vault.pkiSecret.getBackendIssuer

Explore with Pulumi AI

HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const pki = new vault.Mount("pki", {
    path: "pki",
    type: "pki",
    description: "PKI secret engine mount",
});
const root = new vault.pkisecret.SecretBackendRootCert("root", {
    backend: pki.path,
    type: "internal",
    commonName: "example",
    ttl: "86400",
    issuerName: "example",
});
const example = root.issuerId.apply(issuerId => vault.pkiSecret.getBackendIssuerOutput({
    backend: root.path,
    issuerRef: issuerId,
}));

import pulumi
import pulumi_vault as vault

pki = vault.Mount("pki",
    path="pki",
    type="pki",
    description="PKI secret engine mount")
root = vault.pki_secret.SecretBackendRootCert("root",
    backend=pki.path,
    type="internal",
    common_name="example",
    ttl="86400",
    issuer_name="example")
example = root.issuer_id.apply(lambda issuer_id: vault.pkiSecret.get_backend_issuer_output(backend=root.path,
    issuer_ref=issuer_id))

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		pki, err := vault.NewMount(ctx, "pki", &vault.MountArgs{
			Path:        pulumi.String("pki"),
			Type:        pulumi.String("pki"),
			Description: pulumi.String("PKI secret engine mount"),
		})
		if err != nil {
			return err
		}
		root, err := pkisecret.NewSecretBackendRootCert(ctx, "root", &pkisecret.SecretBackendRootCertArgs{
			Backend:    pki.Path,
			Type:       pulumi.String("internal"),
			CommonName: pulumi.String("example"),
			Ttl:        pulumi.String("86400"),
			IssuerName: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		_ = root.IssuerId.ApplyT(func(issuerId string) (pkisecret.GetBackendIssuerResult, error) {
			return pkisecret.GetBackendIssuerResult(interface{}(pkisecret.GetBackendIssuerOutput(ctx, pkisecret.GetBackendIssuerOutputArgs{
				Backend:   root.Path,
				IssuerRef: issuerId,
			}, nil))), nil
		}).(pkisecret.GetBackendIssuerResultOutput)
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var pki = new Vault.Mount("pki", new()
    {
        Path = "pki",
        Type = "pki",
        Description = "PKI secret engine mount",
    });

    var root = new Vault.PkiSecret.SecretBackendRootCert("root", new()
    {
        Backend = pki.Path,
        Type = "internal",
        CommonName = "example",
        Ttl = "86400",
        IssuerName = "example",
    });

    var example = Vault.PkiSecret.GetBackendIssuer.Invoke(new()
    {
        Backend = root.Path,
        IssuerRef = root.IssuerId,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRootCert;
import com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;
import com.pulumi.vault.pkiSecret.PkiSecretFunctions;
import com.pulumi.vault.pkiSecret.inputs.GetBackendIssuerArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var pki = new Mount("pki", MountArgs.builder()
            .path("pki")
            .type("pki")
            .description("PKI secret engine mount")
            .build());

        var root = new SecretBackendRootCert("root", SecretBackendRootCertArgs.builder()
            .backend(pki.path())
            .type("internal")
            .commonName("example")
            .ttl("86400")
            .issuerName("example")
            .build());

        final var example = root.issuerId().applyValue(_issuerId -> PkiSecretFunctions.getBackendIssuer(GetBackendIssuerArgs.builder()
            .backend(root.path())
            .issuerRef(_issuerId)
            .build()));

    }
}

resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      description: PKI secret engine mount
  root:
    type: vault:pkiSecret:SecretBackendRootCert
    properties:
      backend: ${pki.path}
      type: internal
      commonName: example
      ttl: '86400'
      issuerName: example
variables:
  example:
    fn::invoke:
      function: vault:pkiSecret:getBackendIssuer
      arguments:
        backend: ${root.path}
        issuerRef: ${root.issuerId}

Using getBackendIssuer

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getBackendIssuer(args: GetBackendIssuerArgs, opts?: InvokeOptions): Promise<GetBackendIssuerResult>
function getBackendIssuerOutput(args: GetBackendIssuerOutputArgs, opts?: InvokeOptions): Output<GetBackendIssuerResult>

def get_backend_issuer(backend: Optional[str] = None,
                       disable_critical_extension_checks: Optional[bool] = None,
                       disable_name_checks: Optional[bool] = None,
                       disable_name_constraint_checks: Optional[bool] = None,
                       disable_path_length_checks: Optional[bool] = None,
                       issuer_ref: Optional[str] = None,
                       namespace: Optional[str] = None,
                       opts: Optional[InvokeOptions] = None) -> GetBackendIssuerResult
def get_backend_issuer_output(backend: Optional[pulumi.Input[str]] = None,
                       disable_critical_extension_checks: Optional[pulumi.Input[bool]] = None,
                       disable_name_checks: Optional[pulumi.Input[bool]] = None,
                       disable_name_constraint_checks: Optional[pulumi.Input[bool]] = None,
                       disable_path_length_checks: Optional[pulumi.Input[bool]] = None,
                       issuer_ref: Optional[pulumi.Input[str]] = None,
                       namespace: Optional[pulumi.Input[str]] = None,
                       opts: Optional[InvokeOptions] = None) -> Output[GetBackendIssuerResult]

func GetBackendIssuer(ctx *Context, args *GetBackendIssuerArgs, opts ...InvokeOption) (*GetBackendIssuerResult, error)
func GetBackendIssuerOutput(ctx *Context, args *GetBackendIssuerOutputArgs, opts ...InvokeOption) GetBackendIssuerResultOutput

> Note: This function is named GetBackendIssuer in the Go SDK.

public static class GetBackendIssuer 
{
    public static Task<GetBackendIssuerResult> InvokeAsync(GetBackendIssuerArgs args, InvokeOptions? opts = null)
    public static Output<GetBackendIssuerResult> Invoke(GetBackendIssuerInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetBackendIssuerResult> getBackendIssuer(GetBackendIssuerArgs args, InvokeOptions options)
public static Output<GetBackendIssuerResult> getBackendIssuer(GetBackendIssuerArgs args, InvokeOptions options)

fn::invoke:
  function: vault:pkiSecret/getBackendIssuer:getBackendIssuer
  arguments:
    # arguments dictionary

The following arguments are supported:

Backend string: The path to the PKI secret backend to read the issuer from, with no leading or trailing /s.
IssuerRef string: Reference to an existing issuer.
DisableCriticalExtensionChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
DisableNameChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
DisableNameConstraintChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
DisablePathLengthChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
Namespace string: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

Backend string: The path to the PKI secret backend to read the issuer from, with no leading or trailing /s.
IssuerRef string: Reference to an existing issuer.
DisableCriticalExtensionChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
DisableNameChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
DisableNameConstraintChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
DisablePathLengthChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
Namespace string: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

backend String: The path to the PKI secret backend to read the issuer from, with no leading or trailing /s.
issuerRef String: Reference to an existing issuer.
disableCriticalExtensionChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
disableNameChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
disableNameConstraintChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
disablePathLengthChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
namespace String: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

backend string: The path to the PKI secret backend to read the issuer from, with no leading or trailing /s.
issuerRef string: Reference to an existing issuer.
disableCriticalExtensionChecks boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
disableNameChecks boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
disableNameConstraintChecks boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
disablePathLengthChecks boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
namespace string: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

backend str: The path to the PKI secret backend to read the issuer from, with no leading or trailing /s.
issuer_ref str: Reference to an existing issuer.
disable_critical_extension_checks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
disable_name_checks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
disable_name_constraint_checks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
disable_path_length_checks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
namespace str: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

backend String: The path to the PKI secret backend to read the issuer from, with no leading or trailing /s.
issuerRef String: Reference to an existing issuer.
disableCriticalExtensionChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
disableNameChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
disableNameConstraintChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
disablePathLengthChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
namespace String: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

getBackendIssuer Result

The following output properties are available:

Backend string
CaChains List<string>: The CA chain as a list of format specific certificates.
Certificate string: Certificate associated with this issuer.
Id string: The provider-assigned unique ID for this managed resource.
IssuerId string: ID of the issuer.
IssuerName string: Name of the issuer.
IssuerRef string
KeyId string: ID of the key used by the issuer.
LeafNotAfterBehavior string: Behavior of a leaf's NotAfter field during issuance.
ManualChains List<string>: Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
Usage string: Allowed usages for this issuer.
DisableCriticalExtensionChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
DisableNameChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
DisableNameConstraintChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
DisablePathLengthChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
Namespace string

Backend string
CaChains []string: The CA chain as a list of format specific certificates.
Certificate string: Certificate associated with this issuer.
Id string: The provider-assigned unique ID for this managed resource.
IssuerId string: ID of the issuer.
IssuerName string: Name of the issuer.
IssuerRef string
KeyId string: ID of the key used by the issuer.
LeafNotAfterBehavior string: Behavior of a leaf's NotAfter field during issuance.
ManualChains []string: Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
Usage string: Allowed usages for this issuer.
DisableCriticalExtensionChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
DisableNameChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
DisableNameConstraintChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
DisablePathLengthChecks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
Namespace string

backend String
caChains List<String>: The CA chain as a list of format specific certificates.
certificate String: Certificate associated with this issuer.
id String: The provider-assigned unique ID for this managed resource.
issuerId String: ID of the issuer.
issuerName String: Name of the issuer.
issuerRef String
keyId String: ID of the key used by the issuer.
leafNotAfterBehavior String: Behavior of a leaf's NotAfter field during issuance.
manualChains List<String>: Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
usage String: Allowed usages for this issuer.
disableCriticalExtensionChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
disableNameChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
disableNameConstraintChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
disablePathLengthChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
namespace String

backend string
caChains string[]: The CA chain as a list of format specific certificates.
certificate string: Certificate associated with this issuer.
id string: The provider-assigned unique ID for this managed resource.
issuerId string: ID of the issuer.
issuerName string: Name of the issuer.
issuerRef string
keyId string: ID of the key used by the issuer.
leafNotAfterBehavior string: Behavior of a leaf's NotAfter field during issuance.
manualChains string[]: Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
usage string: Allowed usages for this issuer.
disableCriticalExtensionChecks boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
disableNameChecks boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
disableNameConstraintChecks boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
disablePathLengthChecks boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
namespace string

backend str
ca_chains Sequence[str]: The CA chain as a list of format specific certificates.
certificate str: Certificate associated with this issuer.
id str: The provider-assigned unique ID for this managed resource.
issuer_id str: ID of the issuer.
issuer_name str: Name of the issuer.
issuer_ref str
key_id str: ID of the key used by the issuer.
leaf_not_after_behavior str: Behavior of a leaf's NotAfter field during issuance.
manual_chains Sequence[str]: Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
usage str: Allowed usages for this issuer.
disable_critical_extension_checks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
disable_name_checks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
disable_name_constraint_checks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
disable_path_length_checks bool: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
namespace str

backend String
caChains List<String>: The CA chain as a list of format specific certificates.
certificate String: Certificate associated with this issuer.
id String: The provider-assigned unique ID for this managed resource.
issuerId String: ID of the issuer.
issuerName String: Name of the issuer.
issuerRef String
keyId String: ID of the key used by the issuer.
leafNotAfterBehavior String: Behavior of a leaf's NotAfter field during issuance.
manualChains List<String>: Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
usage String: Allowed usages for this issuer.
disableCriticalExtensionChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
disableNameChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
disableNameConstraintChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
disablePathLengthChecks Boolean: This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
namespace String

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi

pulumi/pulumi-vault

vault.pkiSecret.getBackendIssuer

On this page

On this page

Example Usage

Using getBackendIssuer

getBackendIssuer Result

Package Details

On this page

On this page