vault.CertAuthBackendRole
Explore with Pulumi AI
Provides a resource to create a role in an Cert auth backend within Vault.
Example Usage
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var certAuthBackend = new Vault.AuthBackend("certAuthBackend", new()
{
Path = "cert",
Type = "cert",
});
var certCertAuthBackendRole = new Vault.CertAuthBackendRole("certCertAuthBackendRole", new()
{
Certificate = File.ReadAllText("/path/to/certs/ca-cert.pem"),
Backend = certAuthBackend.Path,
AllowedNames = new[]
{
"foo.example.org",
"baz.example.org",
},
TokenTtl = 300,
TokenMaxTtl = 600,
TokenPolicies = new[]
{
"foo",
},
});
});
package main
import (
"os"
"github.com/pulumi/pulumi-vault/sdk/v5/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func readFileOrPanic(path string) pulumi.StringPtrInput {
data, err := os.ReadFile(path)
if err != nil {
panic(err.Error())
}
return pulumi.String(string(data))
}
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
certAuthBackend, err := vault.NewAuthBackend(ctx, "certAuthBackend", &vault.AuthBackendArgs{
Path: pulumi.String("cert"),
Type: pulumi.String("cert"),
})
if err != nil {
return err
}
_, err = vault.NewCertAuthBackendRole(ctx, "certCertAuthBackendRole", &vault.CertAuthBackendRoleArgs{
Certificate: readFileOrPanic("/path/to/certs/ca-cert.pem"),
Backend: certAuthBackend.Path,
AllowedNames: pulumi.StringArray{
pulumi.String("foo.example.org"),
pulumi.String("baz.example.org"),
},
TokenTtl: pulumi.Int(300),
TokenMaxTtl: pulumi.Int(600),
TokenPolicies: pulumi.StringArray{
pulumi.String("foo"),
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.CertAuthBackendRole;
import com.pulumi.vault.CertAuthBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var certAuthBackend = new AuthBackend("certAuthBackend", AuthBackendArgs.builder()
.path("cert")
.type("cert")
.build());
var certCertAuthBackendRole = new CertAuthBackendRole("certCertAuthBackendRole", CertAuthBackendRoleArgs.builder()
.certificate(Files.readString(Paths.get("/path/to/certs/ca-cert.pem")))
.backend(certAuthBackend.path())
.allowedNames(
"foo.example.org",
"baz.example.org")
.tokenTtl(300)
.tokenMaxTtl(600)
.tokenPolicies("foo")
.build());
}
}
import pulumi
import pulumi_vault as vault
cert_auth_backend = vault.AuthBackend("certAuthBackend",
path="cert",
type="cert")
cert_cert_auth_backend_role = vault.CertAuthBackendRole("certCertAuthBackendRole",
certificate=(lambda path: open(path).read())("/path/to/certs/ca-cert.pem"),
backend=cert_auth_backend.path,
allowed_names=[
"foo.example.org",
"baz.example.org",
],
token_ttl=300,
token_max_ttl=600,
token_policies=["foo"])
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as vault from "@pulumi/vault";
const certAuthBackend = new vault.AuthBackend("certAuthBackend", {
path: "cert",
type: "cert",
});
const certCertAuthBackendRole = new vault.CertAuthBackendRole("certCertAuthBackendRole", {
certificate: fs.readFileSync("/path/to/certs/ca-cert.pem"),
backend: certAuthBackend.path,
allowedNames: [
"foo.example.org",
"baz.example.org",
],
tokenTtl: 300,
tokenMaxTtl: 600,
tokenPolicies: ["foo"],
});
resources:
certAuthBackend:
type: vault:AuthBackend
properties:
path: cert
type: cert
certCertAuthBackendRole:
type: vault:CertAuthBackendRole
properties:
certificate:
fn::readFile: /path/to/certs/ca-cert.pem
backend: ${certAuthBackend.path}
allowedNames:
- foo.example.org
- baz.example.org
tokenTtl: 300
tokenMaxTtl: 600
tokenPolicies:
- foo
Create CertAuthBackendRole Resource
new CertAuthBackendRole(name: string, args: CertAuthBackendRoleArgs, opts?: CustomResourceOptions);
@overload
def CertAuthBackendRole(resource_name: str,
opts: Optional[ResourceOptions] = None,
allowed_common_names: Optional[Sequence[str]] = None,
allowed_dns_sans: Optional[Sequence[str]] = None,
allowed_email_sans: Optional[Sequence[str]] = None,
allowed_names: Optional[Sequence[str]] = None,
allowed_organization_units: Optional[Sequence[str]] = None,
allowed_organizational_units: Optional[Sequence[str]] = None,
allowed_uri_sans: Optional[Sequence[str]] = None,
backend: Optional[str] = None,
certificate: Optional[str] = None,
display_name: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
ocsp_ca_certificates: Optional[str] = None,
ocsp_enabled: Optional[bool] = None,
ocsp_fail_open: Optional[bool] = None,
ocsp_query_all_servers: Optional[bool] = None,
ocsp_servers_overrides: Optional[Sequence[str]] = None,
required_extensions: Optional[Sequence[str]] = None,
token_bound_cidrs: Optional[Sequence[str]] = None,
token_explicit_max_ttl: Optional[int] = None,
token_max_ttl: Optional[int] = None,
token_no_default_policy: Optional[bool] = None,
token_num_uses: Optional[int] = None,
token_period: Optional[int] = None,
token_policies: Optional[Sequence[str]] = None,
token_ttl: Optional[int] = None,
token_type: Optional[str] = None)
@overload
def CertAuthBackendRole(resource_name: str,
args: CertAuthBackendRoleArgs,
opts: Optional[ResourceOptions] = None)
func NewCertAuthBackendRole(ctx *Context, name string, args CertAuthBackendRoleArgs, opts ...ResourceOption) (*CertAuthBackendRole, error)
public CertAuthBackendRole(string name, CertAuthBackendRoleArgs args, CustomResourceOptions? opts = null)
public CertAuthBackendRole(String name, CertAuthBackendRoleArgs args)
public CertAuthBackendRole(String name, CertAuthBackendRoleArgs args, CustomResourceOptions options)
type: vault:CertAuthBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
CertAuthBackendRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The CertAuthBackendRole resource accepts the following input properties:
- Certificate string
CA certificate used to validate client certificates
- Allowed
Common List<string>Names Allowed the common names for authenticated client certificates
- Allowed
Dns List<string>Sans Allowed alternative dns names for authenticated client certificates
- Allowed
Email List<string>Sans Allowed emails for authenticated client certificates
- Allowed
Names List<string> DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- Allowed
Organization List<string>Units Use allowed_organizational_units
- Allowed
Organizational List<string>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- Allowed
Uri List<string>Sans Allowed URIs for authenticated client certificates
- Backend string
Path to the mounted Cert auth backend
- Display
Name string The name to display on tokens issued under this role.
- Name string
Name of the role
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- Ocsp
Ca stringCertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers List<string>Overrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions List<string> TLS extensions required on client certificates
- Token
Bound List<string>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- Token
Max intTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies List<string> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- Certificate string
CA certificate used to validate client certificates
- Allowed
Common []stringNames Allowed the common names for authenticated client certificates
- Allowed
Dns []stringSans Allowed alternative dns names for authenticated client certificates
- Allowed
Email []stringSans Allowed emails for authenticated client certificates
- Allowed
Names []string DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- Allowed
Organization []stringUnits Use allowed_organizational_units
- Allowed
Organizational []stringUnits Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- Allowed
Uri []stringSans Allowed URIs for authenticated client certificates
- Backend string
Path to the mounted Cert auth backend
- Display
Name string The name to display on tokens issued under this role.
- Name string
Name of the role
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- Ocsp
Ca stringCertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers []stringOverrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions []string TLS extensions required on client certificates
- Token
Bound []stringCidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- Token
Max intTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies []string List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- certificate String
CA certificate used to validate client certificates
- allowed
Common List<String>Names Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans Allowed emails for authenticated client certificates
- allowed
Names List<String> DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- allowed
Organization List<String>Units Use allowed_organizational_units
- allowed
Organizational List<String>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri List<String>Sans Allowed URIs for authenticated client certificates
- backend String
Path to the mounted Cert auth backend
- display
Name String The name to display on tokens issued under this role.
- name String
Name of the role
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- ocsp
Ca StringCertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> TLS extensions required on client certificates
- token
Bound List<String>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit IntegerMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max IntegerTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num IntegerUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Integer If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Integer The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- certificate string
CA certificate used to validate client certificates
- allowed
Common string[]Names Allowed the common names for authenticated client certificates
- allowed
Dns string[]Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email string[]Sans Allowed emails for authenticated client certificates
- allowed
Names string[] DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- allowed
Organization string[]Units Use allowed_organizational_units
- allowed
Organizational string[]Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri string[]Sans Allowed URIs for authenticated client certificates
- backend string
Path to the mounted Cert auth backend
- display
Name string The name to display on tokens issued under this role.
- name string
Name of the role
- namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- ocsp
Ca stringCertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled boolean If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail booleanOpen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query booleanAll Servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers string[]Overrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions string[] TLS extensions required on client certificates
- token
Bound string[]Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit numberMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max numberTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No booleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num numberUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period number If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies string[] List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl number The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- certificate str
CA certificate used to validate client certificates
- allowed_
common_ Sequence[str]names Allowed the common names for authenticated client certificates
- allowed_
dns_ Sequence[str]sans Allowed alternative dns names for authenticated client certificates
- allowed_
email_ Sequence[str]sans Allowed emails for authenticated client certificates
- allowed_
names Sequence[str] DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- allowed_
organization_ Sequence[str]units Use allowed_organizational_units
- allowed_
organizational_ Sequence[str]units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed_
uri_ Sequence[str]sans Allowed URIs for authenticated client certificates
- backend str
Path to the mounted Cert auth backend
- display_
name str The name to display on tokens issued under this role.
- name str
Name of the role
- namespace str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- ocsp_
ca_ strcertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp_
enabled bool If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp_
fail_ boolopen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp_
query_ boolall_ servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp_
servers_ Sequence[str]overrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required_
extensions Sequence[str] TLS extensions required on client certificates
- token_
bound_ Sequence[str]cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token_
explicit_ intmax_ ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token_
max_ intttl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
no_ booldefault_ policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token_
num_ intuses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token_
period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token_
policies Sequence[str] List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token_
ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
type str The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- certificate String
CA certificate used to validate client certificates
- allowed
Common List<String>Names Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans Allowed emails for authenticated client certificates
- allowed
Names List<String> DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- allowed
Organization List<String>Units Use allowed_organizational_units
- allowed
Organizational List<String>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri List<String>Sans Allowed URIs for authenticated client certificates
- backend String
Path to the mounted Cert auth backend
- display
Name String The name to display on tokens issued under this role.
- name String
Name of the role
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- ocsp
Ca StringCertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> TLS extensions required on client certificates
- token
Bound List<String>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit NumberMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max NumberTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num NumberUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Number If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Number The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
Outputs
All input properties are implicitly available as output properties. Additionally, the CertAuthBackendRole resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Id string
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
- id string
The provider-assigned unique ID for this managed resource.
- id str
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
Look up Existing CertAuthBackendRole Resource
Get an existing CertAuthBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CertAuthBackendRoleState, opts?: CustomResourceOptions): CertAuthBackendRole
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allowed_common_names: Optional[Sequence[str]] = None,
allowed_dns_sans: Optional[Sequence[str]] = None,
allowed_email_sans: Optional[Sequence[str]] = None,
allowed_names: Optional[Sequence[str]] = None,
allowed_organization_units: Optional[Sequence[str]] = None,
allowed_organizational_units: Optional[Sequence[str]] = None,
allowed_uri_sans: Optional[Sequence[str]] = None,
backend: Optional[str] = None,
certificate: Optional[str] = None,
display_name: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
ocsp_ca_certificates: Optional[str] = None,
ocsp_enabled: Optional[bool] = None,
ocsp_fail_open: Optional[bool] = None,
ocsp_query_all_servers: Optional[bool] = None,
ocsp_servers_overrides: Optional[Sequence[str]] = None,
required_extensions: Optional[Sequence[str]] = None,
token_bound_cidrs: Optional[Sequence[str]] = None,
token_explicit_max_ttl: Optional[int] = None,
token_max_ttl: Optional[int] = None,
token_no_default_policy: Optional[bool] = None,
token_num_uses: Optional[int] = None,
token_period: Optional[int] = None,
token_policies: Optional[Sequence[str]] = None,
token_ttl: Optional[int] = None,
token_type: Optional[str] = None) -> CertAuthBackendRole
func GetCertAuthBackendRole(ctx *Context, name string, id IDInput, state *CertAuthBackendRoleState, opts ...ResourceOption) (*CertAuthBackendRole, error)
public static CertAuthBackendRole Get(string name, Input<string> id, CertAuthBackendRoleState? state, CustomResourceOptions? opts = null)
public static CertAuthBackendRole get(String name, Output<String> id, CertAuthBackendRoleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Allowed
Common List<string>Names Allowed the common names for authenticated client certificates
- Allowed
Dns List<string>Sans Allowed alternative dns names for authenticated client certificates
- Allowed
Email List<string>Sans Allowed emails for authenticated client certificates
- Allowed
Names List<string> DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- Allowed
Organization List<string>Units Use allowed_organizational_units
- Allowed
Organizational List<string>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- Allowed
Uri List<string>Sans Allowed URIs for authenticated client certificates
- Backend string
Path to the mounted Cert auth backend
- Certificate string
CA certificate used to validate client certificates
- Display
Name string The name to display on tokens issued under this role.
- Name string
Name of the role
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- Ocsp
Ca stringCertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers List<string>Overrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions List<string> TLS extensions required on client certificates
- Token
Bound List<string>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- Token
Max intTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies List<string> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- Allowed
Common []stringNames Allowed the common names for authenticated client certificates
- Allowed
Dns []stringSans Allowed alternative dns names for authenticated client certificates
- Allowed
Email []stringSans Allowed emails for authenticated client certificates
- Allowed
Names []string DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- Allowed
Organization []stringUnits Use allowed_organizational_units
- Allowed
Organizational []stringUnits Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- Allowed
Uri []stringSans Allowed URIs for authenticated client certificates
- Backend string
Path to the mounted Cert auth backend
- Certificate string
CA certificate used to validate client certificates
- Display
Name string The name to display on tokens issued under this role.
- Name string
Name of the role
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- Ocsp
Ca stringCertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers []stringOverrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions []string TLS extensions required on client certificates
- Token
Bound []stringCidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- Token
Max intTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies []string List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- allowed
Common List<String>Names Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans Allowed emails for authenticated client certificates
- allowed
Names List<String> DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- allowed
Organization List<String>Units Use allowed_organizational_units
- allowed
Organizational List<String>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri List<String>Sans Allowed URIs for authenticated client certificates
- backend String
Path to the mounted Cert auth backend
- certificate String
CA certificate used to validate client certificates
- display
Name String The name to display on tokens issued under this role.
- name String
Name of the role
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- ocsp
Ca StringCertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> TLS extensions required on client certificates
- token
Bound List<String>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit IntegerMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max IntegerTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num IntegerUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Integer If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Integer The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- allowed
Common string[]Names Allowed the common names for authenticated client certificates
- allowed
Dns string[]Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email string[]Sans Allowed emails for authenticated client certificates
- allowed
Names string[] DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- allowed
Organization string[]Units Use allowed_organizational_units
- allowed
Organizational string[]Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri string[]Sans Allowed URIs for authenticated client certificates
- backend string
Path to the mounted Cert auth backend
- certificate string
CA certificate used to validate client certificates
- display
Name string The name to display on tokens issued under this role.
- name string
Name of the role
- namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- ocsp
Ca stringCertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled boolean If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail booleanOpen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query booleanAll Servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers string[]Overrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions string[] TLS extensions required on client certificates
- token
Bound string[]Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit numberMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max numberTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No booleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num numberUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period number If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies string[] List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl number The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- allowed_
common_ Sequence[str]names Allowed the common names for authenticated client certificates
- allowed_
dns_ Sequence[str]sans Allowed alternative dns names for authenticated client certificates
- allowed_
email_ Sequence[str]sans Allowed emails for authenticated client certificates
- allowed_
names Sequence[str] DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- allowed_
organization_ Sequence[str]units Use allowed_organizational_units
- allowed_
organizational_ Sequence[str]units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed_
uri_ Sequence[str]sans Allowed URIs for authenticated client certificates
- backend str
Path to the mounted Cert auth backend
- certificate str
CA certificate used to validate client certificates
- display_
name str The name to display on tokens issued under this role.
- name str
Name of the role
- namespace str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- ocsp_
ca_ strcertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp_
enabled bool If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp_
fail_ boolopen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp_
query_ boolall_ servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp_
servers_ Sequence[str]overrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required_
extensions Sequence[str] TLS extensions required on client certificates
- token_
bound_ Sequence[str]cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token_
explicit_ intmax_ ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token_
max_ intttl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
no_ booldefault_ policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token_
num_ intuses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token_
period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token_
policies Sequence[str] List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token_
ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
type str The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- allowed
Common List<String>Names Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans Allowed emails for authenticated client certificates
- allowed
Names List<String> DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates- allowed
Organization List<String>Units Use allowed_organizational_units
- allowed
Organizational List<String>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri List<String>Sans Allowed URIs for authenticated client certificates
- backend String
Path to the mounted Cert auth backend
- certificate String
CA certificate used to validate client certificates
- display
Name String The name to display on tokens issued under this role.
- name String
Name of the role
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- ocsp
Ca StringCertificates Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> TLS extensions required on client certificates
- token
Bound List<String>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit NumberMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max NumberTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num NumberUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Number If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Number The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
vault
Terraform Provider.