Docs Home
HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
vault.CertAuthBackendRole
Explore with Pulumi AI
Provides a resource to create a role in an Cert auth backend within Vault.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const cert = new vault.AuthBackend("cert", {
path: "cert",
type: "cert",
});
const certCertAuthBackendRole = new vault.CertAuthBackendRole("cert", {
name: "foo",
certificate: std.file({
input: "/path/to/certs/ca-cert.pem",
}).then(invoke => invoke.result),
backend: cert.path,
allowedNames: [
"foo.example.org",
"baz.example.org",
],
tokenTtl: 300,
tokenMaxTtl: 600,
tokenPolicies: ["foo"],
});
import pulumi
import pulumi_std as std
import pulumi_vault as vault
cert = vault.AuthBackend("cert",
path="cert",
type="cert")
cert_cert_auth_backend_role = vault.CertAuthBackendRole("cert",
name="foo",
certificate=std.file(input="/path/to/certs/ca-cert.pem").result,
backend=cert.path,
allowed_names=[
"foo.example.org",
"baz.example.org",
],
token_ttl=300,
token_max_ttl=600,
token_policies=["foo"])
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cert, err := vault.NewAuthBackend(ctx, "cert", &vault.AuthBackendArgs{
Path: pulumi.String("cert"),
Type: pulumi.String("cert"),
})
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/certs/ca-cert.pem",
}, nil)
if err != nil {
return err
}
_, err = vault.NewCertAuthBackendRole(ctx, "cert", &vault.CertAuthBackendRoleArgs{
Name: pulumi.String("foo"),
Certificate: pulumi.String(invokeFile.Result),
Backend: cert.Path,
AllowedNames: pulumi.StringArray{
pulumi.String("foo.example.org"),
pulumi.String("baz.example.org"),
},
TokenTtl: pulumi.Int(300),
TokenMaxTtl: pulumi.Int(600),
TokenPolicies: pulumi.StringArray{
pulumi.String("foo"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var cert = new Vault.AuthBackend("cert", new()
{
Path = "cert",
Type = "cert",
});
var certCertAuthBackendRole = new Vault.CertAuthBackendRole("cert", new()
{
Name = "foo",
Certificate = Std.File.Invoke(new()
{
Input = "/path/to/certs/ca-cert.pem",
}).Apply(invoke => invoke.Result),
Backend = cert.Path,
AllowedNames = new[]
{
"foo.example.org",
"baz.example.org",
},
TokenTtl = 300,
TokenMaxTtl = 600,
TokenPolicies = new[]
{
"foo",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.CertAuthBackendRole;
import com.pulumi.vault.CertAuthBackendRoleArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cert = new AuthBackend("cert", AuthBackendArgs.builder()
.path("cert")
.type("cert")
.build());
var certCertAuthBackendRole = new CertAuthBackendRole("certCertAuthBackendRole", CertAuthBackendRoleArgs.builder()
.name("foo")
.certificate(StdFunctions.file(FileArgs.builder()
.input("/path/to/certs/ca-cert.pem")
.build()).result())
.backend(cert.path())
.allowedNames(
"foo.example.org",
"baz.example.org")
.tokenTtl(300)
.tokenMaxTtl(600)
.tokenPolicies("foo")
.build());
}
}
resources:
cert:
type: vault:AuthBackend
properties:
path: cert
type: cert
certCertAuthBackendRole:
type: vault:CertAuthBackendRole
name: cert
properties:
name: foo
certificate:
fn::invoke:
function: std:file
arguments:
input: /path/to/certs/ca-cert.pem
return: result
backend: ${cert.path}
allowedNames:
- foo.example.org
- baz.example.org
tokenTtl: 300
tokenMaxTtl: 600
tokenPolicies:
- foo
Create CertAuthBackendRole Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new CertAuthBackendRole(name: string, args: CertAuthBackendRoleArgs, opts?: CustomResourceOptions);@overload
def CertAuthBackendRole(resource_name: str,
args: CertAuthBackendRoleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def CertAuthBackendRole(resource_name: str,
opts: Optional[ResourceOptions] = None,
certificate: Optional[str] = None,
ocsp_enabled: Optional[bool] = None,
token_period: Optional[int] = None,
allowed_names: Optional[Sequence[str]] = None,
allowed_organizational_units: Optional[Sequence[str]] = None,
allowed_uri_sans: Optional[Sequence[str]] = None,
backend: Optional[str] = None,
allowed_dns_sans: Optional[Sequence[str]] = None,
display_name: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
ocsp_ca_certificates: Optional[str] = None,
allowed_common_names: Optional[Sequence[str]] = None,
allowed_email_sans: Optional[Sequence[str]] = None,
ocsp_servers_overrides: Optional[Sequence[str]] = None,
ocsp_fail_open: Optional[bool] = None,
required_extensions: Optional[Sequence[str]] = None,
token_bound_cidrs: Optional[Sequence[str]] = None,
token_explicit_max_ttl: Optional[int] = None,
token_max_ttl: Optional[int] = None,
token_no_default_policy: Optional[bool] = None,
token_num_uses: Optional[int] = None,
ocsp_query_all_servers: Optional[bool] = None,
token_policies: Optional[Sequence[str]] = None,
token_ttl: Optional[int] = None,
token_type: Optional[str] = None)func NewCertAuthBackendRole(ctx *Context, name string, args CertAuthBackendRoleArgs, opts ...ResourceOption) (*CertAuthBackendRole, error)public CertAuthBackendRole(string name, CertAuthBackendRoleArgs args, CustomResourceOptions? opts = null)
public CertAuthBackendRole(String name, CertAuthBackendRoleArgs args)
public CertAuthBackendRole(String name, CertAuthBackendRoleArgs args, CustomResourceOptions options)
type: vault:CertAuthBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var certAuthBackendRoleResource = new Vault.CertAuthBackendRole("certAuthBackendRoleResource", new()
{
Certificate = "string",
OcspEnabled = false,
TokenPeriod = 0,
AllowedNames = new[]
{
"string",
},
AllowedOrganizationalUnits = new[]
{
"string",
},
AllowedUriSans = new[]
{
"string",
},
Backend = "string",
AllowedDnsSans = new[]
{
"string",
},
DisplayName = "string",
Name = "string",
Namespace = "string",
OcspCaCertificates = "string",
AllowedCommonNames = new[]
{
"string",
},
AllowedEmailSans = new[]
{
"string",
},
OcspServersOverrides = new[]
{
"string",
},
OcspFailOpen = false,
RequiredExtensions = new[]
{
"string",
},
TokenBoundCidrs = new[]
{
"string",
},
TokenExplicitMaxTtl = 0,
TokenMaxTtl = 0,
TokenNoDefaultPolicy = false,
TokenNumUses = 0,
OcspQueryAllServers = false,
TokenPolicies = new[]
{
"string",
},
TokenTtl = 0,
TokenType = "string",
});
example, err := vault.NewCertAuthBackendRole(ctx, "certAuthBackendRoleResource", &vault.CertAuthBackendRoleArgs{
Certificate: pulumi.String("string"),
OcspEnabled: pulumi.Bool(false),
TokenPeriod: pulumi.Int(0),
AllowedNames: pulumi.StringArray{
pulumi.String("string"),
},
AllowedOrganizationalUnits: pulumi.StringArray{
pulumi.String("string"),
},
AllowedUriSans: pulumi.StringArray{
pulumi.String("string"),
},
Backend: pulumi.String("string"),
AllowedDnsSans: pulumi.StringArray{
pulumi.String("string"),
},
DisplayName: pulumi.String("string"),
Name: pulumi.String("string"),
Namespace: pulumi.String("string"),
OcspCaCertificates: pulumi.String("string"),
AllowedCommonNames: pulumi.StringArray{
pulumi.String("string"),
},
AllowedEmailSans: pulumi.StringArray{
pulumi.String("string"),
},
OcspServersOverrides: pulumi.StringArray{
pulumi.String("string"),
},
OcspFailOpen: pulumi.Bool(false),
RequiredExtensions: pulumi.StringArray{
pulumi.String("string"),
},
TokenBoundCidrs: pulumi.StringArray{
pulumi.String("string"),
},
TokenExplicitMaxTtl: pulumi.Int(0),
TokenMaxTtl: pulumi.Int(0),
TokenNoDefaultPolicy: pulumi.Bool(false),
TokenNumUses: pulumi.Int(0),
OcspQueryAllServers: pulumi.Bool(false),
TokenPolicies: pulumi.StringArray{
pulumi.String("string"),
},
TokenTtl: pulumi.Int(0),
TokenType: pulumi.String("string"),
})
var certAuthBackendRoleResource = new CertAuthBackendRole("certAuthBackendRoleResource", CertAuthBackendRoleArgs.builder()
.certificate("string")
.ocspEnabled(false)
.tokenPeriod(0)
.allowedNames("string")
.allowedOrganizationalUnits("string")
.allowedUriSans("string")
.backend("string")
.allowedDnsSans("string")
.displayName("string")
.name("string")
.namespace("string")
.ocspCaCertificates("string")
.allowedCommonNames("string")
.allowedEmailSans("string")
.ocspServersOverrides("string")
.ocspFailOpen(false)
.requiredExtensions("string")
.tokenBoundCidrs("string")
.tokenExplicitMaxTtl(0)
.tokenMaxTtl(0)
.tokenNoDefaultPolicy(false)
.tokenNumUses(0)
.ocspQueryAllServers(false)
.tokenPolicies("string")
.tokenTtl(0)
.tokenType("string")
.build());
cert_auth_backend_role_resource = vault.CertAuthBackendRole("certAuthBackendRoleResource",
certificate="string",
ocsp_enabled=False,
token_period=0,
allowed_names=["string"],
allowed_organizational_units=["string"],
allowed_uri_sans=["string"],
backend="string",
allowed_dns_sans=["string"],
display_name="string",
name="string",
namespace="string",
ocsp_ca_certificates="string",
allowed_common_names=["string"],
allowed_email_sans=["string"],
ocsp_servers_overrides=["string"],
ocsp_fail_open=False,
required_extensions=["string"],
token_bound_cidrs=["string"],
token_explicit_max_ttl=0,
token_max_ttl=0,
token_no_default_policy=False,
token_num_uses=0,
ocsp_query_all_servers=False,
token_policies=["string"],
token_ttl=0,
token_type="string")
const certAuthBackendRoleResource = new vault.CertAuthBackendRole("certAuthBackendRoleResource", {
certificate: "string",
ocspEnabled: false,
tokenPeriod: 0,
allowedNames: ["string"],
allowedOrganizationalUnits: ["string"],
allowedUriSans: ["string"],
backend: "string",
allowedDnsSans: ["string"],
displayName: "string",
name: "string",
namespace: "string",
ocspCaCertificates: "string",
allowedCommonNames: ["string"],
allowedEmailSans: ["string"],
ocspServersOverrides: ["string"],
ocspFailOpen: false,
requiredExtensions: ["string"],
tokenBoundCidrs: ["string"],
tokenExplicitMaxTtl: 0,
tokenMaxTtl: 0,
tokenNoDefaultPolicy: false,
tokenNumUses: 0,
ocspQueryAllServers: false,
tokenPolicies: ["string"],
tokenTtl: 0,
tokenType: "string",
});
type: vault:CertAuthBackendRole
properties:
allowedCommonNames:
- string
allowedDnsSans:
- string
allowedEmailSans:
- string
allowedNames:
- string
allowedOrganizationalUnits:
- string
allowedUriSans:
- string
backend: string
certificate: string
displayName: string
name: string
namespace: string
ocspCaCertificates: string
ocspEnabled: false
ocspFailOpen: false
ocspQueryAllServers: false
ocspServersOverrides:
- string
requiredExtensions:
- string
tokenBoundCidrs:
- string
tokenExplicitMaxTtl: 0
tokenMaxTtl: 0
tokenNoDefaultPolicy: false
tokenNumUses: 0
tokenPeriod: 0
tokenPolicies:
- string
tokenTtl: 0
tokenType: string
CertAuthBackendRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The CertAuthBackendRole resource accepts the following input properties:
- Certificate string
- CA certificate used to validate client certificates
- Allowed
Common List<string>Names - Allowed the common names for authenticated client certificates
- Allowed
Dns List<string>Sans - Allowed alternative dns names for authenticated client certificates
- Allowed
Email List<string>Sans - Allowed emails for authenticated client certificates
- Allowed
Names List<string> - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - Allowed
Organizational List<string>Units - Allowed organization units for authenticated client certificates.
- Allowed
Uri List<string>Sans - Allowed URIs for authenticated client certificates
- Backend string
- Path to the mounted Cert auth backend
- Display
Name string - The name to display on tokens issued under this role.
- Name string
- Name of the role
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers List<string>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions List<string> - TLS extensions required on client certificates
- Token
Bound List<string>Cidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- Token
Explicit intMax Ttl - Generated Token's Explicit Maximum TTL in seconds
- Token
Max intTtl - The maximum lifetime of the generated token
- Token
No boolDefault Policy - If true, the 'default' policy will not automatically be added to generated tokens
- Token
Num intUses - The maximum number of times a token may be used, a value of zero means unlimited
- Token
Period int - Generated Token's Period
- Token
Policies List<string> - Generated Token's Policies
- Token
Ttl int - The initial ttl of the token to generate in seconds
- Token
Type string - The type of token to generate, service or batch
- Certificate string
- CA certificate used to validate client certificates
- Allowed
Common []stringNames - Allowed the common names for authenticated client certificates
- Allowed
Dns []stringSans - Allowed alternative dns names for authenticated client certificates
- Allowed
Email []stringSans - Allowed emails for authenticated client certificates
- Allowed
Names []string - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - Allowed
Organizational []stringUnits - Allowed organization units for authenticated client certificates.
- Allowed
Uri []stringSans - Allowed URIs for authenticated client certificates
- Backend string
- Path to the mounted Cert auth backend
- Display
Name string - The name to display on tokens issued under this role.
- Name string
- Name of the role
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers []stringOverrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions []string - TLS extensions required on client certificates
- Token
Bound []stringCidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- Token
Explicit intMax Ttl - Generated Token's Explicit Maximum TTL in seconds
- Token
Max intTtl - The maximum lifetime of the generated token
- Token
No boolDefault Policy - If true, the 'default' policy will not automatically be added to generated tokens
- Token
Num intUses - The maximum number of times a token may be used, a value of zero means unlimited
- Token
Period int - Generated Token's Period
- Token
Policies []string - Generated Token's Policies
- Token
Ttl int - The initial ttl of the token to generate in seconds
- Token
Type string - The type of token to generate, service or batch
- certificate String
- CA certificate used to validate client certificates
- allowed
Common List<String>Names - Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans - Allowed emails for authenticated client certificates
- allowed
Names List<String> - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational List<String>Units - Allowed organization units for authenticated client certificates.
- allowed
Uri List<String>Sans - Allowed URIs for authenticated client certificates
- backend String
- Path to the mounted Cert auth backend
- display
Name String - The name to display on tokens issued under this role.
- name String
- Name of the role
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca StringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> - TLS extensions required on client certificates
- token
Bound List<String>Cidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- token
Explicit IntegerMax Ttl - Generated Token's Explicit Maximum TTL in seconds
- token
Max IntegerTtl - The maximum lifetime of the generated token
- token
No BooleanDefault Policy - If true, the 'default' policy will not automatically be added to generated tokens
- token
Num IntegerUses - The maximum number of times a token may be used, a value of zero means unlimited
- token
Period Integer - Generated Token's Period
- token
Policies List<String> - Generated Token's Policies
- token
Ttl Integer - The initial ttl of the token to generate in seconds
- token
Type String - The type of token to generate, service or batch
- certificate string
- CA certificate used to validate client certificates
- allowed
Common string[]Names - Allowed the common names for authenticated client certificates
- allowed
Dns string[]Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email string[]Sans - Allowed emails for authenticated client certificates
- allowed
Names string[] - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational string[]Units - Allowed organization units for authenticated client certificates.
- allowed
Uri string[]Sans - Allowed URIs for authenticated client certificates
- backend string
- Path to the mounted Cert auth backend
- display
Name string - The name to display on tokens issued under this role.
- name string
- Name of the role
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail booleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query booleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers string[]Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions string[] - TLS extensions required on client certificates
- token
Bound string[]Cidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- token
Explicit numberMax Ttl - Generated Token's Explicit Maximum TTL in seconds
- token
Max numberTtl - The maximum lifetime of the generated token
- token
No booleanDefault Policy - If true, the 'default' policy will not automatically be added to generated tokens
- token
Num numberUses - The maximum number of times a token may be used, a value of zero means unlimited
- token
Period number - Generated Token's Period
- token
Policies string[] - Generated Token's Policies
- token
Ttl number - The initial ttl of the token to generate in seconds
- token
Type string - The type of token to generate, service or batch
- certificate str
- CA certificate used to validate client certificates
- allowed_
common_ Sequence[str]names - Allowed the common names for authenticated client certificates
- allowed_
dns_ Sequence[str]sans - Allowed alternative dns names for authenticated client certificates
- allowed_
email_ Sequence[str]sans - Allowed emails for authenticated client certificates
- allowed_
names Sequence[str] - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - allowed_
organizational_ Sequence[str]units - Allowed organization units for authenticated client certificates.
- allowed_
uri_ Sequence[str]sans - Allowed URIs for authenticated client certificates
- backend str
- Path to the mounted Cert auth backend
- display_
name str - The name to display on tokens issued under this role.
- name str
- Name of the role
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp_
ca_ strcertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp_
enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp_
fail_ boolopen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp_
query_ boolall_ servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp_
servers_ Sequence[str]overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required_
extensions Sequence[str] - TLS extensions required on client certificates
- token_
bound_ Sequence[str]cidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- token_
explicit_ intmax_ ttl - Generated Token's Explicit Maximum TTL in seconds
- token_
max_ intttl - The maximum lifetime of the generated token
- token_
no_ booldefault_ policy - If true, the 'default' policy will not automatically be added to generated tokens
- token_
num_ intuses - The maximum number of times a token may be used, a value of zero means unlimited
- token_
period int - Generated Token's Period
- token_
policies Sequence[str] - Generated Token's Policies
- token_
ttl int - The initial ttl of the token to generate in seconds
- token_
type str - The type of token to generate, service or batch
- certificate String
- CA certificate used to validate client certificates
- allowed
Common List<String>Names - Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans - Allowed emails for authenticated client certificates
- allowed
Names List<String> - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational List<String>Units - Allowed organization units for authenticated client certificates.
- allowed
Uri List<String>Sans - Allowed URIs for authenticated client certificates
- backend String
- Path to the mounted Cert auth backend
- display
Name String - The name to display on tokens issued under this role.
- name String
- Name of the role
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca StringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> - TLS extensions required on client certificates
- token
Bound List<String>Cidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- token
Explicit NumberMax Ttl - Generated Token's Explicit Maximum TTL in seconds
- token
Max NumberTtl - The maximum lifetime of the generated token
- token
No BooleanDefault Policy - If true, the 'default' policy will not automatically be added to generated tokens
- token
Num NumberUses - The maximum number of times a token may be used, a value of zero means unlimited
- token
Period Number - Generated Token's Period
- token
Policies List<String> - Generated Token's Policies
- token
Ttl Number - The initial ttl of the token to generate in seconds
- token
Type String - The type of token to generate, service or batch
Outputs
All input properties are implicitly available as output properties. Additionally, the CertAuthBackendRole resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing CertAuthBackendRole Resource
Get an existing CertAuthBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CertAuthBackendRoleState, opts?: CustomResourceOptions): CertAuthBackendRole@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allowed_common_names: Optional[Sequence[str]] = None,
allowed_dns_sans: Optional[Sequence[str]] = None,
allowed_email_sans: Optional[Sequence[str]] = None,
allowed_names: Optional[Sequence[str]] = None,
allowed_organizational_units: Optional[Sequence[str]] = None,
allowed_uri_sans: Optional[Sequence[str]] = None,
backend: Optional[str] = None,
certificate: Optional[str] = None,
display_name: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
ocsp_ca_certificates: Optional[str] = None,
ocsp_enabled: Optional[bool] = None,
ocsp_fail_open: Optional[bool] = None,
ocsp_query_all_servers: Optional[bool] = None,
ocsp_servers_overrides: Optional[Sequence[str]] = None,
required_extensions: Optional[Sequence[str]] = None,
token_bound_cidrs: Optional[Sequence[str]] = None,
token_explicit_max_ttl: Optional[int] = None,
token_max_ttl: Optional[int] = None,
token_no_default_policy: Optional[bool] = None,
token_num_uses: Optional[int] = None,
token_period: Optional[int] = None,
token_policies: Optional[Sequence[str]] = None,
token_ttl: Optional[int] = None,
token_type: Optional[str] = None) -> CertAuthBackendRolefunc GetCertAuthBackendRole(ctx *Context, name string, id IDInput, state *CertAuthBackendRoleState, opts ...ResourceOption) (*CertAuthBackendRole, error)public static CertAuthBackendRole Get(string name, Input<string> id, CertAuthBackendRoleState? state, CustomResourceOptions? opts = null)public static CertAuthBackendRole get(String name, Output<String> id, CertAuthBackendRoleState state, CustomResourceOptions options)resources: _: type: vault:CertAuthBackendRole get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Allowed
Common List<string>Names - Allowed the common names for authenticated client certificates
- Allowed
Dns List<string>Sans - Allowed alternative dns names for authenticated client certificates
- Allowed
Email List<string>Sans - Allowed emails for authenticated client certificates
- Allowed
Names List<string> - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - Allowed
Organizational List<string>Units - Allowed organization units for authenticated client certificates.
- Allowed
Uri List<string>Sans - Allowed URIs for authenticated client certificates
- Backend string
- Path to the mounted Cert auth backend
- Certificate string
- CA certificate used to validate client certificates
- Display
Name string - The name to display on tokens issued under this role.
- Name string
- Name of the role
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers List<string>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions List<string> - TLS extensions required on client certificates
- Token
Bound List<string>Cidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- Token
Explicit intMax Ttl - Generated Token's Explicit Maximum TTL in seconds
- Token
Max intTtl - The maximum lifetime of the generated token
- Token
No boolDefault Policy - If true, the 'default' policy will not automatically be added to generated tokens
- Token
Num intUses - The maximum number of times a token may be used, a value of zero means unlimited
- Token
Period int - Generated Token's Period
- Token
Policies List<string> - Generated Token's Policies
- Token
Ttl int - The initial ttl of the token to generate in seconds
- Token
Type string - The type of token to generate, service or batch
- Allowed
Common []stringNames - Allowed the common names for authenticated client certificates
- Allowed
Dns []stringSans - Allowed alternative dns names for authenticated client certificates
- Allowed
Email []stringSans - Allowed emails for authenticated client certificates
- Allowed
Names []string - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - Allowed
Organizational []stringUnits - Allowed organization units for authenticated client certificates.
- Allowed
Uri []stringSans - Allowed URIs for authenticated client certificates
- Backend string
- Path to the mounted Cert auth backend
- Certificate string
- CA certificate used to validate client certificates
- Display
Name string - The name to display on tokens issued under this role.
- Name string
- Name of the role
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers []stringOverrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions []string - TLS extensions required on client certificates
- Token
Bound []stringCidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- Token
Explicit intMax Ttl - Generated Token's Explicit Maximum TTL in seconds
- Token
Max intTtl - The maximum lifetime of the generated token
- Token
No boolDefault Policy - If true, the 'default' policy will not automatically be added to generated tokens
- Token
Num intUses - The maximum number of times a token may be used, a value of zero means unlimited
- Token
Period int - Generated Token's Period
- Token
Policies []string - Generated Token's Policies
- Token
Ttl int - The initial ttl of the token to generate in seconds
- Token
Type string - The type of token to generate, service or batch
- allowed
Common List<String>Names - Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans - Allowed emails for authenticated client certificates
- allowed
Names List<String> - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational List<String>Units - Allowed organization units for authenticated client certificates.
- allowed
Uri List<String>Sans - Allowed URIs for authenticated client certificates
- backend String
- Path to the mounted Cert auth backend
- certificate String
- CA certificate used to validate client certificates
- display
Name String - The name to display on tokens issued under this role.
- name String
- Name of the role
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca StringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> - TLS extensions required on client certificates
- token
Bound List<String>Cidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- token
Explicit IntegerMax Ttl - Generated Token's Explicit Maximum TTL in seconds
- token
Max IntegerTtl - The maximum lifetime of the generated token
- token
No BooleanDefault Policy - If true, the 'default' policy will not automatically be added to generated tokens
- token
Num IntegerUses - The maximum number of times a token may be used, a value of zero means unlimited
- token
Period Integer - Generated Token's Period
- token
Policies List<String> - Generated Token's Policies
- token
Ttl Integer - The initial ttl of the token to generate in seconds
- token
Type String - The type of token to generate, service or batch
- allowed
Common string[]Names - Allowed the common names for authenticated client certificates
- allowed
Dns string[]Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email string[]Sans - Allowed emails for authenticated client certificates
- allowed
Names string[] - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational string[]Units - Allowed organization units for authenticated client certificates.
- allowed
Uri string[]Sans - Allowed URIs for authenticated client certificates
- backend string
- Path to the mounted Cert auth backend
- certificate string
- CA certificate used to validate client certificates
- display
Name string - The name to display on tokens issued under this role.
- name string
- Name of the role
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail booleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query booleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers string[]Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions string[] - TLS extensions required on client certificates
- token
Bound string[]Cidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- token
Explicit numberMax Ttl - Generated Token's Explicit Maximum TTL in seconds
- token
Max numberTtl - The maximum lifetime of the generated token
- token
No booleanDefault Policy - If true, the 'default' policy will not automatically be added to generated tokens
- token
Num numberUses - The maximum number of times a token may be used, a value of zero means unlimited
- token
Period number - Generated Token's Period
- token
Policies string[] - Generated Token's Policies
- token
Ttl number - The initial ttl of the token to generate in seconds
- token
Type string - The type of token to generate, service or batch
- allowed_
common_ Sequence[str]names - Allowed the common names for authenticated client certificates
- allowed_
dns_ Sequence[str]sans - Allowed alternative dns names for authenticated client certificates
- allowed_
email_ Sequence[str]sans - Allowed emails for authenticated client certificates
- allowed_
names Sequence[str] - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - allowed_
organizational_ Sequence[str]units - Allowed organization units for authenticated client certificates.
- allowed_
uri_ Sequence[str]sans - Allowed URIs for authenticated client certificates
- backend str
- Path to the mounted Cert auth backend
- certificate str
- CA certificate used to validate client certificates
- display_
name str - The name to display on tokens issued under this role.
- name str
- Name of the role
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp_
ca_ strcertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp_
enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp_
fail_ boolopen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp_
query_ boolall_ servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp_
servers_ Sequence[str]overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required_
extensions Sequence[str] - TLS extensions required on client certificates
- token_
bound_ Sequence[str]cidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- token_
explicit_ intmax_ ttl - Generated Token's Explicit Maximum TTL in seconds
- token_
max_ intttl - The maximum lifetime of the generated token
- token_
no_ booldefault_ policy - If true, the 'default' policy will not automatically be added to generated tokens
- token_
num_ intuses - The maximum number of times a token may be used, a value of zero means unlimited
- token_
period int - Generated Token's Period
- token_
policies Sequence[str] - Generated Token's Policies
- token_
ttl int - The initial ttl of the token to generate in seconds
- token_
type str - The type of token to generate, service or batch
- allowed
Common List<String>Names - Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans - Allowed emails for authenticated client certificates
- allowed
Names List<String> - DEPRECATED: Please use the individual
allowed_X_sansparameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational List<String>Units - Allowed organization units for authenticated client certificates.
- allowed
Uri List<String>Sans - Allowed URIs for authenticated client certificates
- backend String
- Path to the mounted Cert auth backend
- certificate String
- CA certificate used to validate client certificates
- display
Name String - The name to display on tokens issued under this role.
- name String
- Name of the role
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca StringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> - TLS extensions required on client certificates
- token
Bound List<String>Cidrs - Specifies the blocks of IP addresses which are allowed to use the generated token
- token
Explicit NumberMax Ttl - Generated Token's Explicit Maximum TTL in seconds
- token
Max NumberTtl - The maximum lifetime of the generated token
- token
No BooleanDefault Policy - If true, the 'default' policy will not automatically be added to generated tokens
- token
Num NumberUses - The maximum number of times a token may be used, a value of zero means unlimited
- token
Period Number - Generated Token's Period
- token
Policies List<String> - Generated Token's Policies
- token
Ttl Number - The initial ttl of the token to generate in seconds
- token
Type String - The type of token to generate, service or batch
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.