vault.transit.SecretBackendKey
Creates an Encryption Keyring on a Transit Secret Backend for Vault.
Deprecations
- `auto_rotate_interval` - Replaced by `auto_rotate_period`.
Example Usage
using System.Collections.Generic;
using Pulumi;
using Vault = Pulumi.Vault;
// Pulumi program: mounts a Transit secrets engine and creates one keyring on it.
return await Deployment.RunAsync(() =>
{
    // Transit secrets engine mounted at the path "transit".
    var mountArgs = new Vault.MountArgs
    {
        Path = "transit",
        Type = "transit",
        Description = "Example description",
        DefaultLeaseTtlSeconds = 3600,
        MaxLeaseTtlSeconds = 86400,
    };
    var transitMount = new Vault.Mount("transit", mountArgs);

    // Only Backend is supplied, so every other key property keeps its default:
    //  - Type is omitted, so the documented default (aes256-gcm96) applies.
    //  - Exportable and AllowPlaintextBackup are not set; the property reference
    //    states that neither can be disabled once it has been set.
    //  - No AutoRotatePeriod is given; set one if the key must rotate on a
    //    schedule (a value of 0 disables automatic rotation).
    var keyArgs = new Vault.Transit.SecretBackendKeyArgs
    {
        Backend = transitMount.Path,
    };
    var transitKey = new Vault.Transit.SecretBackendKey("key", keyArgs);
});
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v5/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/transit"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
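// main registers a Transit secrets-engine mount and one keyring on it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The mount is bound to transitMount, not transit: a local variable
		// named transit would shadow the imported transit package, and the
		// transit.NewSecretBackendKey call below would then fail to compile.
		transitMount, err := vault.NewMount(ctx, "transit", &vault.MountArgs{
			Path:                   pulumi.String("transit"),
			Type:                   pulumi.String("transit"),
			Description:            pulumi.String("Example description"),
			DefaultLeaseTtlSeconds: pulumi.Int(3600),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
		})
		if err != nil {
			return err
		}

		// Only Backend is supplied, so every other key property keeps its
		// default: Type falls back to the documented default (aes256-gcm96),
		// and Exportable / AllowPlaintextBackup stay unset. The property
		// reference states that neither of those can be disabled once set.
		_, err = transit.NewSecretBackendKey(ctx, "key", &transit.SecretBackendKeyArgs{
			Backend: transitMount.Path,
		})
		if err != nil {
			return err
		}
		return nil
	})
}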
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.transit.SecretBackendKey;
import com.pulumi.vault.transit.SecretBackendKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that mounts a Transit secrets engine and creates one
 * keyring on it.
 */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources: the Transit mount and a key on it.
     *
     * @param ctx Pulumi context for the current deployment (not read here).
     */
    public static void stack(Context ctx) {
        // Transit secrets engine mounted at the path "transit".
        final var mountArgs = MountArgs.builder()
            .path("transit")
            .type("transit")
            .description("Example description")
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build();
        final var transitMount = new Mount("transit", mountArgs);

        // Only backend is supplied, so every other key property keeps its
        // default: type falls back to the documented default (aes256-gcm96),
        // and exportable / allowPlaintextBackup stay unset. The property
        // reference states that neither of those can be disabled once set.
        final var keyArgs = SecretBackendKeyArgs.builder()
            .backend(transitMount.path())
            .build();
        final var transitKey = new SecretBackendKey("key", keyArgs);
    }
}
import pulumi
import pulumi_vault as vault
# Transit secrets engine mounted at the path "transit".
mount_args = vault.MountArgs(
    path="transit",
    type="transit",
    description="Example description",
    default_lease_ttl_seconds=3600,
    max_lease_ttl_seconds=86400,
)
transit_mount = vault.Mount("transit", args=mount_args)

# Only `backend` is supplied, so every other key property keeps its default:
#  - `type` is omitted, so the documented default (aes256-gcm96) applies.
#  - `exportable` and `allow_plaintext_backup` are not set; the property
#    reference states that neither can be disabled once it has been set.
#  - no `auto_rotate_period` is given; set one if the key must rotate on a
#    schedule (a value of 0 disables automatic rotation).
key_args = vault.transit.SecretBackendKeyArgs(backend=transit_mount.path)
transit_key = vault.transit.SecretBackendKey("key", args=key_args)
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// Transit secrets engine mounted at the path "transit".
const mountArgs: vault.MountArgs = {
    path: "transit",
    type: "transit",
    description: "Example description",
    defaultLeaseTtlSeconds: 3600,
    maxLeaseTtlSeconds: 86400,
};
const transitMount = new vault.Mount("transit", mountArgs);

// Only `backend` is supplied, so every other key property keeps its default:
//  - `type` is omitted, so the documented default (aes256-gcm96) applies.
//  - `exportable` and `allowPlaintextBackup` are not set; the property
//    reference states that neither can be disabled once it has been set.
//  - no `autoRotatePeriod` is given; set one if the key must rotate on a
//    schedule (a value of 0 disables automatic rotation).
const keyArgs: vault.transit.SecretBackendKeyArgs = {
    backend: transitMount.path,
};
const transitKey = new vault.transit.SecretBackendKey("key", keyArgs);
# Pulumi YAML program: a Transit secrets-engine mount and one keyring on it.
resources:
  # Transit secrets engine mounted at the path "transit".
  transit:
    type: vault:Mount
    properties:
      path: transit
      type: transit
      description: Example description
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  # Only `backend` is supplied, so every other key property keeps its default.
  # `type` falls back to the documented default (aes256-gcm96); `exportable`
  # and `allowPlaintextBackup` stay unset, and the property reference states
  # that neither can be disabled once it has been set.
  key:
    type: vault:transit:SecretBackendKey
    properties:
      backend: ${transit.path}
Create SecretBackendKey Resource
new SecretBackendKey(name: string, args: SecretBackendKeyArgs, opts?: CustomResourceOptions);
@overload
def SecretBackendKey(resource_name: str,
opts: Optional[ResourceOptions] = None,
allow_plaintext_backup: Optional[bool] = None,
auto_rotate_interval: Optional[int] = None,
auto_rotate_period: Optional[int] = None,
backend: Optional[str] = None,
convergent_encryption: Optional[bool] = None,
deletion_allowed: Optional[bool] = None,
derived: Optional[bool] = None,
exportable: Optional[bool] = None,
min_decryption_version: Optional[int] = None,
min_encryption_version: Optional[int] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
type: Optional[str] = None)
@overload
def SecretBackendKey(resource_name: str,
args: SecretBackendKeyArgs,
opts: Optional[ResourceOptions] = None)
func NewSecretBackendKey(ctx *Context, name string, args SecretBackendKeyArgs, opts ...ResourceOption) (*SecretBackendKey, error)
public SecretBackendKey(string name, SecretBackendKeyArgs args, CustomResourceOptions? opts = null)
public SecretBackendKey(String name, SecretBackendKeyArgs args)
public SecretBackendKey(String name, SecretBackendKeyArgs args, CustomResourceOptions options)
type: vault:transit:SecretBackendKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretBackendKeyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretBackendKeyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretBackendKeyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
SecretBackendKey Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The SecretBackendKey resource accepts the following input properties:
- Backend string
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- AllowPlaintextBackup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
Refer to Vault API documentation on key backups for more information: Backup Key
- AutoRotateInterval int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: Use `auto_rotate_period` instead.
- AutoRotatePeriod int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- ConvergentEncryption bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
- DeletionAllowed bool
Specifies if the key is allowed to be deleted.
- Derived bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- Exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- MinDecryptionVersion int
Minimum key version to use for decryption.
- MinEncryptionVersion int
Minimum key version to use for encryption.
- Name string
The name to identify this key within the backend. Must be unique within the backend.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- Type string
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
Refer to the Vault documentation on transit key types for more information: Key Types
- Backend string
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- AllowPlaintextBackup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
Refer to Vault API documentation on key backups for more information: Backup Key
- AutoRotateInterval int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: Use `auto_rotate_period` instead.
- AutoRotatePeriod int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- ConvergentEncryption bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
- DeletionAllowed bool
Specifies if the key is allowed to be deleted.
- Derived bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- Exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- MinDecryptionVersion int
Minimum key version to use for decryption.
- MinEncryptionVersion int
Minimum key version to use for encryption.
- Name string
The name to identify this key within the backend. Must be unique within the backend.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- Type string
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
Refer to the Vault documentation on transit key types for more information: Key Types
- backend String
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- allowPlaintextBackup Boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
Refer to Vault API documentation on key backups for more information: Backup Key
- autoRotateInterval Integer
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: Use `auto_rotate_period` instead.
- autoRotatePeriod Integer
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- convergentEncryption Boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
- deletionAllowed Boolean
Specifies if the key is allowed to be deleted.
- derived Boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable Boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- minDecryptionVersion Integer
Minimum key version to use for decryption.
- minEncryptionVersion Integer
Minimum key version to use for encryption.
- name String
The name to identify this key within the backend. Must be unique within the backend.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- type String
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
Refer to the Vault documentation on transit key types for more information: Key Types
- backend string
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- allowPlaintextBackup boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
Refer to Vault API documentation on key backups for more information: Backup Key
- autoRotateInterval number
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: Use `auto_rotate_period` instead.
- autoRotatePeriod number
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- convergentEncryption boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
- deletionAllowed boolean
Specifies if the key is allowed to be deleted.
- derived boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- minDecryptionVersion number
Minimum key version to use for decryption.
- minEncryptionVersion number
Minimum key version to use for encryption.
- name string
The name to identify this key within the backend. Must be unique within the backend.
- namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- type string
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
Refer to the Vault documentation on transit key types for more information: Key Types
- backend str
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- allow_plaintext_backup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
Refer to Vault API documentation on key backups for more information: Backup Key
- auto_rotate_interval int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: Use `auto_rotate_period` instead.
- auto_rotate_period int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- convergent_encryption bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
- deletion_allowed bool
Specifies if the key is allowed to be deleted.
- derived bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- min_decryption_version int
Minimum key version to use for decryption.
- min_encryption_version int
Minimum key version to use for encryption.
- name str
The name to identify this key within the backend. Must be unique within the backend.
- namespace str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- type str
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
Refer to the Vault documentation on transit key types for more information: Key Types
- backend String
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- allowPlaintextBackup Boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
Refer to Vault API documentation on key backups for more information: Backup Key
- autoRotateInterval Number
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: Use `auto_rotate_period` instead.
- autoRotatePeriod Number
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- convergentEncryption Boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`.
- deletionAllowed Boolean
Specifies if the key is allowed to be deleted.
- derived Boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable Boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- minDecryptionVersion Number
Minimum key version to use for decryption.
- minEncryptionVersion Number
Minimum key version to use for encryption.
- name String
The name to identify this key within the backend. Must be unique within the backend.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- type String
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
Refer to the Vault documentation on transit key types for more information: Key Types
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackendKey resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Keys List<ImmutableDictionary<string, object>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
  - for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
  - for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- LatestVersion int
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- MinAvailableVersion int
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- SupportsDecryption bool
Whether or not the key supports decryption, based on key type.
- SupportsDerivation bool
Whether or not the key supports derivation, based on key type.
- SupportsEncryption bool
Whether or not the key supports encryption, based on key type.
- SupportsSigning bool
Whether or not the key supports signing, based on key type.
- Id string
The provider-assigned unique ID for this managed resource.
- Keys []map[string]interface{}
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
  - for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
  - for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- LatestVersion int
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- MinAvailableVersion int
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- SupportsDecryption bool
Whether or not the key supports decryption, based on key type.
- SupportsDerivation bool
Whether or not the key supports derivation, based on key type.
- SupportsEncryption bool
Whether or not the key supports encryption, based on key type.
- SupportsSigning bool
Whether or not the key supports signing, based on key type.
- id String
The provider-assigned unique ID for this managed resource.
- keys List<Map<String,Object>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
  - for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
  - for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- latestVersion Integer
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- minAvailableVersion Integer
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- supportsDecryption Boolean
Whether or not the key supports decryption, based on key type.
- supportsDerivation Boolean
Whether or not the key supports derivation, based on key type.
- supportsEncryption Boolean
Whether or not the key supports encryption, based on key type.
- supportsSigning Boolean
Whether or not the key supports signing, based on key type.
- id string
The provider-assigned unique ID for this managed resource.
- keys {[key: string]: any}[]
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
  - for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
  - for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- latestVersion number
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- minAvailableVersion number
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- supportsDecryption boolean
Whether or not the key supports decryption, based on key type.
- supportsDerivation boolean
Whether or not the key supports derivation, based on key type.
- supportsEncryption boolean
Whether or not the key supports encryption, based on key type.
- supportsSigning boolean
Whether or not the key supports signing, based on key type.
- id str
The provider-assigned unique ID for this managed resource.
- keys Sequence[Mapping[str, Any]]
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
  - for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
  - for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- latest_version int
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- min_available_version int
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- supports_decryption bool
Whether or not the key supports decryption, based on key type.
- supports_derivation bool
Whether or not the key supports derivation, based on key type.
- supports_encryption bool
Whether or not the key supports encryption, based on key type.
- supports_signing bool
Whether or not the key supports signing, based on key type.
- id String
The provider-assigned unique ID for this managed resource.
- keys List<Map<Any>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
  - for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
  - for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- latestVersion Number
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- minAvailableVersion Number
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- supportsDecryption Boolean
Whether or not the key supports decryption, based on key type.
- supportsDerivation Boolean
Whether or not the key supports derivation, based on key type.
- supportsEncryption Boolean
Whether or not the key supports encryption, based on key type.
- supportsSigning Boolean
Whether or not the key supports signing, based on key type.
Look up Existing SecretBackendKey Resource
Get an existing SecretBackendKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretBackendKeyState, opts?: CustomResourceOptions): SecretBackendKey
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allow_plaintext_backup: Optional[bool] = None,
auto_rotate_interval: Optional[int] = None,
auto_rotate_period: Optional[int] = None,
backend: Optional[str] = None,
convergent_encryption: Optional[bool] = None,
deletion_allowed: Optional[bool] = None,
derived: Optional[bool] = None,
exportable: Optional[bool] = None,
keys: Optional[Sequence[Mapping[str, Any]]] = None,
latest_version: Optional[int] = None,
min_available_version: Optional[int] = None,
min_decryption_version: Optional[int] = None,
min_encryption_version: Optional[int] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
supports_decryption: Optional[bool] = None,
supports_derivation: Optional[bool] = None,
supports_encryption: Optional[bool] = None,
supports_signing: Optional[bool] = None,
type: Optional[str] = None) -> SecretBackendKey
func GetSecretBackendKey(ctx *Context, name string, id IDInput, state *SecretBackendKeyState, opts ...ResourceOption) (*SecretBackendKey, error)
public static SecretBackendKey Get(string name, Input<string> id, SecretBackendKeyState? state, CustomResourceOptions? opts = null)
public static SecretBackendKey get(String name, Output<String> id, SecretBackendKeyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AllowPlaintextBackup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. Because such a backup holds the key material of the whole keyring unencrypted, enable it only when backups are required.
- Refer to Vault API documentation on key backups for more information: Backup Key
- AutoRotateInterval int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: use `auto_rotate_period` instead.
- AutoRotatePeriod int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- Backend string
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- ConvergentEncryption bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`. Anyone who can see the ciphertexts can therefore tell when two of them hold the same plaintext.
- DeletionAllowed bool
Specifies if the key is allowed to be deleted.
- Derived bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- Exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- Keys List<ImmutableDictionary<string, object>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
- for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
- for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- for key types
- LatestVersion int
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- MinAvailableVersion int
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- MinDecryptionVersion int
Minimum key version to use for decryption.
- MinEncryptionVersion int
Minimum key version to use for encryption.
- Name string
The name to identify this key within the backend. Must be unique within the backend.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- SupportsDecryption bool
Whether or not the key supports decryption, based on key type.
- SupportsDerivation bool
Whether or not the key supports derivation, based on key type.
- SupportsEncryption bool
Whether or not the key supports encryption, based on key type.
- SupportsSigning bool
Whether or not the key supports signing, based on key type.
- Type string
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
- Refer to the Vault documentation on transit key types for more information: Key Types
- AllowPlaintextBackup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. Because such a backup holds the key material of the whole keyring unencrypted, enable it only when backups are required.
- Refer to Vault API documentation on key backups for more information: Backup Key
- AutoRotateInterval int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: use `auto_rotate_period` instead.
- AutoRotatePeriod int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- Backend string
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- ConvergentEncryption bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`. Anyone who can see the ciphertexts can therefore tell when two of them hold the same plaintext.
- DeletionAllowed bool
Specifies if the key is allowed to be deleted.
- Derived bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- Exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- Keys []map[string]interface{}
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
- for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
- for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- for key types
- LatestVersion int
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- MinAvailableVersion int
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- MinDecryptionVersion int
Minimum key version to use for decryption.
- MinEncryptionVersion int
Minimum key version to use for encryption.
- Name string
The name to identify this key within the backend. Must be unique within the backend.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- SupportsDecryption bool
Whether or not the key supports decryption, based on key type.
- SupportsDerivation bool
Whether or not the key supports derivation, based on key type.
- SupportsEncryption bool
Whether or not the key supports encryption, based on key type.
- SupportsSigning bool
Whether or not the key supports signing, based on key type.
- Type string
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
- Refer to the Vault documentation on transit key types for more information: Key Types
- allowPlaintextBackup Boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. Because such a backup holds the key material of the whole keyring unencrypted, enable it only when backups are required.
- Refer to Vault API documentation on key backups for more information: Backup Key
- autoRotateInterval Integer
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: use `auto_rotate_period` instead.
- autoRotatePeriod Integer
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- backend String
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- convergentEncryption Boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`. Anyone who can see the ciphertexts can therefore tell when two of them hold the same plaintext.
- deletionAllowed Boolean
Specifies if the key is allowed to be deleted.
- derived Boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable Boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- keys List<Map<String,Object>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
- for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
- for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- for key types
- latestVersion Integer
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- minAvailableVersion Integer
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- minDecryptionVersion Integer
Minimum key version to use for decryption.
- minEncryptionVersion Integer
Minimum key version to use for encryption.
- name String
The name to identify this key within the backend. Must be unique within the backend.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- supportsDecryption Boolean
Whether or not the key supports decryption, based on key type.
- supportsDerivation Boolean
Whether or not the key supports derivation, based on key type.
- supportsEncryption Boolean
Whether or not the key supports encryption, based on key type.
- supportsSigning Boolean
Whether or not the key supports signing, based on key type.
- type String
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
- Refer to the Vault documentation on transit key types for more information: Key Types
- allowPlaintextBackup boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. Because such a backup holds the key material of the whole keyring unencrypted, enable it only when backups are required.
- Refer to Vault API documentation on key backups for more information: Backup Key
- autoRotateInterval number
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: use `auto_rotate_period` instead.
- autoRotatePeriod number
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- backend string
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- convergentEncryption boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`. Anyone who can see the ciphertexts can therefore tell when two of them hold the same plaintext.
- deletionAllowed boolean
Specifies if the key is allowed to be deleted.
- derived boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- keys {[key: string]: any}[]
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
- for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
- for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- for key types
- latestVersion number
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- minAvailableVersion number
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- minDecryptionVersion number
Minimum key version to use for decryption.
- minEncryptionVersion number
Minimum key version to use for encryption.
- name string
The name to identify this key within the backend. Must be unique within the backend.
- namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- supportsDecryption boolean
Whether or not the key supports decryption, based on key type.
- supportsDerivation boolean
Whether or not the key supports derivation, based on key type.
- supportsEncryption boolean
Whether or not the key supports encryption, based on key type.
- supportsSigning boolean
Whether or not the key supports signing, based on key type.
- type string
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
- Refer to the Vault documentation on transit key types for more information: Key Types
- allow_plaintext_backup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. Because such a backup holds the key material of the whole keyring unencrypted, enable it only when backups are required.
- Refer to Vault API documentation on key backups for more information: Backup Key
- auto_rotate_interval int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: use `auto_rotate_period` instead.
- auto_rotate_period int
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- backend str
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- convergent_encryption bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`. Anyone who can see the ciphertexts can therefore tell when two of them hold the same plaintext.
- deletion_allowed bool
Specifies if the key is allowed to be deleted.
- derived bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- keys Sequence[Mapping[str, Any]]
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
- for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
- for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- for key types
- latest_version int
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- min_available_version int
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- min_decryption_version int
Minimum key version to use for decryption.
- min_encryption_version int
Minimum key version to use for encryption.
- name str
The name to identify this key within the backend. Must be unique within the backend.
- namespace str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- supports_decryption bool
Whether or not the key supports decryption, based on key type.
- supports_derivation bool
Whether or not the key supports derivation, based on key type.
- supports_encryption bool
Whether or not the key supports encryption, based on key type.
- supports_signing bool
Whether or not the key supports signing, based on key type.
- type str
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
- Refer to the Vault documentation on transit key types for more information: Key Types
- allowPlaintextBackup Boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. Because such a backup holds the key material of the whole keyring unencrypted, enable it only when backups are required.
- Refer to Vault API documentation on key backups for more information: Backup Key
- autoRotateInterval Number
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Deprecated: use `auto_rotate_period` instead.
- autoRotatePeriod Number
Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- backend String
The path the transit secret backend is mounted at, with no leading or trailing `/`s.
- convergentEncryption Boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires `derived` to be set to `true`. Anyone who can see the ciphertexts can therefore tell when two of them hold the same plaintext.
- deletionAllowed Boolean
Specifies if the key is allowed to be deleted.
- derived Boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable Boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- keys List<Map<Any>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the `type` of the encryption key.
- for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value `id` which is just a hash of the key's metadata.
- for key types `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:
- for key types
- latestVersion Number
Latest key version available. This value is 1-indexed, so if `latest_version` is `1`, then the key's information can be referenced from `keys` by selecting element `0`.
- minAvailableVersion Number
Minimum key version available for use. If keys have been archived by increasing `min_decryption_version`, this attribute will reflect that change.
- minDecryptionVersion Number
Minimum key version to use for decryption.
- minEncryptionVersion Number
Minimum key version to use for encryption.
- name String
The name to identify this key within the backend. Must be unique within the backend.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- supportsDecryption Boolean
Whether or not the key supports decryption, based on key type.
- supportsDerivation Boolean
Whether or not the key supports derivation, based on key type.
- supportsEncryption Boolean
Whether or not the key supports encryption, based on key type.
- supportsSigning Boolean
Whether or not the key supports signing, based on key type.
- type String
Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, `ed25519`, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`.
- Refer to the Vault documentation on transit key types for more information: Key Types
Import
Transit secret backend keys can be imported using the `path`, e.g.
$ pulumi import vault:transit/secretBackendKey:SecretBackendKey key transit/keys/my_key
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
This Pulumi package is based on the `vault` Terraform Provider.