Docs Home
HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
vault.managed.Keys
Explore with Pulumi AI
A resource that manages the lifecycle of all Managed Keys in Vault.
Note this feature is available only with Vault Enterprise.
Create Keys Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Keys(name: string, args?: KeysArgs, opts?: CustomResourceOptions);@overload
def Keys(resource_name: str,
args: Optional[KeysArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def Keys(resource_name: str,
opts: Optional[ResourceOptions] = None,
aws: Optional[Sequence[KeysAwArgs]] = None,
azures: Optional[Sequence[KeysAzureArgs]] = None,
namespace: Optional[str] = None,
pkcs: Optional[Sequence[KeysPkcArgs]] = None)func NewKeys(ctx *Context, name string, args *KeysArgs, opts ...ResourceOption) (*Keys, error)public Keys(string name, KeysArgs? args = null, CustomResourceOptions? opts = null)type: vault:managed:Keys
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args KeysArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args KeysArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args KeysArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args KeysArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args KeysArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var keysResource = new Vault.Managed.Keys("keysResource", new()
{
Aws = new[]
{
new Vault.Managed.Inputs.KeysAwArgs
{
KeyBits = "string",
SecretKey = "string",
Name = "string",
AccessKey = "string",
KmsKey = "string",
KeyType = "string",
AllowStoreKey = false,
Endpoint = "string",
Curve = "string",
AnyMount = false,
AllowReplaceKey = false,
Region = "string",
AllowGenerateKey = false,
Uuid = "string",
},
},
Azures = new[]
{
new Vault.Managed.Inputs.KeysAzureArgs
{
KeyName = "string",
VaultName = "string",
TenantId = "string",
Name = "string",
ClientId = "string",
ClientSecret = "string",
KeyType = "string",
AnyMount = false,
KeyBits = "string",
Environment = "string",
AllowGenerateKey = false,
Resource = "string",
AllowStoreKey = false,
Uuid = "string",
AllowReplaceKey = false,
},
},
Namespace = "string",
Pkcs = new[]
{
new Vault.Managed.Inputs.KeysPkcArgs
{
Pin = "string",
Mechanism = "string",
Name = "string",
KeyId = "string",
KeyLabel = "string",
Library = "string",
AllowReplaceKey = false,
ForceRwSession = "string",
Curve = "string",
AnyMount = false,
KeyBits = "string",
AllowStoreKey = false,
AllowGenerateKey = false,
Slot = "string",
TokenLabel = "string",
Uuid = "string",
},
},
});
example, err := managed.NewKeys(ctx, "keysResource", &managed.KeysArgs{
Aws: managed.KeysAwArray{
&managed.KeysAwArgs{
KeyBits: pulumi.String("string"),
SecretKey: pulumi.String("string"),
Name: pulumi.String("string"),
AccessKey: pulumi.String("string"),
KmsKey: pulumi.String("string"),
KeyType: pulumi.String("string"),
AllowStoreKey: pulumi.Bool(false),
Endpoint: pulumi.String("string"),
Curve: pulumi.String("string"),
AnyMount: pulumi.Bool(false),
AllowReplaceKey: pulumi.Bool(false),
Region: pulumi.String("string"),
AllowGenerateKey: pulumi.Bool(false),
Uuid: pulumi.String("string"),
},
},
Azures: managed.KeysAzureArray{
&managed.KeysAzureArgs{
KeyName: pulumi.String("string"),
VaultName: pulumi.String("string"),
TenantId: pulumi.String("string"),
Name: pulumi.String("string"),
ClientId: pulumi.String("string"),
ClientSecret: pulumi.String("string"),
KeyType: pulumi.String("string"),
AnyMount: pulumi.Bool(false),
KeyBits: pulumi.String("string"),
Environment: pulumi.String("string"),
AllowGenerateKey: pulumi.Bool(false),
Resource: pulumi.String("string"),
AllowStoreKey: pulumi.Bool(false),
Uuid: pulumi.String("string"),
AllowReplaceKey: pulumi.Bool(false),
},
},
Namespace: pulumi.String("string"),
Pkcs: managed.KeysPkcArray{
&managed.KeysPkcArgs{
Pin: pulumi.String("string"),
Mechanism: pulumi.String("string"),
Name: pulumi.String("string"),
KeyId: pulumi.String("string"),
KeyLabel: pulumi.String("string"),
Library: pulumi.String("string"),
AllowReplaceKey: pulumi.Bool(false),
ForceRwSession: pulumi.String("string"),
Curve: pulumi.String("string"),
AnyMount: pulumi.Bool(false),
KeyBits: pulumi.String("string"),
AllowStoreKey: pulumi.Bool(false),
AllowGenerateKey: pulumi.Bool(false),
Slot: pulumi.String("string"),
TokenLabel: pulumi.String("string"),
Uuid: pulumi.String("string"),
},
},
})
var keysResource = new Keys("keysResource", KeysArgs.builder()
.aws(KeysAwArgs.builder()
.keyBits("string")
.secretKey("string")
.name("string")
.accessKey("string")
.kmsKey("string")
.keyType("string")
.allowStoreKey(false)
.endpoint("string")
.curve("string")
.anyMount(false)
.allowReplaceKey(false)
.region("string")
.allowGenerateKey(false)
.uuid("string")
.build())
.azures(KeysAzureArgs.builder()
.keyName("string")
.vaultName("string")
.tenantId("string")
.name("string")
.clientId("string")
.clientSecret("string")
.keyType("string")
.anyMount(false)
.keyBits("string")
.environment("string")
.allowGenerateKey(false)
.resource("string")
.allowStoreKey(false)
.uuid("string")
.allowReplaceKey(false)
.build())
.namespace("string")
.pkcs(KeysPkcArgs.builder()
.pin("string")
.mechanism("string")
.name("string")
.keyId("string")
.keyLabel("string")
.library("string")
.allowReplaceKey(false)
.forceRwSession("string")
.curve("string")
.anyMount(false)
.keyBits("string")
.allowStoreKey(false)
.allowGenerateKey(false)
.slot("string")
.tokenLabel("string")
.uuid("string")
.build())
.build());
keys_resource = vault.managed.Keys("keysResource",
aws=[{
"key_bits": "string",
"secret_key": "string",
"name": "string",
"access_key": "string",
"kms_key": "string",
"key_type": "string",
"allow_store_key": False,
"endpoint": "string",
"curve": "string",
"any_mount": False,
"allow_replace_key": False,
"region": "string",
"allow_generate_key": False,
"uuid": "string",
}],
azures=[{
"key_name": "string",
"vault_name": "string",
"tenant_id": "string",
"name": "string",
"client_id": "string",
"client_secret": "string",
"key_type": "string",
"any_mount": False,
"key_bits": "string",
"environment": "string",
"allow_generate_key": False,
"resource": "string",
"allow_store_key": False,
"uuid": "string",
"allow_replace_key": False,
}],
namespace="string",
pkcs=[{
"pin": "string",
"mechanism": "string",
"name": "string",
"key_id": "string",
"key_label": "string",
"library": "string",
"allow_replace_key": False,
"force_rw_session": "string",
"curve": "string",
"any_mount": False,
"key_bits": "string",
"allow_store_key": False,
"allow_generate_key": False,
"slot": "string",
"token_label": "string",
"uuid": "string",
}])
const keysResource = new vault.managed.Keys("keysResource", {
aws: [{
keyBits: "string",
secretKey: "string",
name: "string",
accessKey: "string",
kmsKey: "string",
keyType: "string",
allowStoreKey: false,
endpoint: "string",
curve: "string",
anyMount: false,
allowReplaceKey: false,
region: "string",
allowGenerateKey: false,
uuid: "string",
}],
azures: [{
keyName: "string",
vaultName: "string",
tenantId: "string",
name: "string",
clientId: "string",
clientSecret: "string",
keyType: "string",
anyMount: false,
keyBits: "string",
environment: "string",
allowGenerateKey: false,
resource: "string",
allowStoreKey: false,
uuid: "string",
allowReplaceKey: false,
}],
namespace: "string",
pkcs: [{
pin: "string",
mechanism: "string",
name: "string",
keyId: "string",
keyLabel: "string",
library: "string",
allowReplaceKey: false,
forceRwSession: "string",
curve: "string",
anyMount: false,
keyBits: "string",
allowStoreKey: false,
allowGenerateKey: false,
slot: "string",
tokenLabel: "string",
uuid: "string",
}],
});
type: vault:managed:Keys
properties:
aws:
- accessKey: string
allowGenerateKey: false
allowReplaceKey: false
allowStoreKey: false
anyMount: false
curve: string
endpoint: string
keyBits: string
keyType: string
kmsKey: string
name: string
region: string
secretKey: string
uuid: string
azures:
- allowGenerateKey: false
allowReplaceKey: false
allowStoreKey: false
anyMount: false
clientId: string
clientSecret: string
environment: string
keyBits: string
keyName: string
keyType: string
name: string
resource: string
tenantId: string
uuid: string
vaultName: string
namespace: string
pkcs:
- allowGenerateKey: false
allowReplaceKey: false
allowStoreKey: false
anyMount: false
curve: string
forceRwSession: string
keyBits: string
keyId: string
keyLabel: string
library: string
mechanism: string
name: string
pin: string
slot: string
tokenLabel: string
uuid: string
Keys Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Keys resource accepts the following input properties:
- Aws
List<Keys
Aw> - Configuration block for AWS Managed Keys
- Azures
List<Keys
Azure> - Configuration block for Azure Managed Keys
- Namespace string
- Target namespace. (requires Enterprise)
- Pkcs
List<Keys
Pkc> - Configuration block for PKCS Managed Keys
- Aws
[]Keys
Aw Args - Configuration block for AWS Managed Keys
- Azures
[]Keys
Azure Args - Configuration block for Azure Managed Keys
- Namespace string
- Target namespace. (requires Enterprise)
- Pkcs
[]Keys
Pkc Args - Configuration block for PKCS Managed Keys
- aws
List<Keys
Aw> - Configuration block for AWS Managed Keys
- azures
List<Keys
Azure> - Configuration block for Azure Managed Keys
- namespace String
- Target namespace. (requires Enterprise)
- pkcs
List<Keys
Pkc> - Configuration block for PKCS Managed Keys
- aws
Sequence[Keys
Aw Args] - Configuration block for AWS Managed Keys
- azures
Sequence[Keys
Azure Args] - Configuration block for Azure Managed Keys
- namespace str
- Target namespace. (requires Enterprise)
- pkcs
Sequence[Keys
Pkc Args] - Configuration block for PKCS Managed Keys
- aws List<Property Map>
- Configuration block for AWS Managed Keys
- azures List<Property Map>
- Configuration block for Azure Managed Keys
- namespace String
- Target namespace. (requires Enterprise)
- pkcs List<Property Map>
- Configuration block for PKCS Managed Keys
Outputs
All input properties are implicitly available as output properties. Additionally, the Keys resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Keys Resource
Get an existing Keys resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: KeysState, opts?: CustomResourceOptions): Keys@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
aws: Optional[Sequence[KeysAwArgs]] = None,
azures: Optional[Sequence[KeysAzureArgs]] = None,
namespace: Optional[str] = None,
pkcs: Optional[Sequence[KeysPkcArgs]] = None) -> Keysfunc GetKeys(ctx *Context, name string, id IDInput, state *KeysState, opts ...ResourceOption) (*Keys, error)public static Keys Get(string name, Input<string> id, KeysState? state, CustomResourceOptions? opts = null)public static Keys get(String name, Output<String> id, KeysState state, CustomResourceOptions options)resources: _: type: vault:managed:Keys get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Aws
List<Keys
Aw> - Configuration block for AWS Managed Keys
- Azures
List<Keys
Azure> - Configuration block for Azure Managed Keys
- Namespace string
- Target namespace. (requires Enterprise)
- Pkcs
List<Keys
Pkc> - Configuration block for PKCS Managed Keys
- Aws
[]Keys
Aw Args - Configuration block for AWS Managed Keys
- Azures
[]Keys
Azure Args - Configuration block for Azure Managed Keys
- Namespace string
- Target namespace. (requires Enterprise)
- Pkcs
[]Keys
Pkc Args - Configuration block for PKCS Managed Keys
- aws
List<Keys
Aw> - Configuration block for AWS Managed Keys
- azures
List<Keys
Azure> - Configuration block for Azure Managed Keys
- namespace String
- Target namespace. (requires Enterprise)
- pkcs
List<Keys
Pkc> - Configuration block for PKCS Managed Keys
- aws
Sequence[Keys
Aw Args] - Configuration block for AWS Managed Keys
- azures
Sequence[Keys
Azure Args] - Configuration block for Azure Managed Keys
- namespace str
- Target namespace. (requires Enterprise)
- pkcs
Sequence[Keys
Pkc Args] - Configuration block for PKCS Managed Keys
- aws List<Property Map>
- Configuration block for AWS Managed Keys
- azures List<Property Map>
- Configuration block for Azure Managed Keys
- namespace String
- Target namespace. (requires Enterprise)
- pkcs List<Property Map>
- Configuration block for PKCS Managed Keys
Supporting Types
KeysAw, KeysAwArgs
- Access
Key string - The AWS access key to use
- Key
Bits string - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
- Key
Type string - The type of key to use
- Kms
Key string - An identifier for the key
- Name string
- A unique lowercase name that serves as identifying the key
- Secret
Key string - The AWS secret key to use
- Allow
Generate boolKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- Allow
Replace boolKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- Allow
Store boolKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- Any
Mount bool - Allow usage from any mount point within the namespace if 'true'
- Curve string
- The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
- Endpoint string
- Used to specify a custom AWS endpoint
- Region string
- The AWS region where the keys are stored (or will be stored)
- Uuid string
- ID of the managed key read from Vault
- Access
Key string - The AWS access key to use
- Key
Bits string - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
- Key
Type string - The type of key to use
- Kms
Key string - An identifier for the key
- Name string
- A unique lowercase name that serves as identifying the key
- Secret
Key string - The AWS secret key to use
- Allow
Generate boolKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- Allow
Replace boolKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- Allow
Store boolKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- Any
Mount bool - Allow usage from any mount point within the namespace if 'true'
- Curve string
- The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
- Endpoint string
- Used to specify a custom AWS endpoint
- Region string
- The AWS region where the keys are stored (or will be stored)
- Uuid string
- ID of the managed key read from Vault
- access
Key String - The AWS access key to use
- key
Bits String - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
- key
Type String - The type of key to use
- kms
Key String - An identifier for the key
- name String
- A unique lowercase name that serves as identifying the key
- secret
Key String - The AWS secret key to use
- allow
Generate BooleanKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow
Replace BooleanKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow
Store BooleanKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any
Mount Boolean - Allow usage from any mount point within the namespace if 'true'
- curve String
- The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
- endpoint String
- Used to specify a custom AWS endpoint
- region String
- The AWS region where the keys are stored (or will be stored)
- uuid String
- ID of the managed key read from Vault
- access
Key string - The AWS access key to use
- key
Bits string - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
- key
Type string - The type of key to use
- kms
Key string - An identifier for the key
- name string
- A unique lowercase name that serves as identifying the key
- secret
Key string - The AWS secret key to use
- allow
Generate booleanKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow
Replace booleanKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow
Store booleanKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any
Mount boolean - Allow usage from any mount point within the namespace if 'true'
- curve string
- The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
- endpoint string
- Used to specify a custom AWS endpoint
- region string
- The AWS region where the keys are stored (or will be stored)
- uuid string
- ID of the managed key read from Vault
- access_
key str - The AWS access key to use
- key_
bits str - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
- key_
type str - The type of key to use
- kms_
key str - An identifier for the key
- name str
- A unique lowercase name that serves as identifying the key
- secret_
key str - The AWS secret key to use
- allow_
generate_ boolkey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow_
replace_ boolkey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow_
store_ boolkey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any_
mount bool - Allow usage from any mount point within the namespace if 'true'
- curve str
- The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
- endpoint str
- Used to specify a custom AWS endpoint
- region str
- The AWS region where the keys are stored (or will be stored)
- uuid str
- ID of the managed key read from Vault
- access
Key String - The AWS access key to use
- key
Bits String - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
- key
Type String - The type of key to use
- kms
Key String - An identifier for the key
- name String
- A unique lowercase name that serves as identifying the key
- secret
Key String - The AWS secret key to use
- allow
Generate BooleanKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow
Replace BooleanKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow
Store BooleanKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any
Mount Boolean - Allow usage from any mount point within the namespace if 'true'
- curve String
- The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
- endpoint String
- Used to specify a custom AWS endpoint
- region String
- The AWS region where the keys are stored (or will be stored)
- uuid String
- ID of the managed key read from Vault
KeysAzure, KeysAzureArgs
- Client
Id string - The client id for credentials to query the Azure APIs
- Client
Secret string - The client secret for credentials to query the Azure APIs
- Key
Name string - The Key Vault key to use for encryption and decryption
- Key
Type string - The type of key to use
- Name string
- A unique lowercase name that serves as identifying the key
- Tenant
Id string - The tenant id for the Azure Active Directory organization
- Vault
Name string - The Key Vault vault to use the encryption keys for encryption and decryption
- Allow
Generate boolKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- Allow
Replace boolKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- Allow
Store boolKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- Any
Mount bool - Allow usage from any mount point within the namespace if 'true'
- Environment string
- The Azure Cloud environment API endpoints to use
- Key
Bits string - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
- Resource string
- The Azure Key Vault resource's DNS Suffix to connect to
- Uuid string
- ID of the managed key read from Vault
- Client
Id string - The client id for credentials to query the Azure APIs
- Client
Secret string - The client secret for credentials to query the Azure APIs
- Key
Name string - The Key Vault key to use for encryption and decryption
- Key
Type string - The type of key to use
- Name string
- A unique lowercase name that serves as identifying the key
- Tenant
Id string - The tenant id for the Azure Active Directory organization
- Vault
Name string - The Key Vault vault to use the encryption keys for encryption and decryption
- Allow
Generate boolKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- Allow
Replace boolKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- Allow
Store boolKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- Any
Mount bool - Allow usage from any mount point within the namespace if 'true'
- Environment string
- The Azure Cloud environment API endpoints to use
- Key
Bits string - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
- Resource string
- The Azure Key Vault resource's DNS Suffix to connect to
- Uuid string
- ID of the managed key read from Vault
- client
Id String - The client id for credentials to query the Azure APIs
- client
Secret String - The client secret for credentials to query the Azure APIs
- key
Name String - The Key Vault key to use for encryption and decryption
- key
Type String - The type of key to use
- name String
- A unique lowercase name that serves as identifying the key
- tenant
Id String - The tenant id for the Azure Active Directory organization
- vault
Name String - The Key Vault vault to use the encryption keys for encryption and decryption
- allow
Generate BooleanKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow
Replace BooleanKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow
Store BooleanKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any
Mount Boolean - Allow usage from any mount point within the namespace if 'true'
- environment String
- The Azure Cloud environment API endpoints to use
- key
Bits String - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
- resource String
- The Azure Key Vault resource's DNS Suffix to connect to
- uuid String
- ID of the managed key read from Vault
- client
Id string - The client id for credentials to query the Azure APIs
- client
Secret string - The client secret for credentials to query the Azure APIs
- key
Name string - The Key Vault key to use for encryption and decryption
- key
Type string - The type of key to use
- name string
- A unique lowercase name that serves as identifying the key
- tenant
Id string - The tenant id for the Azure Active Directory organization
- vault
Name string - The Key Vault vault to use the encryption keys for encryption and decryption
- allow
Generate booleanKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow
Replace booleanKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow
Store booleanKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any
Mount boolean - Allow usage from any mount point within the namespace if 'true'
- environment string
- The Azure Cloud environment API endpoints to use
- key
Bits string - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
- resource string
- The Azure Key Vault resource's DNS Suffix to connect to
- uuid string
- ID of the managed key read from Vault
- client_
id str - The client id for credentials to query the Azure APIs
- client_
secret str - The client secret for credentials to query the Azure APIs
- key_
name str - The Key Vault key to use for encryption and decryption
- key_
type str - The type of key to use
- name str
- A unique lowercase name that serves as identifying the key
- tenant_
id str - The tenant id for the Azure Active Directory organization
- vault_
name str - The Key Vault vault to use the encryption keys for encryption and decryption
- allow_
generate_ boolkey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow_
replace_ boolkey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow_
store_ boolkey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any_
mount bool - Allow usage from any mount point within the namespace if 'true'
- environment str
- The Azure Cloud environment API endpoints to use
- key_
bits str - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
- resource str
- The Azure Key Vault resource's DNS Suffix to connect to
- uuid str
- ID of the managed key read from Vault
- client
Id String - The client id for credentials to query the Azure APIs
- client
Secret String - The client secret for credentials to query the Azure APIs
- key
Name String - The Key Vault key to use for encryption and decryption
- key
Type String - The type of key to use
- name String
- A unique lowercase name that serves as identifying the key
- tenant
Id String - The tenant id for the Azure Active Directory organization
- vault
Name String - The Key Vault vault to use the encryption keys for encryption and decryption
- allow
Generate BooleanKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow
Replace BooleanKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow
Store BooleanKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any
Mount Boolean - Allow usage from any mount point within the namespace if 'true'
- environment String
- The Azure Cloud environment API endpoints to use
- key
Bits String - The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
- resource String
- The Azure Key Vault resource's DNS Suffix to connect to
- uuid String
- ID of the managed key read from Vault
KeysPkc, KeysPkcArgs
- Key
Id string - The id of a PKCS#11 key to use
- Key
Label string - The label of the key to use
- Library string
- The name of the kms_library stanza to use from Vault's config to lookup the local library path
- Mechanism string
- The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
- Name string
- A unique lowercase name that serves as identifying the key
- Pin string
- The PIN for login
- Allow
Generate boolKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- Allow
Replace boolKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- Allow
Store boolKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- Any
Mount bool - Allow usage from any mount point within the namespace if 'true'
- Curve string
- Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
- Force
Rw stringSession - Force all operations to open up a read-write session to the HSM
- Key
Bits string - Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
- Slot string
- The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
- Token
Label string - The slot token label to use
- Uuid string
- ID of the managed key read from Vault
- Key
Id string - The id of a PKCS#11 key to use
- Key
Label string - The label of the key to use
- Library string
- The name of the kms_library stanza to use from Vault's config to lookup the local library path
- Mechanism string
- The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
- Name string
- A unique lowercase name that serves as identifying the key
- Pin string
- The PIN for login
- Allow
Generate boolKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- Allow
Replace boolKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- Allow
Store boolKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- Any
Mount bool - Allow usage from any mount point within the namespace if 'true'
- Curve string
- Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
- Force
Rw stringSession - Force all operations to open up a read-write session to the HSM
- Key
Bits string - Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
- Slot string
- The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
- Token
Label string - The slot token label to use
- Uuid string
- ID of the managed key read from Vault
- key
Id String - The id of a PKCS#11 key to use
- key
Label String - The label of the key to use
- library String
- The name of the kms_library stanza to use from Vault's config to lookup the local library path
- mechanism String
- The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
- name String
- A unique lowercase name that serves as identifying the key
- pin String
- The PIN for login
- allow
Generate BooleanKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow
Replace BooleanKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow
Store BooleanKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any
Mount Boolean - Allow usage from any mount point within the namespace if 'true'
- curve String
- Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
- force
Rw StringSession - Force all operations to open up a read-write session to the HSM
- key
Bits String - Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
- slot String
- The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
- token
Label String - The slot token label to use
- uuid String
- ID of the managed key read from Vault
- key
Id string - The id of a PKCS#11 key to use
- key
Label string - The label of the key to use
- library string
- The name of the kms_library stanza to use from Vault's config to lookup the local library path
- mechanism string
- The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
- name string
- A unique lowercase name that serves as identifying the key
- pin string
- The PIN for login
- allow
Generate booleanKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow
Replace booleanKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow
Store booleanKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any
Mount boolean - Allow usage from any mount point within the namespace if 'true'
- curve string
- Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
- force
Rw stringSession - Force all operations to open up a read-write session to the HSM
- key
Bits string - Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
- slot string
- The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
- token
Label string - The slot token label to use
- uuid string
- ID of the managed key read from Vault
- key_
id str - The id of a PKCS#11 key to use
- key_
label str - The label of the key to use
- library str
- The name of the kms_library stanza to use from Vault's config to lookup the local library path
- mechanism str
- The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
- name str
- A unique lowercase name that serves as identifying the key
- pin str
- The PIN for login
- allow_
generate_ boolkey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow_
replace_ boolkey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow_
store_ boolkey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any_
mount bool - Allow usage from any mount point within the namespace if 'true'
- curve str
- Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
- force_
rw_ strsession - Force all operations to open up a read-write session to the HSM
- key_
bits str - Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
- slot str
- The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
- token_
label str - The slot token label to use
- uuid str
- ID of the managed key read from Vault
- key
Id String - The id of a PKCS#11 key to use
- key
Label String - The label of the key to use
- library String
- The name of the kms_library stanza to use from Vault's config to lookup the local library path
- mechanism String
- The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
- name String
- A unique lowercase name that serves as identifying the key
- pin String
- The PIN for login
- allow
Generate BooleanKey - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
- allow
Replace BooleanKey - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
- allow
Store BooleanKey - Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
- any
Mount Boolean - Allow usage from any mount point within the namespace if 'true'
- curve String
- Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
- force
Rw StringSession - Force all operations to open up a read-write session to the HSM
- key
Bits String - Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
- slot String
- The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
- token
Label String - The slot token label to use
- uuid String
- ID of the managed key read from Vault
Import
Mounts can be imported using the id of default, e.g.
$ pulumi import vault:managed/keys:Keys keys default
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.