HashiCorp Vault v6.1.0, Apr 4 24

HashiCorp Vault v6.1.0 published on Thursday, Apr 4, 2024 by Pulumi

vault.managed.Keys

Explore with Pulumi AI

HashiCorp Vault v6.1.0 published on Thursday, Apr 4, 2024 by Pulumi

Create Keys Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Keys(name: string, args?: KeysArgs, opts?: CustomResourceOptions);

@overload
def Keys(resource_name: str,
         args: Optional[KeysArgs] = None,
         opts: Optional[ResourceOptions] = None)

@overload
def Keys(resource_name: str,
         opts: Optional[ResourceOptions] = None,
         aws: Optional[Sequence[KeysAwArgs]] = None,
         azures: Optional[Sequence[KeysAzureArgs]] = None,
         namespace: Optional[str] = None,
         pkcs: Optional[Sequence[KeysPkcArgs]] = None)

func NewKeys(ctx *Context, name string, args *KeysArgs, opts ...ResourceOption) (*Keys, error)

public Keys(string name, KeysArgs? args = null, CustomResourceOptions? opts = null)

public Keys(String name, KeysArgs args)
public Keys(String name, KeysArgs args, CustomResourceOptions options)

type: vault:managed:Keys
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args KeysArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args KeysArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args KeysArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args KeysArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args KeysArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Example

The following reference example uses placeholder values for all input properties.

var keysResource = new Vault.Managed.Keys("keysResource", new()
{
    Aws = new[]
    {
        new Vault.Managed.Inputs.KeysAwArgs
        {
            KeyBits = "string",
            SecretKey = "string",
            Name = "string",
            AccessKey = "string",
            KmsKey = "string",
            KeyType = "string",
            AllowStoreKey = false,
            Endpoint = "string",
            Curve = "string",
            AnyMount = false,
            AllowReplaceKey = false,
            Region = "string",
            AllowGenerateKey = false,
            Uuid = "string",
        },
    },
    Azures = new[]
    {
        new Vault.Managed.Inputs.KeysAzureArgs
        {
            KeyName = "string",
            VaultName = "string",
            TenantId = "string",
            Name = "string",
            ClientId = "string",
            ClientSecret = "string",
            KeyType = "string",
            AnyMount = false,
            KeyBits = "string",
            Environment = "string",
            AllowGenerateKey = false,
            Resource = "string",
            AllowStoreKey = false,
            Uuid = "string",
            AllowReplaceKey = false,
        },
    },
    Namespace = "string",
    Pkcs = new[]
    {
        new Vault.Managed.Inputs.KeysPkcArgs
        {
            Pin = "string",
            Mechanism = "string",
            Name = "string",
            KeyId = "string",
            KeyLabel = "string",
            Library = "string",
            AllowReplaceKey = false,
            KeyBits = "string",
            Curve = "string",
            ForceRwSession = "string",
            AnyMount = false,
            AllowStoreKey = false,
            AllowGenerateKey = false,
            Slot = "string",
            TokenLabel = "string",
            Uuid = "string",
        },
    },
});

example, err := managed.NewKeys(ctx, "keysResource", &managed.KeysArgs{
	Aws: managed.KeysAwArray{
		&managed.KeysAwArgs{
			KeyBits:          pulumi.String("string"),
			SecretKey:        pulumi.String("string"),
			Name:             pulumi.String("string"),
			AccessKey:        pulumi.String("string"),
			KmsKey:           pulumi.String("string"),
			KeyType:          pulumi.String("string"),
			AllowStoreKey:    pulumi.Bool(false),
			Endpoint:         pulumi.String("string"),
			Curve:            pulumi.String("string"),
			AnyMount:         pulumi.Bool(false),
			AllowReplaceKey:  pulumi.Bool(false),
			Region:           pulumi.String("string"),
			AllowGenerateKey: pulumi.Bool(false),
			Uuid:             pulumi.String("string"),
		},
	},
	Azures: managed.KeysAzureArray{
		&managed.KeysAzureArgs{
			KeyName:          pulumi.String("string"),
			VaultName:        pulumi.String("string"),
			TenantId:         pulumi.String("string"),
			Name:             pulumi.String("string"),
			ClientId:         pulumi.String("string"),
			ClientSecret:     pulumi.String("string"),
			KeyType:          pulumi.String("string"),
			AnyMount:         pulumi.Bool(false),
			KeyBits:          pulumi.String("string"),
			Environment:      pulumi.String("string"),
			AllowGenerateKey: pulumi.Bool(false),
			Resource:         pulumi.String("string"),
			AllowStoreKey:    pulumi.Bool(false),
			Uuid:             pulumi.String("string"),
			AllowReplaceKey:  pulumi.Bool(false),
		},
	},
	Namespace: pulumi.String("string"),
	Pkcs: managed.KeysPkcArray{
		&managed.KeysPkcArgs{
			Pin:              pulumi.String("string"),
			Mechanism:        pulumi.String("string"),
			Name:             pulumi.String("string"),
			KeyId:            pulumi.String("string"),
			KeyLabel:         pulumi.String("string"),
			Library:          pulumi.String("string"),
			AllowReplaceKey:  pulumi.Bool(false),
			KeyBits:          pulumi.String("string"),
			Curve:            pulumi.String("string"),
			ForceRwSession:   pulumi.String("string"),
			AnyMount:         pulumi.Bool(false),
			AllowStoreKey:    pulumi.Bool(false),
			AllowGenerateKey: pulumi.Bool(false),
			Slot:             pulumi.String("string"),
			TokenLabel:       pulumi.String("string"),
			Uuid:             pulumi.String("string"),
		},
	},
})

var keysResource = new Keys("keysResource", KeysArgs.builder()        
    .aws(KeysAwArgs.builder()
        .keyBits("string")
        .secretKey("string")
        .name("string")
        .accessKey("string")
        .kmsKey("string")
        .keyType("string")
        .allowStoreKey(false)
        .endpoint("string")
        .curve("string")
        .anyMount(false)
        .allowReplaceKey(false)
        .region("string")
        .allowGenerateKey(false)
        .uuid("string")
        .build())
    .azures(KeysAzureArgs.builder()
        .keyName("string")
        .vaultName("string")
        .tenantId("string")
        .name("string")
        .clientId("string")
        .clientSecret("string")
        .keyType("string")
        .anyMount(false)
        .keyBits("string")
        .environment("string")
        .allowGenerateKey(false)
        .resource("string")
        .allowStoreKey(false)
        .uuid("string")
        .allowReplaceKey(false)
        .build())
    .namespace("string")
    .pkcs(KeysPkcArgs.builder()
        .pin("string")
        .mechanism("string")
        .name("string")
        .keyId("string")
        .keyLabel("string")
        .library("string")
        .allowReplaceKey(false)
        .keyBits("string")
        .curve("string")
        .forceRwSession("string")
        .anyMount(false)
        .allowStoreKey(false)
        .allowGenerateKey(false)
        .slot("string")
        .tokenLabel("string")
        .uuid("string")
        .build())
    .build());

keys_resource = vault.managed.Keys("keysResource",
    aws=[vault.managed.KeysAwArgs(
        key_bits="string",
        secret_key="string",
        name="string",
        access_key="string",
        kms_key="string",
        key_type="string",
        allow_store_key=False,
        endpoint="string",
        curve="string",
        any_mount=False,
        allow_replace_key=False,
        region="string",
        allow_generate_key=False,
        uuid="string",
    )],
    azures=[vault.managed.KeysAzureArgs(
        key_name="string",
        vault_name="string",
        tenant_id="string",
        name="string",
        client_id="string",
        client_secret="string",
        key_type="string",
        any_mount=False,
        key_bits="string",
        environment="string",
        allow_generate_key=False,
        resource="string",
        allow_store_key=False,
        uuid="string",
        allow_replace_key=False,
    )],
    namespace="string",
    pkcs=[vault.managed.KeysPkcArgs(
        pin="string",
        mechanism="string",
        name="string",
        key_id="string",
        key_label="string",
        library="string",
        allow_replace_key=False,
        key_bits="string",
        curve="string",
        force_rw_session="string",
        any_mount=False,
        allow_store_key=False,
        allow_generate_key=False,
        slot="string",
        token_label="string",
        uuid="string",
    )])

const keysResource = new vault.managed.Keys("keysResource", {
    aws: [{
        keyBits: "string",
        secretKey: "string",
        name: "string",
        accessKey: "string",
        kmsKey: "string",
        keyType: "string",
        allowStoreKey: false,
        endpoint: "string",
        curve: "string",
        anyMount: false,
        allowReplaceKey: false,
        region: "string",
        allowGenerateKey: false,
        uuid: "string",
    }],
    azures: [{
        keyName: "string",
        vaultName: "string",
        tenantId: "string",
        name: "string",
        clientId: "string",
        clientSecret: "string",
        keyType: "string",
        anyMount: false,
        keyBits: "string",
        environment: "string",
        allowGenerateKey: false,
        resource: "string",
        allowStoreKey: false,
        uuid: "string",
        allowReplaceKey: false,
    }],
    namespace: "string",
    pkcs: [{
        pin: "string",
        mechanism: "string",
        name: "string",
        keyId: "string",
        keyLabel: "string",
        library: "string",
        allowReplaceKey: false,
        keyBits: "string",
        curve: "string",
        forceRwSession: "string",
        anyMount: false,
        allowStoreKey: false,
        allowGenerateKey: false,
        slot: "string",
        tokenLabel: "string",
        uuid: "string",
    }],
});

type: vault:managed:Keys
properties:
    aws:
        - accessKey: string
          allowGenerateKey: false
          allowReplaceKey: false
          allowStoreKey: false
          anyMount: false
          curve: string
          endpoint: string
          keyBits: string
          keyType: string
          kmsKey: string
          name: string
          region: string
          secretKey: string
          uuid: string
    azures:
        - allowGenerateKey: false
          allowReplaceKey: false
          allowStoreKey: false
          anyMount: false
          clientId: string
          clientSecret: string
          environment: string
          keyBits: string
          keyName: string
          keyType: string
          name: string
          resource: string
          tenantId: string
          uuid: string
          vaultName: string
    namespace: string
    pkcs:
        - allowGenerateKey: false
          allowReplaceKey: false
          allowStoreKey: false
          anyMount: false
          curve: string
          forceRwSession: string
          keyBits: string
          keyId: string
          keyLabel: string
          library: string
          mechanism: string
          name: string
          pin: string
          slot: string
          tokenLabel: string
          uuid: string

Keys Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Keys resource accepts the following input properties:

Aws List<KeysAw>: Configuration block for AWS Managed Keys
Azures List<KeysAzure>: Configuration block for Azure Managed Keys
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
Pkcs List<KeysPkc>: Configuration block for PKCS Managed Keys

Aws []KeysAwArgs: Configuration block for AWS Managed Keys
Azures []KeysAzureArgs: Configuration block for Azure Managed Keys
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
Pkcs []KeysPkcArgs: Configuration block for PKCS Managed Keys

aws List<KeysAw>: Configuration block for AWS Managed Keys
azures List<KeysAzure>: Configuration block for Azure Managed Keys
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pkcs List<KeysPkc>: Configuration block for PKCS Managed Keys

aws KeysAw[]: Configuration block for AWS Managed Keys
azures KeysAzure[]: Configuration block for Azure Managed Keys
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pkcs KeysPkc[]: Configuration block for PKCS Managed Keys

aws Sequence[KeysAwArgs]: Configuration block for AWS Managed Keys
azures Sequence[KeysAzureArgs]: Configuration block for Azure Managed Keys
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pkcs Sequence[KeysPkcArgs]: Configuration block for PKCS Managed Keys

aws List<Property Map>: Configuration block for AWS Managed Keys
azures List<Property Map>: Configuration block for Azure Managed Keys
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pkcs List<Property Map>: Configuration block for PKCS Managed Keys

Outputs

All input properties are implicitly available as output properties. Additionally, the Keys resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing Keys Resource

Get an existing Keys resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: KeysState, opts?: CustomResourceOptions): Keys

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        aws: Optional[Sequence[KeysAwArgs]] = None,
        azures: Optional[Sequence[KeysAzureArgs]] = None,
        namespace: Optional[str] = None,
        pkcs: Optional[Sequence[KeysPkcArgs]] = None) -> Keys

func GetKeys(ctx *Context, name string, id IDInput, state *KeysState, opts ...ResourceOption) (*Keys, error)

public static Keys Get(string name, Input<string> id, KeysState? state, CustomResourceOptions? opts = null)

public static Keys get(String name, Output<String> id, KeysState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Aws List<KeysAw>: Configuration block for AWS Managed Keys
Azures List<KeysAzure>: Configuration block for Azure Managed Keys
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
Pkcs List<KeysPkc>: Configuration block for PKCS Managed Keys

Aws []KeysAwArgs: Configuration block for AWS Managed Keys
Azures []KeysAzureArgs: Configuration block for Azure Managed Keys
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
Pkcs []KeysPkcArgs: Configuration block for PKCS Managed Keys

aws List<KeysAw>: Configuration block for AWS Managed Keys
azures List<KeysAzure>: Configuration block for Azure Managed Keys
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pkcs List<KeysPkc>: Configuration block for PKCS Managed Keys

aws KeysAw[]: Configuration block for AWS Managed Keys
azures KeysAzure[]: Configuration block for Azure Managed Keys
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pkcs KeysPkc[]: Configuration block for PKCS Managed Keys

aws Sequence[KeysAwArgs]: Configuration block for AWS Managed Keys
azures Sequence[KeysAzureArgs]: Configuration block for Azure Managed Keys
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pkcs Sequence[KeysPkcArgs]: Configuration block for PKCS Managed Keys

aws List<Property Map>: Configuration block for AWS Managed Keys
azures List<Property Map>: Configuration block for Azure Managed Keys
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pkcs List<Property Map>: Configuration block for PKCS Managed Keys

Supporting Types

KeysAw, KeysAwArgs

AccessKey string: The AWS access key to use.
KeyBits string: The size in bits for an RSA key.
KeyType string: The type of key to use.
KmsKey string: An identifier for the key.
Name string: A unique lowercase name that serves as identifying the key.
SecretKey string: The AWS access key to use.
AllowGenerateKey bool: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
AllowReplaceKey bool: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
AllowStoreKey bool: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
AnyMount bool: If true, allows usage from any mount point within the namespace.
Curve string: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
Endpoint string: Used to specify a custom AWS endpoint.
Region string: The AWS region where the keys are stored (or will be stored).
Uuid string: ID of the managed key read from Vault

AccessKey string: The AWS access key to use.
KeyBits string: The size in bits for an RSA key.
KeyType string: The type of key to use.
KmsKey string: An identifier for the key.
Name string: A unique lowercase name that serves as identifying the key.
SecretKey string: The AWS access key to use.
AllowGenerateKey bool: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
AllowReplaceKey bool: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
AllowStoreKey bool: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
AnyMount bool: If true, allows usage from any mount point within the namespace.
Curve string: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
Endpoint string: Used to specify a custom AWS endpoint.
Region string: The AWS region where the keys are stored (or will be stored).
Uuid string: ID of the managed key read from Vault

accessKey String: The AWS access key to use.
keyBits String: The size in bits for an RSA key.
keyType String: The type of key to use.
kmsKey String: An identifier for the key.
name String: A unique lowercase name that serves as identifying the key.
secretKey String: The AWS access key to use.
allowGenerateKey Boolean: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allowReplaceKey Boolean: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allowStoreKey Boolean: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
anyMount Boolean: If true, allows usage from any mount point within the namespace.
curve String: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
endpoint String: Used to specify a custom AWS endpoint.
region String: The AWS region where the keys are stored (or will be stored).
uuid String: ID of the managed key read from Vault

accessKey string: The AWS access key to use.
keyBits string: The size in bits for an RSA key.
keyType string: The type of key to use.
kmsKey string: An identifier for the key.
name string: A unique lowercase name that serves as identifying the key.
secretKey string: The AWS access key to use.
allowGenerateKey boolean: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allowReplaceKey boolean: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allowStoreKey boolean: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
anyMount boolean: If true, allows usage from any mount point within the namespace.
curve string: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
endpoint string: Used to specify a custom AWS endpoint.
region string: The AWS region where the keys are stored (or will be stored).
uuid string: ID of the managed key read from Vault

access_key str: The AWS access key to use.
key_bits str: The size in bits for an RSA key.
key_type str: The type of key to use.
kms_key str: An identifier for the key.
name str: A unique lowercase name that serves as identifying the key.
secret_key str: The AWS access key to use.
allow_generate_key bool: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allow_replace_key bool: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allow_store_key bool: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
any_mount bool: If true, allows usage from any mount point within the namespace.
curve str: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
endpoint str: Used to specify a custom AWS endpoint.
region str: The AWS region where the keys are stored (or will be stored).
uuid str: ID of the managed key read from Vault

accessKey String: The AWS access key to use.
keyBits String: The size in bits for an RSA key.
keyType String: The type of key to use.
kmsKey String: An identifier for the key.
name String: A unique lowercase name that serves as identifying the key.
secretKey String: The AWS access key to use.
allowGenerateKey Boolean: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allowReplaceKey Boolean: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allowStoreKey Boolean: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
anyMount Boolean: If true, allows usage from any mount point within the namespace.
curve String: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
endpoint String: Used to specify a custom AWS endpoint.
region String: The AWS region where the keys are stored (or will be stored).
uuid String: ID of the managed key read from Vault

KeysAzure, KeysAzureArgs

ClientId string: The client id for credentials to query the Azure APIs.
ClientSecret string: The client secret for credentials to query the Azure APIs.
KeyName string: The Key Vault key to use for encryption and decryption.
KeyType string: The type of key to use.
Name string: A unique lowercase name that serves as identifying the key.
TenantId string: The tenant id for the Azure Active Directory organization.
VaultName string: The Key Vault vault to use for encryption and decryption.
AllowGenerateKey bool: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
AllowReplaceKey bool: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
AllowStoreKey bool: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
AnyMount bool: If true, allows usage from any mount point within the namespace.
Environment string: The Azure Cloud environment API endpoints to use.
KeyBits string: The size in bits for an RSA key.
Resource string: The Azure Key Vault resource's DNS Suffix to connect to.
Uuid string: ID of the managed key read from Vault

ClientId string: The client id for credentials to query the Azure APIs.
ClientSecret string: The client secret for credentials to query the Azure APIs.
KeyName string: The Key Vault key to use for encryption and decryption.
KeyType string: The type of key to use.
Name string: A unique lowercase name that serves as identifying the key.
TenantId string: The tenant id for the Azure Active Directory organization.
VaultName string: The Key Vault vault to use for encryption and decryption.
AllowGenerateKey bool: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
AllowReplaceKey bool: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
AllowStoreKey bool: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
AnyMount bool: If true, allows usage from any mount point within the namespace.
Environment string: The Azure Cloud environment API endpoints to use.
KeyBits string: The size in bits for an RSA key.
Resource string: The Azure Key Vault resource's DNS Suffix to connect to.
Uuid string: ID of the managed key read from Vault

clientId String: The client id for credentials to query the Azure APIs.
clientSecret String: The client secret for credentials to query the Azure APIs.
keyName String: The Key Vault key to use for encryption and decryption.
keyType String: The type of key to use.
name String: A unique lowercase name that serves as identifying the key.
tenantId String: The tenant id for the Azure Active Directory organization.
vaultName String: The Key Vault vault to use for encryption and decryption.
allowGenerateKey Boolean: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allowReplaceKey Boolean: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allowStoreKey Boolean: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
anyMount Boolean: If true, allows usage from any mount point within the namespace.
environment String: The Azure Cloud environment API endpoints to use.
keyBits String: The size in bits for an RSA key.
resource String: The Azure Key Vault resource's DNS Suffix to connect to.
uuid String: ID of the managed key read from Vault

clientId string: The client id for credentials to query the Azure APIs.
clientSecret string: The client secret for credentials to query the Azure APIs.
keyName string: The Key Vault key to use for encryption and decryption.
keyType string: The type of key to use.
name string: A unique lowercase name that serves as identifying the key.
tenantId string: The tenant id for the Azure Active Directory organization.
vaultName string: The Key Vault vault to use for encryption and decryption.
allowGenerateKey boolean: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allowReplaceKey boolean: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allowStoreKey boolean: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
anyMount boolean: If true, allows usage from any mount point within the namespace.
environment string: The Azure Cloud environment API endpoints to use.
keyBits string: The size in bits for an RSA key.
resource string: The Azure Key Vault resource's DNS Suffix to connect to.
uuid string: ID of the managed key read from Vault

client_id str: The client id for credentials to query the Azure APIs.
client_secret str: The client secret for credentials to query the Azure APIs.
key_name str: The Key Vault key to use for encryption and decryption.
key_type str: The type of key to use.
name str: A unique lowercase name that serves as identifying the key.
tenant_id str: The tenant id for the Azure Active Directory organization.
vault_name str: The Key Vault vault to use for encryption and decryption.
allow_generate_key bool: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allow_replace_key bool: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allow_store_key bool: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
any_mount bool: If true, allows usage from any mount point within the namespace.
environment str: The Azure Cloud environment API endpoints to use.
key_bits str: The size in bits for an RSA key.
resource str: The Azure Key Vault resource's DNS Suffix to connect to.
uuid str: ID of the managed key read from Vault

clientId String: The client id for credentials to query the Azure APIs.
clientSecret String: The client secret for credentials to query the Azure APIs.
keyName String: The Key Vault key to use for encryption and decryption.
keyType String: The type of key to use.
name String: A unique lowercase name that serves as identifying the key.
tenantId String: The tenant id for the Azure Active Directory organization.
vaultName String: The Key Vault vault to use for encryption and decryption.
allowGenerateKey Boolean: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allowReplaceKey Boolean: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allowStoreKey Boolean: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
anyMount Boolean: If true, allows usage from any mount point within the namespace.
environment String: The Azure Cloud environment API endpoints to use.
keyBits String: The size in bits for an RSA key.
resource String: The Azure Key Vault resource's DNS Suffix to connect to.
uuid String: ID of the managed key read from Vault

KeysPkc, KeysPkcArgs

KeyId string: The id of a PKCS#11 key to use.
KeyLabel string: The label of the key to use.
Library string: The name of the kms_library stanza to use from Vault's config to lookup the local library path.
Mechanism string: The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
Name string: A unique lowercase name that serves as identifying the key.
Pin string: The PIN for login.
AllowGenerateKey bool: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
AllowReplaceKey bool: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
AllowStoreKey bool: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
AnyMount bool: If true, allows usage from any mount point within the namespace.
Curve string: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
ForceRwSession string: Force all operations to open up a read-write session to the HSM.
KeyBits string: The size in bits for an RSA key.
Slot string: The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
TokenLabel string: The slot token label to use.
Uuid string: ID of the managed key read from Vault

KeyId string: The id of a PKCS#11 key to use.
KeyLabel string: The label of the key to use.
Library string: The name of the kms_library stanza to use from Vault's config to lookup the local library path.
Mechanism string: The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
Name string: A unique lowercase name that serves as identifying the key.
Pin string: The PIN for login.
AllowGenerateKey bool: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
AllowReplaceKey bool: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
AllowStoreKey bool: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
AnyMount bool: If true, allows usage from any mount point within the namespace.
Curve string: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
ForceRwSession string: Force all operations to open up a read-write session to the HSM.
KeyBits string: The size in bits for an RSA key.
Slot string: The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
TokenLabel string: The slot token label to use.
Uuid string: ID of the managed key read from Vault

keyId String: The id of a PKCS#11 key to use.
keyLabel String: The label of the key to use.
library String: The name of the kms_library stanza to use from Vault's config to lookup the local library path.
mechanism String: The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
name String: A unique lowercase name that serves as identifying the key.
pin String: The PIN for login.
allowGenerateKey Boolean: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allowReplaceKey Boolean: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allowStoreKey Boolean: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
anyMount Boolean: If true, allows usage from any mount point within the namespace.
curve String: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
forceRwSession String: Force all operations to open up a read-write session to the HSM.
keyBits String: The size in bits for an RSA key.
slot String: The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
tokenLabel String: The slot token label to use.
uuid String: ID of the managed key read from Vault

keyId string: The id of a PKCS#11 key to use.
keyLabel string: The label of the key to use.
library string: The name of the kms_library stanza to use from Vault's config to lookup the local library path.
mechanism string: The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
name string: A unique lowercase name that serves as identifying the key.
pin string: The PIN for login.
allowGenerateKey boolean: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allowReplaceKey boolean: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allowStoreKey boolean: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
anyMount boolean: If true, allows usage from any mount point within the namespace.
curve string: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
forceRwSession string: Force all operations to open up a read-write session to the HSM.
keyBits string: The size in bits for an RSA key.
slot string: The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
tokenLabel string: The slot token label to use.
uuid string: ID of the managed key read from Vault

key_id str: The id of a PKCS#11 key to use.
key_label str: The label of the key to use.
library str: The name of the kms_library stanza to use from Vault's config to lookup the local library path.
mechanism str: The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
name str: A unique lowercase name that serves as identifying the key.
pin str: The PIN for login.
allow_generate_key bool: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allow_replace_key bool: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allow_store_key bool: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
any_mount bool: If true, allows usage from any mount point within the namespace.
curve str: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
force_rw_session str: Force all operations to open up a read-write session to the HSM.
key_bits str: The size in bits for an RSA key.
slot str: The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
token_label str: The slot token label to use.
uuid str: ID of the managed key read from Vault

keyId String: The id of a PKCS#11 key to use.
keyLabel String: The label of the key to use.
library String: The name of the kms_library stanza to use from Vault's config to lookup the local library path.
mechanism String: The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
name String: A unique lowercase name that serves as identifying the key.
pin String: The PIN for login.
allowGenerateKey Boolean: If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
allowReplaceKey Boolean: Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
allowStoreKey Boolean: Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
anyMount Boolean: If true, allows usage from any mount point within the namespace.
curve String: The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
forceRwSession String: Force all operations to open up a read-write session to the HSM.
keyBits String: The size in bits for an RSA key.
slot String: The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
tokenLabel String: The slot token label to use.
uuid String: ID of the managed key read from Vault

Import

Mounts can be imported using the id of default, e.g.

$ pulumi import vault:managed/keys:Keys keys default

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v6.1.0 published on Thursday, Apr 4, 2024 by Pulumi

pulumi/pulumi-vault

vault.managed.Keys

On this page

On this page

Create Keys Resource

Constructor syntax

Parameters

Example

Keys Resource Properties

Inputs

Outputs

Look up Existing Keys Resource

Supporting Types

KeysAw, KeysAwArgs

KeysAzure, KeysAzureArgs

KeysPkc, KeysPkcArgs

Import

Package Details

On this page

On this page