HashiCorp Vault
SecretBackend
Import
AD secret backend can be imported using the backend
, e.g.
$ pulumi import vault:ad/secretBackend:SecretBackend ad ad
Example Usage
using Pulumi;
using Vault = Pulumi.Vault;
class MyStack : Stack
{
public MyStack()
{
var config = new Vault.AD.SecretBackend("config", new Vault.AD.SecretBackendArgs
{
Backend = "ad",
Binddn = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
Bindpass = "SuperSecretPassw0rd",
InsecureTls = true,
Url = "ldaps://ad",
Userdn = "CN=Users,DC=corp,DC=example,DC=net",
});
}
}
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/ad"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ad.NewSecretBackend(ctx, "config", &ad.SecretBackendArgs{
Backend: pulumi.String("ad"),
Binddn: pulumi.String("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"),
Bindpass: pulumi.String("SuperSecretPassw0rd"),
InsecureTls: pulumi.Bool(true),
Url: pulumi.String("ldaps://ad"),
Userdn: pulumi.String("CN=Users,DC=corp,DC=example,DC=net"),
})
if err != nil {
return err
}
return nil
})
}
Coming soon!
import pulumi
import pulumi_vault as vault
config = vault.ad.SecretBackend("config",
backend="ad",
binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
bindpass="SuperSecretPassw0rd",
insecure_tls=True,
url="ldaps://ad",
userdn="CN=Users,DC=corp,DC=example,DC=net")
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const config = new vault.ad.SecretBackend("config", {
backend: "ad",
binddn: "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
bindpass: "SuperSecretPassw0rd",
insecureTls: true,
url: "ldaps://ad",
userdn: "CN=Users,DC=corp,DC=example,DC=net",
});
Coming soon!
Create a SecretBackend Resource
new SecretBackend(name: string, args: SecretBackendArgs, opts?: CustomResourceOptions);
@overload
def SecretBackend(resource_name: str,
opts: Optional[ResourceOptions] = None,
anonymous_group_search: Optional[bool] = None,
backend: Optional[str] = None,
binddn: Optional[str] = None,
bindpass: Optional[str] = None,
case_sensitive_names: Optional[bool] = None,
certificate: Optional[str] = None,
client_tls_cert: Optional[str] = None,
client_tls_key: Optional[str] = None,
default_lease_ttl_seconds: Optional[int] = None,
deny_null_bind: Optional[bool] = None,
description: Optional[str] = None,
discoverdn: Optional[bool] = None,
formatter: Optional[str] = None,
groupattr: Optional[str] = None,
groupdn: Optional[str] = None,
groupfilter: Optional[str] = None,
insecure_tls: Optional[bool] = None,
last_rotation_tolerance: Optional[int] = None,
length: Optional[int] = None,
local: Optional[bool] = None,
max_lease_ttl_seconds: Optional[int] = None,
max_ttl: Optional[int] = None,
password_policy: Optional[str] = None,
request_timeout: Optional[int] = None,
starttls: Optional[bool] = None,
tls_max_version: Optional[str] = None,
tls_min_version: Optional[str] = None,
ttl: Optional[int] = None,
upndomain: Optional[str] = None,
url: Optional[str] = None,
use_pre111_group_cn_behavior: Optional[bool] = None,
use_token_groups: Optional[bool] = None,
userattr: Optional[str] = None,
userdn: Optional[str] = None)
@overload
def SecretBackend(resource_name: str,
args: SecretBackendArgs,
opts: Optional[ResourceOptions] = None)
func NewSecretBackend(ctx *Context, name string, args SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)
public SecretBackend(string name, SecretBackendArgs args, CustomResourceOptions? opts = null)
public SecretBackend(String name, SecretBackendArgs args)
public SecretBackend(String name, SecretBackendArgs args, CustomResourceOptions options)
type: vault:ad:SecretBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
SecretBackend Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The SecretBackend resource accepts the following input properties:
- Binddn string
Distinguished name of object to bind when performing user and group search.
- Bindpass string
Password to use along with binddn when performing user search.
- Anonymous
Group boolSearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- Backend string
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- Case
Sensitive boolNames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Default
Lease intTtl Seconds Default lease duration for secrets in seconds.
- Deny
Null boolBind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- Description string
Human-friendly description of the mount for the Active Directory backend.
- Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
- Formatter string
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- Groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- Groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- Insecure
Tls bool Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- Last
Rotation intTolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- Length int
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds Maximum possible lease duration for secrets in seconds.
- Max
Ttl int In seconds, the maximum password time-to-live.
- Password
Policy string Name of the password policy to use to generate passwords.
- Request
Timeout int Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Starttls bool
Issue a StartTLS command after establishing unencrypted connection.
- Tls
Max stringVersion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- Tls
Min stringVersion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- Ttl int
In seconds, the default password time-to-live.
- Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- Use
Pre111Group boolCn Behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- Use
Token boolGroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- Userattr string
Attribute used when searching users. Defaults to
cn
.- Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- Binddn string
Distinguished name of object to bind when performing user and group search.
- Bindpass string
Password to use along with binddn when performing user search.
- Anonymous
Group boolSearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- Backend string
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- Case
Sensitive boolNames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Default
Lease intTtl Seconds Default lease duration for secrets in seconds.
- Deny
Null boolBind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- Description string
Human-friendly description of the mount for the Active Directory backend.
- Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
- Formatter string
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- Groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- Groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- Insecure
Tls bool Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- Last
Rotation intTolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- Length int
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds Maximum possible lease duration for secrets in seconds.
- Max
Ttl int In seconds, the maximum password time-to-live.
- Password
Policy string Name of the password policy to use to generate passwords.
- Request
Timeout int Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Starttls bool
Issue a StartTLS command after establishing unencrypted connection.
- Tls
Max stringVersion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- Tls
Min stringVersion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- Ttl int
In seconds, the default password time-to-live.
- Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- Use
Pre111Group boolCn Behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- Use
Token boolGroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- Userattr string
Attribute used when searching users. Defaults to
cn
.- Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn String
Distinguished name of object to bind when performing user and group search.
- bindpass String
Password to use along with binddn when performing user search.
- anonymous
Group BooleanSearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend String
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- case
Sensitive BooleanNames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate String
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease IntegerTtl Seconds Default lease duration for secrets in seconds.
- deny
Null BooleanBind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description String
Human-friendly description of the mount for the Active Directory backend.
- discoverdn Boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
- formatter String
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- groupattr String
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- groupdn String
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter String
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls Boolean Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- last
Rotation IntegerTolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- length Integer
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- local Boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease IntegerTtl Seconds Maximum possible lease duration for secrets in seconds.
- max
Ttl Integer In seconds, the maximum password time-to-live.
- password
Policy String Name of the password policy to use to generate passwords.
- request
Timeout Integer Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls Boolean
Issue a StartTLS command after establishing unencrypted connection.
- tls
Max StringVersion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- tls
Min StringVersion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- ttl Integer
In seconds, the default password time-to-live.
- upndomain String
Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- use
Pre111Group BooleanCn Behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token BooleanGroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr String
Attribute used when searching users. Defaults to
cn
.- userdn String
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn string
Distinguished name of object to bind when performing user and group search.
- bindpass string
Password to use along with binddn when performing user search.
- anonymous
Group booleanSearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend string
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- case
Sensitive booleanNames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls stringCert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls stringKey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease numberTtl Seconds Default lease duration for secrets in seconds.
- deny
Null booleanBind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description string
Human-friendly description of the mount for the Active Directory backend.
- discoverdn boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
- formatter string
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls boolean Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- last
Rotation numberTolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- length number
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- local boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease numberTtl Seconds Maximum possible lease duration for secrets in seconds.
- max
Ttl number In seconds, the maximum password time-to-live.
- password
Policy string Name of the password policy to use to generate passwords.
- request
Timeout number Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls boolean
Issue a StartTLS command after establishing unencrypted connection.
- tls
Max stringVersion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- tls
Min stringVersion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- ttl number
In seconds, the default password time-to-live.
- upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
- url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- use
Pre111Group booleanCn Behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token booleanGroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr string
Attribute used when searching users. Defaults to
cn
.- userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn str
Distinguished name of object to bind when performing user and group search.
- bindpass str
Password to use along with binddn when performing user search.
- anonymous_
group_ boolsearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend str
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- case_
sensitive_ boolnames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate str
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client_
tls_ strcert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client_
tls_ strkey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default_
lease_ intttl_ seconds Default lease duration for secrets in seconds.
- deny_
null_ boolbind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description str
Human-friendly description of the mount for the Active Directory backend.
- discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
- formatter str
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- groupattr str
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- groupdn str
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter str
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure_
tls bool Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- last_
rotation_ inttolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- length int
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max_
lease_ intttl_ seconds Maximum possible lease duration for secrets in seconds.
- max_
ttl int In seconds, the maximum password time-to-live.
- password_
policy str Name of the password policy to use to generate passwords.
- request_
timeout int Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls bool
Issue a StartTLS command after establishing unencrypted connection.
- tls_
max_ strversion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- tls_
min_ strversion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- ttl int
In seconds, the default password time-to-live.
- upndomain str
Enables userPrincipalDomain login with [username]@UPNDomain.
- url str
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- use_
pre111_ boolgroup_ cn_ behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use_
token_ boolgroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr str
Attribute used when searching users. Defaults to
cn
.- userdn str
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn String
Distinguished name of object to bind when performing user and group search.
- bindpass String
Password to use along with binddn when performing user search.
- anonymous
Group BooleanSearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend String
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- case
Sensitive BooleanNames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate String
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease NumberTtl Seconds Default lease duration for secrets in seconds.
- deny
Null BooleanBind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description String
Human-friendly description of the mount for the Active Directory backend.
- discoverdn Boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
- formatter String
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- groupattr String
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- groupdn String
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter String
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls Boolean Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- last
Rotation NumberTolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- length Number
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- local Boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease NumberTtl Seconds Maximum possible lease duration for secrets in seconds.
- max
Ttl Number In seconds, the maximum password time-to-live.
- password
Policy String Name of the password policy to use to generate passwords.
- request
Timeout Number Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls Boolean
Issue a StartTLS command after establishing unencrypted connection.
- tls
Max StringVersion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- tls
Min StringVersion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- ttl Number
In seconds, the default password time-to-live.
- upndomain String
Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- use
Pre111Group BooleanCn Behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token BooleanGroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr String
Attribute used when searching users. Defaults to
cn
.- userdn String
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Id string
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
- id string
The provider-assigned unique ID for this managed resource.
- id str
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
Look up an Existing SecretBackend Resource
Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
anonymous_group_search: Optional[bool] = None,
backend: Optional[str] = None,
binddn: Optional[str] = None,
bindpass: Optional[str] = None,
case_sensitive_names: Optional[bool] = None,
certificate: Optional[str] = None,
client_tls_cert: Optional[str] = None,
client_tls_key: Optional[str] = None,
default_lease_ttl_seconds: Optional[int] = None,
deny_null_bind: Optional[bool] = None,
description: Optional[str] = None,
discoverdn: Optional[bool] = None,
formatter: Optional[str] = None,
groupattr: Optional[str] = None,
groupdn: Optional[str] = None,
groupfilter: Optional[str] = None,
insecure_tls: Optional[bool] = None,
last_rotation_tolerance: Optional[int] = None,
length: Optional[int] = None,
local: Optional[bool] = None,
max_lease_ttl_seconds: Optional[int] = None,
max_ttl: Optional[int] = None,
password_policy: Optional[str] = None,
request_timeout: Optional[int] = None,
starttls: Optional[bool] = None,
tls_max_version: Optional[str] = None,
tls_min_version: Optional[str] = None,
ttl: Optional[int] = None,
upndomain: Optional[str] = None,
url: Optional[str] = None,
use_pre111_group_cn_behavior: Optional[bool] = None,
use_token_groups: Optional[bool] = None,
userattr: Optional[str] = None,
userdn: Optional[str] = None) -> SecretBackend
func GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)
public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)
public static SecretBackend get(String name, Output<String> id, SecretBackendState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Anonymous
Group boolSearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- Backend string
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- Binddn string
Distinguished name of object to bind when performing user and group search.
- Bindpass string
Password to use along with binddn when performing user search.
- Case
Sensitive boolNames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Default
Lease intTtl Seconds Default lease duration for secrets in seconds.
- Deny
Null boolBind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- Description string
Human-friendly description of the mount for the Active Directory backend.
- Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
- Formatter string
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- Groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- Groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- Insecure
Tls bool Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- Last
Rotation intTolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- Length int
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds Maximum possible lease duration for secrets in seconds.
- Max
Ttl int In seconds, the maximum password time-to-live.
- Password
Policy string Name of the password policy to use to generate passwords.
- Request
Timeout int Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Starttls bool
Issue a StartTLS command after establishing unencrypted connection.
- Tls
Max stringVersion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- Tls
Min stringVersion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- Ttl int
In seconds, the default password time-to-live.
- Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- Use
Pre111Group boolCn Behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- Use
Token boolGroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- Userattr string
Attribute used when searching users. Defaults to
cn
.- Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- Anonymous
Group boolSearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- Backend string
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- Binddn string
Distinguished name of object to bind when performing user and group search.
- Bindpass string
Password to use along with binddn when performing user search.
- Case
Sensitive boolNames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Default
Lease intTtl Seconds Default lease duration for secrets in seconds.
- Deny
Null boolBind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- Description string
Human-friendly description of the mount for the Active Directory backend.
- Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
- Formatter string
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- Groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- Groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- Insecure
Tls bool Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- Last
Rotation intTolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- Length int
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds Maximum possible lease duration for secrets in seconds.
- Max
Ttl int In seconds, the maximum password time-to-live.
- Password
Policy string Name of the password policy to use to generate passwords.
- Request
Timeout int Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Starttls bool
Issue a StartTLS command after establishing unencrypted connection.
- Tls
Max stringVersion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- Tls
Min stringVersion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- Ttl int
In seconds, the default password time-to-live.
- Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- Use
Pre111Group boolCn Behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- Use
Token boolGroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- Userattr string
Attribute used when searching users. Defaults to
cn
.- Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- anonymous
Group BooleanSearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend String
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- binddn String
Distinguished name of object to bind when performing user and group search.
- bindpass String
Password to use along with binddn when performing user search.
- case
Sensitive BooleanNames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate String
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease IntegerTtl Seconds Default lease duration for secrets in seconds.
- deny
Null BooleanBind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description String
Human-friendly description of the mount for the Active Directory backend.
- discoverdn Boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
- formatter String
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- groupattr String
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- groupdn String
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter String
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls Boolean Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- last
Rotation IntegerTolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- length Integer
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- local Boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease IntegerTtl Seconds Maximum possible lease duration for secrets in seconds.
- max
Ttl Integer In seconds, the maximum password time-to-live.
- password
Policy String Name of the password policy to use to generate passwords.
- request
Timeout Integer Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls Boolean
Issue a StartTLS command after establishing unencrypted connection.
- tls
Max StringVersion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- tls
Min StringVersion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- ttl Integer
In seconds, the default password time-to-live.
- upndomain String
Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- use
Pre111Group BooleanCn Behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token BooleanGroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr String
Attribute used when searching users. Defaults to
cn
.- userdn String
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- anonymous
Group booleanSearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend string
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- binddn string
Distinguished name of object to bind when performing user and group search.
- bindpass string
Password to use along with binddn when performing user search.
- case
Sensitive booleanNames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls stringCert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls stringKey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease numberTtl Seconds Default lease duration for secrets in seconds.
- deny
Null booleanBind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description string
Human-friendly description of the mount for the Active Directory backend.
- discoverdn boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
- formatter string
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls boolean Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- last
Rotation numberTolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- length number
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- local boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease numberTtl Seconds Maximum possible lease duration for secrets in seconds.
- max
Ttl number In seconds, the maximum password time-to-live.
- password
Policy string Name of the password policy to use to generate passwords.
- request
Timeout number Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls boolean
Issue a StartTLS command after establishing unencrypted connection.
- tls
Max stringVersion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- tls
Min stringVersion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- ttl number
In seconds, the default password time-to-live.
- upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
- url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- use
Pre111Group booleanCn Behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token booleanGroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr string
Attribute used when searching users. Defaults to
cn
.- userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- anonymous_
group_ boolsearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend str
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- binddn str
Distinguished name of object to bind when performing user and group search.
- bindpass str
Password to use along with binddn when performing user search.
- case_
sensitive_ boolnames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate str
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client_
tls_ strcert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client_
tls_ strkey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default_
lease_ intttl_ seconds Default lease duration for secrets in seconds.
- deny_
null_ boolbind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description str
Human-friendly description of the mount for the Active Directory backend.
- discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
- formatter str
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- groupattr str
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- groupdn str
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter str
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure_
tls bool Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- last_
rotation_ inttolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- length int
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max_
lease_ intttl_ seconds Maximum possible lease duration for secrets in seconds.
- max_
ttl int In seconds, the maximum password time-to-live.
- password_
policy str Name of the password policy to use to generate passwords.
- request_
timeout int Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls bool
Issue a StartTLS command after establishing unencrypted connection.
- tls_
max_ strversion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- tls_
min_ strversion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- ttl int
In seconds, the default password time-to-live.
- upndomain str
Enables userPrincipalDomain login with [username]@UPNDomain.
- url str
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- use_
pre111_ boolgroup_ cn_ behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use_
token_ boolgroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr str
Attribute used when searching users. Defaults to
cn
.- userdn str
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- anonymous
Group BooleanSearch Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend String
The unique path this backend should be mounted at. Must not begin or end with a
/
. Defaults toad
.- binddn String
Distinguished name of object to bind when performing user and group search.
- bindpass String
Password to use along with binddn when performing user search.
- case
Sensitive BooleanNames If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate String
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease NumberTtl Seconds Default lease duration for secrets in seconds.
- deny
Null BooleanBind Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description String
Human-friendly description of the mount for the Active Directory backend.
- discoverdn Boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
- formatter String
Deprecated use
password_policy
. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".Formatter is deprecated and password_policy should be used with Vault >= 1.5.
- groupattr String
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
.- groupdn String
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter String
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls Boolean Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to
false
.- last
Rotation NumberTolerance The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- length Number
Deprecated use
password_policy
. The desired length of passwords that Vault generates.Length is deprecated and password_policy should be used with Vault >= 1.5.
- local Boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease NumberTtl Seconds Maximum possible lease duration for secrets in seconds.
- max
Ttl Number In seconds, the maximum password time-to-live.
- password
Policy String Name of the password policy to use to generate passwords.
- request
Timeout Number Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls Boolean
Issue a StartTLS command after establishing unencrypted connection.
- tls
Max StringVersion Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- tls
Min StringVersion Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
.- ttl Number
In seconds, the default password time-to-live.
- upndomain String
Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
.- use
Pre111Group BooleanCn Behavior In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token BooleanGroups If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr String
Attribute used when searching users. Defaults to
cn
.- userdn String
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
Package Details
- Repository
- https://github.com/pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
vault
Terraform Provider.