HashiCorp Vault

Pulumi Official
Package maintained by Pulumi
v5.5.0 published on Tuesday, May 31, 2022 by Pulumi

SecretBackend

Import

AD secret backend can be imported using the backend, e.g.

 $ pulumi import vault:ad/secretBackend:SecretBackend ad ad

Example Usage

using Pulumi;
using Vault = Pulumi.Vault;

class MyStack : Stack
{
    public MyStack()
    {
        var config = new Vault.AD.SecretBackend("config", new Vault.AD.SecretBackendArgs
        {
            Backend = "ad",
            Binddn = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
            Bindpass = "SuperSecretPassw0rd",
            InsecureTls = true,
            Url = "ldaps://ad",
            Userdn = "CN=Users,DC=corp,DC=example,DC=net",
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/ad"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := ad.NewSecretBackend(ctx, "config", &ad.SecretBackendArgs{
			Backend:     pulumi.String("ad"),
			Binddn:      pulumi.String("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"),
			Bindpass:    pulumi.String("SuperSecretPassw0rd"),
			InsecureTls: pulumi.Bool(true),
			Url:         pulumi.String("ldaps://ad"),
			Userdn:      pulumi.String("CN=Users,DC=corp,DC=example,DC=net"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

Coming soon!

import pulumi
import pulumi_vault as vault

config = vault.ad.SecretBackend("config",
    backend="ad",
    binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
    bindpass="SuperSecretPassw0rd",
    insecure_tls=True,
    url="ldaps://ad",
    userdn="CN=Users,DC=corp,DC=example,DC=net")
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const config = new vault.ad.SecretBackend("config", {
    backend: "ad",
    binddn: "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
    bindpass: "SuperSecretPassw0rd",
    insecureTls: true,
    url: "ldaps://ad",
    userdn: "CN=Users,DC=corp,DC=example,DC=net",
});

Coming soon!

Create a SecretBackend Resource

new SecretBackend(name: string, args: SecretBackendArgs, opts?: CustomResourceOptions);
@overload
def SecretBackend(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  anonymous_group_search: Optional[bool] = None,
                  backend: Optional[str] = None,
                  binddn: Optional[str] = None,
                  bindpass: Optional[str] = None,
                  case_sensitive_names: Optional[bool] = None,
                  certificate: Optional[str] = None,
                  client_tls_cert: Optional[str] = None,
                  client_tls_key: Optional[str] = None,
                  default_lease_ttl_seconds: Optional[int] = None,
                  deny_null_bind: Optional[bool] = None,
                  description: Optional[str] = None,
                  discoverdn: Optional[bool] = None,
                  formatter: Optional[str] = None,
                  groupattr: Optional[str] = None,
                  groupdn: Optional[str] = None,
                  groupfilter: Optional[str] = None,
                  insecure_tls: Optional[bool] = None,
                  last_rotation_tolerance: Optional[int] = None,
                  length: Optional[int] = None,
                  local: Optional[bool] = None,
                  max_lease_ttl_seconds: Optional[int] = None,
                  max_ttl: Optional[int] = None,
                  password_policy: Optional[str] = None,
                  request_timeout: Optional[int] = None,
                  starttls: Optional[bool] = None,
                  tls_max_version: Optional[str] = None,
                  tls_min_version: Optional[str] = None,
                  ttl: Optional[int] = None,
                  upndomain: Optional[str] = None,
                  url: Optional[str] = None,
                  use_pre111_group_cn_behavior: Optional[bool] = None,
                  use_token_groups: Optional[bool] = None,
                  userattr: Optional[str] = None,
                  userdn: Optional[str] = None)
@overload
def SecretBackend(resource_name: str,
                  args: SecretBackendArgs,
                  opts: Optional[ResourceOptions] = None)
func NewSecretBackend(ctx *Context, name string, args SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)
public SecretBackend(string name, SecretBackendArgs args, CustomResourceOptions? opts = null)
public SecretBackend(String name, SecretBackendArgs args)
public SecretBackend(String name, SecretBackendArgs args, CustomResourceOptions options)
type: vault:ad:SecretBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args SecretBackendArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args SecretBackendArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args SecretBackendArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args SecretBackendArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args SecretBackendArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

SecretBackend Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The SecretBackend resource accepts the following input properties:

Binddn string

Distinguished name of object to bind when performing user and group search.

Bindpass string

Password to use along with binddn when performing user search.

AnonymousGroupSearch bool

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

Backend string

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

CaseSensitiveNames bool

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

Certificate string

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

ClientTlsCert string

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

ClientTlsKey string

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

DefaultLeaseTtlSeconds int

Default lease duration for secrets in seconds.

DenyNullBind bool

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

Description string

Human-friendly description of the mount for the Active Directory backend.

Discoverdn bool

Use anonymous bind to discover the bind Distinguished Name of a user.

Formatter string

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

Groupattr string

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

Groupdn string

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

Groupfilter string

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

InsecureTls bool

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

LastRotationTolerance int

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

Length int

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

Local bool

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

MaxLeaseTtlSeconds int

Maximum possible lease duration for secrets in seconds.

MaxTtl int

In seconds, the maximum password time-to-live.

PasswordPolicy string

Name of the password policy to use to generate passwords.

RequestTimeout int

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

Starttls bool

Issue a StartTLS command after establishing unencrypted connection.

TlsMaxVersion string

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

TlsMinVersion string

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

Ttl int

In seconds, the default password time-to-live.

Upndomain string

Enables userPrincipalDomain login with [username]@UPNDomain.

Url string

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

UsePre111GroupCnBehavior bool

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

UseTokenGroups bool

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

Userattr string

Attribute used when searching users. Defaults to cn.

Userdn string

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

Binddn string

Distinguished name of object to bind when performing user and group search.

Bindpass string

Password to use along with binddn when performing user search.

AnonymousGroupSearch bool

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

Backend string

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

CaseSensitiveNames bool

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

Certificate string

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

ClientTlsCert string

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

ClientTlsKey string

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

DefaultLeaseTtlSeconds int

Default lease duration for secrets in seconds.

DenyNullBind bool

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

Description string

Human-friendly description of the mount for the Active Directory backend.

Discoverdn bool

Use anonymous bind to discover the bind Distinguished Name of a user.

Formatter string

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

Groupattr string

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

Groupdn string

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

Groupfilter string

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

InsecureTls bool

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

LastRotationTolerance int

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

Length int

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

Local bool

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

MaxLeaseTtlSeconds int

Maximum possible lease duration for secrets in seconds.

MaxTtl int

In seconds, the maximum password time-to-live.

PasswordPolicy string

Name of the password policy to use to generate passwords.

RequestTimeout int

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

Starttls bool

Issue a StartTLS command after establishing unencrypted connection.

TlsMaxVersion string

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

TlsMinVersion string

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

Ttl int

In seconds, the default password time-to-live.

Upndomain string

Enables userPrincipalDomain login with [username]@UPNDomain.

Url string

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

UsePre111GroupCnBehavior bool

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

UseTokenGroups bool

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

Userattr string

Attribute used when searching users. Defaults to cn.

Userdn string

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

binddn String

Distinguished name of object to bind when performing user and group search.

bindpass String

Password to use along with binddn when performing user search.

anonymousGroupSearch Boolean

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

backend String

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

caseSensitiveNames Boolean

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

certificate String

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

clientTlsCert String

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

clientTlsKey String

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

defaultLeaseTtlSeconds Integer

Default lease duration for secrets in seconds.

denyNullBind Boolean

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

description String

Human-friendly description of the mount for the Active Directory backend.

discoverdn Boolean

Use anonymous bind to discover the bind Distinguished Name of a user.

formatter String

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr String

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

groupdn String

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

groupfilter String

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

insecureTls Boolean

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

lastRotationTolerance Integer

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

length Integer

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

local Boolean

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

maxLeaseTtlSeconds Integer

Maximum possible lease duration for secrets in seconds.

maxTtl Integer

In seconds, the maximum password time-to-live.

passwordPolicy String

Name of the password policy to use to generate passwords.

requestTimeout Integer

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

starttls Boolean

Issue a StartTLS command after establishing unencrypted connection.

tlsMaxVersion String

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

tlsMinVersion String

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

ttl Integer

In seconds, the default password time-to-live.

upndomain String

Enables userPrincipalDomain login with [username]@UPNDomain.

url String

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

usePre111GroupCnBehavior Boolean

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

useTokenGroups Boolean

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

userattr String

Attribute used when searching users. Defaults to cn.

userdn String

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

binddn string

Distinguished name of object to bind when performing user and group search.

bindpass string

Password to use along with binddn when performing user search.

anonymousGroupSearch boolean

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

backend string

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

caseSensitiveNames boolean

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

certificate string

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

clientTlsCert string

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

clientTlsKey string

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

defaultLeaseTtlSeconds number

Default lease duration for secrets in seconds.

denyNullBind boolean

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

description string

Human-friendly description of the mount for the Active Directory backend.

discoverdn boolean

Use anonymous bind to discover the bind Distinguished Name of a user.

formatter string

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr string

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

groupdn string

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

groupfilter string

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

insecureTls boolean

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

lastRotationTolerance number

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

length number

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

local boolean

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

maxLeaseTtlSeconds number

Maximum possible lease duration for secrets in seconds.

maxTtl number

In seconds, the maximum password time-to-live.

passwordPolicy string

Name of the password policy to use to generate passwords.

requestTimeout number

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

starttls boolean

Issue a StartTLS command after establishing unencrypted connection.

tlsMaxVersion string

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

tlsMinVersion string

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

ttl number

In seconds, the default password time-to-live.

upndomain string

Enables userPrincipalDomain login with [username]@UPNDomain.

url string

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

usePre111GroupCnBehavior boolean

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

useTokenGroups boolean

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

userattr string

Attribute used when searching users. Defaults to cn.

userdn string

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

binddn str

Distinguished name of object to bind when performing user and group search.

bindpass str

Password to use along with binddn when performing user search.

anonymous_group_search bool

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

backend str

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

case_sensitive_names bool

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

certificate str

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

client_tls_cert str

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

client_tls_key str

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

default_lease_ttl_seconds int

Default lease duration for secrets in seconds.

deny_null_bind bool

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

description str

Human-friendly description of the mount for the Active Directory backend.

discoverdn bool

Use anonymous bind to discover the bind Distinguished Name of a user.

formatter str

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr str

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

groupdn str

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

groupfilter str

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

insecure_tls bool

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

last_rotation_tolerance int

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

length int

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

local bool

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

max_lease_ttl_seconds int

Maximum possible lease duration for secrets in seconds.

max_ttl int

In seconds, the maximum password time-to-live.

password_policy str

Name of the password policy to use to generate passwords.

request_timeout int

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

starttls bool

Issue a StartTLS command after establishing unencrypted connection.

tls_max_version str

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

tls_min_version str

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

ttl int

In seconds, the default password time-to-live.

upndomain str

Enables userPrincipalDomain login with [username]@UPNDomain.

url str

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

use_pre111_group_cn_behavior bool

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

use_token_groups bool

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

userattr str

Attribute used when searching users. Defaults to cn.

userdn str

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

binddn String

Distinguished name of object to bind when performing user and group search.

bindpass String

Password to use along with binddn when performing user search.

anonymousGroupSearch Boolean

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

backend String

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

caseSensitiveNames Boolean

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

certificate String

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

clientTlsCert String

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

clientTlsKey String

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

defaultLeaseTtlSeconds Number

Default lease duration for secrets in seconds.

denyNullBind Boolean

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

description String

Human-friendly description of the mount for the Active Directory backend.

discoverdn Boolean

Use anonymous bind to discover the bind Distinguished Name of a user.

formatter String

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr String

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

groupdn String

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

groupfilter String

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

insecureTls Boolean

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

lastRotationTolerance Number

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

length Number

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

local Boolean

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

maxLeaseTtlSeconds Number

Maximum possible lease duration for secrets in seconds.

maxTtl Number

In seconds, the maximum password time-to-live.

passwordPolicy String

Name of the password policy to use to generate passwords.

requestTimeout Number

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

starttls Boolean

Issue a StartTLS command after establishing unencrypted connection.

tlsMaxVersion String

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

tlsMinVersion String

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

ttl Number

In seconds, the default password time-to-live.

upndomain String

Enables userPrincipalDomain login with [username]@UPNDomain.

url String

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

usePre111GroupCnBehavior Boolean

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

useTokenGroups Boolean

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

userattr String

Attribute used when searching users. Defaults to cn.

userdn String

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up an Existing SecretBackend Resource

Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        anonymous_group_search: Optional[bool] = None,
        backend: Optional[str] = None,
        binddn: Optional[str] = None,
        bindpass: Optional[str] = None,
        case_sensitive_names: Optional[bool] = None,
        certificate: Optional[str] = None,
        client_tls_cert: Optional[str] = None,
        client_tls_key: Optional[str] = None,
        default_lease_ttl_seconds: Optional[int] = None,
        deny_null_bind: Optional[bool] = None,
        description: Optional[str] = None,
        discoverdn: Optional[bool] = None,
        formatter: Optional[str] = None,
        groupattr: Optional[str] = None,
        groupdn: Optional[str] = None,
        groupfilter: Optional[str] = None,
        insecure_tls: Optional[bool] = None,
        last_rotation_tolerance: Optional[int] = None,
        length: Optional[int] = None,
        local: Optional[bool] = None,
        max_lease_ttl_seconds: Optional[int] = None,
        max_ttl: Optional[int] = None,
        password_policy: Optional[str] = None,
        request_timeout: Optional[int] = None,
        starttls: Optional[bool] = None,
        tls_max_version: Optional[str] = None,
        tls_min_version: Optional[str] = None,
        ttl: Optional[int] = None,
        upndomain: Optional[str] = None,
        url: Optional[str] = None,
        use_pre111_group_cn_behavior: Optional[bool] = None,
        use_token_groups: Optional[bool] = None,
        userattr: Optional[str] = None,
        userdn: Optional[str] = None) -> SecretBackend
func GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)
public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)
public static SecretBackend get(String name, Output<String> id, SecretBackendState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AnonymousGroupSearch bool

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

Backend string

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

Binddn string

Distinguished name of object to bind when performing user and group search.

Bindpass string

Password to use along with binddn when performing user search.

CaseSensitiveNames bool

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

Certificate string

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

ClientTlsCert string

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

ClientTlsKey string

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

DefaultLeaseTtlSeconds int

Default lease duration for secrets in seconds.

DenyNullBind bool

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

Description string

Human-friendly description of the mount for the Active Directory backend.

Discoverdn bool

Use anonymous bind to discover the bind Distinguished Name of a user.

Formatter string

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

Groupattr string

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

Groupdn string

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

Groupfilter string

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

InsecureTls bool

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

LastRotationTolerance int

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

Length int

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

Local bool

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

MaxLeaseTtlSeconds int

Maximum possible lease duration for secrets in seconds.

MaxTtl int

In seconds, the maximum password time-to-live.

PasswordPolicy string

Name of the password policy to use to generate passwords.

RequestTimeout int

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

Starttls bool

Issue a StartTLS command after establishing unencrypted connection.

TlsMaxVersion string

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

TlsMinVersion string

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

Ttl int

In seconds, the default password time-to-live.

Upndomain string

Enables userPrincipalDomain login with [username]@UPNDomain.

Url string

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

UsePre111GroupCnBehavior bool

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

UseTokenGroups bool

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

Userattr string

Attribute used when searching users. Defaults to cn.

Userdn string

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

AnonymousGroupSearch bool

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

Backend string

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

Binddn string

Distinguished name of object to bind when performing user and group search.

Bindpass string

Password to use along with binddn when performing user search.

CaseSensitiveNames bool

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

Certificate string

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

ClientTlsCert string

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

ClientTlsKey string

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

DefaultLeaseTtlSeconds int

Default lease duration for secrets in seconds.

DenyNullBind bool

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

Description string

Human-friendly description of the mount for the Active Directory backend.

Discoverdn bool

Use anonymous bind to discover the bind Distinguished Name of a user.

Formatter string

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

Groupattr string

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

Groupdn string

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

Groupfilter string

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

InsecureTls bool

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

LastRotationTolerance int

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

Length int

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

Local bool

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

MaxLeaseTtlSeconds int

Maximum possible lease duration for secrets in seconds.

MaxTtl int

In seconds, the maximum password time-to-live.

PasswordPolicy string

Name of the password policy to use to generate passwords.

RequestTimeout int

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

Starttls bool

Issue a StartTLS command after establishing unencrypted connection.

TlsMaxVersion string

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

TlsMinVersion string

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

Ttl int

In seconds, the default password time-to-live.

Upndomain string

Enables userPrincipalDomain login with [username]@UPNDomain.

Url string

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

UsePre111GroupCnBehavior bool

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

UseTokenGroups bool

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

Userattr string

Attribute used when searching users. Defaults to cn.

Userdn string

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

anonymousGroupSearch Boolean

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

backend String

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

binddn String

Distinguished name of object to bind when performing user and group search.

bindpass String

Password to use along with binddn when performing user search.

caseSensitiveNames Boolean

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

certificate String

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

clientTlsCert String

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

clientTlsKey String

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

defaultLeaseTtlSeconds Integer

Default lease duration for secrets in seconds.

denyNullBind Boolean

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

description String

Human-friendly description of the mount for the Active Directory backend.

discoverdn Boolean

Use anonymous bind to discover the bind Distinguished Name of a user.

formatter String

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr String

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

groupdn String

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

groupfilter String

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

insecureTls Boolean

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

lastRotationTolerance Integer

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

length Integer

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

local Boolean

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

maxLeaseTtlSeconds Integer

Maximum possible lease duration for secrets in seconds.

maxTtl Integer

In seconds, the maximum password time-to-live.

passwordPolicy String

Name of the password policy to use to generate passwords.

requestTimeout Integer

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

starttls Boolean

Issue a StartTLS command after establishing unencrypted connection.

tlsMaxVersion String

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

tlsMinVersion String

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

ttl Integer

In seconds, the default password time-to-live.

upndomain String

Enables userPrincipalDomain login with [username]@UPNDomain.

url String

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

usePre111GroupCnBehavior Boolean

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

useTokenGroups Boolean

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

userattr String

Attribute used when searching users. Defaults to cn.

userdn String

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

anonymousGroupSearch boolean

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

backend string

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

binddn string

Distinguished name of object to bind when performing user and group search.

bindpass string

Password to use along with binddn when performing user search.

caseSensitiveNames boolean

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

certificate string

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

clientTlsCert string

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

clientTlsKey string

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

defaultLeaseTtlSeconds number

Default lease duration for secrets in seconds.

denyNullBind boolean

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

description string

Human-friendly description of the mount for the Active Directory backend.

discoverdn boolean

Use anonymous bind to discover the bind Distinguished Name of a user.

formatter string

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr string

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

groupdn string

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

groupfilter string

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

insecureTls boolean

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

lastRotationTolerance number

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

length number

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

local boolean

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

maxLeaseTtlSeconds number

Maximum possible lease duration for secrets in seconds.

maxTtl number

In seconds, the maximum password time-to-live.

passwordPolicy string

Name of the password policy to use to generate passwords.

requestTimeout number

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

starttls boolean

Issue a StartTLS command after establishing unencrypted connection.

tlsMaxVersion string

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

tlsMinVersion string

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

ttl number

In seconds, the default password time-to-live.

upndomain string

Enables userPrincipalDomain login with [username]@UPNDomain.

url string

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

usePre111GroupCnBehavior boolean

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

useTokenGroups boolean

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

userattr string

Attribute used when searching users. Defaults to cn.

userdn string

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

anonymous_group_search bool

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

backend str

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

binddn str

Distinguished name of object to bind when performing user and group search.

bindpass str

Password to use along with binddn when performing user search.

case_sensitive_names bool

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

certificate str

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

client_tls_cert str

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

client_tls_key str

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

default_lease_ttl_seconds int

Default lease duration for secrets in seconds.

deny_null_bind bool

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

description str

Human-friendly description of the mount for the Active Directory backend.

discoverdn bool

Use anonymous bind to discover the bind Distinguished Name of a user.

formatter str

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr str

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

groupdn str

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

groupfilter str

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

insecure_tls bool

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

last_rotation_tolerance int

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

length int

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

local bool

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

max_lease_ttl_seconds int

Maximum possible lease duration for secrets in seconds.

max_ttl int

In seconds, the maximum password time-to-live.

password_policy str

Name of the password policy to use to generate passwords.

request_timeout int

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

starttls bool

Issue a StartTLS command after establishing unencrypted connection.

tls_max_version str

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

tls_min_version str

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

ttl int

In seconds, the default password time-to-live.

upndomain str

Enables userPrincipalDomain login with [username]@UPNDomain.

url str

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

use_pre111_group_cn_behavior bool

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

use_token_groups bool

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

userattr str

Attribute used when searching users. Defaults to cn.

userdn str

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

anonymousGroupSearch Boolean

Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).

backend String

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.

binddn String

Distinguished name of object to bind when performing user and group search.

bindpass String

Password to use along with binddn when performing user search.

caseSensitiveNames Boolean

If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.

certificate String

CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.

clientTlsCert String

Client certificate to provide to the LDAP server, must be x509 PEM encoded.

clientTlsKey String

Client certificate key to provide to the LDAP server, must be x509 PEM encoded.

defaultLeaseTtlSeconds Number

Default lease duration for secrets in seconds.

denyNullBind Boolean

Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.

description String

Human-friendly description of the mount for the Active Directory backend.

discoverdn Boolean

Use anonymous bind to discover the bind Distinguished Name of a user.

formatter String

Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".

Deprecated:

Formatter is deprecated and password_policy should be used with Vault >= 1.5.

groupattr String

LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.

groupdn String

LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).

groupfilter String

Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

insecureTls Boolean

Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.

lastRotationTolerance Number

The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band

length Number

Deprecated use password_policy. The desired length of passwords that Vault generates.

Deprecated:

Length is deprecated and password_policy should be used with Vault >= 1.5.

local Boolean

Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.

maxLeaseTtlSeconds Number

Maximum possible lease duration for secrets in seconds.

maxTtl Number

In seconds, the maximum password time-to-live.

passwordPolicy String

Name of the password policy to use to generate passwords.

requestTimeout Number

Timeout, in seconds, for the connection when making requests against the server before returning back an error.

starttls Boolean

Issue a StartTLS command after establishing unencrypted connection.

tlsMaxVersion String

Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

tlsMinVersion String

Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.

ttl Number

In seconds, the default password time-to-live.

upndomain String

Enables userPrincipalDomain login with [username]@UPNDomain.

url String

LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.

usePre111GroupCnBehavior Boolean

In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.

useTokenGroups Boolean

If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.

userattr String

Attribute used when searching users. Defaults to cn.

userdn String

LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

Package Details

Repository
https://github.com/pulumi/pulumi-vault
License
Apache-2.0
Notes

This Pulumi package is based on the vault Terraform Provider.