: Maximum possible lease duration for secrets in seconds.
max_ttl int: In seconds, the maximum password time-to-live.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
password_policy str: Name of the password policy to use to generate passwords.
request_timeout int: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls bool: Issue a StartTLS command after establishing unencrypted connection.
tls_max_version str: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tls_min_version str: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl int: In seconds, the default password time-to-live.
upndomain str: Enables userPrincipalDomain login with [username]@UPNDomain.
url str: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
use_pre111_group_cn_behavior bool: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
use_token_groups bool: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr str: Attribute used when searching users. Defaults to cn.
userdn str: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

anonymousGroupSearch Boolean: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend String: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
binddn String: Distinguished name of object to bind when performing user and group search.
bindpass String: Password to use along with binddn when performing user search.
caseSensitiveNames Boolean: If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate String: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert String: Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey String: Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds Number: Default lease duration for secrets in seconds.
denyNullBind Boolean: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description String: Human-friendly description of the mount for the Active Directory backend.
disableRemount Boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn Boolean: Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr String: LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn String: LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter String: Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls Boolean: Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance Number: The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local Boolean: Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds Number: Maximum possible lease duration for secrets in seconds.
maxTtl Number: In seconds, the maximum password time-to-live.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy String: Name of the password policy to use to generate passwords.
requestTimeout Number: Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls Boolean: Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion String: Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion String: Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl Number: In seconds, the default password time-to-live.
upndomain String: Enables userPrincipalDomain login with [username]@UPNDomain.
url String: LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior Boolean: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups Boolean: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr String: Attribute used when searching users. Defaults to cn.
userdn String: LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

Import

AD secret backend can be imported using the backend, e.g.

$ pulumi import vault:ad/secretBackend:SecretBackend ad ad

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v7.0.0 published on Saturday, Jun 21, 2025 by Pulumi

pulumi/pulumi-vault

vault.ad.SecretBackend

On this page

On this page

Example Usage

Create SecretBackend Resource

Constructor syntax

Parameters

Constructor example

SecretBackend Resource Properties

Inputs

Outputs

Look up Existing SecretBackend Resource

Import

Package Details

On this page

On this page