Docs Home
HashiCorp Vault v7.1.0 published on Thursday, Jul 10, 2025 by Pulumi
vault.pkiSecret.BackendConfigScep
Explore with Pulumi AI
Allows setting the SCEP configuration on a PKI Secret Backend.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const scep = new vault.AuthBackend("scep", {
path: "scep-auth",
type: "scep",
});
const scepChallenge = new vault.ScepAuthBackendRole("scep_challenge", {
backend: scep.id,
name: "scep-auth",
displayName: "Static challenge for SCEP clients",
authType: "static-challenge",
challenge: "ac7e4ada-c8ef-4393-9098-d69d08736833",
});
const pki = new vault.Mount("pki", {
path: "pki_scep",
type: "pki",
description: "PKI secret engine mount",
});
const test = new vault.pkisecret.BackendConfigScep("test", {
backend: pki.path,
enabled: true,
defaultPathPolicy: "sign-verbatim",
restrictCaChainToIssuer: true,
authenticators: {
scep: {
accessor: scep.accessor,
scep_role: scepChallenge.name,
},
},
});
import pulumi
import pulumi_vault as vault
scep = vault.AuthBackend("scep",
path="scep-auth",
type="scep")
scep_challenge = vault.ScepAuthBackendRole("scep_challenge",
backend=scep.id,
name="scep-auth",
display_name="Static challenge for SCEP clients",
auth_type="static-challenge",
challenge="ac7e4ada-c8ef-4393-9098-d69d08736833")
pki = vault.Mount("pki",
path="pki_scep",
type="pki",
description="PKI secret engine mount")
test = vault.pki_secret.BackendConfigScep("test",
backend=pki.path,
enabled=True,
default_path_policy="sign-verbatim",
restrict_ca_chain_to_issuer=True,
authenticators={
"scep": {
"accessor": scep.accessor,
"scep_role": scep_challenge.name,
},
})
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v7/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
scep, err := vault.NewAuthBackend(ctx, "scep", &vault.AuthBackendArgs{
Path: pulumi.String("scep-auth"),
Type: pulumi.String("scep"),
})
if err != nil {
return err
}
scepChallenge, err := vault.NewScepAuthBackendRole(ctx, "scep_challenge", &vault.ScepAuthBackendRoleArgs{
Backend: scep.ID(),
Name: pulumi.String("scep-auth"),
DisplayName: pulumi.String("Static challenge for SCEP clients"),
AuthType: pulumi.String("static-challenge"),
Challenge: pulumi.String("ac7e4ada-c8ef-4393-9098-d69d08736833"),
})
if err != nil {
return err
}
pki, err := vault.NewMount(ctx, "pki", &vault.MountArgs{
Path: pulumi.String("pki_scep"),
Type: pulumi.String("pki"),
Description: pulumi.String("PKI secret engine mount"),
})
if err != nil {
return err
}
_, err = pkisecret.NewBackendConfigScep(ctx, "test", &pkisecret.BackendConfigScepArgs{
Backend: pki.Path,
Enabled: pulumi.Bool(true),
DefaultPathPolicy: pulumi.String("sign-verbatim"),
RestrictCaChainToIssuer: pulumi.Bool(true),
Authenticators: &pkisecret.BackendConfigScepAuthenticatorsArgs{
Scep: pulumi.StringMap{
"accessor": scep.Accessor,
"scep_role": scepChallenge.Name,
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var scep = new Vault.AuthBackend("scep", new()
{
Path = "scep-auth",
Type = "scep",
});
var scepChallenge = new Vault.ScepAuthBackendRole("scep_challenge", new()
{
Backend = scep.Id,
Name = "scep-auth",
DisplayName = "Static challenge for SCEP clients",
AuthType = "static-challenge",
Challenge = "ac7e4ada-c8ef-4393-9098-d69d08736833",
});
var pki = new Vault.Mount("pki", new()
{
Path = "pki_scep",
Type = "pki",
Description = "PKI secret engine mount",
});
var test = new Vault.PkiSecret.BackendConfigScep("test", new()
{
Backend = pki.Path,
Enabled = true,
DefaultPathPolicy = "sign-verbatim",
RestrictCaChainToIssuer = true,
Authenticators = new Vault.PkiSecret.Inputs.BackendConfigScepAuthenticatorsArgs
{
Scep =
{
{ "accessor", scep.Accessor },
{ "scep_role", scepChallenge.Name },
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.ScepAuthBackendRole;
import com.pulumi.vault.ScepAuthBackendRoleArgs;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.BackendConfigScep;
import com.pulumi.vault.pkiSecret.BackendConfigScepArgs;
import com.pulumi.vault.pkiSecret.inputs.BackendConfigScepAuthenticatorsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var scep = new AuthBackend("scep", AuthBackendArgs.builder()
.path("scep-auth")
.type("scep")
.build());
var scepChallenge = new ScepAuthBackendRole("scepChallenge", ScepAuthBackendRoleArgs.builder()
.backend(scep.id())
.name("scep-auth")
.displayName("Static challenge for SCEP clients")
.authType("static-challenge")
.challenge("ac7e4ada-c8ef-4393-9098-d69d08736833")
.build());
var pki = new Mount("pki", MountArgs.builder()
.path("pki_scep")
.type("pki")
.description("PKI secret engine mount")
.build());
var test = new BackendConfigScep("test", BackendConfigScepArgs.builder()
.backend(pki.path())
.enabled(true)
.defaultPathPolicy("sign-verbatim")
.restrictCaChainToIssuer(true)
.authenticators(BackendConfigScepAuthenticatorsArgs.builder()
.scep(Map.ofEntries(
Map.entry("accessor", scep.accessor()),
Map.entry("scep_role", scepChallenge.name())
))
.build())
.build());
}
}
resources:
scep:
type: vault:AuthBackend
properties:
path: scep-auth
type: scep
scepChallenge:
type: vault:ScepAuthBackendRole
name: scep_challenge
properties:
backend: ${scep.id}
name: scep-auth
displayName: Static challenge for SCEP clients
authType: static-challenge
challenge: ac7e4ada-c8ef-4393-9098-d69d08736833
pki:
type: vault:Mount
properties:
path: pki_scep
type: pki
description: PKI secret engine mount
test:
type: vault:pkiSecret:BackendConfigScep
properties:
backend: ${pki.path}
enabled: true
defaultPathPolicy: sign-verbatim
restrictCaChainToIssuer: true
authenticators:
scep:
accessor: ${scep.accessor}
scep_role: ${scepChallenge.name}
Create BackendConfigScep Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new BackendConfigScep(name: string, args: BackendConfigScepArgs, opts?: CustomResourceOptions);@overload
def BackendConfigScep(resource_name: str,
args: BackendConfigScepArgs,
opts: Optional[ResourceOptions] = None)
@overload
def BackendConfigScep(resource_name: str,
opts: Optional[ResourceOptions] = None,
backend: Optional[str] = None,
allowed_digest_algorithms: Optional[Sequence[str]] = None,
allowed_encryption_algorithms: Optional[Sequence[str]] = None,
authenticators: Optional[BackendConfigScepAuthenticatorsArgs] = None,
default_path_policy: Optional[str] = None,
enabled: Optional[bool] = None,
external_validations: Optional[Sequence[BackendConfigScepExternalValidationArgs]] = None,
namespace: Optional[str] = None,
restrict_ca_chain_to_issuer: Optional[bool] = None)func NewBackendConfigScep(ctx *Context, name string, args BackendConfigScepArgs, opts ...ResourceOption) (*BackendConfigScep, error)public BackendConfigScep(string name, BackendConfigScepArgs args, CustomResourceOptions? opts = null)
public BackendConfigScep(String name, BackendConfigScepArgs args)
public BackendConfigScep(String name, BackendConfigScepArgs args, CustomResourceOptions options)
type: vault:pkiSecret:BackendConfigScep
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args BackendConfigScepArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args BackendConfigScepArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args BackendConfigScepArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args BackendConfigScepArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args BackendConfigScepArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var backendConfigScepResource = new Vault.PkiSecret.BackendConfigScep("backendConfigScepResource", new()
{
Backend = "string",
AllowedDigestAlgorithms = new[]
{
"string",
},
AllowedEncryptionAlgorithms = new[]
{
"string",
},
Authenticators = new Vault.PkiSecret.Inputs.BackendConfigScepAuthenticatorsArgs
{
Cert =
{
{ "string", "string" },
},
Scep =
{
{ "string", "string" },
},
},
DefaultPathPolicy = "string",
Enabled = false,
ExternalValidations = new[]
{
new Vault.PkiSecret.Inputs.BackendConfigScepExternalValidationArgs
{
Intune =
{
{ "string", "string" },
},
},
},
Namespace = "string",
RestrictCaChainToIssuer = false,
});
example, err := pkisecret.NewBackendConfigScep(ctx, "backendConfigScepResource", &pkisecret.BackendConfigScepArgs{
Backend: pulumi.String("string"),
AllowedDigestAlgorithms: pulumi.StringArray{
pulumi.String("string"),
},
AllowedEncryptionAlgorithms: pulumi.StringArray{
pulumi.String("string"),
},
Authenticators: &pkisecret.BackendConfigScepAuthenticatorsArgs{
Cert: pulumi.StringMap{
"string": pulumi.String("string"),
},
Scep: pulumi.StringMap{
"string": pulumi.String("string"),
},
},
DefaultPathPolicy: pulumi.String("string"),
Enabled: pulumi.Bool(false),
ExternalValidations: pkisecret.BackendConfigScepExternalValidationArray{
&pkisecret.BackendConfigScepExternalValidationArgs{
Intune: pulumi.StringMap{
"string": pulumi.String("string"),
},
},
},
Namespace: pulumi.String("string"),
RestrictCaChainToIssuer: pulumi.Bool(false),
})
var backendConfigScepResource = new BackendConfigScep("backendConfigScepResource", BackendConfigScepArgs.builder()
.backend("string")
.allowedDigestAlgorithms("string")
.allowedEncryptionAlgorithms("string")
.authenticators(BackendConfigScepAuthenticatorsArgs.builder()
.cert(Map.of("string", "string"))
.scep(Map.of("string", "string"))
.build())
.defaultPathPolicy("string")
.enabled(false)
.externalValidations(BackendConfigScepExternalValidationArgs.builder()
.intune(Map.of("string", "string"))
.build())
.namespace("string")
.restrictCaChainToIssuer(false)
.build());
backend_config_scep_resource = vault.pkisecret.BackendConfigScep("backendConfigScepResource",
backend="string",
allowed_digest_algorithms=["string"],
allowed_encryption_algorithms=["string"],
authenticators={
"cert": {
"string": "string",
},
"scep": {
"string": "string",
},
},
default_path_policy="string",
enabled=False,
external_validations=[{
"intune": {
"string": "string",
},
}],
namespace="string",
restrict_ca_chain_to_issuer=False)
const backendConfigScepResource = new vault.pkisecret.BackendConfigScep("backendConfigScepResource", {
backend: "string",
allowedDigestAlgorithms: ["string"],
allowedEncryptionAlgorithms: ["string"],
authenticators: {
cert: {
string: "string",
},
scep: {
string: "string",
},
},
defaultPathPolicy: "string",
enabled: false,
externalValidations: [{
intune: {
string: "string",
},
}],
namespace: "string",
restrictCaChainToIssuer: false,
});
type: vault:pkiSecret:BackendConfigScep
properties:
allowedDigestAlgorithms:
- string
allowedEncryptionAlgorithms:
- string
authenticators:
cert:
string: string
scep:
string: string
backend: string
defaultPathPolicy: string
enabled: false
externalValidations:
- intune:
string: string
namespace: string
restrictCaChainToIssuer: false
BackendConfigScep Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The BackendConfigScep resource accepts the following input properties:
- Backend string
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - Allowed
Digest List<string>Algorithms - List of allowed digest algorithms for SCEP requests.
- Allowed
Encryption List<string>Algorithms - List of allowed encryption algorithms for SCEP requests.
- Authenticators
Backend
Config Scep Authenticators - Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- Default
Path stringPolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- Enabled bool
- Specifies whether SCEP is enabled.
- External
Validations List<BackendConfig Scep External Validation> - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Restrict
Ca boolChain To Issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
- Backend string
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - Allowed
Digest []stringAlgorithms - List of allowed digest algorithms for SCEP requests.
- Allowed
Encryption []stringAlgorithms - List of allowed encryption algorithms for SCEP requests.
- Authenticators
Backend
Config Scep Authenticators Args - Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- Default
Path stringPolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- Enabled bool
- Specifies whether SCEP is enabled.
- External
Validations []BackendConfig Scep External Validation Args - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Restrict
Ca boolChain To Issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
- backend String
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - allowed
Digest List<String>Algorithms - List of allowed digest algorithms for SCEP requests.
- allowed
Encryption List<String>Algorithms - List of allowed encryption algorithms for SCEP requests.
- authenticators
Backend
Config Scep Authenticators - Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- default
Path StringPolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- enabled Boolean
- Specifies whether SCEP is enabled.
- external
Validations List<BackendConfig Scep External Validation> - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - restrict
Ca BooleanChain To Issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
- backend string
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - allowed
Digest string[]Algorithms - List of allowed digest algorithms for SCEP requests.
- allowed
Encryption string[]Algorithms - List of allowed encryption algorithms for SCEP requests.
- authenticators
Backend
Config Scep Authenticators - Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- default
Path stringPolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- enabled boolean
- Specifies whether SCEP is enabled.
- external
Validations BackendConfig Scep External Validation[] - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - restrict
Ca booleanChain To Issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
- backend str
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - allowed_
digest_ Sequence[str]algorithms - List of allowed digest algorithms for SCEP requests.
- allowed_
encryption_ Sequence[str]algorithms - List of allowed encryption algorithms for SCEP requests.
- authenticators
Backend
Config Scep Authenticators Args - Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- default_
path_ strpolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- enabled bool
- Specifies whether SCEP is enabled.
- external_
validations Sequence[BackendConfig Scep External Validation Args] - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- namespace str
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - restrict_
ca_ boolchain_ to_ issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
- backend String
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - allowed
Digest List<String>Algorithms - List of allowed digest algorithms for SCEP requests.
- allowed
Encryption List<String>Algorithms - List of allowed encryption algorithms for SCEP requests.
- authenticators Property Map
- Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- default
Path StringPolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- enabled Boolean
- Specifies whether SCEP is enabled.
- external
Validations List<Property Map> - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - restrict
Ca BooleanChain To Issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
Outputs
All input properties are implicitly available as output properties. Additionally, the BackendConfigScep resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Updated string - A read-only timestamp representing the last time the configuration was updated.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Updated string - A read-only timestamp representing the last time the configuration was updated.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Updated String - A read-only timestamp representing the last time the configuration was updated.
- id string
- The provider-assigned unique ID for this managed resource.
- last
Updated string - A read-only timestamp representing the last time the configuration was updated.
- id str
- The provider-assigned unique ID for this managed resource.
- last_
updated str - A read-only timestamp representing the last time the configuration was updated.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Updated String - A read-only timestamp representing the last time the configuration was updated.
Look up Existing BackendConfigScep Resource
Get an existing BackendConfigScep resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: BackendConfigScepState, opts?: CustomResourceOptions): BackendConfigScep@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allowed_digest_algorithms: Optional[Sequence[str]] = None,
allowed_encryption_algorithms: Optional[Sequence[str]] = None,
authenticators: Optional[BackendConfigScepAuthenticatorsArgs] = None,
backend: Optional[str] = None,
default_path_policy: Optional[str] = None,
enabled: Optional[bool] = None,
external_validations: Optional[Sequence[BackendConfigScepExternalValidationArgs]] = None,
last_updated: Optional[str] = None,
namespace: Optional[str] = None,
restrict_ca_chain_to_issuer: Optional[bool] = None) -> BackendConfigScepfunc GetBackendConfigScep(ctx *Context, name string, id IDInput, state *BackendConfigScepState, opts ...ResourceOption) (*BackendConfigScep, error)public static BackendConfigScep Get(string name, Input<string> id, BackendConfigScepState? state, CustomResourceOptions? opts = null)public static BackendConfigScep get(String name, Output<String> id, BackendConfigScepState state, CustomResourceOptions options)resources: _: type: vault:pkiSecret:BackendConfigScep get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Allowed
Digest List<string>Algorithms - List of allowed digest algorithms for SCEP requests.
- Allowed
Encryption List<string>Algorithms - List of allowed encryption algorithms for SCEP requests.
- Authenticators
Backend
Config Scep Authenticators - Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- Backend string
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - Default
Path stringPolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- Enabled bool
- Specifies whether SCEP is enabled.
- External
Validations List<BackendConfig Scep External Validation> - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- Last
Updated string - A read-only timestamp representing the last time the configuration was updated.
- Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Restrict
Ca boolChain To Issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
- Allowed
Digest []stringAlgorithms - List of allowed digest algorithms for SCEP requests.
- Allowed
Encryption []stringAlgorithms - List of allowed encryption algorithms for SCEP requests.
- Authenticators
Backend
Config Scep Authenticators Args - Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- Backend string
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - Default
Path stringPolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- Enabled bool
- Specifies whether SCEP is enabled.
- External
Validations []BackendConfig Scep External Validation Args - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- Last
Updated string - A read-only timestamp representing the last time the configuration was updated.
- Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Restrict
Ca boolChain To Issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
- allowed
Digest List<String>Algorithms - List of allowed digest algorithms for SCEP requests.
- allowed
Encryption List<String>Algorithms - List of allowed encryption algorithms for SCEP requests.
- authenticators
Backend
Config Scep Authenticators - Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- backend String
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - default
Path StringPolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- enabled Boolean
- Specifies whether SCEP is enabled.
- external
Validations List<BackendConfig Scep External Validation> - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- last
Updated String - A read-only timestamp representing the last time the configuration was updated.
- namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - restrict
Ca BooleanChain To Issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
- allowed
Digest string[]Algorithms - List of allowed digest algorithms for SCEP requests.
- allowed
Encryption string[]Algorithms - List of allowed encryption algorithms for SCEP requests.
- authenticators
Backend
Config Scep Authenticators - Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- backend string
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - default
Path stringPolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- enabled boolean
- Specifies whether SCEP is enabled.
- external
Validations BackendConfig Scep External Validation[] - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- last
Updated string - A read-only timestamp representing the last time the configuration was updated.
- namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - restrict
Ca booleanChain To Issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
- allowed_
digest_ Sequence[str]algorithms - List of allowed digest algorithms for SCEP requests.
- allowed_
encryption_ Sequence[str]algorithms - List of allowed encryption algorithms for SCEP requests.
- authenticators
Backend
Config Scep Authenticators Args - Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- backend str
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - default_
path_ strpolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- enabled bool
- Specifies whether SCEP is enabled.
- external_
validations Sequence[BackendConfig Scep External Validation Args] - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- last_
updated str - A read-only timestamp representing the last time the configuration was updated.
- namespace str
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - restrict_
ca_ boolchain_ to_ issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
- allowed
Digest List<String>Algorithms - List of allowed digest algorithms for SCEP requests.
- allowed
Encryption List<String>Algorithms - List of allowed encryption algorithms for SCEP requests.
- authenticators Property Map
- Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).
- backend String
- The path to the PKI secret backend to
read the SCEP configuration from, with no leading or trailing
/s. - default
Path StringPolicy - Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or "role:<role_name>" to specify a role to use as this policy.
- enabled Boolean
- Specifies whether SCEP is enabled.
- external
Validations List<Property Map> - Lists the 3rd party validation of SCEP requests (see below for nested schema).
- last
Updated String - A read-only timestamp representing the last time the configuration was updated.
- namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - restrict
Ca BooleanChain To Issuer If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.
Supporting Types
BackendConfigScepAuthenticators, BackendConfigScepAuthenticatorsArgs
BackendConfigScepExternalValidation, BackendConfigScepExternalValidationArgs
- Intune Dictionary<string, string>
- The credentials to enable Microsoft Intune validation of SCEP requests
- Intune map[string]string
- The credentials to enable Microsoft Intune validation of SCEP requests
- intune Map<String,String>
- The credentials to enable Microsoft Intune validation of SCEP requests
- intune {[key: string]: string}
- The credentials to enable Microsoft Intune validation of SCEP requests
- intune Mapping[str, str]
- The credentials to enable Microsoft Intune validation of SCEP requests
- intune Map<String>
- The credentials to enable Microsoft Intune validation of SCEP requests
Import
The PKI config cluster can be imported using the resource’s id.
In the case of the example above the id would be pki-root/config/scep,
where the pki-root component is the resource’s backend, e.g.
$ pulumi import vault:pkiSecret/backendConfigScep:BackendConfigScep example pki-root/config/scep
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.