HashiCorp Vault v5.20.0 published on Tuesday, Feb 20, 2024 by Pulumi

vault.pkiSecret.SecretBackendRole


    Creates a role on a PKI Secret Backend for Vault.

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() =>
    {
        // Mount the PKI secrets engine at "pki": 1h default lease, 24h maximum.
        var mountArgs = new Vault.MountArgs
        {
            Path = "pki",
            Type = "pki",
            DefaultLeaseTtlSeconds = 3600,
            MaxLeaseTtlSeconds = 86400,
        };
        var pki = new Vault.Mount("pki", mountArgs);

        // Issuance role on that mount: 4096-bit RSA certificates, limited to the
        // listed domains and their subdomains; IP SANs are permitted.
        var allowedDomains = new[] { "example.com", "my.domain" };
        var roleArgs = new Vault.PkiSecret.SecretBackendRoleArgs
        {
            Backend = pki.Path,
            Ttl = "3600",
            AllowIpSans = true,
            KeyType = "rsa",
            KeyBits = 4096,
            AllowedDomains = allowedDomains,
            AllowSubdomains = true,
        };
        var role = new Vault.PkiSecret.SecretBackendRole("role", roleArgs);
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault"
    	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/pkiSecret"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Mount the PKI secrets engine at "pki": 1h default lease, 24h maximum.
    		mount, err := vault.NewMount(ctx, "pki", &vault.MountArgs{
    			Path:                   pulumi.String("pki"),
    			Type:                   pulumi.String("pki"),
    			DefaultLeaseTtlSeconds: pulumi.Int(3600),
    			MaxLeaseTtlSeconds:     pulumi.Int(86400),
    		})
    		if err != nil {
    			return err
    		}

    		// Issuance role on that mount: 4096-bit RSA certificates, limited to the
    		// listed domains and their subdomains; IP SANs are permitted.
    		roleArgs := &pkiSecret.SecretBackendRoleArgs{
    			Backend:     mount.Path,
    			Ttl:         pulumi.String("3600"),
    			AllowIpSans: pulumi.Bool(true),
    			KeyType:     pulumi.String("rsa"),
    			KeyBits:     pulumi.Int(4096),
    			AllowedDomains: pulumi.StringArray{
    				pulumi.String("example.com"),
    				pulumi.String("my.domain"),
    			},
    			AllowSubdomains: pulumi.Bool(true),
    		}
    		// The resource handle is not used further; only the error is reported
    		// (nil on success, which is what the program returns).
    		_, err = pkiSecret.NewSecretBackendRole(ctx, "role", roleArgs)
    		return err
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.Mount;
    import com.pulumi.vault.MountArgs;
    import com.pulumi.vault.pkiSecret.SecretBackendRole;
    import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
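    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the example resources: a PKI secrets-engine mount and an
         * issuance role restricted to the listed domains (and their subdomains).
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            // Mount the PKI engine at "pki": 1h default lease, 24h maximum.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            // ttl is a String input (see the Inputs table on this page); the
            // other language examples pass "3600", so the Java builder gets the
            // same string rather than an int.
            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                .build());
        }
    }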
    
    import pulumi
    import pulumi_vault as vault
    
    # Mount the PKI secrets engine at "pki" (1h default lease, 24h maximum).
    pki = vault.Mount(
        "pki",
        path="pki",
        type="pki",
        default_lease_ttl_seconds=3600,
        max_lease_ttl_seconds=86400,
    )

    # Issuance role on that mount: 4096-bit RSA certificates, limited to the
    # listed domains and their subdomains; IP SANs are permitted.
    _role_args = dict(
        backend=pki.path,
        ttl="3600",
        allow_ip_sans=True,
        key_type="rsa",
        key_bits=4096,
        allowed_domains=["example.com", "my.domain"],
        allow_subdomains=True,
    )
    role = vault.pki_secret.SecretBackendRole("role", **_role_args)
    
    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    // Mount the PKI secrets engine at "pki" (1h default lease, 24h maximum).
    const pki = new vault.Mount("pki", {
        path: "pki",
        type: "pki",
        defaultLeaseTtlSeconds: 3600,
        maxLeaseTtlSeconds: 86400,
    });

    // Issuance role on that mount: 4096-bit RSA certificates, limited to the
    // listed domains and their subdomains; IP SANs are permitted.
    const roleArgs: vault.pkisecret.SecretBackendRoleArgs = {
        backend: pki.path,
        ttl: "3600",
        allowIpSans: true,
        keyType: "rsa",
        keyBits: 4096,
        allowedDomains: ["example.com", "my.domain"],
        allowSubdomains: true,
    };
    const role = new vault.pkisecret.SecretBackendRole("role", roleArgs);
    
    resources:
      # PKI secrets engine mounted at "pki": 1h default lease, 24h maximum.
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuance role on that mount: 4096-bit RSA certificates, limited to the
      # listed domains and their subdomains; IP SANs are permitted.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          # NOTE(review): ttl is documented as a string and the other language
          # examples pass "3600"; confirm the bare number is coerced here.
          ttl: 3600
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
    

    Create SecretBackendRole Resource

    new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);
    @overload
    def SecretBackendRole(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          allow_any_name: Optional[bool] = None,
                          allow_bare_domains: Optional[bool] = None,
                          allow_glob_domains: Optional[bool] = None,
                          allow_ip_sans: Optional[bool] = None,
                          allow_localhost: Optional[bool] = None,
                          allow_subdomains: Optional[bool] = None,
                          allow_wildcard_certificates: Optional[bool] = None,
                          allowed_domains: Optional[Sequence[str]] = None,
                          allowed_domains_template: Optional[bool] = None,
                          allowed_other_sans: Optional[Sequence[str]] = None,
                          allowed_serial_numbers: Optional[Sequence[str]] = None,
                          allowed_uri_sans: Optional[Sequence[str]] = None,
                          allowed_uri_sans_template: Optional[bool] = None,
                          allowed_user_ids: Optional[Sequence[str]] = None,
                          backend: Optional[str] = None,
                          basic_constraints_valid_for_non_ca: Optional[bool] = None,
                          client_flag: Optional[bool] = None,
                          code_signing_flag: Optional[bool] = None,
                          countries: Optional[Sequence[str]] = None,
                          email_protection_flag: Optional[bool] = None,
                          enforce_hostnames: Optional[bool] = None,
                          ext_key_usage_oids: Optional[Sequence[str]] = None,
                          ext_key_usages: Optional[Sequence[str]] = None,
                          generate_lease: Optional[bool] = None,
                          issuer_ref: Optional[str] = None,
                          key_bits: Optional[int] = None,
                          key_type: Optional[str] = None,
                          key_usages: Optional[Sequence[str]] = None,
                          localities: Optional[Sequence[str]] = None,
                          max_ttl: Optional[str] = None,
                          name: Optional[str] = None,
                          namespace: Optional[str] = None,
                          no_store: Optional[bool] = None,
                          not_before_duration: Optional[str] = None,
                          organization_unit: Optional[Sequence[str]] = None,
                          organizations: Optional[Sequence[str]] = None,
                          policy_identifier: Optional[Sequence[_pkisecret.SecretBackendRolePolicyIdentifierArgs]] = None,
                          policy_identifiers: Optional[Sequence[str]] = None,
                          postal_codes: Optional[Sequence[str]] = None,
                          provinces: Optional[Sequence[str]] = None,
                          require_cn: Optional[bool] = None,
                          server_flag: Optional[bool] = None,
                          street_addresses: Optional[Sequence[str]] = None,
                          ttl: Optional[str] = None,
                          use_csr_common_name: Optional[bool] = None,
                          use_csr_sans: Optional[bool] = None)
    @overload
    def SecretBackendRole(resource_name: str,
                          args: SecretBackendRoleArgs,
                          opts: Optional[ResourceOptions] = None)
    func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)
    public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)
    public SecretBackendRole(String name, SecretBackendRoleArgs args)
    public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)
    
    type: vault:pkiSecret:SecretBackendRole
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    SecretBackendRole Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SecretBackendRole resource accepts the following input properties:

    Backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    AllowAnyName bool
    Flag to allow any name
    AllowBareDomains bool
    Flag to allow certificates matching the actual domain
    AllowGlobDomains bool
    Flag to allow names containing glob patterns.
    AllowIpSans bool
    Flag to allow IP SANs
    AllowLocalhost bool
    Flag to allow certificates for localhost
    AllowSubdomains bool
    Flag to allow certificates matching subdomains
    AllowWildcardCertificates bool
    Flag to allow wildcard certificates.
    AllowedDomains List<string>
    List of allowed domains for certificates
    AllowedDomainsTemplate bool
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedOtherSans List<string>
    Defines allowed custom SANs
    AllowedSerialNumbers List<string>
    An array of allowed serial numbers to put in Subject
    AllowedUriSans List<string>
    Defines allowed URI SANs
    AllowedUriSansTemplate bool
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedUserIds List<string>
    Defines allowed User IDs
    BasicConstraintsValidForNonCa bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    ClientFlag bool
    Flag to specify certificates for client use
    CodeSigningFlag bool
    Flag to specify certificates for code signing use
    Countries List<string>
    The country of generated certificates
    EmailProtectionFlag bool
    Flag to specify certificates for email protection use
    EnforceHostnames bool
    Flag to allow only valid host names
    ExtKeyUsageOids List<string>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ExtKeyUsages List<string>
    Specify the allowed extended key usage constraint on issued certificates
    GenerateLease bool
    Flag to generate leases with certificates
    IssuerRef string
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    KeyBits int
    The number of bits of generated keys
    KeyType string
    The generated key type; choices: rsa, ec, ed25519, any. Defaults to rsa.
    KeyUsages List<string>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    Localities List<string>
    The locality of generated certificates
    MaxTtl string
    The maximum lease TTL, in seconds, for the role.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NoStore bool
    Flag to not store certificates in the storage backend
    NotBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    OrganizationUnit List<string>
    The organization unit of generated certificates
    Organizations List<string>
    The organization of generated certificates
    PolicyIdentifier List<SecretBackendRolePolicyIdentifier>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    PolicyIdentifiers List<string>
    Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
    PostalCodes List<string>
    The postal code of generated certificates
    Provinces List<string>
    The province of generated certificates
    RequireCn bool
    Flag to force CN usage
    ServerFlag bool
    Flag to specify certificates for server use
    StreetAddresses List<string>
    The street address of generated certificates
    Ttl string
    The TTL, in seconds, for any certificate issued against this role.
    UseCsrCommonName bool
    Flag to use the CN in the CSR
    UseCsrSans bool
    Flag to use the SANs in the CSR
    Backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    AllowAnyName bool
    Flag to allow any name
    AllowBareDomains bool
    Flag to allow certificates matching the actual domain
    AllowGlobDomains bool
    Flag to allow names containing glob patterns.
    AllowIpSans bool
    Flag to allow IP SANs
    AllowLocalhost bool
    Flag to allow certificates for localhost
    AllowSubdomains bool
    Flag to allow certificates matching subdomains
    AllowWildcardCertificates bool
    Flag to allow wildcard certificates.
    AllowedDomains []string
    List of allowed domains for certificates
    AllowedDomainsTemplate bool
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedOtherSans []string
    Defines allowed custom SANs
    AllowedSerialNumbers []string
    An array of allowed serial numbers to put in Subject
    AllowedUriSans []string
    Defines allowed URI SANs
    AllowedUriSansTemplate bool
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedUserIds []string
    Defines allowed User IDs
    BasicConstraintsValidForNonCa bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    ClientFlag bool
    Flag to specify certificates for client use
    CodeSigningFlag bool
    Flag to specify certificates for code signing use
    Countries []string
    The country of generated certificates
    EmailProtectionFlag bool
    Flag to specify certificates for email protection use
    EnforceHostnames bool
    Flag to allow only valid host names
    ExtKeyUsageOids []string
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ExtKeyUsages []string
    Specify the allowed extended key usage constraint on issued certificates
    GenerateLease bool
    Flag to generate leases with certificates
    IssuerRef string
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    KeyBits int
    The number of bits of generated keys
    KeyType string
    The generated key type; choices: rsa, ec, ed25519, any. Defaults to rsa.
    KeyUsages []string
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    Localities []string
    The locality of generated certificates
    MaxTtl string
    The maximum lease TTL, in seconds, for the role.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NoStore bool
    Flag to not store certificates in the storage backend
    NotBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    OrganizationUnit []string
    The organization unit of generated certificates
    Organizations []string
    The organization of generated certificates
    PolicyIdentifier []SecretBackendRolePolicyIdentifierArgs
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    PolicyIdentifiers []string
    Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
    PostalCodes []string
    The postal code of generated certificates
    Provinces []string
    The province of generated certificates
    RequireCn bool
    Flag to force CN usage
    ServerFlag bool
    Flag to specify certificates for server use
    StreetAddresses []string
    The street address of generated certificates
    Ttl string
    The TTL, in seconds, for any certificate issued against this role.
    UseCsrCommonName bool
    Flag to use the CN in the CSR
    UseCsrSans bool
    Flag to use the SANs in the CSR
    backend String
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    allowAnyName Boolean
    Flag to allow any name
    allowBareDomains Boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains Boolean
    Flag to allow names containing glob patterns.
    allowIpSans Boolean
    Flag to allow IP SANs
    allowLocalhost Boolean
    Flag to allow certificates for localhost
    allowSubdomains Boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates Boolean
    Flag to allow wildcard certificates.
    allowedDomains List<String>
    List of allowed domains for certificates
    allowedDomainsTemplate Boolean
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans List<String>
    Defines allowed custom SANs
    allowedSerialNumbers List<String>
    An array of allowed serial numbers to put in Subject
    allowedUriSans List<String>
    Defines allowed URI SANs
    allowedUriSansTemplate Boolean
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds List<String>
    Defines allowed User IDs
    basicConstraintsValidForNonCa Boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag Boolean
    Flag to specify certificates for client use
    codeSigningFlag Boolean
    Flag to specify certificates for code signing use
    countries List<String>
    The country of generated certificates
    emailProtectionFlag Boolean
    Flag to specify certificates for email protection use
    enforceHostnames Boolean
    Flag to allow only valid host names
    extKeyUsageOids List<String>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages List<String>
    Specify the allowed extended key usage constraint on issued certificates
    generateLease Boolean
    Flag to generate leases with certificates
    issuerRef String
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    keyBits Integer
    The number of bits of generated keys
    keyType String
    The generated key type; choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages List<String>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities List<String>
    The locality of generated certificates
    maxTtl String
    The maximum lease TTL, in seconds, for the role.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore Boolean
    Flag to not store certificates in the storage backend
    notBeforeDuration String
    Specifies the duration by which to backdate the NotBefore property.
    organizationUnit List<String>
    The organization unit of generated certificates
    organizations List<String>
    The organization of generated certificates
    policyIdentifier List<SecretBackendRolePolicyIdentifier>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    policyIdentifiers List<String>
    Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
    postalCodes List<String>
    The postal code of generated certificates
    provinces List<String>
    The province of generated certificates
    requireCn Boolean
    Flag to force CN usage
    serverFlag Boolean
    Flag to specify certificates for server use
    streetAddresses List<String>
    The street address of generated certificates
    ttl String
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName Boolean
    Flag to use the CN in the CSR
    useCsrSans Boolean
    Flag to use the SANs in the CSR
    backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    allowAnyName boolean
    Flag to allow any name
    allowBareDomains boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains boolean
    Flag to allow names containing glob patterns.
    allowIpSans boolean
    Flag to allow IP SANs
    allowLocalhost boolean
    Flag to allow certificates for localhost
    allowSubdomains boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates boolean
    Flag to allow wildcard certificates.
    allowedDomains string[]
    List of allowed domains for certificates
    allowedDomainsTemplate boolean
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans string[]
    Defines allowed custom SANs
    allowedSerialNumbers string[]
    An array of allowed serial numbers to put in Subject
    allowedUriSans string[]
    Defines allowed URI SANs
    allowedUriSansTemplate boolean
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds string[]
    Defines allowed User IDs
    basicConstraintsValidForNonCa boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag boolean
    Flag to specify certificates for client use
    codeSigningFlag boolean
    Flag to specify certificates for code signing use
    countries string[]
    The country of generated certificates
    emailProtectionFlag boolean
    Flag to specify certificates for email protection use
    enforceHostnames boolean
    Flag to allow only valid host names
    extKeyUsageOids string[]
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages string[]
    Specify the allowed extended key usage constraint on issued certificates
    generateLease boolean
    Flag to generate leases with certificates
    issuerRef string
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    keyBits number
    The number of bits of generated keys
    keyType string
    The generated key type; choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages string[]
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities string[]
    The locality of generated certificates
    maxTtl string
    The maximum lease TTL, in seconds, for the role.
    name string
    The name to identify this role within the backend. Must be unique within the backend.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore boolean
    Flag to not store certificates in the storage backend
    notBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    organizationUnit string[]
    The organization unit of generated certificates
    organizations string[]
    The organization of generated certificates
    policyIdentifier SecretBackendRolePolicyIdentifier[]
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    policyIdentifiers string[]
    Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
    postalCodes string[]
    The postal code of generated certificates
    provinces string[]
    The province of generated certificates
    requireCn boolean
    Flag to force CN usage
    serverFlag boolean
    Flag to specify certificates for server use
    streetAddresses string[]
    The street address of generated certificates
    ttl string
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName boolean
    Flag to use the CN in the CSR
    useCsrSans boolean
    Flag to use the SANs in the CSR
    backend str
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    allow_any_name bool
    Flag to allow any name
    allow_bare_domains bool
    Flag to allow certificates matching the actual domain
    allow_glob_domains bool
    Flag to allow names containing glob patterns.
    allow_ip_sans bool
    Flag to allow IP SANs
    allow_localhost bool
    Flag to allow certificates for localhost
    allow_subdomains bool
    Flag to allow certificates matching subdomains
    allow_wildcard_certificates bool
    Flag to allow wildcard certificates.
    allowed_domains Sequence[str]
    List of allowed domains for certificates
    allowed_domains_template bool
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowed_other_sans Sequence[str]
    Defines allowed custom SANs
    allowed_serial_numbers Sequence[str]
    An array of allowed serial numbers to put in Subject
    allowed_uri_sans Sequence[str]
    Defines allowed URI SANs
    allowed_uri_sans_template bool
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowed_user_ids Sequence[str]
    Defines allowed User IDs
    basic_constraints_valid_for_non_ca bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    client_flag bool
    Flag to specify certificates for client use
    code_signing_flag bool
    Flag to specify certificates for code signing use
    countries Sequence[str]
    The country of generated certificates
    email_protection_flag bool
    Flag to specify certificates for email protection use
    enforce_hostnames bool
    Flag to allow only valid host names
    ext_key_usage_oids Sequence[str]
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ext_key_usages Sequence[str]
    Specify the allowed extended key usage constraint on issued certificates
    generate_lease bool
    Flag to generate leases with certificates
    issuer_ref str
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    key_bits int
    The number of bits of generated keys
    key_type str
    The generated key type; choices: rsa, ec, ed25519, any. Defaults to rsa.
    key_usages Sequence[str]
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities Sequence[str]
    The locality of generated certificates
    max_ttl str
    The maximum lease TTL, in seconds, for the role.
    name str
    The name to identify this role within the backend. Must be unique within the backend.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    no_store bool
    Flag to not store certificates in the storage backend
    not_before_duration str
    Specifies the duration by which to backdate the NotBefore property.
    organization_unit Sequence[str]
    The organization unit of generated certificates
    organizations Sequence[str]
    The organization of generated certificates
    policy_identifier Sequence[SecretBackendRolePolicyIdentifierArgs]
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    policy_identifiers Sequence[str]
    Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
    postal_codes Sequence[str]
    The postal code of generated certificates
    provinces Sequence[str]
    The province of generated certificates
    require_cn bool
    Flag to force CN usage
    server_flag bool
    Flag to specify certificates for server use
    street_addresses Sequence[str]
    The street address of generated certificates
    ttl str
    The TTL, in seconds, for any certificate issued against this role.
    use_csr_common_name bool
    Flag to use the CN in the CSR
    use_csr_sans bool
    Flag to use the SANs in the CSR
    backend String
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    allowAnyName Boolean
    Flag to allow any name
    allowBareDomains Boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains Boolean
    Flag to allow names containing glob patterns.
    allowIpSans Boolean
    Flag to allow IP SANs
    allowLocalhost Boolean
    Flag to allow certificates for localhost
    allowSubdomains Boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates Boolean
    Flag to allow wildcard certificates.
    allowedDomains List<String>
    List of allowed domains for certificates
    allowedDomainsTemplate Boolean
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans List<String>
    Defines allowed custom SANs
    allowedSerialNumbers List<String>
    An array of allowed serial numbers to put in Subject
    allowedUriSans List<String>
    Defines allowed URI SANs
    allowedUriSansTemplate Boolean
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds List<String>
    Defines allowed User IDs
    basicConstraintsValidForNonCa Boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag Boolean
    Flag to specify certificates for client use
    codeSigningFlag Boolean
    Flag to specify certificates for code signing use
    countries List<String>
    The country of generated certificates
    emailProtectionFlag Boolean
    Flag to specify certificates for email protection use
    enforceHostnames Boolean
    Flag to allow only valid host names
    extKeyUsageOids List<String>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages List<String>
    Specify the allowed extended key usage constraint on issued certificates
    generateLease Boolean
    Flag to generate leases with certificates
    issuerRef String
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to deny access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    keyBits Number
    The number of bits of generated keys
    keyType String
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages List<String>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities List<String>
    The locality of generated certificates
    maxTtl String
    The maximum lease TTL, in seconds, for the role.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore Boolean
    Flag to not store certificates in the storage backend
    notBeforeDuration String
    Specifies the duration by which to backdate the NotBefore property.
    organizationUnit List<String>
    The organization unit of generated certificates
    organizations List<String>
    The organization of generated certificates
    policyIdentifier List<Property Map>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    policyIdentifiers List<String>
    Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
    postalCodes List<String>
    The postal code of generated certificates
    provinces List<String>
    The province of generated certificates
    requireCn Boolean
    Flag to force CN usage
    serverFlag Boolean
    Flag to specify certificates for server use
    streetAddresses List<String>
    The street address of generated certificates
    ttl String
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName Boolean
    Flag to use the CN in the CSR
    useCsrSans Boolean
    Flag to use the SANs in the CSR

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing SecretBackendRole Resource

    Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            allow_any_name: Optional[bool] = None,
            allow_bare_domains: Optional[bool] = None,
            allow_glob_domains: Optional[bool] = None,
            allow_ip_sans: Optional[bool] = None,
            allow_localhost: Optional[bool] = None,
            allow_subdomains: Optional[bool] = None,
            allow_wildcard_certificates: Optional[bool] = None,
            allowed_domains: Optional[Sequence[str]] = None,
            allowed_domains_template: Optional[bool] = None,
            allowed_other_sans: Optional[Sequence[str]] = None,
            allowed_serial_numbers: Optional[Sequence[str]] = None,
            allowed_uri_sans: Optional[Sequence[str]] = None,
            allowed_uri_sans_template: Optional[bool] = None,
            allowed_user_ids: Optional[Sequence[str]] = None,
            backend: Optional[str] = None,
            basic_constraints_valid_for_non_ca: Optional[bool] = None,
            client_flag: Optional[bool] = None,
            code_signing_flag: Optional[bool] = None,
            countries: Optional[Sequence[str]] = None,
            email_protection_flag: Optional[bool] = None,
            enforce_hostnames: Optional[bool] = None,
            ext_key_usage_oids: Optional[Sequence[str]] = None,
            ext_key_usages: Optional[Sequence[str]] = None,
            generate_lease: Optional[bool] = None,
            issuer_ref: Optional[str] = None,
            key_bits: Optional[int] = None,
            key_type: Optional[str] = None,
            key_usages: Optional[Sequence[str]] = None,
            localities: Optional[Sequence[str]] = None,
            max_ttl: Optional[str] = None,
            name: Optional[str] = None,
            namespace: Optional[str] = None,
            no_store: Optional[bool] = None,
            not_before_duration: Optional[str] = None,
            organization_unit: Optional[Sequence[str]] = None,
            organizations: Optional[Sequence[str]] = None,
            policy_identifier: Optional[Sequence[_pkisecret.SecretBackendRolePolicyIdentifierArgs]] = None,
            policy_identifiers: Optional[Sequence[str]] = None,
            postal_codes: Optional[Sequence[str]] = None,
            provinces: Optional[Sequence[str]] = None,
            require_cn: Optional[bool] = None,
            server_flag: Optional[bool] = None,
            street_addresses: Optional[Sequence[str]] = None,
            ttl: Optional[str] = None,
            use_csr_common_name: Optional[bool] = None,
            use_csr_sans: Optional[bool] = None) -> SecretBackendRole
    func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)
    public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)
    public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AllowAnyName bool
    Flag to allow any name
    AllowBareDomains bool
    Flag to allow certificates matching the actual domain
    AllowGlobDomains bool
    Flag to allow names containing glob patterns.
    AllowIpSans bool
    Flag to allow IP SANs
    AllowLocalhost bool
    Flag to allow certificates for localhost
    AllowSubdomains bool
    Flag to allow certificates matching subdomains
    AllowWildcardCertificates bool
    Flag to allow wildcard certificates.
    AllowedDomains List<string>
    List of allowed domains for certificates
    AllowedDomainsTemplate bool
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedOtherSans List<string>
    Defines allowed custom SANs
    AllowedSerialNumbers List<string>
    An array of allowed serial numbers to put in Subject
    AllowedUriSans List<string>
    Defines allowed URI SANs
    AllowedUriSansTemplate bool
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedUserIds List<string>
    Defines allowed User IDs
    Backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    BasicConstraintsValidForNonCa bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    ClientFlag bool
    Flag to specify certificates for client use
    CodeSigningFlag bool
    Flag to specify certificates for code signing use
    Countries List<string>
    The country of generated certificates
    EmailProtectionFlag bool
    Flag to specify certificates for email protection use
    EnforceHostnames bool
    Flag to allow only valid host names
    ExtKeyUsageOids List<string>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ExtKeyUsages List<string>
    Specify the allowed extended key usage constraint on issued certificates
    GenerateLease bool
    Flag to generate leases with certificates
    IssuerRef string
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to deny access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    KeyBits int
    The number of bits of generated keys
    KeyType string
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    KeyUsages List<string>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    Localities List<string>
    The locality of generated certificates
    MaxTtl string
    The maximum lease TTL, in seconds, for the role.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NoStore bool
    Flag to not store certificates in the storage backend
    NotBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    OrganizationUnit List<string>
    The organization unit of generated certificates
    Organizations List<string>
    The organization of generated certificates
    PolicyIdentifier List<SecretBackendRolePolicyIdentifier>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    PolicyIdentifiers List<string>
    Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
    PostalCodes List<string>
    The postal code of generated certificates
    Provinces List<string>
    The province of generated certificates
    RequireCn bool
    Flag to force CN usage
    ServerFlag bool
    Flag to specify certificates for server use
    StreetAddresses List<string>
    The street address of generated certificates
    Ttl string
    The TTL, in seconds, for any certificate issued against this role.
    UseCsrCommonName bool
    Flag to use the CN in the CSR
    UseCsrSans bool
    Flag to use the SANs in the CSR
    AllowAnyName bool
    Flag to allow any name
    AllowBareDomains bool
    Flag to allow certificates matching the actual domain
    AllowGlobDomains bool
    Flag to allow names containing glob patterns.
    AllowIpSans bool
    Flag to allow IP SANs
    AllowLocalhost bool
    Flag to allow certificates for localhost
    AllowSubdomains bool
    Flag to allow certificates matching subdomains
    AllowWildcardCertificates bool
    Flag to allow wildcard certificates.
    AllowedDomains []string
    List of allowed domains for certificates
    AllowedDomainsTemplate bool
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedOtherSans []string
    Defines allowed custom SANs
    AllowedSerialNumbers []string
    An array of allowed serial numbers to put in Subject
    AllowedUriSans []string
    Defines allowed URI SANs
    AllowedUriSansTemplate bool
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedUserIds []string
    Defines allowed User IDs
    Backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    BasicConstraintsValidForNonCa bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    ClientFlag bool
    Flag to specify certificates for client use
    CodeSigningFlag bool
    Flag to specify certificates for code signing use
    Countries []string
    The country of generated certificates
    EmailProtectionFlag bool
    Flag to specify certificates for email protection use
    EnforceHostnames bool
    Flag to allow only valid host names
    ExtKeyUsageOids []string
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ExtKeyUsages []string
    Specify the allowed extended key usage constraint on issued certificates
    GenerateLease bool
    Flag to generate leases with certificates
    IssuerRef string
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to deny access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    KeyBits int
    The number of bits of generated keys
    KeyType string
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    KeyUsages []string
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    Localities []string
    The locality of generated certificates
    MaxTtl string
    The maximum lease TTL, in seconds, for the role.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NoStore bool
    Flag to not store certificates in the storage backend
    NotBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    OrganizationUnit []string
    The organization unit of generated certificates
    Organizations []string
    The organization of generated certificates
    PolicyIdentifier []SecretBackendRolePolicyIdentifierArgs
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    PolicyIdentifiers []string
    Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
    PostalCodes []string
    The postal code of generated certificates
    Provinces []string
    The province of generated certificates
    RequireCn bool
    Flag to force CN usage
    ServerFlag bool
    Flag to specify certificates for server use
    StreetAddresses []string
    The street address of generated certificates
    Ttl string
    The TTL, in seconds, for any certificate issued against this role.
    UseCsrCommonName bool
    Flag to use the CN in the CSR
    UseCsrSans bool
    Flag to use the SANs in the CSR
    allowAnyName Boolean
    Flag to allow any name
    allowBareDomains Boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains Boolean
    Flag to allow names containing glob patterns.
    allowIpSans Boolean
    Flag to allow IP SANs
    allowLocalhost Boolean
    Flag to allow certificates for localhost
    allowSubdomains Boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates Boolean
    Flag to allow wildcard certificates.
    allowedDomains List<String>
    List of allowed domains for certificates
    allowedDomainsTemplate Boolean
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans List<String>
    Defines allowed custom SANs
    allowedSerialNumbers List<String>
    An array of allowed serial numbers to put in Subject
    allowedUriSans List<String>
    Defines allowed URI SANs
    allowedUriSansTemplate Boolean
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds List<String>
    Defines allowed User IDs
    backend String
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    basicConstraintsValidForNonCa Boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag Boolean
    Flag to specify certificates for client use
    codeSigningFlag Boolean
    Flag to specify certificates for code signing use
    countries List<String>
    The country of generated certificates
    emailProtectionFlag Boolean
    Flag to specify certificates for email protection use
    enforceHostnames Boolean
    Flag to allow only valid host names
    extKeyUsageOids List<String>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages List<String>
    Specify the allowed extended key usage constraint on issued certificates
    generateLease Boolean
    Flag to generate leases with certificates
    issuerRef String
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to deny access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    keyBits Integer
    The number of bits of generated keys
    keyType String
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages List<String>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities List<String>
    The locality of generated certificates
    maxTtl String
    The maximum lease TTL, in seconds, for the role.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore Boolean
    Flag to not store certificates in the storage backend
    notBeforeDuration String
    Specifies the duration by which to backdate the NotBefore property.
    organizationUnit List<String>
    The organization unit of generated certificates
    organizations List<String>
    The organization of generated certificates
    policyIdentifier List<SecretBackendRolePolicyIdentifier>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    policyIdentifiers List<String>
    Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
    postalCodes List<String>
    The postal code of generated certificates
    provinces List<String>
    The province of generated certificates
    requireCn Boolean
    Flag to force CN usage
    serverFlag Boolean
    Flag to specify certificates for server use
    streetAddresses List<String>
    The street address of generated certificates
    ttl String
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName Boolean
    Flag to use the CN in the CSR
    useCsrSans Boolean
    Flag to use the SANs in the CSR
    allowAnyName boolean
    Flag to allow any name
    allowBareDomains boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains boolean
    Flag to allow names containing glob patterns.
    allowIpSans boolean
    Flag to allow IP SANs
    allowLocalhost boolean
    Flag to allow certificates for localhost
    allowSubdomains boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates boolean
    Flag to allow wildcard certificates.
    allowedDomains string[]
    List of allowed domains for certificates
    allowedDomainsTemplate boolean
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans string[]
    Defines allowed custom SANs
    allowedSerialNumbers string[]
    An array of allowed serial numbers to put in Subject
    allowedUriSans string[]
    Defines allowed URI SANs
    allowedUriSansTemplate boolean
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds string[]
    Defines allowed User IDs
    backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    basicConstraintsValidForNonCa boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag boolean
    Flag to specify certificates for client use
    codeSigningFlag boolean
    Flag to specify certificates for code signing use
    countries string[]
    The country of generated certificates
    emailProtectionFlag boolean
    Flag to specify certificates for email protection use
    enforceHostnames boolean
    Flag to allow only valid host names
    extKeyUsageOids string[]
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages string[]
    Specify the allowed extended key usage constraint on issued certificates
    generateLease boolean
    Flag to generate leases with certificates
    issuerRef string
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to deny access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    keyBits number
    The number of bits of generated keys
    keyType string
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages string[]
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities string[]
    The locality of generated certificates
    maxTtl string
    The maximum lease TTL, in seconds, for the role.
    name string
    The name to identify this role within the backend. Must be unique within the backend.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore boolean
    Flag to not store certificates in the storage backend
    notBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    organizationUnit string[]
    The organization unit of generated certificates
    organizations string[]
    The organization of generated certificates
    policyIdentifier SecretBackendRolePolicyIdentifier[]
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    policyIdentifiers string[]
    Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
    postalCodes string[]
    The postal code of generated certificates
    provinces string[]
    The province of generated certificates
    requireCn boolean
    Flag to force CN usage
    serverFlag boolean
    Flag to specify certificates for server use
    streetAddresses string[]
    The street address of generated certificates
    ttl string
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName boolean
    Flag to use the CN in the CSR
    useCsrSans boolean
    Flag to use the SANs in the CSR
    allow_any_name bool
    Flag to allow any name
    allow_bare_domains bool
    Flag to allow certificates matching the actual domain
    allow_glob_domains bool
    Flag to allow names containing glob patterns.
    allow_ip_sans bool
    Flag to allow IP SANs
    allow_localhost bool
    Flag to allow certificates for localhost
    allow_subdomains bool
    Flag to allow certificates matching subdomains
    allow_wildcard_certificates bool
    Flag to allow wildcard certificates.
    allowed_domains Sequence[str]
    List of allowed domains for certificates
    allowed_domains_template bool
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowed_other_sans Sequence[str]
    Defines allowed custom SANs
    allowed_serial_numbers Sequence[str]
    An array of allowed serial numbers to put in Subject
    allowed_uri_sans Sequence[str]
    Defines allowed URI SANs
    allowed_uri_sans_template bool
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowed_user_ids Sequence[str]
    Defines allowed User IDs
    backend str
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    basic_constraints_valid_for_non_ca bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    client_flag bool
    Flag to specify certificates for client use
    code_signing_flag bool
    Flag to specify certificates for code signing use
    countries Sequence[str]
    The country of generated certificates
    email_protection_flag bool
    Flag to specify certificates for email protection use
    enforce_hostnames bool
    Flag to allow only valid host names
    ext_key_usage_oids Sequence[str]
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ext_key_usages Sequence[str]
    Specify the allowed extended key usage constraint on issued certificates
    generate_lease bool
    Flag to generate leases with certificates
    issuer_ref str
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to deny access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    key_bits int
    The number of bits of generated keys
    key_type str
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    key_usages Sequence[str]
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities Sequence[str]
    The locality of generated certificates
    max_ttl str
    The maximum lease TTL, in seconds, for the role.
    name str
    The name to identify this role within the backend. Must be unique within the backend.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    no_store bool
    Flag to not store certificates in the storage backend
    not_before_duration str
    Specifies the duration by which to backdate the NotBefore property.
    organization_unit Sequence[str]
    The organization unit of generated certificates
    organizations Sequence[str]
    The organization of generated certificates
    policy_identifier Sequence[SecretBackendRolePolicyIdentifierArgs]
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    policy_identifiers Sequence[str]
    Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
    postal_codes Sequence[str]
    The postal code of generated certificates
    provinces Sequence[str]
    The province of generated certificates
    require_cn bool
    Flag to force CN usage
    server_flag bool
    Flag to specify certificates for server use
    street_addresses Sequence[str]
    The street address of generated certificates
    ttl str
    The TTL, in seconds, for any certificate issued against this role.
    use_csr_common_name bool
    Flag to use the CN in the CSR
    use_csr_sans bool
    Flag to use the SANs in the CSR
    allowAnyName Boolean
    Flag to allow any name, regardless of the allowed domains
    allowBareDomains Boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains Boolean
    Flag to allow names containing glob patterns.
    allowIpSans Boolean
    Flag to allow IP SANs
    allowLocalhost Boolean
    Flag to allow certificates for localhost
    allowSubdomains Boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates Boolean
    Flag to allow wildcard certificates.
    allowedDomains List<String>
    List of allowed domains for certificates
    allowedDomainsTemplate Boolean
    If set, allowed_domains may be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans List<String>
    Defines allowed custom SANs
    allowedSerialNumbers List<String>
    An array of allowed serial numbers to put in Subject
    allowedUriSans List<String>
    Defines allowed URI SANs
    allowedUriSansTemplate Boolean
    If set, allowed_uri_sans may be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds List<String>
    Defines allowed User IDs
    backend String
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    basicConstraintsValidForNonCa Boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag Boolean
    Flag to specify certificates for client use
    codeSigningFlag Boolean
    Flag to specify certificates for code signing use
    countries List<String>
    The country of generated certificates
    emailProtectionFlag Boolean
    Flag to specify certificates for email protection use
    enforceHostnames Boolean
    Flag to allow only valid host names
    extKeyUsageOids List<String>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages List<String>
    Specify the allowed extended key usage constraint on issued certificates
    generateLease Boolean
    Flag to generate leases with certificates
    issuerRef String
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths with ACLs so that users cannot override the role's issuer_ref value.
    keyBits Number
    The number of bits of generated keys
    keyType String
    The generated key type; choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages List<String>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities List<String>
    The locality of generated certificates
    maxTtl String
    The maximum lease TTL, in seconds, for the role.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore Boolean
    Flag to not store certificates in the storage backend
    notBeforeDuration String
    Specifies the duration by which to backdate the NotBefore property.
    organizationUnit List<String>
    The organization unit of generated certificates
    organizations List<String>
    The organization of generated certificates
    policyIdentifier List<Property Map>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    policyIdentifiers List<String>
    Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
    postalCodes List<String>
    The postal code of generated certificates
    provinces List<String>
    The province of generated certificates
    requireCn Boolean
    Flag to force CN usage
    serverFlag Boolean
    Flag to specify certificates for server use
    streetAddresses List<String>
    The street address of generated certificates
    ttl String
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName Boolean
    Flag to use the CN in the CSR
    useCsrSans Boolean
    Flag to use the SANs in the CSR

    Supporting Types

    SecretBackendRolePolicyIdentifier, SecretBackendRolePolicyIdentifierArgs

    Oid string
    The OID for the policy identifier
    Cps string

    The URL of the CPS for the policy identifier

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

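    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     *
     * <p>The role is deliberately narrow: only {@code example.com}, {@code my.domain}
     * and their subdomains are issuable, IP SANs are permitted, and keys are 4096-bit RSA.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares the {@code pki} mount and the {@code role} issuing role on it. */
        public static void stack(Context ctx) {
            // 1h default lease, capped at 24h for anything issued from this mount.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                // ttl is documented as a string property (see the property docs
                // above); the unquoted integer literal 3600 does not fit that type.
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                // NOTE(review): policyIdentifiers is documented as a list of OID
                // strings (Vault <= 1.10); the structured oid/notice/cps entries below
                // belong to the policyIdentifier block (Vault 1.11+, type
                // SecretBackendRolePolicyIdentifierArgs). Confirm the builder method
                // against the SDK before relying on this example.
                .policyIdentifiers(
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.7.8"),
                        Map.entry("notice", "I am a user Notice")
                    ),
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.44947.1.2.4"),
                        Map.entry("cps", "https://example.com")
                    ))
                .build());
        }
    }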

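    resources:
      # PKI secrets engine: 1h default lease, 24h maximum for anything it issues.
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuing role restricted to example.com / my.domain and their subdomains.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          # ttl is a String property (see the property docs above), so quote it.
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # Structured oid/notice/cps entries are the policyIdentifier block
          # (Vault 1.11+); policyIdentifiers takes a plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com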
    
    Notice string
    A notice for the policy identifier
    Oid string
    The OID for the policy identifier
    Cps string

    The URL of the CPS for the policy identifier

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

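    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     *
     * <p>The role is deliberately narrow: only {@code example.com}, {@code my.domain}
     * and their subdomains are issuable, IP SANs are permitted, and keys are 4096-bit RSA.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares the {@code pki} mount and the {@code role} issuing role on it. */
        public static void stack(Context ctx) {
            // 1h default lease, capped at 24h for anything issued from this mount.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                // ttl is documented as a string property (see the property docs
                // above); the unquoted integer literal 3600 does not fit that type.
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                // NOTE(review): policyIdentifiers is documented as a list of OID
                // strings (Vault <= 1.10); the structured oid/notice/cps entries below
                // belong to the policyIdentifier block (Vault 1.11+, type
                // SecretBackendRolePolicyIdentifierArgs). Confirm the builder method
                // against the SDK before relying on this example.
                .policyIdentifiers(
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.7.8"),
                        Map.entry("notice", "I am a user Notice")
                    ),
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.44947.1.2.4"),
                        Map.entry("cps", "https://example.com")
                    ))
                .build());
        }
    }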

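    resources:
      # PKI secrets engine: 1h default lease, 24h maximum for anything it issues.
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuing role restricted to example.com / my.domain and their subdomains.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          # ttl is a String property (see the property docs above), so quote it.
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # Structured oid/notice/cps entries are the policyIdentifier block
          # (Vault 1.11+); policyIdentifiers takes a plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com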
    
    Notice string
    A notice for the policy identifier
    oid String
    The OID for the policy identifier
    cps String

    The URL of the CPS for the policy identifier

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

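    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     *
     * <p>The role is deliberately narrow: only {@code example.com}, {@code my.domain}
     * and their subdomains are issuable, IP SANs are permitted, and keys are 4096-bit RSA.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares the {@code pki} mount and the {@code role} issuing role on it. */
        public static void stack(Context ctx) {
            // 1h default lease, capped at 24h for anything issued from this mount.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                // ttl is documented as a string property (see the property docs
                // above); the unquoted integer literal 3600 does not fit that type.
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                // NOTE(review): policyIdentifiers is documented as a list of OID
                // strings (Vault <= 1.10); the structured oid/notice/cps entries below
                // belong to the policyIdentifier block (Vault 1.11+, type
                // SecretBackendRolePolicyIdentifierArgs). Confirm the builder method
                // against the SDK before relying on this example.
                .policyIdentifiers(
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.7.8"),
                        Map.entry("notice", "I am a user Notice")
                    ),
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.44947.1.2.4"),
                        Map.entry("cps", "https://example.com")
                    ))
                .build());
        }
    }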

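    resources:
      # PKI secrets engine: 1h default lease, 24h maximum for anything it issues.
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuing role restricted to example.com / my.domain and their subdomains.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          # ttl is a String property (see the property docs above), so quote it.
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # Structured oid/notice/cps entries are the policyIdentifier block
          # (Vault 1.11+); policyIdentifiers takes a plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com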
    
    notice String
    A notice for the policy identifier
    oid string
    The OID for the policy identifier
    cps string

    The URL of the CPS for the policy identifier

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

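    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     *
     * <p>The role is deliberately narrow: only {@code example.com}, {@code my.domain}
     * and their subdomains are issuable, IP SANs are permitted, and keys are 4096-bit RSA.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares the {@code pki} mount and the {@code role} issuing role on it. */
        public static void stack(Context ctx) {
            // 1h default lease, capped at 24h for anything issued from this mount.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                // ttl is documented as a string property (see the property docs
                // above); the unquoted integer literal 3600 does not fit that type.
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                // NOTE(review): policyIdentifiers is documented as a list of OID
                // strings (Vault <= 1.10); the structured oid/notice/cps entries below
                // belong to the policyIdentifier block (Vault 1.11+, type
                // SecretBackendRolePolicyIdentifierArgs). Confirm the builder method
                // against the SDK before relying on this example.
                .policyIdentifiers(
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.7.8"),
                        Map.entry("notice", "I am a user Notice")
                    ),
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.44947.1.2.4"),
                        Map.entry("cps", "https://example.com")
                    ))
                .build());
        }
    }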

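    resources:
      # PKI secrets engine: 1h default lease, 24h maximum for anything it issues.
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuing role restricted to example.com / my.domain and their subdomains.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          # ttl is a String property (see the property docs above), so quote it.
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # Structured oid/notice/cps entries are the policyIdentifier block
          # (Vault 1.11+); policyIdentifiers takes a plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com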
    
    notice string
    A notice for the policy identifier
    oid str
    The OID for the policy identifier
    cps str

    The URL of the CPS for the policy identifier

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

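    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     *
     * <p>The role is deliberately narrow: only {@code example.com}, {@code my.domain}
     * and their subdomains are issuable, IP SANs are permitted, and keys are 4096-bit RSA.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares the {@code pki} mount and the {@code role} issuing role on it. */
        public static void stack(Context ctx) {
            // 1h default lease, capped at 24h for anything issued from this mount.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                // ttl is documented as a string property (see the property docs
                // above); the unquoted integer literal 3600 does not fit that type.
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                // NOTE(review): policyIdentifiers is documented as a list of OID
                // strings (Vault <= 1.10); the structured oid/notice/cps entries below
                // belong to the policyIdentifier block (Vault 1.11+, type
                // SecretBackendRolePolicyIdentifierArgs). Confirm the builder method
                // against the SDK before relying on this example.
                .policyIdentifiers(
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.7.8"),
                        Map.entry("notice", "I am a user Notice")
                    ),
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.44947.1.2.4"),
                        Map.entry("cps", "https://example.com")
                    ))
                .build());
        }
    }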

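    resources:
      # PKI secrets engine: 1h default lease, 24h maximum for anything it issues.
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuing role restricted to example.com / my.domain and their subdomains.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          # ttl is a String property (see the property docs above), so quote it.
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # Structured oid/notice/cps entries are the policyIdentifier block
          # (Vault 1.11+); policyIdentifiers takes a plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com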
    
    notice str
    A notice for the policy identifier
    oid String
    The OID for the policy identifier
    cps String

    The URL of the CPS for the policy identifier

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

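    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     *
     * <p>The role is deliberately narrow: only {@code example.com}, {@code my.domain}
     * and their subdomains are issuable, IP SANs are permitted, and keys are 4096-bit RSA.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares the {@code pki} mount and the {@code role} issuing role on it. */
        public static void stack(Context ctx) {
            // 1h default lease, capped at 24h for anything issued from this mount.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                // ttl is documented as a string property (see the property docs
                // above); the unquoted integer literal 3600 does not fit that type.
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                // NOTE(review): policyIdentifiers is documented as a list of OID
                // strings (Vault <= 1.10); the structured oid/notice/cps entries below
                // belong to the policyIdentifier block (Vault 1.11+, type
                // SecretBackendRolePolicyIdentifierArgs). Confirm the builder method
                // against the SDK before relying on this example.
                .policyIdentifiers(
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.7.8"),
                        Map.entry("notice", "I am a user Notice")
                    ),
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.44947.1.2.4"),
                        Map.entry("cps", "https://example.com")
                    ))
                .build());
        }
    }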

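    resources:
      # PKI secrets engine: 1h default lease, 24h maximum for anything it issues.
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuing role restricted to example.com / my.domain and their subdomains.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          # ttl is a String property (see the property docs above), so quote it.
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # Structured oid/notice/cps entries are the policyIdentifier block
          # (Vault 1.11+); policyIdentifiers takes a plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com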
    
    notice String
    A notice for the policy identifier

    Import

    PKI secret backend roles can be imported using their path in the backend, e.g.

     $ pulumi import vault:pkiSecret/secretBackendRole:SecretBackendRole role pki/roles/my_role
    

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.