Viewing docs for HashiCorp Vault v7.7.0
published on Friday, Feb 6, 2026 by Pulumi
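This data source signs an SSH public key using the Vault SSH secrets backend and returns the signed certificate together with its serial number. Because it is a function invocation rather than a managed resource, the signing request is made whenever the Pulumi program is evaluated, so request a short ttl and the narrowest set of valid principals that the role permits.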
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// Arguments for the signing request: `path` is where the SSH backend is
// mounted and `name` is the role used to sign the key.
// NOTE(review): the key body in `publicKey` appears elided in this listing;
// supply the complete public key when adapting the example.
const signArgs = {
    path: "ssh",
    publicKey: "ssh-rsa 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 user@example.com",
    name: "test",
    // The certificate is signed for exactly these usernames or hostnames,
    // so keep the list as narrow as the use case allows.
    validPrincipals: "my-user",
    // `ttl` is not set, so per the argument reference the role's ttl applies.
};

// Direct form: resolves to a result carrying `signedKey` and `serialNumber`.
const test = vault.ssh.getSecretBackendSign(signArgs);
import pulumi
import pulumi_vault as vault
# Arguments for the signing request: `path` is where the SSH backend is
# mounted and `name` is the role used to sign the key.
# NOTE(review): the key body in `public_key` appears elided in this listing;
# supply the complete public key when adapting the example.
sign_args = {
    "path": "ssh",
    "public_key": "ssh-rsa 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 user@example.com",
    "name": "test",
    # The certificate is signed for exactly these usernames or hostnames,
    # so keep the list as narrow as the use case allows.
    "valid_principals": "my-user",
    # `ttl` is not set, so per the argument reference the role's ttl applies.
}

# Direct form: the result exposes `signed_key` and `serial_number`.
test = vault.ssh.get_secret_backend_sign(**sign_args)
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ssh"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that asks the SSH backend mounted at "ssh" to
// sign a public key with the "test" role. The result is discarded here; a
// real program would read the signed key and serial number from it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		signArgs := &ssh.GetSecretBackendSignArgs{
			Path:      "ssh",
			PublicKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com",
			Name:      "test",
			// The certificate is signed for exactly these usernames or
			// hostnames, so keep the list as narrow as the use case allows.
			ValidPrincipals: pulumi.StringRef("my-user"),
			// Ttl is not set, so per the argument reference the role's ttl applies.
		}
		if _, err := ssh.GetSecretBackendSign(ctx, signArgs, nil); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
// Runs a Pulumi program that asks the SSH backend mounted at "ssh" to sign a
// public key with the "test" role.
return await Deployment.RunAsync(() =>
{
    // NOTE(review): the key body in PublicKey appears elided in this listing;
    // supply the complete public key when adapting the example.
    var signArgs = new Vault.Ssh.GetSecretBackendSignInvokeArgs
    {
        Path = "ssh",
        PublicKey = "ssh-rsa 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 user@example.com",
        Name = "test",
        // The certificate is signed for exactly these usernames or hostnames,
        // so keep the list as narrow as the use case allows.
        ValidPrincipals = "my-user",
        // Ttl is not set, so per the argument reference the role's ttl applies.
    };

    // Output form: the result exposes SignedKey and SerialNumber.
    var test = Vault.Ssh.GetSecretBackendSign.Invoke(signArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.ssh.SshFunctions;
import com.pulumi.vault.ssh.inputs.GetSecretBackendSignArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Example Pulumi program that asks the SSH backend mounted at "ssh" to sign a
 * public key with the "test" role.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the signing arguments and invokes the sign function.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // NOTE(review): the key body in publicKey appears elided in this
        // listing; supply the complete public key when adapting the example.
        final var signArgs = GetSecretBackendSignArgs.builder()
            .path("ssh")
            .publicKey("ssh-rsa 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 user@example.com")
            .name("test")
            // The certificate is signed for exactly these usernames or
            // hostnames, so keep the list as narrow as the use case allows.
            .validPrincipals("my-user")
            // ttl is not set, so per the argument reference the role's ttl applies.
            .build();

        final var test = SshFunctions.getSecretBackendSign(signArgs);
    }
}
# Invokes the sign function against the SSH backend mounted at "ssh",
# using the "test" role.
variables:
  test:
    fn::invoke:
      function: vault:ssh:getSecretBackendSign
      arguments:
        path: ssh
        # NOTE(review): the key body appears elided in this listing; supply
        # the complete public key when adapting the example.
        publicKey: ssh-rsa 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 user@example.com
        name: test
        # The certificate is signed for exactly these usernames or hostnames,
        # so keep the list as narrow as the use case allows.
        validPrincipals: my-user
        # ttl is not set, so per the argument reference the role's ttl applies.
Using getSecretBackendSign
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getSecretBackendSign(args: GetSecretBackendSignArgs, opts?: InvokeOptions): Promise<GetSecretBackendSignResult>
function getSecretBackendSignOutput(args: GetSecretBackendSignOutputArgs, opts?: InvokeOptions): Output<GetSecretBackendSignResult>
def get_secret_backend_sign(cert_type: Optional[str] = None,
critical_options: Optional[Mapping[str, str]] = None,
extensions: Optional[Mapping[str, str]] = None,
key_id: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
path: Optional[str] = None,
public_key: Optional[str] = None,
ttl: Optional[str] = None,
valid_principals: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetSecretBackendSignResult
def get_secret_backend_sign_output(cert_type: Optional[pulumi.Input[str]] = None,
critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
key_id: Optional[pulumi.Input[str]] = None,
name: Optional[pulumi.Input[str]] = None,
namespace: Optional[pulumi.Input[str]] = None,
path: Optional[pulumi.Input[str]] = None,
public_key: Optional[pulumi.Input[str]] = None,
ttl: Optional[pulumi.Input[str]] = None,
valid_principals: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetSecretBackendSignResult]
func GetSecretBackendSign(ctx *Context, args *GetSecretBackendSignArgs, opts ...InvokeOption) (*GetSecretBackendSignResult, error)
func GetSecretBackendSignOutput(ctx *Context, args *GetSecretBackendSignOutputArgs, opts ...InvokeOption) GetSecretBackendSignResultOutput
> Note: This function is named GetSecretBackendSign in the Go SDK.
public static class GetSecretBackendSign
{
public static Task<GetSecretBackendSignResult> InvokeAsync(GetSecretBackendSignArgs args, InvokeOptions? opts = null)
public static Output<GetSecretBackendSignResult> Invoke(GetSecretBackendSignInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetSecretBackendSignResult> getSecretBackendSign(GetSecretBackendSignArgs args, InvokeOptions options)
public static Output<GetSecretBackendSignResult> getSecretBackendSign(GetSecretBackendSignArgs args, InvokeOptions options)
fn::invoke:
function: vault:ssh/getSecretBackendSign:getSecretBackendSign
arguments:
# arguments dictionary
The following arguments are supported:
- Name string - Specifies the name of the role used to sign the key.
- Path string - Full path where the SSH backend is mounted.
- PublicKey string - Specifies the SSH public key that should be signed.
- CertType string - Specifies the type of certificate to be created; either "user" or "host".
- CriticalOptions Dictionary<string, string> - Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- Extensions Dictionary<string, string> - Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- KeyId string - Specifies the key ID that the created certificate should have. If not specified, the display name of the token will be used.
- Namespace string
- Ttl string - Specifies the requested time to live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- ValidPrincipals string - Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
- Name string - Specifies the name of the role used to sign the key.
- Path string - Full path where the SSH backend is mounted.
- PublicKey string - Specifies the SSH public key that should be signed.
- CertType string - Specifies the type of certificate to be created; either "user" or "host".
- CriticalOptions map[string]string - Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- Extensions map[string]string - Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- KeyId string - Specifies the key ID that the created certificate should have. If not specified, the display name of the token will be used.
- Namespace string
- Ttl string - Specifies the requested time to live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- ValidPrincipals string - Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
- name String - Specifies the name of the role used to sign the key.
- path String - Full path where the SSH backend is mounted.
- publicKey String - Specifies the SSH public key that should be signed.
- certType String - Specifies the type of certificate to be created; either "user" or "host".
- criticalOptions Map<String,String> - Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- extensions Map<String,String> - Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- keyId String - Specifies the key ID that the created certificate should have. If not specified, the display name of the token will be used.
- namespace String
- ttl String - Specifies the requested time to live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- validPrincipals String - Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
- name string - Specifies the name of the role used to sign the key.
- path string - Full path where the SSH backend is mounted.
- publicKey string - Specifies the SSH public key that should be signed.
- certType string - Specifies the type of certificate to be created; either "user" or "host".
- criticalOptions {[key: string]: string} - Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- extensions {[key: string]: string} - Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- keyId string - Specifies the key ID that the created certificate should have. If not specified, the display name of the token will be used.
- namespace string
- ttl string - Specifies the requested time to live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- validPrincipals string - Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
- name str - Specifies the name of the role used to sign the key.
- path str - Full path where the SSH backend is mounted.
- public_key str - Specifies the SSH public key that should be signed.
- cert_type str - Specifies the type of certificate to be created; either "user" or "host".
- critical_options Mapping[str, str] - Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- extensions Mapping[str, str] - Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- key_id str - Specifies the key ID that the created certificate should have. If not specified, the display name of the token will be used.
- namespace str
- ttl str - Specifies the requested time to live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- valid_principals str - Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
- name String - Specifies the name of the role used to sign the key.
- path String - Full path where the SSH backend is mounted.
- publicKey String - Specifies the SSH public key that should be signed.
- certType String - Specifies the type of certificate to be created; either "user" or "host".
- criticalOptions Map<String> - Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- extensions Map<String> - Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- keyId String - Specifies the key ID that the created certificate should have. If not specified, the display name of the token will be used.
- namespace String
- ttl String - Specifies the requested time to live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- validPrincipals String - Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
getSecretBackendSign Result
The following output properties are available:
- Id string - The provider-assigned unique ID for this managed resource.
- Name string
- Path string
- PublicKey string
- SerialNumber string - The serial number of the certificate returned from Vault
- SignedKey string - The signed certificate returned from Vault
- CertType string
- CriticalOptions Dictionary<string, string>
- Extensions Dictionary<string, string>
- KeyId string
- Namespace string
- Ttl string
- ValidPrincipals string
- Id string - The provider-assigned unique ID for this managed resource.
- Name string
- Path string
- PublicKey string
- SerialNumber string - The serial number of the certificate returned from Vault
- SignedKey string - The signed certificate returned from Vault
- CertType string
- CriticalOptions map[string]string
- Extensions map[string]string
- KeyId string
- Namespace string
- Ttl string
- ValidPrincipals string
- id String - The provider-assigned unique ID for this managed resource.
- name String
- path String
- publicKey String
- serialNumber String - The serial number of the certificate returned from Vault
- signedKey String - The signed certificate returned from Vault
- certType String
- criticalOptions Map<String,String>
- extensions Map<String,String>
- keyId String
- namespace String
- ttl String
- validPrincipals String
- id string - The provider-assigned unique ID for this managed resource.
- name string
- path string
- publicKey string
- serialNumber string - The serial number of the certificate returned from Vault
- signedKey string - The signed certificate returned from Vault
- certType string
- criticalOptions {[key: string]: string}
- extensions {[key: string]: string}
- keyId string
- namespace string
- ttl string
- validPrincipals string
- id str - The provider-assigned unique ID for this managed resource.
- name str
- path str
- public_key str
- serial_number str - The serial number of the certificate returned from Vault
- signed_key str - The signed certificate returned from Vault
- cert_type str
- critical_options Mapping[str, str]
- extensions Mapping[str, str]
- key_id str
- namespace str
- ttl str
- valid_principals str
- id String - The provider-assigned unique ID for this managed resource.
- name String
- path String
- publicKey String
- serialNumber String - The serial number of the certificate returned from Vault
- signedKey String - The signed certificate returned from Vault
- certType String
- criticalOptions Map<String>
- extensions Map<String>
- keyId String
- namespace String
- ttl String
- validPrincipals String
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the vault Terraform Provider.
