1. Packages
  2. HashiCorp Vault
  3. API Docs
  4. managed
  5. Keys
HashiCorp Vault v5.20.0 published on Tuesday, Feb 20, 2024 by Pulumi

vault.managed.Keys

Explore with Pulumi AI

vault logo
HashiCorp Vault v5.20.0 published on Tuesday, Feb 20, 2024 by Pulumi

    A resource that manages the lifecycle of all Managed Keys in Vault.

    Note this feature is available only with Vault Enterprise.

    Caveats

    This single resource handles the lifecycle of all the managed keys that must be created in Vault. There can only be one such resource in the TF state, and if there are already provisioned managed keys in Vault, we recommend using pulumi import instead.

    Create Keys Resource

    new Keys(name: string, args?: KeysArgs, opts?: CustomResourceOptions);
    @overload
    def Keys(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             aws: Optional[Sequence[KeysAwArgs]] = None,
             azures: Optional[Sequence[KeysAzureArgs]] = None,
             namespace: Optional[str] = None,
             pkcs: Optional[Sequence[KeysPkcArgs]] = None)
    @overload
    def Keys(resource_name: str,
             args: Optional[KeysArgs] = None,
             opts: Optional[ResourceOptions] = None)
    func NewKeys(ctx *Context, name string, args *KeysArgs, opts ...ResourceOption) (*Keys, error)
    public Keys(string name, KeysArgs? args = null, CustomResourceOptions? opts = null)
    public Keys(String name, KeysArgs args)
    public Keys(String name, KeysArgs args, CustomResourceOptions options)
    
    type: vault:managed:Keys
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args KeysArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args KeysArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args KeysArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args KeysArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args KeysArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Keys Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Keys resource accepts the following input properties:

    Aws List<KeysAw>
    Configuration block for AWS Managed Keys
    Azures List<KeysAzure>
    Configuration block for Azure Managed Keys
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Pkcs List<KeysPkc>
    Configuration block for PKCS Managed Keys
    Aws []KeysAwArgs
    Configuration block for AWS Managed Keys
    Azures []KeysAzureArgs
    Configuration block for Azure Managed Keys
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Pkcs []KeysPkcArgs
    Configuration block for PKCS Managed Keys
    aws List<KeysAw>
    Configuration block for AWS Managed Keys
    azures List<KeysAzure>
    Configuration block for Azure Managed Keys
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    pkcs List<KeysPkc>
    Configuration block for PKCS Managed Keys
    aws KeysAw[]
    Configuration block for AWS Managed Keys
    azures KeysAzure[]
    Configuration block for Azure Managed Keys
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    pkcs KeysPkc[]
    Configuration block for PKCS Managed Keys
    aws Sequence[KeysAwArgs]
    Configuration block for AWS Managed Keys
    azures Sequence[KeysAzureArgs]
    Configuration block for Azure Managed Keys
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    pkcs Sequence[KeysPkcArgs]
    Configuration block for PKCS Managed Keys
    aws List<Property Map>
    Configuration block for AWS Managed Keys
    azures List<Property Map>
    Configuration block for Azure Managed Keys
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    pkcs List<Property Map>
    Configuration block for PKCS Managed Keys

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Keys resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Keys Resource

    Get an existing Keys resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: KeysState, opts?: CustomResourceOptions): Keys
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            aws: Optional[Sequence[KeysAwArgs]] = None,
            azures: Optional[Sequence[KeysAzureArgs]] = None,
            namespace: Optional[str] = None,
            pkcs: Optional[Sequence[KeysPkcArgs]] = None) -> Keys
    func GetKeys(ctx *Context, name string, id IDInput, state *KeysState, opts ...ResourceOption) (*Keys, error)
    public static Keys Get(string name, Input<string> id, KeysState? state, CustomResourceOptions? opts = null)
    public static Keys get(String name, Output<String> id, KeysState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Aws List<KeysAw>
    Configuration block for AWS Managed Keys
    Azures List<KeysAzure>
    Configuration block for Azure Managed Keys
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Pkcs List<KeysPkc>
    Configuration block for PKCS Managed Keys
    Aws []KeysAwArgs
    Configuration block for AWS Managed Keys
    Azures []KeysAzureArgs
    Configuration block for Azure Managed Keys
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Pkcs []KeysPkcArgs
    Configuration block for PKCS Managed Keys
    aws List<KeysAw>
    Configuration block for AWS Managed Keys
    azures List<KeysAzure>
    Configuration block for Azure Managed Keys
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    pkcs List<KeysPkc>
    Configuration block for PKCS Managed Keys
    aws KeysAw[]
    Configuration block for AWS Managed Keys
    azures KeysAzure[]
    Configuration block for Azure Managed Keys
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    pkcs KeysPkc[]
    Configuration block for PKCS Managed Keys
    aws Sequence[KeysAwArgs]
    Configuration block for AWS Managed Keys
    azures Sequence[KeysAzureArgs]
    Configuration block for Azure Managed Keys
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    pkcs Sequence[KeysPkcArgs]
    Configuration block for PKCS Managed Keys
    aws List<Property Map>
    Configuration block for AWS Managed Keys
    azures List<Property Map>
    Configuration block for Azure Managed Keys
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    pkcs List<Property Map>
    Configuration block for PKCS Managed Keys

    Supporting Types

    KeysAw, KeysAwArgs

    AccessKey string
    The AWS access key to use.
    KeyBits string
    The size in bits for an RSA key.
    KeyType string
    The type of key to use.
    KmsKey string
    An identifier for the key.
    Name string
    A unique lowercase name that serves as identifying the key.
    SecretKey string
    The AWS access key to use.
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    AnyMount bool
    If true, allows usage from any mount point within the namespace.
    Curve string
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    Endpoint string
    Used to specify a custom AWS endpoint.
    Region string
    The AWS region where the keys are stored (or will be stored).
    Uuid string
    ID of the managed key read from Vault
    AccessKey string
    The AWS access key to use.
    KeyBits string
    The size in bits for an RSA key.
    KeyType string
    The type of key to use.
    KmsKey string
    An identifier for the key.
    Name string
    A unique lowercase name that serves as identifying the key.
    SecretKey string
    The AWS access key to use.
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    AnyMount bool
    If true, allows usage from any mount point within the namespace.
    Curve string
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    Endpoint string
    Used to specify a custom AWS endpoint.
    Region string
    The AWS region where the keys are stored (or will be stored).
    Uuid string
    ID of the managed key read from Vault
    accessKey String
    The AWS access key to use.
    keyBits String
    The size in bits for an RSA key.
    keyType String
    The type of key to use.
    kmsKey String
    An identifier for the key.
    name String
    A unique lowercase name that serves as identifying the key.
    secretKey String
    The AWS access key to use.
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    anyMount Boolean
    If true, allows usage from any mount point within the namespace.
    curve String
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    endpoint String
    Used to specify a custom AWS endpoint.
    region String
    The AWS region where the keys are stored (or will be stored).
    uuid String
    ID of the managed key read from Vault
    accessKey string
    The AWS access key to use.
    keyBits string
    The size in bits for an RSA key.
    keyType string
    The type of key to use.
    kmsKey string
    An identifier for the key.
    name string
    A unique lowercase name that serves as identifying the key.
    secretKey string
    The AWS access key to use.
    allowGenerateKey boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allowReplaceKey boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey boolean
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    anyMount boolean
    If true, allows usage from any mount point within the namespace.
    curve string
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    endpoint string
    Used to specify a custom AWS endpoint.
    region string
    The AWS region where the keys are stored (or will be stored).
    uuid string
    ID of the managed key read from Vault
    access_key str
    The AWS access key to use.
    key_bits str
    The size in bits for an RSA key.
    key_type str
    The type of key to use.
    kms_key str
    An identifier for the key.
    name str
    A unique lowercase name that serves as identifying the key.
    secret_key str
    The AWS access key to use.
    allow_generate_key bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allow_replace_key bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allow_store_key bool
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    any_mount bool
    If true, allows usage from any mount point within the namespace.
    curve str
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    endpoint str
    Used to specify a custom AWS endpoint.
    region str
    The AWS region where the keys are stored (or will be stored).
    uuid str
    ID of the managed key read from Vault
    accessKey String
    The AWS access key to use.
    keyBits String
    The size in bits for an RSA key.
    keyType String
    The type of key to use.
    kmsKey String
    An identifier for the key.
    name String
    A unique lowercase name that serves as identifying the key.
    secretKey String
    The AWS access key to use.
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    anyMount Boolean
    If true, allows usage from any mount point within the namespace.
    curve String
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    endpoint String
    Used to specify a custom AWS endpoint.
    region String
    The AWS region where the keys are stored (or will be stored).
    uuid String
    ID of the managed key read from Vault

    KeysAzure, KeysAzureArgs

    ClientId string
    The client id for credentials to query the Azure APIs.
    ClientSecret string
    The client secret for credentials to query the Azure APIs.
    KeyName string
    The Key Vault key to use for encryption and decryption.
    KeyType string
    The type of key to use.
    Name string
    A unique lowercase name that serves as identifying the key.
    TenantId string
    The tenant id for the Azure Active Directory organization.
    VaultName string
    The Key Vault vault to use for encryption and decryption.
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    AnyMount bool
    If true, allows usage from any mount point within the namespace.
    Environment string
    The Azure Cloud environment API endpoints to use.
    KeyBits string
    The size in bits for an RSA key.
    Resource string
    The Azure Key Vault resource's DNS Suffix to connect to.
    Uuid string
    ID of the managed key read from Vault
    ClientId string
    The client id for credentials to query the Azure APIs.
    ClientSecret string
    The client secret for credentials to query the Azure APIs.
    KeyName string
    The Key Vault key to use for encryption and decryption.
    KeyType string
    The type of key to use.
    Name string
    A unique lowercase name that serves as identifying the key.
    TenantId string
    The tenant id for the Azure Active Directory organization.
    VaultName string
    The Key Vault vault to use for encryption and decryption.
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    AnyMount bool
    If true, allows usage from any mount point within the namespace.
    Environment string
    The Azure Cloud environment API endpoints to use.
    KeyBits string
    The size in bits for an RSA key.
    Resource string
    The Azure Key Vault resource's DNS Suffix to connect to.
    Uuid string
    ID of the managed key read from Vault
    clientId String
    The client id for credentials to query the Azure APIs.
    clientSecret String
    The client secret for credentials to query the Azure APIs.
    keyName String
    The Key Vault key to use for encryption and decryption.
    keyType String
    The type of key to use.
    name String
    A unique lowercase name that serves as identifying the key.
    tenantId String
    The tenant id for the Azure Active Directory organization.
    vaultName String
    The Key Vault vault to use for encryption and decryption.
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    anyMount Boolean
    If true, allows usage from any mount point within the namespace.
    environment String
    The Azure Cloud environment API endpoints to use.
    keyBits String
    The size in bits for an RSA key.
    resource String
    The Azure Key Vault resource's DNS Suffix to connect to.
    uuid String
    ID of the managed key read from Vault
    clientId string
    The client id for credentials to query the Azure APIs.
    clientSecret string
    The client secret for credentials to query the Azure APIs.
    keyName string
    The Key Vault key to use for encryption and decryption.
    keyType string
    The type of key to use.
    name string
    A unique lowercase name that serves as identifying the key.
    tenantId string
    The tenant id for the Azure Active Directory organization.
    vaultName string
    The Key Vault vault to use for encryption and decryption.
    allowGenerateKey boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allowReplaceKey boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey boolean
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    anyMount boolean
    If true, allows usage from any mount point within the namespace.
    environment string
    The Azure Cloud environment API endpoints to use.
    keyBits string
    The size in bits for an RSA key.
    resource string
    The Azure Key Vault resource's DNS Suffix to connect to.
    uuid string
    ID of the managed key read from Vault
    client_id str
    The client id for credentials to query the Azure APIs.
    client_secret str
    The client secret for credentials to query the Azure APIs.
    key_name str
    The Key Vault key to use for encryption and decryption.
    key_type str
    The type of key to use.
    name str
    A unique lowercase name that serves as identifying the key.
    tenant_id str
    The tenant id for the Azure Active Directory organization.
    vault_name str
    The Key Vault vault to use for encryption and decryption.
    allow_generate_key bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allow_replace_key bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allow_store_key bool
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    any_mount bool
    If true, allows usage from any mount point within the namespace.
    environment str
    The Azure Cloud environment API endpoints to use.
    key_bits str
    The size in bits for an RSA key.
    resource str
    The Azure Key Vault resource's DNS Suffix to connect to.
    uuid str
    ID of the managed key read from Vault
    clientId String
    The client id for credentials to query the Azure APIs.
    clientSecret String
    The client secret for credentials to query the Azure APIs.
    keyName String
    The Key Vault key to use for encryption and decryption.
    keyType String
    The type of key to use.
    name String
    A unique lowercase name that serves as identifying the key.
    tenantId String
    The tenant id for the Azure Active Directory organization.
    vaultName String
    The Key Vault vault to use for encryption and decryption.
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    anyMount Boolean
    If true, allows usage from any mount point within the namespace.
    environment String
    The Azure Cloud environment API endpoints to use.
    keyBits String
    The size in bits for an RSA key.
    resource String
    The Azure Key Vault resource's DNS Suffix to connect to.
    uuid String
    ID of the managed key read from Vault

    KeysPkc, KeysPkcArgs

    KeyId string
    The id of a PKCS#11 key to use.
    KeyLabel string
    The label of the key to use.
    Library string
    The name of the kms_library stanza to use from Vault's config to lookup the local library path.
    Mechanism string
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    Name string
    A unique lowercase name that serves as identifying the key.
    Pin string
    The PIN for login.
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    AnyMount bool
    If true, allows usage from any mount point within the namespace.
    Curve string
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    ForceRwSession string
    Force all operations to open up a read-write session to the HSM.
    KeyBits string
    The size in bits for an RSA key.
    Slot string
    The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
    TokenLabel string
    The slot token label to use.
    Uuid string
    ID of the managed key read from Vault
    KeyId string
    The id of a PKCS#11 key to use.
    KeyLabel string
    The label of the key to use.
    Library string
    The name of the kms_library stanza to use from Vault's config to lookup the local library path.
    Mechanism string
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    Name string
    A unique lowercase name that serves as identifying the key.
    Pin string
    The PIN for login.
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    AnyMount bool
    If true, allows usage from any mount point within the namespace.
    Curve string
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    ForceRwSession string
    Force all operations to open up a read-write session to the HSM.
    KeyBits string
    The size in bits for an RSA key.
    Slot string
    The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
    TokenLabel string
    The slot token label to use.
    Uuid string
    ID of the managed key read from Vault
    keyId String
    The id of a PKCS#11 key to use.
    keyLabel String
    The label of the key to use.
    library String
    The name of the kms_library stanza to use from Vault's config to lookup the local library path.
    mechanism String
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    name String
    A unique lowercase name that serves as identifying the key.
    pin String
    The PIN for login.
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    anyMount Boolean
    If true, allows usage from any mount point within the namespace.
    curve String
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    forceRwSession String
    Force all operations to open up a read-write session to the HSM.
    keyBits String
    The size in bits for an RSA key.
    slot String
    The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
    tokenLabel String
    The slot token label to use.
    uuid String
    ID of the managed key read from Vault
    keyId string
    The id of a PKCS#11 key to use.
    keyLabel string
    The label of the key to use.
    library string
    The name of the kms_library stanza to use from Vault's config to lookup the local library path.
    mechanism string
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    name string
    A unique lowercase name that serves as identifying the key.
    pin string
    The PIN for login.
    allowGenerateKey boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allowReplaceKey boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey boolean
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    anyMount boolean
    If true, allows usage from any mount point within the namespace.
    curve string
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    forceRwSession string
    Force all operations to open up a read-write session to the HSM.
    keyBits string
    The size in bits for an RSA key.
    slot string
    The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
    tokenLabel string
    The slot token label to use.
    uuid string
    ID of the managed key read from Vault
    key_id str
    The id of a PKCS#11 key to use.
    key_label str
    The label of the key to use.
    library str
    The name of the kms_library stanza to use from Vault's config to lookup the local library path.
    mechanism str
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    name str
    A unique lowercase name that serves as identifying the key.
    pin str
    The PIN for login.
    allow_generate_key bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allow_replace_key bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allow_store_key bool
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    any_mount bool
    If true, allows usage from any mount point within the namespace.
    curve str
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    force_rw_session str
    Force all operations to open up a read-write session to the HSM.
    key_bits str
    The size in bits for an RSA key.
    slot str
    The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
    token_label str
    The slot token label to use.
    uuid str
    ID of the managed key read from Vault
    keyId String
    The id of a PKCS#11 key to use.
    keyLabel String
    The label of the key to use.
    library String
    The name of the kms_library stanza to use from Vault's config to lookup the local library path.
    mechanism String
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    name String
    A unique lowercase name that serves as identifying the key.
    pin String
    The PIN for login.
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend.
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden.
    anyMount Boolean
    If true, allows usage from any mount point within the namespace.
    curve String
    The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true.
    forceRwSession String
    Force all operations to open up a read-write session to the HSM.
    keyBits String
    The size in bits for an RSA key.
    slot String
    The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953).
    tokenLabel String
    The slot token label to use.
    uuid String
    ID of the managed key read from Vault

    Import

    Mounts can be imported using the id of default, e.g.

     $ pulumi import vault:managed/keys:Keys keys default
    

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v5.20.0 published on Tuesday, Feb 20, 2024 by Pulumi