vault.CertAuthBackendRole
Explore with Pulumi AI
Provides a resource to create a role in an Cert auth backend within Vault.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as vault from "@pulumi/vault";
const certAuthBackend = new vault.AuthBackend("certAuthBackend", {
path: "cert",
type: "cert",
});
const certCertAuthBackendRole = new vault.CertAuthBackendRole("certCertAuthBackendRole", {
certificate: fs.readFileSync("/path/to/certs/ca-cert.pem", "utf8"),
backend: certAuthBackend.path,
allowedNames: [
"foo.example.org",
"baz.example.org",
],
tokenTtl: 300,
tokenMaxTtl: 600,
tokenPolicies: ["foo"],
});
import pulumi
import pulumi_vault as vault
cert_auth_backend = vault.AuthBackend("certAuthBackend",
path="cert",
type="cert")
cert_cert_auth_backend_role = vault.CertAuthBackendRole("certCertAuthBackendRole",
certificate=(lambda path: open(path).read())("/path/to/certs/ca-cert.pem"),
backend=cert_auth_backend.path,
allowed_names=[
"foo.example.org",
"baz.example.org",
],
token_ttl=300,
token_max_ttl=600,
token_policies=["foo"])
package main
import (
"os"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func readFileOrPanic(path string) pulumi.StringPtrInput {
data, err := os.ReadFile(path)
if err != nil {
panic(err.Error())
}
return pulumi.String(string(data))
}
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
certAuthBackend, err := vault.NewAuthBackend(ctx, "certAuthBackend", &vault.AuthBackendArgs{
Path: pulumi.String("cert"),
Type: pulumi.String("cert"),
})
if err != nil {
return err
}
_, err = vault.NewCertAuthBackendRole(ctx, "certCertAuthBackendRole", &vault.CertAuthBackendRoleArgs{
Certificate: readFileOrPanic("/path/to/certs/ca-cert.pem"),
Backend: certAuthBackend.Path,
AllowedNames: pulumi.StringArray{
pulumi.String("foo.example.org"),
pulumi.String("baz.example.org"),
},
TokenTtl: pulumi.Int(300),
TokenMaxTtl: pulumi.Int(600),
TokenPolicies: pulumi.StringArray{
pulumi.String("foo"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var certAuthBackend = new Vault.AuthBackend("certAuthBackend", new()
{
Path = "cert",
Type = "cert",
});
var certCertAuthBackendRole = new Vault.CertAuthBackendRole("certCertAuthBackendRole", new()
{
Certificate = File.ReadAllText("/path/to/certs/ca-cert.pem"),
Backend = certAuthBackend.Path,
AllowedNames = new[]
{
"foo.example.org",
"baz.example.org",
},
TokenTtl = 300,
TokenMaxTtl = 600,
TokenPolicies = new[]
{
"foo",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.CertAuthBackendRole;
import com.pulumi.vault.CertAuthBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var certAuthBackend = new AuthBackend("certAuthBackend", AuthBackendArgs.builder()
.path("cert")
.type("cert")
.build());
var certCertAuthBackendRole = new CertAuthBackendRole("certCertAuthBackendRole", CertAuthBackendRoleArgs.builder()
.certificate(Files.readString(Paths.get("/path/to/certs/ca-cert.pem")))
.backend(certAuthBackend.path())
.allowedNames(
"foo.example.org",
"baz.example.org")
.tokenTtl(300)
.tokenMaxTtl(600)
.tokenPolicies("foo")
.build());
}
}
resources:
certAuthBackend:
type: vault:AuthBackend
properties:
path: cert
type: cert
certCertAuthBackendRole:
type: vault:CertAuthBackendRole
properties:
certificate:
fn::readFile: /path/to/certs/ca-cert.pem
backend: ${certAuthBackend.path}
allowedNames:
- foo.example.org
- baz.example.org
tokenTtl: 300
tokenMaxTtl: 600
tokenPolicies:
- foo
Create CertAuthBackendRole Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new CertAuthBackendRole(name: string, args: CertAuthBackendRoleArgs, opts?: CustomResourceOptions);
@overload
def CertAuthBackendRole(resource_name: str,
args: CertAuthBackendRoleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def CertAuthBackendRole(resource_name: str,
opts: Optional[ResourceOptions] = None,
certificate: Optional[str] = None,
ocsp_enabled: Optional[bool] = None,
allowed_uri_sans: Optional[Sequence[str]] = None,
ocsp_fail_open: Optional[bool] = None,
allowed_organizational_units: Optional[Sequence[str]] = None,
ocsp_query_all_servers: Optional[bool] = None,
backend: Optional[str] = None,
allowed_dns_sans: Optional[Sequence[str]] = None,
ocsp_servers_overrides: Optional[Sequence[str]] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
ocsp_ca_certificates: Optional[str] = None,
allowed_common_names: Optional[Sequence[str]] = None,
allowed_names: Optional[Sequence[str]] = None,
allowed_email_sans: Optional[Sequence[str]] = None,
display_name: Optional[str] = None,
required_extensions: Optional[Sequence[str]] = None,
token_bound_cidrs: Optional[Sequence[str]] = None,
token_explicit_max_ttl: Optional[int] = None,
token_max_ttl: Optional[int] = None,
token_no_default_policy: Optional[bool] = None,
token_num_uses: Optional[int] = None,
token_period: Optional[int] = None,
token_policies: Optional[Sequence[str]] = None,
token_ttl: Optional[int] = None,
token_type: Optional[str] = None)
func NewCertAuthBackendRole(ctx *Context, name string, args CertAuthBackendRoleArgs, opts ...ResourceOption) (*CertAuthBackendRole, error)
public CertAuthBackendRole(string name, CertAuthBackendRoleArgs args, CustomResourceOptions? opts = null)
public CertAuthBackendRole(String name, CertAuthBackendRoleArgs args)
public CertAuthBackendRole(String name, CertAuthBackendRoleArgs args, CustomResourceOptions options)
type: vault:CertAuthBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Example
The following reference example uses placeholder values for all input properties.
var certAuthBackendRoleResource = new Vault.CertAuthBackendRole("certAuthBackendRoleResource", new()
{
Certificate = "string",
OcspEnabled = false,
AllowedUriSans = new[]
{
"string",
},
OcspFailOpen = false,
AllowedOrganizationalUnits = new[]
{
"string",
},
OcspQueryAllServers = false,
Backend = "string",
AllowedDnsSans = new[]
{
"string",
},
OcspServersOverrides = new[]
{
"string",
},
Name = "string",
Namespace = "string",
OcspCaCertificates = "string",
AllowedCommonNames = new[]
{
"string",
},
AllowedNames = new[]
{
"string",
},
AllowedEmailSans = new[]
{
"string",
},
DisplayName = "string",
RequiredExtensions = new[]
{
"string",
},
TokenBoundCidrs = new[]
{
"string",
},
TokenExplicitMaxTtl = 0,
TokenMaxTtl = 0,
TokenNoDefaultPolicy = false,
TokenNumUses = 0,
TokenPeriod = 0,
TokenPolicies = new[]
{
"string",
},
TokenTtl = 0,
TokenType = "string",
});
example, err := vault.NewCertAuthBackendRole(ctx, "certAuthBackendRoleResource", &vault.CertAuthBackendRoleArgs{
Certificate: pulumi.String("string"),
OcspEnabled: pulumi.Bool(false),
AllowedUriSans: pulumi.StringArray{
pulumi.String("string"),
},
OcspFailOpen: pulumi.Bool(false),
AllowedOrganizationalUnits: pulumi.StringArray{
pulumi.String("string"),
},
OcspQueryAllServers: pulumi.Bool(false),
Backend: pulumi.String("string"),
AllowedDnsSans: pulumi.StringArray{
pulumi.String("string"),
},
OcspServersOverrides: pulumi.StringArray{
pulumi.String("string"),
},
Name: pulumi.String("string"),
Namespace: pulumi.String("string"),
OcspCaCertificates: pulumi.String("string"),
AllowedCommonNames: pulumi.StringArray{
pulumi.String("string"),
},
AllowedNames: pulumi.StringArray{
pulumi.String("string"),
},
AllowedEmailSans: pulumi.StringArray{
pulumi.String("string"),
},
DisplayName: pulumi.String("string"),
RequiredExtensions: pulumi.StringArray{
pulumi.String("string"),
},
TokenBoundCidrs: pulumi.StringArray{
pulumi.String("string"),
},
TokenExplicitMaxTtl: pulumi.Int(0),
TokenMaxTtl: pulumi.Int(0),
TokenNoDefaultPolicy: pulumi.Bool(false),
TokenNumUses: pulumi.Int(0),
TokenPeriod: pulumi.Int(0),
TokenPolicies: pulumi.StringArray{
pulumi.String("string"),
},
TokenTtl: pulumi.Int(0),
TokenType: pulumi.String("string"),
})
var certAuthBackendRoleResource = new CertAuthBackendRole("certAuthBackendRoleResource", CertAuthBackendRoleArgs.builder()
.certificate("string")
.ocspEnabled(false)
.allowedUriSans("string")
.ocspFailOpen(false)
.allowedOrganizationalUnits("string")
.ocspQueryAllServers(false)
.backend("string")
.allowedDnsSans("string")
.ocspServersOverrides("string")
.name("string")
.namespace("string")
.ocspCaCertificates("string")
.allowedCommonNames("string")
.allowedNames("string")
.allowedEmailSans("string")
.displayName("string")
.requiredExtensions("string")
.tokenBoundCidrs("string")
.tokenExplicitMaxTtl(0)
.tokenMaxTtl(0)
.tokenNoDefaultPolicy(false)
.tokenNumUses(0)
.tokenPeriod(0)
.tokenPolicies("string")
.tokenTtl(0)
.tokenType("string")
.build());
cert_auth_backend_role_resource = vault.CertAuthBackendRole("certAuthBackendRoleResource",
certificate="string",
ocsp_enabled=False,
allowed_uri_sans=["string"],
ocsp_fail_open=False,
allowed_organizational_units=["string"],
ocsp_query_all_servers=False,
backend="string",
allowed_dns_sans=["string"],
ocsp_servers_overrides=["string"],
name="string",
namespace="string",
ocsp_ca_certificates="string",
allowed_common_names=["string"],
allowed_names=["string"],
allowed_email_sans=["string"],
display_name="string",
required_extensions=["string"],
token_bound_cidrs=["string"],
token_explicit_max_ttl=0,
token_max_ttl=0,
token_no_default_policy=False,
token_num_uses=0,
token_period=0,
token_policies=["string"],
token_ttl=0,
token_type="string")
const certAuthBackendRoleResource = new vault.CertAuthBackendRole("certAuthBackendRoleResource", {
certificate: "string",
ocspEnabled: false,
allowedUriSans: ["string"],
ocspFailOpen: false,
allowedOrganizationalUnits: ["string"],
ocspQueryAllServers: false,
backend: "string",
allowedDnsSans: ["string"],
ocspServersOverrides: ["string"],
name: "string",
namespace: "string",
ocspCaCertificates: "string",
allowedCommonNames: ["string"],
allowedNames: ["string"],
allowedEmailSans: ["string"],
displayName: "string",
requiredExtensions: ["string"],
tokenBoundCidrs: ["string"],
tokenExplicitMaxTtl: 0,
tokenMaxTtl: 0,
tokenNoDefaultPolicy: false,
tokenNumUses: 0,
tokenPeriod: 0,
tokenPolicies: ["string"],
tokenTtl: 0,
tokenType: "string",
});
type: vault:CertAuthBackendRole
properties:
allowedCommonNames:
- string
allowedDnsSans:
- string
allowedEmailSans:
- string
allowedNames:
- string
allowedOrganizationalUnits:
- string
allowedUriSans:
- string
backend: string
certificate: string
displayName: string
name: string
namespace: string
ocspCaCertificates: string
ocspEnabled: false
ocspFailOpen: false
ocspQueryAllServers: false
ocspServersOverrides:
- string
requiredExtensions:
- string
tokenBoundCidrs:
- string
tokenExplicitMaxTtl: 0
tokenMaxTtl: 0
tokenNoDefaultPolicy: false
tokenNumUses: 0
tokenPeriod: 0
tokenPolicies:
- string
tokenTtl: 0
tokenType: string
CertAuthBackendRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The CertAuthBackendRole resource accepts the following input properties:
- Certificate string
- CA certificate used to validate client certificates
- Allowed
Common List<string>Names - Allowed the common names for authenticated client certificates
- Allowed
Dns List<string>Sans - Allowed alternative dns names for authenticated client certificates
- Allowed
Email List<string>Sans - Allowed emails for authenticated client certificates
- Allowed
Names List<string> - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - Allowed
Organizational List<string>Units - Allowed organization units for authenticated client certificates.
- Allowed
Uri List<string>Sans - Allowed URIs for authenticated client certificates
- Backend string
- Path to the mounted Cert auth backend
- Display
Name string - The name to display on tokens issued under this role.
- Name string
- Name of the role
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers List<string>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions List<string> - TLS extensions required on client certificates
- Token
Bound List<string>Cidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - Token
Max intTtl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies List<string> - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- Certificate string
- CA certificate used to validate client certificates
- Allowed
Common []stringNames - Allowed the common names for authenticated client certificates
- Allowed
Dns []stringSans - Allowed alternative dns names for authenticated client certificates
- Allowed
Email []stringSans - Allowed emails for authenticated client certificates
- Allowed
Names []string - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - Allowed
Organizational []stringUnits - Allowed organization units for authenticated client certificates.
- Allowed
Uri []stringSans - Allowed URIs for authenticated client certificates
- Backend string
- Path to the mounted Cert auth backend
- Display
Name string - The name to display on tokens issued under this role.
- Name string
- Name of the role
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers []stringOverrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions []string - TLS extensions required on client certificates
- Token
Bound []stringCidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - Token
Max intTtl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies []string - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- certificate String
- CA certificate used to validate client certificates
- allowed
Common List<String>Names - Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans - Allowed emails for authenticated client certificates
- allowed
Names List<String> - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational List<String>Units - Allowed organization units for authenticated client certificates.
- allowed
Uri List<String>Sans - Allowed URIs for authenticated client certificates
- backend String
- Path to the mounted Cert auth backend
- display
Name String - The name to display on tokens issued under this role.
- name String
- Name of the role
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca StringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> - TLS extensions required on client certificates
- token
Bound List<String>Cidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit IntegerMax Ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - token
Max IntegerTtl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num IntegerUses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Integer - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Integer - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- certificate string
- CA certificate used to validate client certificates
- allowed
Common string[]Names - Allowed the common names for authenticated client certificates
- allowed
Dns string[]Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email string[]Sans - Allowed emails for authenticated client certificates
- allowed
Names string[] - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational string[]Units - Allowed organization units for authenticated client certificates.
- allowed
Uri string[]Sans - Allowed URIs for authenticated client certificates
- backend string
- Path to the mounted Cert auth backend
- display
Name string - The name to display on tokens issued under this role.
- name string
- Name of the role
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail booleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query booleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers string[]Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions string[] - TLS extensions required on client certificates
- token
Bound string[]Cidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit numberMax Ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - token
Max numberTtl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No booleanDefault Policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num numberUses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period number - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies string[] - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl number - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- certificate str
- CA certificate used to validate client certificates
- allowed_
common_ Sequence[str]names - Allowed the common names for authenticated client certificates
- allowed_
dns_ Sequence[str]sans - Allowed alternative dns names for authenticated client certificates
- allowed_
email_ Sequence[str]sans - Allowed emails for authenticated client certificates
- allowed_
names Sequence[str] - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - allowed_
organizational_ Sequence[str]units - Allowed organization units for authenticated client certificates.
- allowed_
uri_ Sequence[str]sans - Allowed URIs for authenticated client certificates
- backend str
- Path to the mounted Cert auth backend
- display_
name str - The name to display on tokens issued under this role.
- name str
- Name of the role
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp_
ca_ strcertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp_
enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp_
fail_ boolopen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp_
query_ boolall_ servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp_
servers_ Sequence[str]overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required_
extensions Sequence[str] - TLS extensions required on client certificates
- token_
bound_ Sequence[str]cidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token_
explicit_ intmax_ ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - token_
max_ intttl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
no_ booldefault_ policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token_
num_ intuses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token_
period int - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token_
policies Sequence[str] - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token_
ttl int - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
type str The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- certificate String
- CA certificate used to validate client certificates
- allowed
Common List<String>Names - Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans - Allowed emails for authenticated client certificates
- allowed
Names List<String> - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational List<String>Units - Allowed organization units for authenticated client certificates.
- allowed
Uri List<String>Sans - Allowed URIs for authenticated client certificates
- backend String
- Path to the mounted Cert auth backend
- display
Name String - The name to display on tokens issued under this role.
- name String
- Name of the role
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca StringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> - TLS extensions required on client certificates
- token
Bound List<String>Cidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit NumberMax Ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - token
Max NumberTtl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num NumberUses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Number - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Number - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
Outputs
All input properties are implicitly available as output properties. Additionally, the CertAuthBackendRole resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing CertAuthBackendRole Resource
Get an existing CertAuthBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CertAuthBackendRoleState, opts?: CustomResourceOptions): CertAuthBackendRole
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allowed_common_names: Optional[Sequence[str]] = None,
allowed_dns_sans: Optional[Sequence[str]] = None,
allowed_email_sans: Optional[Sequence[str]] = None,
allowed_names: Optional[Sequence[str]] = None,
allowed_organizational_units: Optional[Sequence[str]] = None,
allowed_uri_sans: Optional[Sequence[str]] = None,
backend: Optional[str] = None,
certificate: Optional[str] = None,
display_name: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
ocsp_ca_certificates: Optional[str] = None,
ocsp_enabled: Optional[bool] = None,
ocsp_fail_open: Optional[bool] = None,
ocsp_query_all_servers: Optional[bool] = None,
ocsp_servers_overrides: Optional[Sequence[str]] = None,
required_extensions: Optional[Sequence[str]] = None,
token_bound_cidrs: Optional[Sequence[str]] = None,
token_explicit_max_ttl: Optional[int] = None,
token_max_ttl: Optional[int] = None,
token_no_default_policy: Optional[bool] = None,
token_num_uses: Optional[int] = None,
token_period: Optional[int] = None,
token_policies: Optional[Sequence[str]] = None,
token_ttl: Optional[int] = None,
token_type: Optional[str] = None) -> CertAuthBackendRole
func GetCertAuthBackendRole(ctx *Context, name string, id IDInput, state *CertAuthBackendRoleState, opts ...ResourceOption) (*CertAuthBackendRole, error)
public static CertAuthBackendRole Get(string name, Input<string> id, CertAuthBackendRoleState? state, CustomResourceOptions? opts = null)
public static CertAuthBackendRole get(String name, Output<String> id, CertAuthBackendRoleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Allowed
Common List<string>Names - Allowed the common names for authenticated client certificates
- Allowed
Dns List<string>Sans - Allowed alternative dns names for authenticated client certificates
- Allowed
Email List<string>Sans - Allowed emails for authenticated client certificates
- Allowed
Names List<string> - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - Allowed
Organizational List<string>Units - Allowed organization units for authenticated client certificates.
- Allowed
Uri List<string>Sans - Allowed URIs for authenticated client certificates
- Backend string
- Path to the mounted Cert auth backend
- Certificate string
- CA certificate used to validate client certificates
- Display
Name string - The name to display on tokens issued under this role.
- Name string
- Name of the role
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers List<string>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions List<string> - TLS extensions required on client certificates
- Token
Bound List<string>Cidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - Token
Max intTtl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies List<string> - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- Allowed
Common []stringNames - Allowed the common names for authenticated client certificates
- Allowed
Dns []stringSans - Allowed alternative dns names for authenticated client certificates
- Allowed
Email []stringSans - Allowed emails for authenticated client certificates
- Allowed
Names []string - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - Allowed
Organizational []stringUnits - Allowed organization units for authenticated client certificates.
- Allowed
Uri []stringSans - Allowed URIs for authenticated client certificates
- Backend string
- Path to the mounted Cert auth backend
- Certificate string
- CA certificate used to validate client certificates
- Display
Name string - The name to display on tokens issued under this role.
- Name string
- Name of the role
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- Ocsp
Enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- Ocsp
Fail boolOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- Ocsp
Query boolAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- Ocsp
Servers []stringOverrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- Required
Extensions []string - TLS extensions required on client certificates
- Token
Bound []stringCidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - Token
Max intTtl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies []string - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- allowed
Common List<String>Names - Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans - Allowed emails for authenticated client certificates
- allowed
Names List<String> - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational List<String>Units - Allowed organization units for authenticated client certificates.
- allowed
Uri List<String>Sans - Allowed URIs for authenticated client certificates
- backend String
- Path to the mounted Cert auth backend
- certificate String
- CA certificate used to validate client certificates
- display
Name String - The name to display on tokens issued under this role.
- name String
- Name of the role
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca StringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> - TLS extensions required on client certificates
- token
Bound List<String>Cidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit IntegerMax Ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - token
Max IntegerTtl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num IntegerUses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Integer - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Integer - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- allowed
Common string[]Names - Allowed the common names for authenticated client certificates
- allowed
Dns string[]Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email string[]Sans - Allowed emails for authenticated client certificates
- allowed
Names string[] - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational string[]Units - Allowed organization units for authenticated client certificates.
- allowed
Uri string[]Sans - Allowed URIs for authenticated client certificates
- backend string
- Path to the mounted Cert auth backend
- certificate string
- CA certificate used to validate client certificates
- display
Name string - The name to display on tokens issued under this role.
- name string
- Name of the role
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca stringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail booleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query booleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers string[]Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions string[] - TLS extensions required on client certificates
- token
Bound string[]Cidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit numberMax Ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - token
Max numberTtl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No booleanDefault Policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num numberUses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period number - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies string[] - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl number - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- allowed_
common_ Sequence[str]names - Allowed the common names for authenticated client certificates
- allowed_
dns_ Sequence[str]sans - Allowed alternative dns names for authenticated client certificates
- allowed_
email_ Sequence[str]sans - Allowed emails for authenticated client certificates
- allowed_
names Sequence[str] - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - allowed_
organizational_ Sequence[str]units - Allowed organization units for authenticated client certificates.
- allowed_
uri_ Sequence[str]sans - Allowed URIs for authenticated client certificates
- backend str
- Path to the mounted Cert auth backend
- certificate str
- CA certificate used to validate client certificates
- display_
name str - The name to display on tokens issued under this role.
- name str
- Name of the role
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp_
ca_ strcertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp_
enabled bool - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp_
fail_ boolopen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp_
query_ boolall_ servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp_
servers_ Sequence[str]overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required_
extensions Sequence[str] - TLS extensions required on client certificates
- token_
bound_ Sequence[str]cidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token_
explicit_ intmax_ ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - token_
max_ intttl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
no_ booldefault_ policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token_
num_ intuses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token_
period int - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token_
policies Sequence[str] - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token_
ttl int - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
type str The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
- allowed
Common List<String>Names - Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans - Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans - Allowed emails for authenticated client certificates
- allowed
Names List<String> - DEPRECATED: Please use the individual
allowed_X_sans
parameters instead. Allowed subject names for authenticated client certificates - allowed
Organizational List<String>Units - Allowed organization units for authenticated client certificates.
- allowed
Uri List<String>Sans - Allowed URIs for authenticated client certificates
- backend String
- Path to the mounted Cert auth backend
- certificate String
- CA certificate used to validate client certificates
- display
Name String - The name to display on tokens issued under this role.
- name String
- Name of the role
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - ocsp
Ca StringCertificates - Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
- ocsp
Enabled Boolean - If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
- ocsp
Fail BooleanOpen - If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
- ocsp
Query BooleanAll Servers - If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
- ocsp
Servers List<String>Overrides - : A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
- required
Extensions List<String> - TLS extensions required on client certificates
- token
Bound List<String>Cidrs - List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit NumberMax Ttl - If set, will encode an
explicit max TTL
onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal. - token
Max NumberTtl - The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy - If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num NumberUses - The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Number - If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> - List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Number - The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.For more details on the usage of each argument consult the Vault Cert API documentation.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vault
Terraform Provider.