← All packages

HashiCorp Vault

v5.7.0 published on Thursday, Oct 13, 2022 by Pulumi

Source code

SecretBackendKey

Creates an Encryption Keyring on a Transit Secret Backend for Vault.

Deprecations

auto_rotate_interval - Replaced by auto_rotate_period.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var transit = new Vault.Mount("transit", new()
    {
        Path = "transit",
        Type = "transit",
        Description = "Example description",
        DefaultLeaseTtlSeconds = 3600,
        MaxLeaseTtlSeconds = 86400,
    });

    var key = new Vault.Transit.SecretBackendKey("key", new()
    {
        Backend = transit.Path,
    });

});

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/transit"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		transit, err := vault.NewMount(ctx, "transit", &vault.MountArgs{
			Path:                   pulumi.String("transit"),
			Type:                   pulumi.String("transit"),
			Description:            pulumi.String("Example description"),
			DefaultLeaseTtlSeconds: pulumi.Int(3600),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
		})
		if err != nil {
			return err
		}
		_, err = transit.NewSecretBackendKey(ctx, "key", &transit.SecretBackendKeyArgs{
			Backend: transit.Path,
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.transit.SecretBackendKey;
import com.pulumi.vault.transit.SecretBackendKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var transit = new Mount("transit", MountArgs.builder()        
            .path("transit")
            .type("transit")
            .description("Example description")
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build());

        var key = new SecretBackendKey("key", SecretBackendKeyArgs.builder()        
            .backend(transit.path())
            .build());

    }
}

import pulumi
import pulumi_vault as vault

transit = vault.Mount("transit",
    path="transit",
    type="transit",
    description="Example description",
    default_lease_ttl_seconds=3600,
    max_lease_ttl_seconds=86400)
key = vault.transit.SecretBackendKey("key", backend=transit.path)

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const transit = new vault.Mount("transit", {
    path: "transit",
    type: "transit",
    description: "Example description",
    defaultLeaseTtlSeconds: 3600,
    maxLeaseTtlSeconds: 86400,
});
const key = new vault.transit.SecretBackendKey("key", {backend: transit.path});

resources:
  transit:
    type: vault:Mount
    properties:
      path: transit
      type: transit
      description: Example description
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  key:
    type: vault:transit:SecretBackendKey
    properties:
      backend: ${transit.path}

Create SecretBackendKey Resource

new SecretBackendKey(name: string, args: SecretBackendKeyArgs, opts?: CustomResourceOptions);

@overload
def SecretBackendKey(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     allow_plaintext_backup: Optional[bool] = None,
                     auto_rotate_interval: Optional[int] = None,
                     auto_rotate_period: Optional[int] = None,
                     backend: Optional[str] = None,
                     convergent_encryption: Optional[bool] = None,
                     deletion_allowed: Optional[bool] = None,
                     derived: Optional[bool] = None,
                     exportable: Optional[bool] = None,
                     min_decryption_version: Optional[int] = None,
                     min_encryption_version: Optional[int] = None,
                     name: Optional[str] = None,
                     namespace: Optional[str] = None,
                     type: Optional[str] = None)
@overload
def SecretBackendKey(resource_name: str,
                     args: SecretBackendKeyArgs,
                     opts: Optional[ResourceOptions] = None)

func NewSecretBackendKey(ctx *Context, name string, args SecretBackendKeyArgs, opts ...ResourceOption) (*SecretBackendKey, error)

public SecretBackendKey(string name, SecretBackendKeyArgs args, CustomResourceOptions? opts = null)

public SecretBackendKey(String name, SecretBackendKeyArgs args)
public SecretBackendKey(String name, SecretBackendKeyArgs args, CustomResourceOptions options)

type: vault:transit:SecretBackendKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretBackendKeyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

SecretBackendKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The SecretBackendKey resource accepts the following input properties:

Backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

AllowPlaintextBackup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

AutoRotateInterval int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

AutoRotatePeriod int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

ConvergentEncryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

DeletionAllowed bool

Specifies if the key is allowed to be deleted.

Derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

Exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

MinDecryptionVersion int

Minimum key version to use for decryption.

MinEncryptionVersion int

Minimum key version to use for encryption

Name string

The name to identify this key within the backend. Must be unique within the backend.

Namespace string

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

Type string

Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096.

Refer to the Vault documentation on transit key types for more information: Key Types

Backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

AllowPlaintextBackup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

AutoRotateInterval int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

AutoRotatePeriod int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

ConvergentEncryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

DeletionAllowed bool

Specifies if the key is allowed to be deleted.

Derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

Exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

MinDecryptionVersion int

Minimum key version to use for decryption.

MinEncryptionVersion int

Minimum key version to use for encryption

Name string

The name to identify this key within the backend. Must be unique within the backend.

Namespace string

Type string

Refer to the Vault documentation on transit key types for more information: Key Types

backend String

The path the transit secret backend is mounted at, with no leading or trailing /s.

allowPlaintextBackup Boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotateInterval Integer

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

autoRotatePeriod Integer

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

convergentEncryption Boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed Boolean

Specifies if the key is allowed to be deleted.

derived Boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable Boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

minDecryptionVersion Integer

Minimum key version to use for decryption.

minEncryptionVersion Integer

Minimum key version to use for encryption

name String

The name to identify this key within the backend. Must be unique within the backend.

namespace String

type String

Refer to the Vault documentation on transit key types for more information: Key Types

backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

allowPlaintextBackup boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotateInterval number

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

autoRotatePeriod number

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

convergentEncryption boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed boolean

Specifies if the key is allowed to be deleted.

derived boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

minDecryptionVersion number

Minimum key version to use for decryption.

minEncryptionVersion number

Minimum key version to use for encryption

name string

The name to identify this key within the backend. Must be unique within the backend.

namespace string

type string

Refer to the Vault documentation on transit key types for more information: Key Types

backend str

The path the transit secret backend is mounted at, with no leading or trailing /s.

allow_plaintext_backup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

auto_rotate_interval int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

auto_rotate_period int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

convergent_encryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletion_allowed bool

Specifies if the key is allowed to be deleted.

derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

min_decryption_version int

Minimum key version to use for decryption.

min_encryption_version int

Minimum key version to use for encryption

name str

The name to identify this key within the backend. Must be unique within the backend.

namespace str

type str

Refer to the Vault documentation on transit key types for more information: Key Types

backend String

The path the transit secret backend is mounted at, with no leading or trailing /s.

allowPlaintextBackup Boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotateInterval Number

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

autoRotatePeriod Number

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

convergentEncryption Boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed Boolean

Specifies if the key is allowed to be deleted.

derived Boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable Boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

minDecryptionVersion Number

Minimum key version to use for decryption.

minEncryptionVersion Number

Minimum key version to use for encryption

name String

The name to identify this key within the backend. Must be unique within the backend.

namespace String

type String

Refer to the Vault documentation on transit key types for more information: Key Types

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendKey resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Keys List<ImmutableDictionary<string, object>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

LatestVersion int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

MinAvailableVersion int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

SupportsDecryption bool

Whether or not the key supports decryption, based on key type.

SupportsDerivation bool

Whether or not the key supports derivation, based on key type.

SupportsEncryption bool

Whether or not the key supports encryption, based on key type.

SupportsSigning bool

Whether or not the key supports signing, based on key type.

Id string

The provider-assigned unique ID for this managed resource.

Keys []map[string]interface{}

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

LatestVersion int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

MinAvailableVersion int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

SupportsDecryption bool

Whether or not the key supports decryption, based on key type.

SupportsDerivation bool

Whether or not the key supports derivation, based on key type.

SupportsEncryption bool

Whether or not the key supports encryption, based on key type.

SupportsSigning bool

Whether or not the key supports signing, based on key type.

id String

The provider-assigned unique ID for this managed resource.

keys List<Map<String,Object>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion Integer

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion Integer

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

supportsDecryption Boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation Boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption Boolean

Whether or not the key supports encryption, based on key type.

supportsSigning Boolean

Whether or not the key supports signing, based on key type.

id string

The provider-assigned unique ID for this managed resource.

keys {[key: string]: any}[]

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion number

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion number

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

supportsDecryption boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption boolean

Whether or not the key supports encryption, based on key type.

supportsSigning boolean

Whether or not the key supports signing, based on key type.

id str

The provider-assigned unique ID for this managed resource.

keys Sequence[Mapping[str, Any]]

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latest_version int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

min_available_version int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

supports_decryption bool

Whether or not the key supports decryption, based on key type.

supports_derivation bool

Whether or not the key supports derivation, based on key type.

supports_encryption bool

Whether or not the key supports encryption, based on key type.

supports_signing bool

Whether or not the key supports signing, based on key type.

id String

The provider-assigned unique ID for this managed resource.

keys List<Map<Any>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion Number

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion Number

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

supportsDecryption Boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation Boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption Boolean

Whether or not the key supports encryption, based on key type.

supportsSigning Boolean

Whether or not the key supports signing, based on key type.

Look up Existing SecretBackendKey Resource

Get an existing SecretBackendKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendKeyState, opts?: CustomResourceOptions): SecretBackendKey

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allow_plaintext_backup: Optional[bool] = None,
        auto_rotate_interval: Optional[int] = None,
        auto_rotate_period: Optional[int] = None,
        backend: Optional[str] = None,
        convergent_encryption: Optional[bool] = None,
        deletion_allowed: Optional[bool] = None,
        derived: Optional[bool] = None,
        exportable: Optional[bool] = None,
        keys: Optional[Sequence[Mapping[str, Any]]] = None,
        latest_version: Optional[int] = None,
        min_available_version: Optional[int] = None,
        min_decryption_version: Optional[int] = None,
        min_encryption_version: Optional[int] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        supports_decryption: Optional[bool] = None,
        supports_derivation: Optional[bool] = None,
        supports_encryption: Optional[bool] = None,
        supports_signing: Optional[bool] = None,
        type: Optional[str] = None) -> SecretBackendKey

func GetSecretBackendKey(ctx *Context, name string, id IDInput, state *SecretBackendKeyState, opts ...ResourceOption) (*SecretBackendKey, error)

public static SecretBackendKey Get(string name, Input<string> id, SecretBackendKeyState? state, CustomResourceOptions? opts = null)

public static SecretBackendKey get(String name, Output<String> id, SecretBackendKeyState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowPlaintextBackup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

AutoRotateInterval int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

AutoRotatePeriod int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

ConvergentEncryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

DeletionAllowed bool

Specifies if the key is allowed to be deleted.

Derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

Exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

Keys List<ImmutableDictionary<string, object>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

LatestVersion int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

MinAvailableVersion int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

MinDecryptionVersion int

Minimum key version to use for decryption.

MinEncryptionVersion int

Minimum key version to use for encryption

Name string

The name to identify this key within the backend. Must be unique within the backend.

Namespace string

SupportsDecryption bool

Whether or not the key supports decryption, based on key type.

SupportsDerivation bool

Whether or not the key supports derivation, based on key type.

SupportsEncryption bool

Whether or not the key supports encryption, based on key type.

SupportsSigning bool

Whether or not the key supports signing, based on key type.

Type string

Refer to the Vault documentation on transit key types for more information: Key Types

AllowPlaintextBackup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

AutoRotateInterval int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

AutoRotatePeriod int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

ConvergentEncryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

DeletionAllowed bool

Specifies if the key is allowed to be deleted.

Derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

Exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

Keys []map[string]interface{}

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

LatestVersion int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

MinAvailableVersion int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

MinDecryptionVersion int

Minimum key version to use for decryption.

MinEncryptionVersion int

Minimum key version to use for encryption

Name string

The name to identify this key within the backend. Must be unique within the backend.

Namespace string

SupportsDecryption bool

Whether or not the key supports decryption, based on key type.

SupportsDerivation bool

Whether or not the key supports derivation, based on key type.

SupportsEncryption bool

Whether or not the key supports encryption, based on key type.

SupportsSigning bool

Whether or not the key supports signing, based on key type.

Type string

Refer to the Vault documentation on transit key types for more information: Key Types

allowPlaintextBackup Boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotateInterval Integer

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

autoRotatePeriod Integer

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

backend String

The path the transit secret backend is mounted at, with no leading or trailing /s.

convergentEncryption Boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed Boolean

Specifies if the key is allowed to be deleted.

derived Boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable Boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

keys List<Map<String,Object>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion Integer

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion Integer

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

minDecryptionVersion Integer

Minimum key version to use for decryption.

minEncryptionVersion Integer

Minimum key version to use for encryption

name String

The name to identify this key within the backend. Must be unique within the backend.

namespace String

supportsDecryption Boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation Boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption Boolean

Whether or not the key supports encryption, based on key type.

supportsSigning Boolean

Whether or not the key supports signing, based on key type.

type String

Refer to the Vault documentation on transit key types for more information: Key Types

allowPlaintextBackup boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotateInterval number

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

autoRotatePeriod number

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

backend string

The path the transit secret backend is mounted at, with no leading or trailing /s.

convergentEncryption boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed boolean

Specifies if the key is allowed to be deleted.

derived boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

keys {[key: string]: any}[]

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion number

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion number

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

minDecryptionVersion number

Minimum key version to use for decryption.

minEncryptionVersion number

Minimum key version to use for encryption

name string

The name to identify this key within the backend. Must be unique within the backend.

namespace string

supportsDecryption boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption boolean

Whether or not the key supports encryption, based on key type.

supportsSigning boolean

Whether or not the key supports signing, based on key type.

type string

Refer to the Vault documentation on transit key types for more information: Key Types

allow_plaintext_backup bool

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

auto_rotate_interval int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

auto_rotate_period int

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

backend str

The path the transit secret backend is mounted at, with no leading or trailing /s.

convergent_encryption bool

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletion_allowed bool

Specifies if the key is allowed to be deleted.

derived bool

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable bool

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

keys Sequence[Mapping[str, Any]]

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latest_version int

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

min_available_version int

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

min_decryption_version int

Minimum key version to use for decryption.

min_encryption_version int

Minimum key version to use for encryption

name str

The name to identify this key within the backend. Must be unique within the backend.

namespace str

supports_decryption bool

Whether or not the key supports decryption, based on key type.

supports_derivation bool

Whether or not the key supports derivation, based on key type.

supports_encryption bool

Whether or not the key supports encryption, based on key type.

supports_signing bool

Whether or not the key supports signing, based on key type.

type str

Refer to the Vault documentation on transit key types for more information: Key Types

allowPlaintextBackup Boolean

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

Refer to Vault API documentation on key backups for more information: Backup Key

autoRotateInterval Number

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

Deprecated:

Use auto_rotate_period instead

autoRotatePeriod Number

Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

backend String

The path the transit secret backend is mounted at, with no leading or trailing /s.

convergentEncryption Boolean

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed Boolean

Specifies if the key is allowed to be deleted.

derived Boolean

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable Boolean

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

keys List<Map<Any>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:

latestVersion Number

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion Number

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

minDecryptionVersion Number

Minimum key version to use for decryption.

minEncryptionVersion Number

Minimum key version to use for encryption

name String

The name to identify this key within the backend. Must be unique within the backend.

namespace String

supportsDecryption Boolean

Whether or not the key supports decryption, based on key type.

supportsDerivation Boolean

Whether or not the key supports derivation, based on key type.

supportsEncryption Boolean

Whether or not the key supports encryption, based on key type.

supportsSigning Boolean

Whether or not the key supports signing, based on key type.

type String

Refer to the Vault documentation on transit key types for more information: Key Types

Import

Transit secret backend keys can be imported using the path, e.g.

 $ pulumi import vault:transit/secretBackendKey:SecretBackendKey key transit/keys/my_key

Package Details

Repository: https://github.com/pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault

SecretBackendKey

Deprecations

Example Usage

Create SecretBackendKey Resource

SecretBackendKey Resource Properties

Inputs

Outputs

Look up Existing SecretBackendKey Resource

Import

Package Details

Contents