vault.CertAuthBackendRole
Explore with Pulumi AI
Provides a resource to create a role in an Cert auth backend within Vault.
Example Usage
using System.Collections.Generic;
using System.IO;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var certAuthBackend = new Vault.AuthBackend("certAuthBackend", new()
{
Path = "cert",
Type = "cert",
});
var certCertAuthBackendRole = new Vault.CertAuthBackendRole("certCertAuthBackendRole", new()
{
Certificate = File.ReadAllText("/path/to/certs/ca-cert.pem"),
Backend = certAuthBackend.Path,
AllowedNames = new[]
{
"foo.example.org",
"baz.example.org",
},
TokenTtl = 300,
TokenMaxTtl = 600,
TokenPolicies = new[]
{
"foo",
},
});
});
package main
import (
"io/ioutil"
"github.com/pulumi/pulumi-vault/sdk/v5/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func readFileOrPanic(path string) pulumi.StringPtrInput {
data, err := ioutil.ReadFile(path)
if err != nil {
panic(err.Error())
}
return pulumi.String(string(data))
}
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
certAuthBackend, err := vault.NewAuthBackend(ctx, "certAuthBackend", &vault.AuthBackendArgs{
Path: pulumi.String("cert"),
Type: pulumi.String("cert"),
})
if err != nil {
return err
}
_, err = vault.NewCertAuthBackendRole(ctx, "certCertAuthBackendRole", &vault.CertAuthBackendRoleArgs{
Certificate: readFileOrPanic("/path/to/certs/ca-cert.pem"),
Backend: certAuthBackend.Path,
AllowedNames: pulumi.StringArray{
pulumi.String("foo.example.org"),
pulumi.String("baz.example.org"),
},
TokenTtl: pulumi.Int(300),
TokenMaxTtl: pulumi.Int(600),
TokenPolicies: pulumi.StringArray{
pulumi.String("foo"),
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.CertAuthBackendRole;
import com.pulumi.vault.CertAuthBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var certAuthBackend = new AuthBackend("certAuthBackend", AuthBackendArgs.builder()
.path("cert")
.type("cert")
.build());
var certCertAuthBackendRole = new CertAuthBackendRole("certCertAuthBackendRole", CertAuthBackendRoleArgs.builder()
.certificate(Files.readString(Paths.get("/path/to/certs/ca-cert.pem")))
.backend(certAuthBackend.path())
.allowedNames(
"foo.example.org",
"baz.example.org")
.tokenTtl(300)
.tokenMaxTtl(600)
.tokenPolicies("foo")
.build());
}
}
import pulumi
import pulumi_vault as vault
cert_auth_backend = vault.AuthBackend("certAuthBackend",
path="cert",
type="cert")
cert_cert_auth_backend_role = vault.CertAuthBackendRole("certCertAuthBackendRole",
certificate=(lambda path: open(path).read())("/path/to/certs/ca-cert.pem"),
backend=cert_auth_backend.path,
allowed_names=[
"foo.example.org",
"baz.example.org",
],
token_ttl=300,
token_max_ttl=600,
token_policies=["foo"])
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as vault from "@pulumi/vault";
const certAuthBackend = new vault.AuthBackend("certAuthBackend", {
path: "cert",
type: "cert",
});
const certCertAuthBackendRole = new vault.CertAuthBackendRole("certCertAuthBackendRole", {
certificate: fs.readFileSync("/path/to/certs/ca-cert.pem"),
backend: certAuthBackend.path,
allowedNames: [
"foo.example.org",
"baz.example.org",
],
tokenTtl: 300,
tokenMaxTtl: 600,
tokenPolicies: ["foo"],
});
Coming soon!
Create CertAuthBackendRole Resource
new CertAuthBackendRole(name: string, args: CertAuthBackendRoleArgs, opts?: CustomResourceOptions);
@overload
def CertAuthBackendRole(resource_name: str,
opts: Optional[ResourceOptions] = None,
allowed_common_names: Optional[Sequence[str]] = None,
allowed_dns_sans: Optional[Sequence[str]] = None,
allowed_email_sans: Optional[Sequence[str]] = None,
allowed_names: Optional[Sequence[str]] = None,
allowed_organization_units: Optional[Sequence[str]] = None,
allowed_organizational_units: Optional[Sequence[str]] = None,
allowed_uri_sans: Optional[Sequence[str]] = None,
backend: Optional[str] = None,
certificate: Optional[str] = None,
display_name: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
required_extensions: Optional[Sequence[str]] = None,
token_bound_cidrs: Optional[Sequence[str]] = None,
token_explicit_max_ttl: Optional[int] = None,
token_max_ttl: Optional[int] = None,
token_no_default_policy: Optional[bool] = None,
token_num_uses: Optional[int] = None,
token_period: Optional[int] = None,
token_policies: Optional[Sequence[str]] = None,
token_ttl: Optional[int] = None,
token_type: Optional[str] = None)
@overload
def CertAuthBackendRole(resource_name: str,
args: CertAuthBackendRoleArgs,
opts: Optional[ResourceOptions] = None)
func NewCertAuthBackendRole(ctx *Context, name string, args CertAuthBackendRoleArgs, opts ...ResourceOption) (*CertAuthBackendRole, error)
public CertAuthBackendRole(string name, CertAuthBackendRoleArgs args, CustomResourceOptions? opts = null)
public CertAuthBackendRole(String name, CertAuthBackendRoleArgs args)
public CertAuthBackendRole(String name, CertAuthBackendRoleArgs args, CustomResourceOptions options)
type: vault:CertAuthBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CertAuthBackendRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
CertAuthBackendRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The CertAuthBackendRole resource accepts the following input properties:
- Certificate string
CA certificate used to validate client certificates
- Allowed
Common List<string>Names Allowed the common names for authenticated client certificates
- Allowed
Dns List<string>Sans Allowed alternative dns names for authenticated client certificates
- Allowed
Email List<string>Sans Allowed emails for authenticated client certificates
- Allowed
Names List<string> Allowed subject names for authenticated client certificates
- Allowed
Organization List<string>Units Use allowed_organizational_units
- Allowed
Organizational List<string>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- Allowed
Uri List<string>Sans Allowed URIs for authenticated client certificates
- Backend string
Path to the mounted Cert auth backend
- Display
Name string The name to display on tokens issued under this role.
- Name string
Name of the role
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- Required
Extensions List<string> TLS extensions required on client certificates
- Token
Bound List<string>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- Token
Max intTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies List<string> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
- Certificate string
CA certificate used to validate client certificates
- Allowed
Common []stringNames Allowed the common names for authenticated client certificates
- Allowed
Dns []stringSans Allowed alternative dns names for authenticated client certificates
- Allowed
Email []stringSans Allowed emails for authenticated client certificates
- Allowed
Names []string Allowed subject names for authenticated client certificates
- Allowed
Organization []stringUnits Use allowed_organizational_units
- Allowed
Organizational []stringUnits Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- Allowed
Uri []stringSans Allowed URIs for authenticated client certificates
- Backend string
Path to the mounted Cert auth backend
- Display
Name string The name to display on tokens issued under this role.
- Name string
Name of the role
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- Required
Extensions []string TLS extensions required on client certificates
- Token
Bound []stringCidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- Token
Max intTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies []string List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
- certificate String
CA certificate used to validate client certificates
- allowed
Common List<String>Names Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans Allowed emails for authenticated client certificates
- allowed
Names List<String> Allowed subject names for authenticated client certificates
- allowed
Organization List<String>Units Use allowed_organizational_units
- allowed
Organizational List<String>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri List<String>Sans Allowed URIs for authenticated client certificates
- backend String
Path to the mounted Cert auth backend
- display
Name String The name to display on tokens issued under this role.
- name String
Name of the role
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- required
Extensions List<String> TLS extensions required on client certificates
- token
Bound List<String>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit IntegerMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max IntegerTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num IntegerUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Integer If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Integer The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
- certificate string
CA certificate used to validate client certificates
- allowed
Common string[]Names Allowed the common names for authenticated client certificates
- allowed
Dns string[]Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email string[]Sans Allowed emails for authenticated client certificates
- allowed
Names string[] Allowed subject names for authenticated client certificates
- allowed
Organization string[]Units Use allowed_organizational_units
- allowed
Organizational string[]Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri string[]Sans Allowed URIs for authenticated client certificates
- backend string
Path to the mounted Cert auth backend
- display
Name string The name to display on tokens issued under this role.
- name string
Name of the role
- namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- required
Extensions string[] TLS extensions required on client certificates
- token
Bound string[]Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit numberMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max numberTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No booleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num numberUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period number If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies string[] List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl number The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
- certificate str
CA certificate used to validate client certificates
- allowed_
common_ Sequence[str]names Allowed the common names for authenticated client certificates
- allowed_
dns_ Sequence[str]sans Allowed alternative dns names for authenticated client certificates
- allowed_
email_ Sequence[str]sans Allowed emails for authenticated client certificates
- allowed_
names Sequence[str] Allowed subject names for authenticated client certificates
- allowed_
organization_ Sequence[str]units Use allowed_organizational_units
- allowed_
organizational_ Sequence[str]units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed_
uri_ Sequence[str]sans Allowed URIs for authenticated client certificates
- backend str
Path to the mounted Cert auth backend
- display_
name str The name to display on tokens issued under this role.
- name str
Name of the role
- namespace str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- required_
extensions Sequence[str] TLS extensions required on client certificates
- token_
bound_ Sequence[str]cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token_
explicit_ intmax_ ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token_
max_ intttl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
no_ booldefault_ policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token_
num_ intuses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token_
period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token_
policies Sequence[str] List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token_
ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
type str The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
- certificate String
CA certificate used to validate client certificates
- allowed
Common List<String>Names Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans Allowed emails for authenticated client certificates
- allowed
Names List<String> Allowed subject names for authenticated client certificates
- allowed
Organization List<String>Units Use allowed_organizational_units
- allowed
Organizational List<String>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri List<String>Sans Allowed URIs for authenticated client certificates
- backend String
Path to the mounted Cert auth backend
- display
Name String The name to display on tokens issued under this role.
- name String
Name of the role
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- required
Extensions List<String> TLS extensions required on client certificates
- token
Bound List<String>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit NumberMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max NumberTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num NumberUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Number If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Number The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
Outputs
All input properties are implicitly available as output properties. Additionally, the CertAuthBackendRole resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Id string
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
- id string
The provider-assigned unique ID for this managed resource.
- id str
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
Look up Existing CertAuthBackendRole Resource
Get an existing CertAuthBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CertAuthBackendRoleState, opts?: CustomResourceOptions): CertAuthBackendRole
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allowed_common_names: Optional[Sequence[str]] = None,
allowed_dns_sans: Optional[Sequence[str]] = None,
allowed_email_sans: Optional[Sequence[str]] = None,
allowed_names: Optional[Sequence[str]] = None,
allowed_organization_units: Optional[Sequence[str]] = None,
allowed_organizational_units: Optional[Sequence[str]] = None,
allowed_uri_sans: Optional[Sequence[str]] = None,
backend: Optional[str] = None,
certificate: Optional[str] = None,
display_name: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
required_extensions: Optional[Sequence[str]] = None,
token_bound_cidrs: Optional[Sequence[str]] = None,
token_explicit_max_ttl: Optional[int] = None,
token_max_ttl: Optional[int] = None,
token_no_default_policy: Optional[bool] = None,
token_num_uses: Optional[int] = None,
token_period: Optional[int] = None,
token_policies: Optional[Sequence[str]] = None,
token_ttl: Optional[int] = None,
token_type: Optional[str] = None) -> CertAuthBackendRole
func GetCertAuthBackendRole(ctx *Context, name string, id IDInput, state *CertAuthBackendRoleState, opts ...ResourceOption) (*CertAuthBackendRole, error)
public static CertAuthBackendRole Get(string name, Input<string> id, CertAuthBackendRoleState? state, CustomResourceOptions? opts = null)
public static CertAuthBackendRole get(String name, Output<String> id, CertAuthBackendRoleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Allowed
Common List<string>Names Allowed the common names for authenticated client certificates
- Allowed
Dns List<string>Sans Allowed alternative dns names for authenticated client certificates
- Allowed
Email List<string>Sans Allowed emails for authenticated client certificates
- Allowed
Names List<string> Allowed subject names for authenticated client certificates
- Allowed
Organization List<string>Units Use allowed_organizational_units
- Allowed
Organizational List<string>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- Allowed
Uri List<string>Sans Allowed URIs for authenticated client certificates
- Backend string
Path to the mounted Cert auth backend
- Certificate string
CA certificate used to validate client certificates
- Display
Name string The name to display on tokens issued under this role.
- Name string
Name of the role
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- Required
Extensions List<string> TLS extensions required on client certificates
- Token
Bound List<string>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- Token
Max intTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies List<string> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
- Allowed
Common []stringNames Allowed the common names for authenticated client certificates
- Allowed
Dns []stringSans Allowed alternative dns names for authenticated client certificates
- Allowed
Email []stringSans Allowed emails for authenticated client certificates
- Allowed
Names []string Allowed subject names for authenticated client certificates
- Allowed
Organization []stringUnits Use allowed_organizational_units
- Allowed
Organizational []stringUnits Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- Allowed
Uri []stringSans Allowed URIs for authenticated client certificates
- Backend string
Path to the mounted Cert auth backend
- Certificate string
CA certificate used to validate client certificates
- Display
Name string The name to display on tokens issued under this role.
- Name string
Name of the role
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- Required
Extensions []string TLS extensions required on client certificates
- Token
Bound []stringCidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- Token
Explicit intMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- Token
Max intTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
No boolDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- Token
Num intUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- Token
Period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- Token
Policies []string List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- Token
Ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- Token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
- allowed
Common List<String>Names Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans Allowed emails for authenticated client certificates
- allowed
Names List<String> Allowed subject names for authenticated client certificates
- allowed
Organization List<String>Units Use allowed_organizational_units
- allowed
Organizational List<String>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri List<String>Sans Allowed URIs for authenticated client certificates
- backend String
Path to the mounted Cert auth backend
- certificate String
CA certificate used to validate client certificates
- display
Name String The name to display on tokens issued under this role.
- name String
Name of the role
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- required
Extensions List<String> TLS extensions required on client certificates
- token
Bound List<String>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit IntegerMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max IntegerTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num IntegerUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Integer If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Integer The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
- allowed
Common string[]Names Allowed the common names for authenticated client certificates
- allowed
Dns string[]Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email string[]Sans Allowed emails for authenticated client certificates
- allowed
Names string[] Allowed subject names for authenticated client certificates
- allowed
Organization string[]Units Use allowed_organizational_units
- allowed
Organizational string[]Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri string[]Sans Allowed URIs for authenticated client certificates
- backend string
Path to the mounted Cert auth backend
- certificate string
CA certificate used to validate client certificates
- display
Name string The name to display on tokens issued under this role.
- name string
Name of the role
- namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- required
Extensions string[] TLS extensions required on client certificates
- token
Bound string[]Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit numberMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max numberTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No booleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num numberUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period number If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies string[] List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl number The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type string The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
- allowed_
common_ Sequence[str]names Allowed the common names for authenticated client certificates
- allowed_
dns_ Sequence[str]sans Allowed alternative dns names for authenticated client certificates
- allowed_
email_ Sequence[str]sans Allowed emails for authenticated client certificates
- allowed_
names Sequence[str] Allowed subject names for authenticated client certificates
- allowed_
organization_ Sequence[str]units Use allowed_organizational_units
- allowed_
organizational_ Sequence[str]units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed_
uri_ Sequence[str]sans Allowed URIs for authenticated client certificates
- backend str
Path to the mounted Cert auth backend
- certificate str
CA certificate used to validate client certificates
- display_
name str The name to display on tokens issued under this role.
- name str
Name of the role
- namespace str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- required_
extensions Sequence[str] TLS extensions required on client certificates
- token_
bound_ Sequence[str]cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token_
explicit_ intmax_ ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token_
max_ intttl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
no_ booldefault_ policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token_
num_ intuses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token_
period int If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token_
policies Sequence[str] List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token_
ttl int The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token_
type str The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
- allowed
Common List<String>Names Allowed the common names for authenticated client certificates
- allowed
Dns List<String>Sans Allowed alternative dns names for authenticated client certificates
- allowed
Email List<String>Sans Allowed emails for authenticated client certificates
- allowed
Names List<String> Allowed subject names for authenticated client certificates
- allowed
Organization List<String>Units Use allowed_organizational_units
- allowed
Organizational List<String>Units Allowed organization units for authenticated client certificates. In previous provider releases this field was incorrectly named
allowed_organization_units
, please update accordingly- allowed
Uri List<String>Sans Allowed URIs for authenticated client certificates
- backend String
Path to the mounted Cert auth backend
- certificate String
CA certificate used to validate client certificates
- display
Name String The name to display on tokens issued under this role.
- name String
Name of the role
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise.- required
Extensions List<String> TLS extensions required on client certificates
- token
Bound List<String>Cidrs List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
- token
Explicit NumberMax Ttl If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if
token_ttl
andtoken_max_ttl
would otherwise allow a renewal.- token
Max NumberTtl The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
No BooleanDefault Policy If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
- token
Num NumberUses The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited.
- token
Period Number If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
- token
Policies List<String> List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
- token
Ttl Number The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
- token
Type String The type of token that should be generated. Can be
service
,batch
, ordefault
to use the mount's tuned default (which unless changed will beservice
tokens). For token store roles, there are two additional possibilities:default-service
anddefault-batch
which specify the type to return unless the client requests a different type at generation time.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
vault
Terraform Provider.