HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
vault.pkiSecret.getBackendCertMetadata
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
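// Mount a PKI secrets engine at the path "pki".
const pki = new vault.Mount("pki", {
    path: "pki",
    type: "pki",
    description: "PKI secret engine mount",
});
// Generate the root CA on that mount. With type "internal" the CA private key
// is generated and kept inside Vault; it is never returned to the caller.
const root = new vault.pkisecret.SecretBackendRootCert("root", {
    backend: pki.path,
    type: "internal",
    commonName: "example",
    ttl: "86400", // a bare integer is read as seconds: a 24-hour root
    issuerName: "example",
});
// Role that constrains what may be issued: only names under test.my.domain,
// for at most one hour, with the listed key usages.
const testSecretBackendRole = new vault.pkisecret.SecretBackendRole("test", {
    // Read the backend from the root cert defined above (the original referenced
    // an undeclared resource) so the role is created only after the CA exists.
    backend: root.backend,
    name: "test",
    allowedDomains: ["test.my.domain"],
    allowSubdomains: true,
    maxTtl: "3600",
    keyUsages: [
        "DigitalSignature",
        "KeyAgreement",
        "KeyEncipherment",
    ],
    // false = Vault stores the metadata supplied at issuance, so it can be read back.
    noStoreMetadata: false,
});
// Issue a leaf certificate through the role. The issued private key is a
// resource output and is therefore held in Pulumi state; restrict access to the
// state backend accordingly.
const testSecretBackendCert = new vault.pkisecret.SecretBackendCert("test", {
    backend: testSecretBackendRole.backend,
    name: testSecretBackendRole.name,
    commonName: "cert.test.my.domain",
    // NOTE(review): 720h exceeds the role's maxTtl of 3600 seconds; Vault is
    // expected to cap or reject the request - confirm the lifetime actually issued.
    ttl: "720h",
    minSecondsRemaining: 60, // re-issue once fewer than 60 seconds of validity remain
    // Base64 of "test metadata". Stored with the certificate and returned by the
    // lookup below, so it must not carry secrets.
    certMetadata: "dGVzdCBtZXRhZGF0YQ==",
});
// Read back the stored metadata by serial number. The Output form accepts
// Input-wrapped arguments, so no apply() wrapper is needed. The path is the
// mount declared above (the original referenced an undeclared `test_root`), and
// the module name matches the `vault.pkisecret` used for the resources.
const test = vault.pkisecret.getBackendCertMetadataOutput({
    path: pki.path,
    serial: testSecretBackendCert.serialNumber,
});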
import pulumi
import pulumi_vault as vault
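# Mount a PKI secrets engine at the path "pki".
pki = vault.Mount("pki",
    path="pki",
    type="pki",
    description="PKI secret engine mount")
# Generate the root CA on that mount. With type "internal" the CA private key
# is generated and kept inside Vault; it is never returned to the caller.
root = vault.pki_secret.SecretBackendRootCert("root",
    backend=pki.path,
    type="internal",
    common_name="example",
    ttl="86400",  # a bare integer is read as seconds: a 24-hour root
    issuer_name="example")
# Role that constrains what may be issued: only names under test.my.domain,
# for at most one hour, with the listed key usages.
test_secret_backend_role = vault.pki_secret.SecretBackendRole("test",
    # Read the backend from the root cert defined above (the original referenced
    # an undeclared resource) so the role is created only after the CA exists.
    backend=root.backend,
    name="test",
    allowed_domains=["test.my.domain"],
    allow_subdomains=True,
    max_ttl="3600",
    key_usages=[
        "DigitalSignature",
        "KeyAgreement",
        "KeyEncipherment",
    ],
    # False = Vault stores the metadata supplied at issuance, so it can be read back.
    no_store_metadata=False)
# Issue a leaf certificate through the role. The issued private key is a
# resource output and is therefore held in Pulumi state; restrict access to the
# state backend accordingly.
test_secret_backend_cert = vault.pki_secret.SecretBackendCert("test",
    backend=test_secret_backend_role.backend,
    name=test_secret_backend_role.name,
    common_name="cert.test.my.domain",
    # NOTE(review): 720h exceeds the role's max_ttl of 3600 seconds; Vault is
    # expected to cap or reject the request - confirm the lifetime actually issued.
    ttl="720h",
    min_seconds_remaining=60,  # re-issue once fewer than 60 seconds of validity remain
    # Base64 of "test metadata". Stored with the certificate and returned by the
    # lookup below, so it must not carry secrets.
    cert_metadata="dGVzdCBtZXRhZGF0YQ==")
# Read back the stored metadata by serial number. The *_output form accepts
# Input-wrapped arguments, so no apply() wrapper is needed. The path is the
# mount declared above (the original referenced an undeclared `test_root`), and
# the module name matches the `vault.pki_secret` used for the resources.
test = vault.pki_secret.get_backend_cert_metadata_output(path=pki.path,
    serial=test_secret_backend_cert.serial_number)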
package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
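// main provisions a PKI mount, a root CA, an issuing role and one leaf
// certificate, then reads back the metadata Vault stored for that certificate.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Mount a PKI secrets engine at the path "pki".
		pki, err := vault.NewMount(ctx, "pki", &vault.MountArgs{
			Path:        pulumi.String("pki"),
			Type:        pulumi.String("pki"),
			Description: pulumi.String("PKI secret engine mount"),
		})
		if err != nil {
			return err
		}
		// Generate the root CA. With type "internal" the CA private key is
		// generated and kept inside Vault; it is never returned to the caller.
		root, err := pkisecret.NewSecretBackendRootCert(ctx, "root", &pkisecret.SecretBackendRootCertArgs{
			Backend:    pki.Path,
			Type:       pulumi.String("internal"),
			CommonName: pulumi.String("example"),
			Ttl:        pulumi.String("86400"), // a bare integer is read as seconds: a 24-hour root
			IssuerName: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		// Role that constrains what may be issued: only names under
		// test.my.domain, for at most one hour, with the listed key usages.
		testSecretBackendRole, err := pkisecret.NewSecretBackendRole(ctx, "test", &pkisecret.SecretBackendRoleArgs{
			// Read the backend from the root cert created above (the original
			// referenced an undeclared variable) so the role is created only
			// after the CA exists.
			Backend: root.Backend,
			Name:    pulumi.String("test"),
			AllowedDomains: pulumi.StringArray{
				pulumi.String("test.my.domain"),
			},
			AllowSubdomains: pulumi.Bool(true),
			MaxTtl:          pulumi.String("3600"),
			KeyUsages: pulumi.StringArray{
				pulumi.String("DigitalSignature"),
				pulumi.String("KeyAgreement"),
				pulumi.String("KeyEncipherment"),
			},
			// false = Vault stores the metadata supplied at issuance.
			NoStoreMetadata: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		// Issue a leaf certificate through the role. The issued private key is
		// a resource output and is therefore held in Pulumi state; restrict
		// access to the state backend accordingly.
		testSecretBackendCert, err := pkisecret.NewSecretBackendCert(ctx, "test", &pkisecret.SecretBackendCertArgs{
			Backend:    testSecretBackendRole.Backend,
			Name:       testSecretBackendRole.Name,
			CommonName: pulumi.String("cert.test.my.domain"),
			// NOTE(review): 720h exceeds the role's MaxTtl of 3600 seconds;
			// Vault is expected to cap or reject the request - confirm the
			// lifetime actually issued.
			Ttl:                 pulumi.String("720h"),
			MinSecondsRemaining: pulumi.Int(60), // re-issue once fewer than 60 seconds of validity remain
			// Base64 of "test metadata". Stored with the certificate and
			// returned by the lookup below, so it must not carry secrets.
			CertMetadata: pulumi.String("dGVzdCBtZXRhZGF0YQ=="),
		})
		if err != nil {
			return err
		}
		// Read back the stored metadata by serial number. The Output form takes
		// Input-wrapped arguments, so no ApplyT wrapper is needed. The path is
		// the mount created above (the original referenced an undeclared
		// test_root).
		_ = pkisecret.GetBackendCertMetadataOutput(ctx, pkisecret.GetBackendCertMetadataOutputArgs{
			Path:   pki.Path,
			Serial: testSecretBackendCert.SerialNumber,
		})
		return nil
	})
}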
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
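// Provisions a PKI mount, a root CA, an issuing role and one leaf certificate,
// then reads back the metadata Vault stored for that certificate.
return await Deployment.RunAsync(() => 
{
    // Mount a PKI secrets engine at the path "pki".
    var pki = new Vault.Mount("pki", new()
    {
        Path = "pki",
        Type = "pki",
        Description = "PKI secret engine mount",
    });
    // Generate the root CA. With Type "internal" the CA private key is
    // generated and kept inside Vault; it is never returned to the caller.
    var root = new Vault.PkiSecret.SecretBackendRootCert("root", new()
    {
        Backend = pki.Path,
        Type = "internal",
        CommonName = "example",
        Ttl = "86400", // a bare integer is read as seconds: a 24-hour root
        IssuerName = "example",
    });
    // Role that constrains what may be issued: only names under
    // test.my.domain, for at most one hour, with the listed key usages.
    var testSecretBackendRole = new Vault.PkiSecret.SecretBackendRole("test", new()
    {
        // Read the backend from the root cert declared above (the original
        // referenced an undeclared variable) so the role is created only after
        // the CA exists.
        Backend = root.Backend,
        Name = "test",
        AllowedDomains = new[]
        {
            "test.my.domain",
        },
        AllowSubdomains = true,
        MaxTtl = "3600",
        KeyUsages = new[]
        {
            "DigitalSignature",
            "KeyAgreement",
            "KeyEncipherment",
        },
        // false = Vault stores the metadata supplied at issuance.
        NoStoreMetadata = false,
    });
    // Issue a leaf certificate through the role. The issued private key is a
    // resource output and is therefore held in Pulumi state; restrict access
    // to the state backend accordingly.
    var testSecretBackendCert = new Vault.PkiSecret.SecretBackendCert("test", new()
    {
        Backend = testSecretBackendRole.Backend,
        Name = testSecretBackendRole.Name,
        CommonName = "cert.test.my.domain",
        // NOTE(review): 720h exceeds the role's MaxTtl of 3600 seconds; Vault
        // is expected to cap or reject the request - confirm the lifetime
        // actually issued.
        Ttl = "720h",
        MinSecondsRemaining = 60, // re-issue once fewer than 60 seconds of validity remain
        // Base64 of "test metadata". Stored with the certificate and returned
        // by the lookup below, so it must not carry secrets.
        CertMetadata = "dGVzdCBtZXRhZGF0YQ==",
    });
    // Read back the stored metadata by serial number. The path is the mount
    // declared above (the original referenced an undeclared test_root).
    var test = Vault.PkiSecret.GetBackendCertMetadata.Invoke(new()
    {
        Path = pki.Path,
        Serial = testSecretBackendCert.SerialNumber,
    });
});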
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRootCert;
import com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRole;
import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
import com.pulumi.vault.pkiSecret.SecretBackendCert;
import com.pulumi.vault.pkiSecret.SecretBackendCertArgs;
import com.pulumi.vault.pkiSecret.PkiSecretFunctions;
import com.pulumi.vault.pkiSecret.inputs.GetBackendCertMetadataArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
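/**
 * Provisions a PKI mount, a root CA, an issuing role and one leaf certificate,
 * then reads back the metadata Vault stored for that certificate.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi program context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Mount a PKI secrets engine at the path "pki".
        var pki = new Mount("pki", MountArgs.builder()
            .path("pki")
            .type("pki")
            .description("PKI secret engine mount")
            .build());
        // Generate the root CA. With type "internal" the CA private key is
        // generated and kept inside Vault; it is never returned to the caller.
        var root = new SecretBackendRootCert("root", SecretBackendRootCertArgs.builder()
            .backend(pki.path())
            .type("internal")
            .commonName("example")
            .ttl("86400") // a bare integer is read as seconds: a 24-hour root
            .issuerName("example")
            .build());
        // Role that constrains what may be issued: only names under
        // test.my.domain, for at most one hour, with the listed key usages.
        var testSecretBackendRole = new SecretBackendRole("testSecretBackendRole", SecretBackendRoleArgs.builder()
            // Read the backend from the root cert declared above (the original
            // referenced an undeclared variable) so the role is created only
            // after the CA exists.
            .backend(root.backend())
            .name("test")
            .allowedDomains("test.my.domain")
            .allowSubdomains(true)
            .maxTtl("3600")
            .keyUsages(
                "DigitalSignature",
                "KeyAgreement",
                "KeyEncipherment")
            // false = Vault stores the metadata supplied at issuance.
            .noStoreMetadata(false)
            .build());
        // Issue a leaf certificate through the role. The issued private key is
        // a resource output and is therefore held in Pulumi state; restrict
        // access to the state backend accordingly.
        var testSecretBackendCert = new SecretBackendCert("testSecretBackendCert", SecretBackendCertArgs.builder()
            .backend(testSecretBackendRole.backend())
            .name(testSecretBackendRole.name())
            .commonName("cert.test.my.domain")
            // NOTE(review): 720h exceeds the role's maxTtl of 3600 seconds;
            // Vault is expected to cap or reject the request - confirm the
            // lifetime actually issued.
            .ttl("720h")
            .minSecondsRemaining(60) // re-issue once fewer than 60 seconds of validity remain
            // Base64 of "test metadata". Stored with the certificate and
            // returned by the lookup below, so it must not carry secrets.
            .certMetadata("dGVzdCBtZXRhZGF0YQ==")
            .build());
        // Read back the stored metadata by serial number. The args builder
        // accepts Output values, so no applyValue wrapper is needed. The path
        // is the mount declared above (the original referenced an undeclared
        // test_root).
        final var test = PkiSecretFunctions.getBackendCertMetadata(GetBackendCertMetadataArgs.builder()
            .path(pki.path())
            .serial(testSecretBackendCert.serialNumber())
            .build());
    }
}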
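resources:
  # Mount a PKI secrets engine at the path "pki".
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      description: PKI secret engine mount
  # Root CA. With type "internal" the CA private key is generated and kept
  # inside Vault; it is never returned to the caller.
  root:
    type: vault:pkiSecret:SecretBackendRootCert
    properties:
      backend: ${pki.path}
      type: internal
      commonName: example
      ttl: '86400' # a bare integer is read as seconds: a 24-hour root
      issuerName: example
  # Role that constrains what may be issued: only names under test.my.domain,
  # for at most one hour, with the listed key usages.
  testSecretBackendRole:
    type: vault:pkiSecret:SecretBackendRole
    name: test
    properties:
      # Read the backend from the root cert declared above (the original
      # referenced an undeclared resource) so the role is created only after
      # the CA exists.
      backend: ${root.backend}
      name: test
      allowedDomains:
        - test.my.domain
      allowSubdomains: true
      maxTtl: '3600'
      keyUsages:
        - DigitalSignature
        - KeyAgreement
        - KeyEncipherment
      # false = Vault stores the metadata supplied at issuance.
      noStoreMetadata: false
  # Leaf certificate issued through the role. The issued private key is a
  # resource output and is therefore held in Pulumi state; restrict access to
  # the state backend accordingly.
  testSecretBackendCert:
    type: vault:pkiSecret:SecretBackendCert
    name: test
    properties:
      backend: ${testSecretBackendRole.backend}
      name: ${testSecretBackendRole.name}
      commonName: cert.test.my.domain
      # NOTE(review): 720h exceeds the role's maxTtl of 3600 seconds; Vault is
      # expected to cap or reject the request - confirm the lifetime actually
      # issued.
      ttl: 720h
      minSecondsRemaining: 60 # re-issue once fewer than 60 seconds of validity remain
      # Base64 of "test metadata". Stored with the certificate and returned by
      # the lookup below, so it must not carry secrets.
      certMetadata: dGVzdCBtZXRhZGF0YQ==
variables:
  # Read back the stored metadata by serial number. The path is the mount
  # declared above (the original referenced an undeclared "test-root").
  test:
    fn::invoke:
      function: vault:pkiSecret:getBackendCertMetadata
      arguments:
        path: ${pki.path}
        serial: ${testSecretBackendCert.serialNumber}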
Using getBackendCertMetadata
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getBackendCertMetadata(args: GetBackendCertMetadataArgs, opts?: InvokeOptions): Promise<GetBackendCertMetadataResult>
function getBackendCertMetadataOutput(args: GetBackendCertMetadataOutputArgs, opts?: InvokeOptions): Output<GetBackendCertMetadataResult>
def get_backend_cert_metadata(namespace: Optional[str] = None,
                              path: Optional[str] = None,
                              serial: Optional[str] = None,
                              opts: Optional[InvokeOptions] = None) -> GetBackendCertMetadataResult
def get_backend_cert_metadata_output(namespace: Optional[pulumi.Input[str]] = None,
                              path: Optional[pulumi.Input[str]] = None,
                              serial: Optional[pulumi.Input[str]] = None,
                              opts: Optional[InvokeOptions] = None) -> Output[GetBackendCertMetadataResult]
func GetBackendCertMetadata(ctx *Context, args *GetBackendCertMetadataArgs, opts ...InvokeOption) (*GetBackendCertMetadataResult, error)
func GetBackendCertMetadataOutput(ctx *Context, args *GetBackendCertMetadataOutputArgs, opts ...InvokeOption) GetBackendCertMetadataResultOutput
> Note: This function is named GetBackendCertMetadata in the Go SDK.
public static class GetBackendCertMetadata 
{
    public static Task<GetBackendCertMetadataResult> InvokeAsync(GetBackendCertMetadataArgs args, InvokeOptions? opts = null)
    public static Output<GetBackendCertMetadataResult> Invoke(GetBackendCertMetadataInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetBackendCertMetadataResult> getBackendCertMetadata(GetBackendCertMetadataArgs args, InvokeOptions options)
public static Output<GetBackendCertMetadataResult> getBackendCertMetadata(GetBackendCertMetadataArgs args, InvokeOptions options)
fn::invoke:
  function: vault:pkiSecret/getBackendCertMetadata:getBackendCertMetadata
  arguments:
    # arguments dictionary
The following arguments are supported:
- Path string
- The path to the PKI secret backend to
read the cert metadata from, with no leading or trailing /s.
- Serial string
- Specifies the serial of the certificate whose metadata to read.
- Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- Path string
- The path to the PKI secret backend to
read the cert metadata from, with no leading or trailing /s.
- Serial string
- Specifies the serial of the certificate whose metadata to read.
- Namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- path String
- The path to the PKI secret backend to
read the cert metadata from, with no leading or trailing /s.
- serial String
- Specifies the serial of the certificate whose metadata to read.
- namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- path string
- The path to the PKI secret backend to
read the cert metadata from, with no leading or trailing /s.
- serial string
- Specifies the serial of the certificate whose metadata to read.
- namespace string
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- path str
- The path to the PKI secret backend to
read the cert metadata from, with no leading or trailing /s.
- serial str
- Specifies the serial of the certificate whose metadata to read.
- namespace str
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- path String
- The path to the PKI secret backend to
read the cert metadata from, with no leading or trailing /s.
- serial String
- Specifies the serial of the certificate whose metadata to read.
- namespace String
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
getBackendCertMetadata Result
The following output properties are available:
- CertMetadata string
- The metadata associated with the certificate
- Expiration string
- The expiration date of the certificate in unix epoch format
- Id string
- The provider-assigned unique ID for this managed resource.
- IssuerId string
- ID of the issuer.
- Path string
- Role string
- The role used to create the certificate
- Serial string
- SerialNumber string
- The serial number
- Namespace string
- CertMetadata string
- The metadata associated with the certificate
- Expiration string
- The expiration date of the certificate in unix epoch format
- Id string
- The provider-assigned unique ID for this managed resource.
- IssuerId string
- ID of the issuer.
- Path string
- Role string
- The role used to create the certificate
- Serial string
- SerialNumber string
- The serial number
- Namespace string
- certMetadata String
- The metadata associated with the certificate
- expiration String
- The expiration date of the certificate in unix epoch format
- id String
- The provider-assigned unique ID for this managed resource.
- issuerId String
- ID of the issuer.
- path String
- role String
- The role used to create the certificate
- serial String
- serialNumber String
- The serial number
- namespace String
- certMetadata string
- The metadata associated with the certificate
- expiration string
- The expiration date of the certificate in unix epoch format
- id string
- The provider-assigned unique ID for this managed resource.
- issuerId string
- ID of the issuer.
- path string
- role string
- The role used to create the certificate
- serial string
- serialNumber string
- The serial number
- namespace string
- cert_metadata str
- The metadata associated with the certificate
- expiration str
- The expiration date of the certificate in unix epoch format
- id str
- The provider-assigned unique ID for this managed resource.
- issuer_id str
- ID of the issuer.
- path str
- role str
- The role used to create the certificate
- serial str
- serial_number str
- The serial number
- namespace str
- certMetadata String
- The metadata associated with the certificate
- expiration String
- The expiration date of the certificate in unix epoch format
- id String
- The provider-assigned unique ID for this managed resource.
- issuerId String
- ID of the issuer.
- path String
- role String
- The role used to create the certificate
- serial String
- serialNumber String
- The serial number
- namespace String
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the vault Terraform Provider.