HashiCorp Vault v5.17.0, Nov 9 23

HashiCorp Vault v5.17.0 published on Thursday, Nov 9, 2023 by Pulumi

vault.CertAuthBackendRole

Explore with Pulumi AI

HashiCorp Vault v5.17.0 published on Thursday, Nov 9, 2023 by Pulumi

Example Usage

using System.Collections.Generic;
using System.IO;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var certAuthBackend = new Vault.AuthBackend("certAuthBackend", new()
    {
        Path = "cert",
        Type = "cert",
    });

    var certCertAuthBackendRole = new Vault.CertAuthBackendRole("certCertAuthBackendRole", new()
    {
        Certificate = File.ReadAllText("/path/to/certs/ca-cert.pem"),
        Backend = certAuthBackend.Path,
        AllowedNames = new[]
        {
            "foo.example.org",
            "baz.example.org",
        },
        TokenTtl = 300,
        TokenMaxTtl = 600,
        TokenPolicies = new[]
        {
            "foo",
        },
    });

});

package main

import (
	"os"

	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func readFileOrPanic(path string) pulumi.StringPtrInput {
	data, err := os.ReadFile(path)
	if err != nil {
		panic(err.Error())
	}
	return pulumi.String(string(data))
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		certAuthBackend, err := vault.NewAuthBackend(ctx, "certAuthBackend", &vault.AuthBackendArgs{
			Path: pulumi.String("cert"),
			Type: pulumi.String("cert"),
		})
		if err != nil {
			return err
		}
		_, err = vault.NewCertAuthBackendRole(ctx, "certCertAuthBackendRole", &vault.CertAuthBackendRoleArgs{
			Certificate: readFileOrPanic("/path/to/certs/ca-cert.pem"),
			Backend:     certAuthBackend.Path,
			AllowedNames: pulumi.StringArray{
				pulumi.String("foo.example.org"),
				pulumi.String("baz.example.org"),
			},
			TokenTtl:    pulumi.Int(300),
			TokenMaxTtl: pulumi.Int(600),
			TokenPolicies: pulumi.StringArray{
				pulumi.String("foo"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.CertAuthBackendRole;
import com.pulumi.vault.CertAuthBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var certAuthBackend = new AuthBackend("certAuthBackend", AuthBackendArgs.builder()        
            .path("cert")
            .type("cert")
            .build());

        var certCertAuthBackendRole = new CertAuthBackendRole("certCertAuthBackendRole", CertAuthBackendRoleArgs.builder()        
            .certificate(Files.readString(Paths.get("/path/to/certs/ca-cert.pem")))
            .backend(certAuthBackend.path())
            .allowedNames(            
                "foo.example.org",
                "baz.example.org")
            .tokenTtl(300)
            .tokenMaxTtl(600)
            .tokenPolicies("foo")
            .build());

    }
}

import pulumi
import pulumi_vault as vault

cert_auth_backend = vault.AuthBackend("certAuthBackend",
    path="cert",
    type="cert")
cert_cert_auth_backend_role = vault.CertAuthBackendRole("certCertAuthBackendRole",
    certificate=(lambda path: open(path).read())("/path/to/certs/ca-cert.pem"),
    backend=cert_auth_backend.path,
    allowed_names=[
        "foo.example.org",
        "baz.example.org",
    ],
    token_ttl=300,
    token_max_ttl=600,
    token_policies=["foo"])

import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as vault from "@pulumi/vault";

const certAuthBackend = new vault.AuthBackend("certAuthBackend", {
    path: "cert",
    type: "cert",
});
const certCertAuthBackendRole = new vault.CertAuthBackendRole("certCertAuthBackendRole", {
    certificate: fs.readFileSync("/path/to/certs/ca-cert.pem"),
    backend: certAuthBackend.path,
    allowedNames: [
        "foo.example.org",
        "baz.example.org",
    ],
    tokenTtl: 300,
    tokenMaxTtl: 600,
    tokenPolicies: ["foo"],
});

resources:
  certAuthBackend:
    type: vault:AuthBackend
    properties:
      path: cert
      type: cert
  certCertAuthBackendRole:
    type: vault:CertAuthBackendRole
    properties:
      certificate:
        fn::readFile: /path/to/certs/ca-cert.pem
      backend: ${certAuthBackend.path}
      allowedNames:
        - foo.example.org
        - baz.example.org
      tokenTtl: 300
      tokenMaxTtl: 600
      tokenPolicies:
        - foo

Create CertAuthBackendRole Resource

new CertAuthBackendRole(name: string, args: CertAuthBackendRoleArgs, opts?: CustomResourceOptions);

@overload
def CertAuthBackendRole(resource_name: str,
                        opts: Optional[ResourceOptions] = None,
                        allowed_common_names: Optional[Sequence[str]] = None,
                        allowed_dns_sans: Optional[Sequence[str]] = None,
                        allowed_email_sans: Optional[Sequence[str]] = None,
                        allowed_names: Optional[Sequence[str]] = None,
                        allowed_organization_units: Optional[Sequence[str]] = None,
                        allowed_organizational_units: Optional[Sequence[str]] = None,
                        allowed_uri_sans: Optional[Sequence[str]] = None,
                        backend: Optional[str] = None,
                        certificate: Optional[str] = None,
                        display_name: Optional[str] = None,
                        name: Optional[str] = None,
                        namespace: Optional[str] = None,
                        ocsp_ca_certificates: Optional[str] = None,
                        ocsp_enabled: Optional[bool] = None,
                        ocsp_fail_open: Optional[bool] = None,
                        ocsp_query_all_servers: Optional[bool] = None,
                        ocsp_servers_overrides: Optional[Sequence[str]] = None,
                        required_extensions: Optional[Sequence[str]] = None,
                        token_bound_cidrs: Optional[Sequence[str]] = None,
                        token_explicit_max_ttl: Optional[int] = None,
                        token_max_ttl: Optional[int] = None,
                        token_no_default_policy: Optional[bool] = None,
                        token_num_uses: Optional[int] = None,
                        token_period: Optional[int] = None,
                        token_policies: Optional[Sequence[str]] = None,
                        token_ttl: Optional[int] = None,
                        token_type: Optional[str] = None)
@overload
def CertAuthBackendRole(resource_name: str,
                        args: CertAuthBackendRoleArgs,
                        opts: Optional[ResourceOptions] = None)

func NewCertAuthBackendRole(ctx *Context, name string, args CertAuthBackendRoleArgs, opts ...ResourceOption) (*CertAuthBackendRole, error)

public CertAuthBackendRole(string name, CertAuthBackendRoleArgs args, CustomResourceOptions? opts = null)

public CertAuthBackendRole(String name, CertAuthBackendRoleArgs args)
public CertAuthBackendRole(String name, CertAuthBackendRoleArgs args, CustomResourceOptions options)

type: vault:CertAuthBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CertAuthBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args CertAuthBackendRoleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args CertAuthBackendRoleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CertAuthBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args CertAuthBackendRoleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

CertAuthBackendRole Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The CertAuthBackendRole resource accepts the following input properties:

Certificate string

CA certificate used to validate client certificates

AllowedCommonNames List<string>

Allowed the common names for authenticated client certificates

AllowedDnsSans List<string>

Allowed alternative dns names for authenticated client certificates

AllowedEmailSans List<string>

Allowed emails for authenticated client certificates

AllowedNames List<string>

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

AllowedOrganizationUnits List<string>

Deprecated:

Use allowed_organizational_units

AllowedOrganizationalUnits List<string>

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

AllowedUriSans List<string>

Allowed URIs for authenticated client certificates

Backend string

Path to the mounted Cert auth backend

DisplayName string

The name to display on tokens issued under this role.

Name string

Name of the role

Namespace string

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

OcspCaCertificates string

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

OcspEnabled bool

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

OcspFailOpen bool

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

OcspQueryAllServers bool

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

OcspServersOverrides List<string>

: A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.

RequiredExtensions List<string>

TLS extensions required on client certificates

TokenBoundCidrs List<string>

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

TokenExplicitMaxTtl int

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

TokenMaxTtl int

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

TokenNoDefaultPolicy bool

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

TokenNumUses int

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

TokenPeriod int

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.

TokenPolicies List<string>

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

TokenTtl int

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

TokenType string

The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

For more details on the usage of each argument consult the Vault Cert API documentation.

Certificate string

CA certificate used to validate client certificates

AllowedCommonNames []string

Allowed the common names for authenticated client certificates

AllowedDnsSans []string

Allowed alternative dns names for authenticated client certificates

AllowedEmailSans []string

Allowed emails for authenticated client certificates

AllowedNames []string

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

AllowedOrganizationUnits []string

Deprecated:

Use allowed_organizational_units

AllowedOrganizationalUnits []string

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

AllowedUriSans []string

Allowed URIs for authenticated client certificates

Backend string

Path to the mounted Cert auth backend

DisplayName string

The name to display on tokens issued under this role.

Name string

Name of the role

Namespace string

OcspCaCertificates string

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

OcspEnabled bool

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

OcspFailOpen bool

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

OcspQueryAllServers bool

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

OcspServersOverrides []string

RequiredExtensions []string

TLS extensions required on client certificates

TokenBoundCidrs []string

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

TokenExplicitMaxTtl int

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

TokenMaxTtl int

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

TokenNoDefaultPolicy bool

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

TokenNumUses int

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

TokenPeriod int

TokenPolicies []string

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

TokenTtl int

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

TokenType string

For more details on the usage of each argument consult the Vault Cert API documentation.

certificate String

CA certificate used to validate client certificates

allowedCommonNames List<String>

Allowed the common names for authenticated client certificates

allowedDnsSans List<String>

Allowed alternative dns names for authenticated client certificates

allowedEmailSans List<String>

Allowed emails for authenticated client certificates

allowedNames List<String>

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

allowedOrganizationUnits List<String>

Deprecated:

Use allowed_organizational_units

allowedOrganizationalUnits List<String>

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

allowedUriSans List<String>

Allowed URIs for authenticated client certificates

backend String

Path to the mounted Cert auth backend

displayName String

The name to display on tokens issued under this role.

name String

Name of the role

namespace String

ocspCaCertificates String

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

ocspEnabled Boolean

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

ocspFailOpen Boolean

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

ocspQueryAllServers Boolean

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

ocspServersOverrides List<String>

requiredExtensions List<String>

TLS extensions required on client certificates

tokenBoundCidrs List<String>

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

tokenExplicitMaxTtl Integer

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

tokenMaxTtl Integer

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenNoDefaultPolicy Boolean

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

tokenNumUses Integer

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

tokenPeriod Integer

tokenPolicies List<String>

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

tokenTtl Integer

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenType String

For more details on the usage of each argument consult the Vault Cert API documentation.

certificate string

CA certificate used to validate client certificates

allowedCommonNames string[]

Allowed the common names for authenticated client certificates

allowedDnsSans string[]

Allowed alternative dns names for authenticated client certificates

allowedEmailSans string[]

Allowed emails for authenticated client certificates

allowedNames string[]

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

allowedOrganizationUnits string[]

Deprecated:

Use allowed_organizational_units

allowedOrganizationalUnits string[]

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

allowedUriSans string[]

Allowed URIs for authenticated client certificates

backend string

Path to the mounted Cert auth backend

displayName string

The name to display on tokens issued under this role.

name string

Name of the role

namespace string

ocspCaCertificates string

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

ocspEnabled boolean

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

ocspFailOpen boolean

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

ocspQueryAllServers boolean

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

ocspServersOverrides string[]

requiredExtensions string[]

TLS extensions required on client certificates

tokenBoundCidrs string[]

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

tokenExplicitMaxTtl number

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

tokenMaxTtl number

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenNoDefaultPolicy boolean

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

tokenNumUses number

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

tokenPeriod number

tokenPolicies string[]

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

tokenTtl number

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenType string

For more details on the usage of each argument consult the Vault Cert API documentation.

certificate str

CA certificate used to validate client certificates

allowed_common_names Sequence[str]

Allowed the common names for authenticated client certificates

allowed_dns_sans Sequence[str]

Allowed alternative dns names for authenticated client certificates

allowed_email_sans Sequence[str]

Allowed emails for authenticated client certificates

allowed_names Sequence[str]

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

allowed_organization_units Sequence[str]

Deprecated:

Use allowed_organizational_units

allowed_organizational_units Sequence[str]

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

allowed_uri_sans Sequence[str]

Allowed URIs for authenticated client certificates

backend str

Path to the mounted Cert auth backend

display_name str

The name to display on tokens issued under this role.

name str

Name of the role

namespace str

ocsp_ca_certificates str

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

ocsp_enabled bool

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

ocsp_fail_open bool

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

ocsp_query_all_servers bool

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

ocsp_servers_overrides Sequence[str]

required_extensions Sequence[str]

TLS extensions required on client certificates

token_bound_cidrs Sequence[str]

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

token_explicit_max_ttl int

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

token_max_ttl int

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_no_default_policy bool

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

token_num_uses int

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

token_period int

token_policies Sequence[str]

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

token_ttl int

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_type str

For more details on the usage of each argument consult the Vault Cert API documentation.

certificate String

CA certificate used to validate client certificates

allowedCommonNames List<String>

Allowed the common names for authenticated client certificates

allowedDnsSans List<String>

Allowed alternative dns names for authenticated client certificates

allowedEmailSans List<String>

Allowed emails for authenticated client certificates

allowedNames List<String>

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

allowedOrganizationUnits List<String>

Deprecated:

Use allowed_organizational_units

allowedOrganizationalUnits List<String>

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

allowedUriSans List<String>

Allowed URIs for authenticated client certificates

backend String

Path to the mounted Cert auth backend

displayName String

The name to display on tokens issued under this role.

name String

Name of the role

namespace String

ocspCaCertificates String

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

ocspEnabled Boolean

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

ocspFailOpen Boolean

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

ocspQueryAllServers Boolean

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

ocspServersOverrides List<String>

requiredExtensions List<String>

TLS extensions required on client certificates

tokenBoundCidrs List<String>

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

tokenExplicitMaxTtl Number

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

tokenMaxTtl Number

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenNoDefaultPolicy Boolean

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

tokenNumUses Number

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

tokenPeriod Number

tokenPolicies List<String>

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

tokenTtl Number

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenType String

For more details on the usage of each argument consult the Vault Cert API documentation.

Outputs

All input properties are implicitly available as output properties. Additionally, the CertAuthBackendRole resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing CertAuthBackendRole Resource

Get an existing CertAuthBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CertAuthBackendRoleState, opts?: CustomResourceOptions): CertAuthBackendRole

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allowed_common_names: Optional[Sequence[str]] = None,
        allowed_dns_sans: Optional[Sequence[str]] = None,
        allowed_email_sans: Optional[Sequence[str]] = None,
        allowed_names: Optional[Sequence[str]] = None,
        allowed_organization_units: Optional[Sequence[str]] = None,
        allowed_organizational_units: Optional[Sequence[str]] = None,
        allowed_uri_sans: Optional[Sequence[str]] = None,
        backend: Optional[str] = None,
        certificate: Optional[str] = None,
        display_name: Optional[str] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        ocsp_ca_certificates: Optional[str] = None,
        ocsp_enabled: Optional[bool] = None,
        ocsp_fail_open: Optional[bool] = None,
        ocsp_query_all_servers: Optional[bool] = None,
        ocsp_servers_overrides: Optional[Sequence[str]] = None,
        required_extensions: Optional[Sequence[str]] = None,
        token_bound_cidrs: Optional[Sequence[str]] = None,
        token_explicit_max_ttl: Optional[int] = None,
        token_max_ttl: Optional[int] = None,
        token_no_default_policy: Optional[bool] = None,
        token_num_uses: Optional[int] = None,
        token_period: Optional[int] = None,
        token_policies: Optional[Sequence[str]] = None,
        token_ttl: Optional[int] = None,
        token_type: Optional[str] = None) -> CertAuthBackendRole

func GetCertAuthBackendRole(ctx *Context, name string, id IDInput, state *CertAuthBackendRoleState, opts ...ResourceOption) (*CertAuthBackendRole, error)

public static CertAuthBackendRole Get(string name, Input<string> id, CertAuthBackendRoleState? state, CustomResourceOptions? opts = null)

public static CertAuthBackendRole get(String name, Output<String> id, CertAuthBackendRoleState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowedCommonNames List<string>

Allowed the common names for authenticated client certificates

AllowedDnsSans List<string>

Allowed alternative dns names for authenticated client certificates

AllowedEmailSans List<string>

Allowed emails for authenticated client certificates

AllowedNames List<string>

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

AllowedOrganizationUnits List<string>

Deprecated:

Use allowed_organizational_units

AllowedOrganizationalUnits List<string>

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

AllowedUriSans List<string>

Allowed URIs for authenticated client certificates

Backend string

Path to the mounted Cert auth backend

Certificate string

CA certificate used to validate client certificates

DisplayName string

The name to display on tokens issued under this role.

Name string

Name of the role

Namespace string

OcspCaCertificates string

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

OcspEnabled bool

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

OcspFailOpen bool

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

OcspQueryAllServers bool

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

OcspServersOverrides List<string>

RequiredExtensions List<string>

TLS extensions required on client certificates

TokenBoundCidrs List<string>

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

TokenExplicitMaxTtl int

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

TokenMaxTtl int

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

TokenNoDefaultPolicy bool

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

TokenNumUses int

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

TokenPeriod int

TokenPolicies List<string>

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

TokenTtl int

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

TokenType string

For more details on the usage of each argument consult the Vault Cert API documentation.

AllowedCommonNames []string

Allowed the common names for authenticated client certificates

AllowedDnsSans []string

Allowed alternative dns names for authenticated client certificates

AllowedEmailSans []string

Allowed emails for authenticated client certificates

AllowedNames []string

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

AllowedOrganizationUnits []string

Deprecated:

Use allowed_organizational_units

AllowedOrganizationalUnits []string

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

AllowedUriSans []string

Allowed URIs for authenticated client certificates

Backend string

Path to the mounted Cert auth backend

Certificate string

CA certificate used to validate client certificates

DisplayName string

The name to display on tokens issued under this role.

Name string

Name of the role

Namespace string

OcspCaCertificates string

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

OcspEnabled bool

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

OcspFailOpen bool

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

OcspQueryAllServers bool

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

OcspServersOverrides []string

RequiredExtensions []string

TLS extensions required on client certificates

TokenBoundCidrs []string

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

TokenExplicitMaxTtl int

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

TokenMaxTtl int

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

TokenNoDefaultPolicy bool

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

TokenNumUses int

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

TokenPeriod int

TokenPolicies []string

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

TokenTtl int

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

TokenType string

For more details on the usage of each argument consult the Vault Cert API documentation.

allowedCommonNames List<String>

Allowed the common names for authenticated client certificates

allowedDnsSans List<String>

Allowed alternative dns names for authenticated client certificates

allowedEmailSans List<String>

Allowed emails for authenticated client certificates

allowedNames List<String>

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

allowedOrganizationUnits List<String>

Deprecated:

Use allowed_organizational_units

allowedOrganizationalUnits List<String>

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

allowedUriSans List<String>

Allowed URIs for authenticated client certificates

backend String

Path to the mounted Cert auth backend

certificate String

CA certificate used to validate client certificates

displayName String

The name to display on tokens issued under this role.

name String

Name of the role

namespace String

ocspCaCertificates String

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

ocspEnabled Boolean

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

ocspFailOpen Boolean

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

ocspQueryAllServers Boolean

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

ocspServersOverrides List<String>

requiredExtensions List<String>

TLS extensions required on client certificates

tokenBoundCidrs List<String>

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

tokenExplicitMaxTtl Integer

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

tokenMaxTtl Integer

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenNoDefaultPolicy Boolean

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

tokenNumUses Integer

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

tokenPeriod Integer

tokenPolicies List<String>

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

tokenTtl Integer

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenType String

For more details on the usage of each argument consult the Vault Cert API documentation.

allowedCommonNames string[]

Allowed the common names for authenticated client certificates

allowedDnsSans string[]

Allowed alternative dns names for authenticated client certificates

allowedEmailSans string[]

Allowed emails for authenticated client certificates

allowedNames string[]

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

allowedOrganizationUnits string[]

Deprecated:

Use allowed_organizational_units

allowedOrganizationalUnits string[]

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

allowedUriSans string[]

Allowed URIs for authenticated client certificates

backend string

Path to the mounted Cert auth backend

certificate string

CA certificate used to validate client certificates

displayName string

The name to display on tokens issued under this role.

name string

Name of the role

namespace string

ocspCaCertificates string

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

ocspEnabled boolean

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

ocspFailOpen boolean

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

ocspQueryAllServers boolean

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

ocspServersOverrides string[]

requiredExtensions string[]

TLS extensions required on client certificates

tokenBoundCidrs string[]

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

tokenExplicitMaxTtl number

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

tokenMaxTtl number

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenNoDefaultPolicy boolean

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

tokenNumUses number

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

tokenPeriod number

tokenPolicies string[]

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

tokenTtl number

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenType string

For more details on the usage of each argument consult the Vault Cert API documentation.

allowed_common_names Sequence[str]

Allowed the common names for authenticated client certificates

allowed_dns_sans Sequence[str]

Allowed alternative dns names for authenticated client certificates

allowed_email_sans Sequence[str]

Allowed emails for authenticated client certificates

allowed_names Sequence[str]

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

allowed_organization_units Sequence[str]

Deprecated:

Use allowed_organizational_units

allowed_organizational_units Sequence[str]

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

allowed_uri_sans Sequence[str]

Allowed URIs for authenticated client certificates

backend str

Path to the mounted Cert auth backend

certificate str

CA certificate used to validate client certificates

display_name str

The name to display on tokens issued under this role.

name str

Name of the role

namespace str

ocsp_ca_certificates str

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

ocsp_enabled bool

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

ocsp_fail_open bool

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

ocsp_query_all_servers bool

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

ocsp_servers_overrides Sequence[str]

required_extensions Sequence[str]

TLS extensions required on client certificates

token_bound_cidrs Sequence[str]

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

token_explicit_max_ttl int

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

token_max_ttl int

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_no_default_policy bool

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

token_num_uses int

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

token_period int

token_policies Sequence[str]

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

token_ttl int

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_type str

For more details on the usage of each argument consult the Vault Cert API documentation.

allowedCommonNames List<String>

Allowed the common names for authenticated client certificates

allowedDnsSans List<String>

Allowed alternative dns names for authenticated client certificates

allowedEmailSans List<String>

Allowed emails for authenticated client certificates

allowedNames List<String>

DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates

allowedOrganizationUnits List<String>

Deprecated:

Use allowed_organizational_units

allowedOrganizationalUnits List<String>

Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named allowed_organization_units, please update accordingly

allowedUriSans List<String>

Allowed URIs for authenticated client certificates

backend String

Path to the mounted Cert auth backend

certificate String

CA certificate used to validate client certificates

displayName String

The name to display on tokens issued under this role.

name String

Name of the role

namespace String

ocspCaCertificates String

Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.

ocspEnabled Boolean

If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.

ocspFailOpen Boolean

If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.

ocspQueryAllServers Boolean

If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.

ocspServersOverrides List<String>

requiredExtensions List<String>

TLS extensions required on client certificates

tokenBoundCidrs List<String>

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

tokenExplicitMaxTtl Number

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

tokenMaxTtl Number

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenNoDefaultPolicy Boolean

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

tokenNumUses Number

The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.

tokenPeriod Number

tokenPolicies List<String>

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

tokenTtl Number

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

tokenType String

For more details on the usage of each argument consult the Vault Cert API documentation.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v5.17.0 published on Thursday, Nov 9, 2023 by Pulumi

pulumi/pulumi-vault

vault.CertAuthBackendRole

On this page

On this page

Example Usage

Create CertAuthBackendRole Resource

CertAuthBackendRole Resource Properties

Inputs

Outputs

Look up Existing CertAuthBackendRole Resource

Package Details

On this page

On this page