HashiCorp Vault v7.0.0, Jun 21 25

HashiCorp Vault v7.0.0 published on Saturday, Jun 21, 2025 by Pulumi

vault.transit.SecretBackendKey

Explore with Pulumi AI

HashiCorp Vault v7.0.0 published on Saturday, Jun 21, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const transit = new vault.Mount("transit", {
    path: "transit",
    type: "transit",
    description: "Example description",
    defaultLeaseTtlSeconds: 3600,
    maxLeaseTtlSeconds: 86400,
});
const key = new vault.transit.SecretBackendKey("key", {
    backend: transit.path,
    name: "my_key",
});

import pulumi
import pulumi_vault as vault

transit = vault.Mount("transit",
    path="transit",
    type="transit",
    description="Example description",
    default_lease_ttl_seconds=3600,
    max_lease_ttl_seconds=86400)
key = vault.transit.SecretBackendKey("key",
    backend=transit.path,
    name="my_key")

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transit"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		transit, err := vault.NewMount(ctx, "transit", &vault.MountArgs{
			Path:                   pulumi.String("transit"),
			Type:                   pulumi.String("transit"),
			Description:            pulumi.String("Example description"),
			DefaultLeaseTtlSeconds: pulumi.Int(3600),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
		})
		if err != nil {
			return err
		}
		_, err = transit.NewSecretBackendKey(ctx, "key", &transit.SecretBackendKeyArgs{
			Backend: transit.Path,
			Name:    pulumi.String("my_key"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var transit = new Vault.Mount("transit", new()
    {
        Path = "transit",
        Type = "transit",
        Description = "Example description",
        DefaultLeaseTtlSeconds = 3600,
        MaxLeaseTtlSeconds = 86400,
    });

    var key = new Vault.Transit.SecretBackendKey("key", new()
    {
        Backend = transit.Path,
        Name = "my_key",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.transit.SecretBackendKey;
import com.pulumi.vault.transit.SecretBackendKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var transit = new Mount("transit", MountArgs.builder()
            .path("transit")
            .type("transit")
            .description("Example description")
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build());

        var key = new SecretBackendKey("key", SecretBackendKeyArgs.builder()
            .backend(transit.path())
            .name("my_key")
            .build());

    }
}

resources:
  transit:
    type: vault:Mount
    properties:
      path: transit
      type: transit
      description: Example description
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  key:
    type: vault:transit:SecretBackendKey
    properties:
      backend: ${transit.path}
      name: my_key

Create SecretBackendKey Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecretBackendKey(name: string, args: SecretBackendKeyArgs, opts?: CustomResourceOptions);

@overload
def SecretBackendKey(resource_name: str,
                     args: SecretBackendKeyArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def SecretBackendKey(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     backend: Optional[str] = None,
                     hybrid_key_type_pqc: Optional[str] = None,
                     min_encryption_version: Optional[int] = None,
                     convergent_encryption: Optional[bool] = None,
                     deletion_allowed: Optional[bool] = None,
                     derived: Optional[bool] = None,
                     exportable: Optional[bool] = None,
                     auto_rotate_period: Optional[int] = None,
                     key_size: Optional[int] = None,
                     hybrid_key_type_ec: Optional[str] = None,
                     min_decryption_version: Optional[int] = None,
                     allow_plaintext_backup: Optional[bool] = None,
                     name: Optional[str] = None,
                     namespace: Optional[str] = None,
                     parameter_set: Optional[str] = None,
                     type: Optional[str] = None)

func NewSecretBackendKey(ctx *Context, name string, args SecretBackendKeyArgs, opts ...ResourceOption) (*SecretBackendKey, error)

public SecretBackendKey(string name, SecretBackendKeyArgs args, CustomResourceOptions? opts = null)

public SecretBackendKey(String name, SecretBackendKeyArgs args)
public SecretBackendKey(String name, SecretBackendKeyArgs args, CustomResourceOptions options)

type: vault:transit:SecretBackendKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var vaultSecretBackendKeyResource = new Vault.Transit.SecretBackendKey("vaultSecretBackendKeyResource", new()
{
    Backend = "string",
    HybridKeyTypePqc = "string",
    MinEncryptionVersion = 0,
    ConvergentEncryption = false,
    DeletionAllowed = false,
    Derived = false,
    Exportable = false,
    AutoRotatePeriod = 0,
    KeySize = 0,
    HybridKeyTypeEc = "string",
    MinDecryptionVersion = 0,
    AllowPlaintextBackup = false,
    Name = "string",
    Namespace = "string",
    ParameterSet = "string",
    Type = "string",
});

example, err := transit.NewSecretBackendKey(ctx, "vaultSecretBackendKeyResource", &transit.SecretBackendKeyArgs{
	Backend:              pulumi.String("string"),
	HybridKeyTypePqc:     pulumi.String("string"),
	MinEncryptionVersion: pulumi.Int(0),
	ConvergentEncryption: pulumi.Bool(false),
	DeletionAllowed:      pulumi.Bool(false),
	Derived:              pulumi.Bool(false),
	Exportable:           pulumi.Bool(false),
	AutoRotatePeriod:     pulumi.Int(0),
	KeySize:              pulumi.Int(0),
	HybridKeyTypeEc:      pulumi.String("string"),
	MinDecryptionVersion: pulumi.Int(0),
	AllowPlaintextBackup: pulumi.Bool(false),
	Name:                 pulumi.String("string"),
	Namespace:            pulumi.String("string"),
	ParameterSet:         pulumi.String("string"),
	Type:                 pulumi.String("string"),
})

var vaultSecretBackendKeyResource = new com.pulumi.vault.transit.SecretBackendKey("vaultSecretBackendKeyResource", com.pulumi.vault.transit.SecretBackendKeyArgs.builder()
    .backend("string")
    .hybridKeyTypePqc("string")
    .minEncryptionVersion(0)
    .convergentEncryption(false)
    .deletionAllowed(false)
    .derived(false)
    .exportable(false)
    .autoRotatePeriod(0)
    .keySize(0)
    .hybridKeyTypeEc("string")
    .minDecryptionVersion(0)
    .allowPlaintextBackup(false)
    .name("string")
    .namespace("string")
    .parameterSet("string")
    .type("string")
    .build());

vault_secret_backend_key_resource = vault.transit.SecretBackendKey("vaultSecretBackendKeyResource",
    backend="string",
    hybrid_key_type_pqc="string",
    min_encryption_version=0,
    convergent_encryption=False,
    deletion_allowed=False,
    derived=False,
    exportable=False,
    auto_rotate_period=0,
    key_size=0,
    hybrid_key_type_ec="string",
    min_decryption_version=0,
    allow_plaintext_backup=False,
    name="string",
    namespace="string",
    parameter_set="string",
    type="string")

const vaultSecretBackendKeyResource = new vault.transit.SecretBackendKey("vaultSecretBackendKeyResource", {
    backend: "string",
    hybridKeyTypePqc: "string",
    minEncryptionVersion: 0,
    convergentEncryption: false,
    deletionAllowed: false,
    derived: false,
    exportable: false,
    autoRotatePeriod: 0,
    keySize: 0,
    hybridKeyTypeEc: "string",
    minDecryptionVersion: 0,
    allowPlaintextBackup: false,
    name: "string",
    namespace: "string",
    parameterSet: "string",
    type: "string",
});

type: vault:transit:SecretBackendKey
properties:
    allowPlaintextBackup: false
    autoRotatePeriod: 0
    backend: string
    convergentEncryption: false
    deletionAllowed: false
    derived: false
    exportable: false
    hybridKeyTypeEc: string
    hybridKeyTypePqc: string
    keySize: 0
    minDecryptionVersion: 0
    minEncryptionVersion: 0
    name: string
    namespace: string
    parameterSet: string
    type: string

SecretBackendKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecretBackendKey resource accepts the following input properties:

Backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

AllowPlaintextBackup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

AutoRotatePeriod int

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

ConvergentEncryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

DeletionAllowed bool

Specifies if the key is allowed to be deleted.

Derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

Exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

HybridKeyTypeEc string

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

HybridKeyTypePqc string

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

KeySize int

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

MinDecryptionVersion int

Minimum key version to use for decryption.

MinEncryptionVersion int

Minimum key version to use for encryption

Name string

The name to identify this key within the backend. Must be unique within the backend.

Namespace string

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

ParameterSet string

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

Type string

Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

Refer to the Vault documentation on transit key types for more information: Key Types

Backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

AllowPlaintextBackup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

AutoRotatePeriod int

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

ConvergentEncryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

DeletionAllowed bool

Specifies if the key is allowed to be deleted.

Derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

Exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

HybridKeyTypeEc string

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

HybridKeyTypePqc string

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

KeySize int

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

MinDecryptionVersion int

Minimum key version to use for decryption.

MinEncryptionVersion int

Minimum key version to use for encryption

Name string

The name to identify this key within the backend. Must be unique within the backend.

Namespace string

ParameterSet string

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

Type string

Refer to the Vault documentation on transit key types for more information: Key Types

backend String

The path the transit secret backend is mounted at, with no leading or trailing /s.

allowPlaintextBackup Boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotatePeriod Integer

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

convergentEncryption Boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed Boolean

Specifies if the key is allowed to be deleted.

derived Boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable Boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

hybridKeyTypeEc String

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

hybridKeyTypePqc String

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

keySize Integer

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

minDecryptionVersion Integer

Minimum key version to use for decryption.

minEncryptionVersion Integer

Minimum key version to use for encryption

name String

The name to identify this key within the backend. Must be unique within the backend.

namespace String

parameterSet String

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

type String

Refer to the Vault documentation on transit key types for more information: Key Types

backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

allowPlaintextBackup boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotatePeriod number

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

convergentEncryption boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed boolean

Specifies if the key is allowed to be deleted.

derived boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

hybridKeyTypeEc string

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

hybridKeyTypePqc string

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

keySize number

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

minDecryptionVersion number

Minimum key version to use for decryption.

minEncryptionVersion number

Minimum key version to use for encryption

name string

The name to identify this key within the backend. Must be unique within the backend.

namespace string

parameterSet string

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

type string

Refer to the Vault documentation on transit key types for more information: Key Types

backend str

The path the transit secret backend is mounted at, with no leading or trailing /s.

allow_plaintext_backup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

auto_rotate_period int

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

convergent_encryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletion_allowed bool

Specifies if the key is allowed to be deleted.

derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

hybrid_key_type_ec str

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

hybrid_key_type_pqc str

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

key_size int

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

min_decryption_version int

Minimum key version to use for decryption.

min_encryption_version int

Minimum key version to use for encryption

name str

The name to identify this key within the backend. Must be unique within the backend.

namespace str

parameter_set str

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

type str

Refer to the Vault documentation on transit key types for more information: Key Types

backend String

The path the transit secret backend is mounted at, with no leading or trailing /s.

allowPlaintextBackup Boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotatePeriod Number

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

convergentEncryption Boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed Boolean

Specifies if the key is allowed to be deleted.

derived Boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable Boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

hybridKeyTypeEc String

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

hybridKeyTypePqc String

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

keySize Number

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

minDecryptionVersion Number

Minimum key version to use for decryption.

minEncryptionVersion Number

Minimum key version to use for encryption

name String

The name to identify this key within the backend. Must be unique within the backend.

namespace String

parameterSet String

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

type String

Refer to the Vault documentation on transit key types for more information: Key Types

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendKey resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Keys List<ImmutableDictionary<string, string>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

LatestVersion int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

MinAvailableVersion int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

SupportsDecryption bool

Whether or not the key supports decryption, based on key type.

SupportsDerivation bool

Whether or not the key supports derivation, based on key type.

SupportsEncryption bool

Whether or not the key supports encryption, based on key type.

SupportsSigning bool

Whether or not the key supports signing, based on key type.

Id string

The provider-assigned unique ID for this managed resource.

Keys []map[string]string

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

LatestVersion int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

MinAvailableVersion int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

SupportsDecryption bool

Whether or not the key supports decryption, based on key type.

SupportsDerivation bool

Whether or not the key supports derivation, based on key type.

SupportsEncryption bool

Whether or not the key supports encryption, based on key type.

SupportsSigning bool

Whether or not the key supports signing, based on key type.

id String

The provider-assigned unique ID for this managed resource.

keys List<Map<String,String>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion Integer

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion Integer

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

supportsDecryption Boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation Boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption Boolean

Whether or not the key supports encryption, based on key type.

supportsSigning Boolean

Whether or not the key supports signing, based on key type.

id string

The provider-assigned unique ID for this managed resource.

keys {[key: string]: string}[]

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion number

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion number

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

supportsDecryption boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption boolean

Whether or not the key supports encryption, based on key type.

supportsSigning boolean

Whether or not the key supports signing, based on key type.

id str

The provider-assigned unique ID for this managed resource.

keys Sequence[Mapping[str, str]]

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latest_version int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

min_available_version int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

supports_decryption bool

Whether or not the key supports decryption, based on key type.

supports_derivation bool

Whether or not the key supports derivation, based on key type.

supports_encryption bool

Whether or not the key supports encryption, based on key type.

supports_signing bool

Whether or not the key supports signing, based on key type.

id String

The provider-assigned unique ID for this managed resource.

keys List<Map<String>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion Number

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion Number

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

supportsDecryption Boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation Boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption Boolean

Whether or not the key supports encryption, based on key type.

supportsSigning Boolean

Whether or not the key supports signing, based on key type.

Look up Existing SecretBackendKey Resource

Get an existing SecretBackendKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendKeyState, opts?: CustomResourceOptions): SecretBackendKey

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allow_plaintext_backup: Optional[bool] = None,
        auto_rotate_period: Optional[int] = None,
        backend: Optional[str] = None,
        convergent_encryption: Optional[bool] = None,
        deletion_allowed: Optional[bool] = None,
        derived: Optional[bool] = None,
        exportable: Optional[bool] = None,
        hybrid_key_type_ec: Optional[str] = None,
        hybrid_key_type_pqc: Optional[str] = None,
        key_size: Optional[int] = None,
        keys: Optional[Sequence[Mapping[str, str]]] = None,
        latest_version: Optional[int] = None,
        min_available_version: Optional[int] = None,
        min_decryption_version: Optional[int] = None,
        min_encryption_version: Optional[int] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        parameter_set: Optional[str] = None,
        supports_decryption: Optional[bool] = None,
        supports_derivation: Optional[bool] = None,
        supports_encryption: Optional[bool] = None,
        supports_signing: Optional[bool] = None,
        type: Optional[str] = None) -> SecretBackendKey

func GetSecretBackendKey(ctx *Context, name string, id IDInput, state *SecretBackendKeyState, opts ...ResourceOption) (*SecretBackendKey, error)

public static SecretBackendKey Get(string name, Input<string> id, SecretBackendKeyState? state, CustomResourceOptions? opts = null)

public static SecretBackendKey get(String name, Output<String> id, SecretBackendKeyState state, CustomResourceOptions options)

resources:  _:    type: vault:transit:SecretBackendKey    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowPlaintextBackup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

AutoRotatePeriod int

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

ConvergentEncryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

DeletionAllowed bool

Specifies if the key is allowed to be deleted.

Derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

Exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

HybridKeyTypeEc string

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

HybridKeyTypePqc string

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

KeySize int

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

Keys List<ImmutableDictionary<string, string>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

LatestVersion int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

MinAvailableVersion int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

MinDecryptionVersion int

Minimum key version to use for decryption.

MinEncryptionVersion int

Minimum key version to use for encryption

Name string

The name to identify this key within the backend. Must be unique within the backend.

Namespace string

ParameterSet string

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

SupportsDecryption bool

Whether or not the key supports decryption, based on key type.

SupportsDerivation bool

Whether or not the key supports derivation, based on key type.

SupportsEncryption bool

Whether or not the key supports encryption, based on key type.

SupportsSigning bool

Whether or not the key supports signing, based on key type.

Type string

Refer to the Vault documentation on transit key types for more information: Key Types

AllowPlaintextBackup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

AutoRotatePeriod int

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

ConvergentEncryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

DeletionAllowed bool

Specifies if the key is allowed to be deleted.

Derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

Exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

HybridKeyTypeEc string

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

HybridKeyTypePqc string

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

KeySize int

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

Keys []map[string]string

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

LatestVersion int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

MinAvailableVersion int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

MinDecryptionVersion int

Minimum key version to use for decryption.

MinEncryptionVersion int

Minimum key version to use for encryption

Name string

The name to identify this key within the backend. Must be unique within the backend.

Namespace string

ParameterSet string

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

SupportsDecryption bool

Whether or not the key supports decryption, based on key type.

SupportsDerivation bool

Whether or not the key supports derivation, based on key type.

SupportsEncryption bool

Whether or not the key supports encryption, based on key type.

SupportsSigning bool

Whether or not the key supports signing, based on key type.

Type string

Refer to the Vault documentation on transit key types for more information: Key Types

allowPlaintextBackup Boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotatePeriod Integer

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

backend String

The path the transit secret backend is mounted at, with no leading or trailing /s.

convergentEncryption Boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed Boolean

Specifies if the key is allowed to be deleted.

derived Boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable Boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

hybridKeyTypeEc String

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

hybridKeyTypePqc String

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

keySize Integer

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

keys List<Map<String,String>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion Integer

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion Integer

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

minDecryptionVersion Integer

Minimum key version to use for decryption.

minEncryptionVersion Integer

Minimum key version to use for encryption

name String

The name to identify this key within the backend. Must be unique within the backend.

namespace String

parameterSet String

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

supportsDecryption Boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation Boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption Boolean

Whether or not the key supports encryption, based on key type.

supportsSigning Boolean

Whether or not the key supports signing, based on key type.

type String

Refer to the Vault documentation on transit key types for more information: Key Types

allowPlaintextBackup boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotatePeriod number

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

convergentEncryption boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed boolean

Specifies if the key is allowed to be deleted.

derived boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

hybridKeyTypeEc string

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

hybridKeyTypePqc string

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

keySize number

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

keys {[key: string]: string}[]

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion number

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion number

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

minDecryptionVersion number

Minimum key version to use for decryption.

minEncryptionVersion number

Minimum key version to use for encryption

name string

The name to identify this key within the backend. Must be unique within the backend.

namespace string

parameterSet string

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

supportsDecryption boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption boolean

Whether or not the key supports encryption, based on key type.

supportsSigning boolean

Whether or not the key supports signing, based on key type.

type string

Refer to the Vault documentation on transit key types for more information: Key Types

allow_plaintext_backup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

auto_rotate_period int

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

backend str

The path the transit secret backend is mounted at, with no leading or trailing /s.

convergent_encryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletion_allowed bool

Specifies if the key is allowed to be deleted.

derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

hybrid_key_type_ec str

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

hybrid_key_type_pqc str

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

key_size int

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

keys Sequence[Mapping[str, str]]

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latest_version int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

min_available_version int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

min_decryption_version int

Minimum key version to use for decryption.

min_encryption_version int

Minimum key version to use for encryption

name str

The name to identify this key within the backend. Must be unique within the backend.

namespace str

parameter_set str

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

supports_decryption bool

Whether or not the key supports decryption, based on key type.

supports_derivation bool

Whether or not the key supports derivation, based on key type.

supports_encryption bool

Whether or not the key supports encryption, based on key type.

supports_signing bool

Whether or not the key supports signing, based on key type.

type str

Refer to the Vault documentation on transit key types for more information: Key Types

allowPlaintextBackup Boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotatePeriod Number

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

backend String

The path the transit secret backend is mounted at, with no leading or trailing /s.

convergentEncryption Boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed Boolean

Specifies if the key is allowed to be deleted.

derived Boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable Boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

hybridKeyTypeEc String

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

hybridKeyTypePqc String

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

keySize Number

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

keys List<Map<String>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion Number

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion Number

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

minDecryptionVersion Number

Minimum key version to use for decryption.

minEncryptionVersion Number

Minimum key version to use for encryption

name String

The name to identify this key within the backend. Must be unique within the backend.

namespace String

parameterSet String

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

supportsDecryption Boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation Boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption Boolean

Whether or not the key supports encryption, based on key type.

supportsSigning Boolean

Whether or not the key supports signing, based on key type.

type String

Refer to the Vault documentation on transit key types for more information: Key Types

Import

Transit secret backend keys can be imported using the path, e.g.

$ pulumi import vault:transit/secretBackendKey:SecretBackendKey key transit/keys/my_key

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v7.0.0 published on Saturday, Jun 21, 2025 by Pulumi

pulumi/pulumi-vault

vault.transit.SecretBackendKey

On this page

On this page

Example Usage

Create SecretBackendKey Resource

Constructor syntax

Parameters

Constructor example

SecretBackendKey Resource Properties

Inputs

Outputs

Look up Existing SecretBackendKey Resource

Import

Package Details

On this page

On this page