vault.pkiSecret.SecretBackendRole
Creates a role on a PKI Secret Backend for Vault.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// Mount a PKI secrets engine at "pki"; lease TTLs are in seconds (1h default, 24h max).
const pki = new vault.Mount("pki", {
    path: "pki",
    type: "pki",
    defaultLeaseTtlSeconds: 3600,
    maxLeaseTtlSeconds: 86400,
});

// Issuance constraints for "my_role": 4096-bit RSA keys, a 1h certificate TTL,
// subject names limited to the listed domains and their subdomains, IP SANs permitted.
const roleArgs: vault.pkisecret.SecretBackendRoleArgs = {
    backend: pki.path,
    name: "my_role",
    ttl: "3600",
    allowIpSans: true,
    keyType: "rsa",
    keyBits: 4096,
    allowedDomains: ["example.com", "my.domain"],
    allowSubdomains: true,
};
const role = new vault.pkisecret.SecretBackendRole("role", roleArgs);
import pulumi
import pulumi_vault as vault
# Mount a PKI secrets engine at "pki"; lease TTLs are in seconds (1h default, 24h max).
pki = vault.Mount(
    "pki",
    path="pki",
    type="pki",
    default_lease_ttl_seconds=3600,
    max_lease_ttl_seconds=86400,
)

# Issuance constraints for "my_role": 4096-bit RSA keys, a 1h certificate TTL,
# subject names limited to the listed domains and their subdomains, IP SANs permitted.
role_args = {
    "backend": pki.path,
    "name": "my_role",
    "ttl": "3600",
    "allow_ip_sans": True,
    "key_type": "rsa",
    "key_bits": 4096,
    "allowed_domains": ["example.com", "my.domain"],
    "allow_subdomains": True,
}
role = vault.pki_secret.SecretBackendRole("role", **role_args)
package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Mount a PKI secrets engine at "pki"; lease TTLs are in seconds (1h default, 24h max).
		mountArgs := &vault.MountArgs{
			Path:                   pulumi.String("pki"),
			Type:                   pulumi.String("pki"),
			DefaultLeaseTtlSeconds: pulumi.Int(3600),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
		}
		pki, err := vault.NewMount(ctx, "pki", mountArgs)
		if err != nil {
			return err
		}

		// Subject names issued under "my_role" are limited to these domains and their subdomains.
		allowedDomains := pulumi.StringArray{
			pulumi.String("example.com"),
			pulumi.String("my.domain"),
		}

		// Issuance constraints: 4096-bit RSA keys, a 1h certificate TTL, IP SANs permitted.
		roleArgs := &pkisecret.SecretBackendRoleArgs{
			Backend:         pki.Path,
			Name:            pulumi.String("my_role"),
			Ttl:             pulumi.String("3600"),
			AllowIpSans:     pulumi.Bool(true),
			KeyType:         pulumi.String("rsa"),
			KeyBits:         pulumi.Int(4096),
			AllowedDomains:  allowedDomains,
			AllowSubdomains: pulumi.Bool(true),
		}
		if _, err = pkisecret.NewSecretBackendRole(ctx, "role", roleArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // Mount a PKI secrets engine at "pki"; lease TTLs are in seconds (1h default, 24h max).
    var mountArgs = new Vault.MountArgs
    {
        Path = "pki",
        Type = "pki",
        DefaultLeaseTtlSeconds = 3600,
        MaxLeaseTtlSeconds = 86400,
    };
    var pki = new Vault.Mount("pki", mountArgs);

    // Subject names issued under "my_role" are limited to these domains and their subdomains.
    string[] allowedDomains = { "example.com", "my.domain" };

    // Issuance constraints: 4096-bit RSA keys, a 1h certificate TTL, IP SANs permitted.
    var roleArgs = new Vault.PkiSecret.SecretBackendRoleArgs
    {
        Backend = pki.Path,
        Name = "my_role",
        Ttl = "3600",
        AllowIpSans = true,
        KeyType = "rsa",
        KeyBits = 4096,
        AllowedDomains = allowedDomains,
        AllowSubdomains = true,
    };
    var role = new Vault.PkiSecret.SecretBackendRole("role", roleArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRole;
import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the PKI mount and a role that constrains what that mount may issue. */
    public static void stack(Context ctx) {
        // Mount a PKI secrets engine at "pki"; lease TTLs are in seconds (1h default, 24h max).
        MountArgs mountArgs = MountArgs.builder()
            .path("pki")
            .type("pki")
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build();
        Mount pki = new Mount("pki", mountArgs);

        // Subject names issued under "my_role" are limited to these domains and their subdomains.
        List<String> allowedDomains = List.of("example.com", "my.domain");

        // Issuance constraints: 4096-bit RSA keys, a 1h certificate TTL, IP SANs permitted.
        SecretBackendRoleArgs roleArgs = SecretBackendRoleArgs.builder()
            .backend(pki.path())
            .name("my_role")
            .ttl("3600")
            .allowIpSans(true)
            .keyType("rsa")
            .keyBits(4096)
            .allowedDomains(allowedDomains)
            .allowSubdomains(true)
            .build();
        SecretBackendRole role = new SecretBackendRole("role", roleArgs);
    }
}
resources:
  # PKI secrets engine mounted at "pki"; lease TTLs are in seconds (1h default, 24h max).
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  # Role "my_role" on that mount: 4096-bit RSA keys, a 1h certificate TTL,
  # subject names limited to the listed domains and their subdomains, IP SANs allowed.
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
Create SecretBackendRole Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);
@overload
def SecretBackendRole(resource_name: str,
                      args: SecretBackendRoleArgs,
                      opts: Optional[ResourceOptions] = None)
@overload
def SecretBackendRole(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      backend: Optional[str] = None,
                      key_bits: Optional[int] = None,
                      server_flag: Optional[bool] = None,
                      allow_ip_sans: Optional[bool] = None,
                      allow_localhost: Optional[bool] = None,
                      allow_subdomains: Optional[bool] = None,
                      allow_wildcard_certificates: Optional[bool] = None,
                      allowed_domains: Optional[Sequence[str]] = None,
                      allowed_domains_template: Optional[bool] = None,
                      allowed_other_sans: Optional[Sequence[str]] = None,
                      allowed_serial_numbers: Optional[Sequence[str]] = None,
                      allowed_uri_sans: Optional[Sequence[str]] = None,
                      allowed_uri_sans_template: Optional[bool] = None,
                      allowed_user_ids: Optional[Sequence[str]] = None,
                      allow_bare_domains: Optional[bool] = None,
                      basic_constraints_valid_for_non_ca: Optional[bool] = None,
                      client_flag: Optional[bool] = None,
                      cn_validations: Optional[Sequence[str]] = None,
                      code_signing_flag: Optional[bool] = None,
                      countries: Optional[Sequence[str]] = None,
                      email_protection_flag: Optional[bool] = None,
                      enforce_hostnames: Optional[bool] = None,
                      ext_key_usage_oids: Optional[Sequence[str]] = None,
                      ext_key_usages: Optional[Sequence[str]] = None,
                      generate_lease: Optional[bool] = None,
                      allow_glob_domains: Optional[bool] = None,
                      issuer_ref: Optional[str] = None,
                      not_before_duration: Optional[str] = None,
                      key_usages: Optional[Sequence[str]] = None,
                      localities: Optional[Sequence[str]] = None,
                      max_ttl: Optional[str] = None,
                      name: Optional[str] = None,
                      namespace: Optional[str] = None,
                      no_store: Optional[bool] = None,
                      no_store_metadata: Optional[bool] = None,
                      not_after: Optional[str] = None,
                      key_type: Optional[str] = None,
                      organization_unit: Optional[Sequence[str]] = None,
                      organizations: Optional[Sequence[str]] = None,
                      policy_identifier: Optional[Sequence[SecretBackendRolePolicyIdentifierArgs]] = None,
                      policy_identifiers: Optional[Sequence[str]] = None,
                      postal_codes: Optional[Sequence[str]] = None,
                      provinces: Optional[Sequence[str]] = None,
                      require_cn: Optional[bool] = None,
                      serial_number_source: Optional[str] = None,
                      allow_any_name: Optional[bool] = None,
                      signature_bits: Optional[int] = None,
                      street_addresses: Optional[Sequence[str]] = None,
                      ttl: Optional[str] = None,
                      use_csr_common_name: Optional[bool] = None,
                      use_csr_sans: Optional[bool] = None,
                      use_pss: Optional[bool] = None)
func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)
public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)
public SecretBackendRole(String name, SecretBackendRoleArgs args)
public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)
type: vault:pkiSecret:SecretBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretBackendRoleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example: every input is shown with a placeholder value ("string", 0, false).
// It is not a working configuration; see the property descriptions below for each field.
var examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole = new Vault.PkiSecret.SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", new()
{
    Backend = "string", // mount path of the PKI backend, no leading or trailing "/"
    KeyBits = 0, // number of bits of generated keys
    ServerFlag = false,
    AllowIpSans = false,
    AllowLocalhost = false,
    AllowSubdomains = false,
    AllowWildcardCertificates = false, // flag to allow wildcard certificates
    AllowedDomains = new[]
    {
        "string",
    },
    AllowedDomainsTemplate = false,
    AllowedOtherSans = new[]
    {
        "string",
    },
    AllowedSerialNumbers = new[]
    {
        "string",
    },
    AllowedUriSans = new[]
    {
        "string",
    },
    AllowedUriSansTemplate = false,
    AllowedUserIds = new[]
    {
        "string",
    },
    AllowBareDomains = false,
    BasicConstraintsValidForNonCa = false,
    ClientFlag = false,
    CnValidations = new[]
    {
        "string",
    },
    CodeSigningFlag = false,
    Countries = new[]
    {
        "string",
    },
    EmailProtectionFlag = false,
    EnforceHostnames = false, // flag to allow only valid host names
    ExtKeyUsageOids = new[]
    {
        "string",
    },
    ExtKeyUsages = new[]
    {
        "string",
    },
    GenerateLease = false,
    AllowGlobDomains = false,
    IssuerRef = "string",
    NotBeforeDuration = "string",
    KeyUsages = new[]
    {
        "string",
    },
    Localities = new[]
    {
        "string",
    },
    MaxTtl = "string", // maximum lease TTL, in seconds
    Name = "string",
    Namespace = "string",
    NoStore = false, // flag to not store certificates in the storage backend
    NoStoreMetadata = false,
    NotAfter = "string",
    KeyType = "string",
    OrganizationUnit = new[]
    {
        "string",
    },
    Organizations = new[]
    {
        "string",
    },
    PolicyIdentifier = new[]
    {
        new Vault.PkiSecret.Inputs.SecretBackendRolePolicyIdentifierArgs
        {
            Oid = "string",
            Cps = "string",
            Notice = "string",
        },
    },
    PolicyIdentifiers = new[]
    {
        "string",
    },
    PostalCodes = new[]
    {
        "string",
    },
    Provinces = new[]
    {
        "string",
    },
    RequireCn = false,
    SerialNumberSource = "string",
    AllowAnyName = false, // flag to allow any name; keep false for a domain-scoped role
    SignatureBits = 0,
    StreetAddresses = new[]
    {
        "string",
    },
    Ttl = "string", // TTL, in seconds, for certificates issued against this role
    UseCsrCommonName = false,
    UseCsrSans = false,
    UsePss = false,
});
// Reference example: every input is shown with a placeholder value ("string", 0, false).
// It is not a working configuration; see the property descriptions below for each field.
example, err := pkisecret.NewSecretBackendRole(ctx, "examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", &pkisecret.SecretBackendRoleArgs{
	Backend:                   pulumi.String("string"), // mount path of the PKI backend, no leading or trailing "/"
	KeyBits:                   pulumi.Int(0),           // number of bits of generated keys
	ServerFlag:                pulumi.Bool(false),
	AllowIpSans:               pulumi.Bool(false),
	AllowLocalhost:            pulumi.Bool(false),
	AllowSubdomains:           pulumi.Bool(false),
	AllowWildcardCertificates: pulumi.Bool(false), // flag to allow wildcard certificates
	AllowedDomains: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedDomainsTemplate: pulumi.Bool(false),
	AllowedOtherSans: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedSerialNumbers: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedUriSans: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowedUriSansTemplate: pulumi.Bool(false),
	AllowedUserIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	AllowBareDomains:              pulumi.Bool(false),
	BasicConstraintsValidForNonCa: pulumi.Bool(false),
	ClientFlag:                    pulumi.Bool(false),
	CnValidations: pulumi.StringArray{
		pulumi.String("string"),
	},
	CodeSigningFlag: pulumi.Bool(false),
	Countries: pulumi.StringArray{
		pulumi.String("string"),
	},
	EmailProtectionFlag: pulumi.Bool(false),
	EnforceHostnames:    pulumi.Bool(false), // flag to allow only valid host names
	ExtKeyUsageOids: pulumi.StringArray{
		pulumi.String("string"),
	},
	ExtKeyUsages: pulumi.StringArray{
		pulumi.String("string"),
	},
	GenerateLease:     pulumi.Bool(false),
	AllowGlobDomains:  pulumi.Bool(false),
	IssuerRef:         pulumi.String("string"),
	NotBeforeDuration: pulumi.String("string"),
	KeyUsages: pulumi.StringArray{
		pulumi.String("string"),
	},
	Localities: pulumi.StringArray{
		pulumi.String("string"),
	},
	MaxTtl:          pulumi.String("string"), // maximum lease TTL, in seconds
	Name:            pulumi.String("string"),
	Namespace:       pulumi.String("string"),
	NoStore:         pulumi.Bool(false), // flag to not store certificates in the storage backend
	NoStoreMetadata: pulumi.Bool(false),
	NotAfter:        pulumi.String("string"),
	KeyType:         pulumi.String("string"),
	OrganizationUnit: pulumi.StringArray{
		pulumi.String("string"),
	},
	Organizations: pulumi.StringArray{
		pulumi.String("string"),
	},
	PolicyIdentifier: pkisecret.SecretBackendRolePolicyIdentifierArray{
		&pkisecret.SecretBackendRolePolicyIdentifierArgs{
			Oid:    pulumi.String("string"),
			Cps:    pulumi.String("string"),
			Notice: pulumi.String("string"),
		},
	},
	PolicyIdentifiers: pulumi.StringArray{
		pulumi.String("string"),
	},
	PostalCodes: pulumi.StringArray{
		pulumi.String("string"),
	},
	Provinces: pulumi.StringArray{
		pulumi.String("string"),
	},
	RequireCn:          pulumi.Bool(false),
	SerialNumberSource: pulumi.String("string"),
	AllowAnyName:       pulumi.Bool(false), // flag to allow any name; keep false for a domain-scoped role
	SignatureBits:      pulumi.Int(0),
	StreetAddresses: pulumi.StringArray{
		pulumi.String("string"),
	},
	Ttl:              pulumi.String("string"), // TTL, in seconds, for certificates issued against this role
	UseCsrCommonName: pulumi.Bool(false),
	UseCsrSans:       pulumi.Bool(false),
	UsePss:           pulumi.Bool(false),
})
// Reference example: every input is shown with a placeholder value ("string", 0, false).
// It is not a working configuration; see the property descriptions below for each field.
var examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole = new com.pulumi.vault.pkiSecret.SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", com.pulumi.vault.pkiSecret.SecretBackendRoleArgs.builder()
    .backend("string") // mount path of the PKI backend, no leading or trailing "/"
    .keyBits(0) // number of bits of generated keys
    .serverFlag(false)
    .allowIpSans(false)
    .allowLocalhost(false)
    .allowSubdomains(false)
    .allowWildcardCertificates(false) // flag to allow wildcard certificates
    .allowedDomains("string")
    .allowedDomainsTemplate(false)
    .allowedOtherSans("string")
    .allowedSerialNumbers("string")
    .allowedUriSans("string")
    .allowedUriSansTemplate(false)
    .allowedUserIds("string")
    .allowBareDomains(false)
    .basicConstraintsValidForNonCa(false)
    .clientFlag(false)
    .cnValidations("string")
    .codeSigningFlag(false)
    .countries("string")
    .emailProtectionFlag(false)
    .enforceHostnames(false) // flag to allow only valid host names
    .extKeyUsageOids("string")
    .extKeyUsages("string")
    .generateLease(false)
    .allowGlobDomains(false)
    .issuerRef("string")
    .notBeforeDuration("string")
    .keyUsages("string")
    .localities("string")
    .maxTtl("string") // maximum lease TTL, in seconds
    .name("string")
    .namespace("string")
    .noStore(false) // flag to not store certificates in the storage backend
    .noStoreMetadata(false)
    .notAfter("string")
    .keyType("string")
    .organizationUnit("string")
    .organizations("string")
    .policyIdentifier(SecretBackendRolePolicyIdentifierArgs.builder()
        .oid("string")
        .cps("string")
        .notice("string")
        .build())
    .policyIdentifiers("string")
    .postalCodes("string")
    .provinces("string")
    .requireCn(false)
    .serialNumberSource("string")
    .allowAnyName(false) // flag to allow any name; keep false for a domain-scoped role
    .signatureBits(0)
    .streetAddresses("string")
    .ttl("string") // TTL, in seconds, for certificates issued against this role
    .useCsrCommonName(false)
    .useCsrSans(false)
    .usePss(false)
    .build());
# Reference example: every input is shown with a placeholder value ("string", 0, False).
# It is not a working configuration; see the property descriptions below for each field.
examplesecret_backend_role_resource_resource_from_pki_secretsecret_backend_role = vault.pki_secret.SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole",
    backend="string",  # mount path of the PKI backend, no leading or trailing "/"
    key_bits=0,  # number of bits of generated keys
    server_flag=False,
    allow_ip_sans=False,
    allow_localhost=False,
    allow_subdomains=False,
    allow_wildcard_certificates=False,  # flag to allow wildcard certificates
    allowed_domains=["string"],
    allowed_domains_template=False,
    allowed_other_sans=["string"],
    allowed_serial_numbers=["string"],
    allowed_uri_sans=["string"],
    allowed_uri_sans_template=False,
    allowed_user_ids=["string"],
    allow_bare_domains=False,
    basic_constraints_valid_for_non_ca=False,
    client_flag=False,
    cn_validations=["string"],
    code_signing_flag=False,
    countries=["string"],
    email_protection_flag=False,
    enforce_hostnames=False,  # flag to allow only valid host names
    ext_key_usage_oids=["string"],
    ext_key_usages=["string"],
    generate_lease=False,
    allow_glob_domains=False,
    issuer_ref="string",
    not_before_duration="string",
    key_usages=["string"],
    localities=["string"],
    max_ttl="string",  # maximum lease TTL, in seconds
    name="string",
    namespace="string",
    no_store=False,  # flag to not store certificates in the storage backend
    no_store_metadata=False,
    not_after="string",
    key_type="string",
    organization_unit=["string"],
    organizations=["string"],
    policy_identifier=[{
        "oid": "string",
        "cps": "string",
        "notice": "string",
    }],
    policy_identifiers=["string"],
    postal_codes=["string"],
    provinces=["string"],
    require_cn=False,
    serial_number_source="string",
    allow_any_name=False,  # flag to allow any name; keep False for a domain-scoped role
    signature_bits=0,
    street_addresses=["string"],
    ttl="string",  # TTL, in seconds, for certificates issued against this role
    use_csr_common_name=False,
    use_csr_sans=False,
    use_pss=False)
// Reference example: every input is shown with a placeholder value ("string", 0, false).
// It is not a working configuration; see the property descriptions below for each field.
const examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole = new vault.pkisecret.SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", {
    backend: "string", // mount path of the PKI backend, no leading or trailing "/"
    keyBits: 0, // number of bits of generated keys
    serverFlag: false,
    allowIpSans: false,
    allowLocalhost: false,
    allowSubdomains: false,
    allowWildcardCertificates: false, // flag to allow wildcard certificates
    allowedDomains: ["string"],
    allowedDomainsTemplate: false,
    allowedOtherSans: ["string"],
    allowedSerialNumbers: ["string"],
    allowedUriSans: ["string"],
    allowedUriSansTemplate: false,
    allowedUserIds: ["string"],
    allowBareDomains: false,
    basicConstraintsValidForNonCa: false,
    clientFlag: false,
    cnValidations: ["string"],
    codeSigningFlag: false,
    countries: ["string"],
    emailProtectionFlag: false,
    enforceHostnames: false, // flag to allow only valid host names
    extKeyUsageOids: ["string"],
    extKeyUsages: ["string"],
    generateLease: false,
    allowGlobDomains: false,
    issuerRef: "string",
    notBeforeDuration: "string",
    keyUsages: ["string"],
    localities: ["string"],
    maxTtl: "string", // maximum lease TTL, in seconds
    name: "string",
    namespace: "string",
    noStore: false, // flag to not store certificates in the storage backend
    noStoreMetadata: false,
    notAfter: "string",
    keyType: "string",
    organizationUnit: ["string"],
    organizations: ["string"],
    policyIdentifier: [{
        oid: "string",
        cps: "string",
        notice: "string",
    }],
    policyIdentifiers: ["string"],
    postalCodes: ["string"],
    provinces: ["string"],
    requireCn: false,
    serialNumberSource: "string",
    allowAnyName: false, // flag to allow any name; keep false for a domain-scoped role
    signatureBits: 0,
    streetAddresses: ["string"],
    ttl: "string", // TTL, in seconds, for certificates issued against this role
    useCsrCommonName: false,
    useCsrSans: false,
    usePss: false,
});
# Reference example: every input is shown with a placeholder value (string, 0, false).
# It is not a working configuration; see the property descriptions below for each field.
type: vault:pkiSecret:SecretBackendRole
properties:
    allowAnyName: false  # flag to allow any name; keep false for a domain-scoped role
    allowBareDomains: false
    allowGlobDomains: false
    allowIpSans: false
    allowLocalhost: false
    allowSubdomains: false
    allowWildcardCertificates: false  # flag to allow wildcard certificates
    allowedDomains:
        - string
    allowedDomainsTemplate: false
    allowedOtherSans:
        - string
    allowedSerialNumbers:
        - string
    allowedUriSans:
        - string
    allowedUriSansTemplate: false
    allowedUserIds:
        - string
    backend: string  # mount path of the PKI backend, no leading or trailing "/"
    basicConstraintsValidForNonCa: false
    clientFlag: false
    cnValidations:
        - string
    codeSigningFlag: false
    countries:
        - string
    emailProtectionFlag: false
    enforceHostnames: false  # flag to allow only valid host names
    extKeyUsageOids:
        - string
    extKeyUsages:
        - string
    generateLease: false
    issuerRef: string
    keyBits: 0  # number of bits of generated keys
    keyType: string
    keyUsages:
        - string
    localities:
        - string
    maxTtl: string  # maximum lease TTL, in seconds
    name: string
    namespace: string
    noStore: false  # flag to not store certificates in the storage backend
    noStoreMetadata: false
    notAfter: string
    notBeforeDuration: string
    organizationUnit:
        - string
    organizations:
        - string
    policyIdentifier:
        - cps: string
          notice: string
          oid: string
    policyIdentifiers:
        - string
    postalCodes:
        - string
    provinces:
        - string
    requireCn: false
    serialNumberSource: string
    serverFlag: false
    signatureBits: 0
    streetAddresses:
        - string
    ttl: string  # TTL, in seconds, for certificates issued against this role
    useCsrCommonName: false
    useCsrSans: false
    usePss: false
SecretBackendRole Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SecretBackendRole resource accepts the following input properties:
- Backend string
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- AllowAnyName bool
- Flag to allow any name
- AllowBareDomains bool
- Flag to allow certificates matching the actual domain
- AllowGlobDomains bool
- Flag to allow names containing glob patterns.
- AllowIpSans bool
- Flag to allow IP SANs
- AllowLocalhost bool
- Flag to allow certificates for localhost
- AllowSubdomains bool
- Flag to allow certificates matching subdomains
- AllowWildcardCertificates bool
- Flag to allow wildcard certificates.
- AllowedDomains List<string>
- List of allowed domains for certificates
- AllowedDomainsTemplate bool
- Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- AllowedOtherSans List<string>
- Defines allowed custom SANs
- AllowedSerialNumbers List<string>
- An array of allowed serial numbers to put in Subject
- AllowedUriSans List<string>
- Defines allowed URI SANs
- AllowedUriSansTemplate bool
- Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- AllowedUserIds List<string>
- Defines allowed User IDs
- BasicConstraintsValidForNonCa bool
- Flag to mark basic constraints valid when issuing non-CA certificates
- ClientFlag bool
- Flag to specify certificates for client use
- CnValidations List<string>
- Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
- CodeSigningFlag bool
- Flag to specify certificates for code signing use
- Countries List<string>
- The country of generated certificates
- EmailProtectionFlag bool
- Flag to specify certificates for email protection use
- EnforceHostnames bool
- Flag to allow only valid host names
- ExtKeyUsageOids List<string>
- Specify the allowed extended key usage OIDs constraint on issued certificates
- ExtKeyUsages List<string>
- Specify the allowed extended key usage constraint on issued certificates
- GenerateLease bool
- Flag to generate leases with certificates
- IssuerRef string
- Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
- KeyBits int
- The number of bits of generated keys
- KeyType string
- The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
- KeyUsages List<string>
- Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
- Localities List<string>
- The locality of generated certificates
- MaxTtl string
- The maximum lease TTL, in seconds, for the role.
- Name string
- The name to identify this role within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- NoStore bool
- Flag to not store certificates in the storage backend
- NoStoreMetadata bool
- Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
- NotAfter string
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- NotBeforeDuration string
- Specifies the duration by which to backdate the NotBefore property.
- OrganizationUnit List<string>
- The organization unit of generated certificates
- Organizations List<string>
- The organization of generated certificates
- PolicyIdentifier List<SecretBackendRolePolicyIdentifier>
- (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
- PolicyIdentifiers List<string>
- Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
- PostalCodes List<string>
- The postal code of generated certificates
- Provinces List<string>
- The province of generated certificates
- RequireCn bool
- Flag to force CN usage
- SerialNumberSource string
- Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
- Example usage:
  resources:
    pki:
      type: vault:Mount
      properties:
        path: pki
        type: pki
        defaultLeaseTtlSeconds: 3600
        maxLeaseTtlSeconds: 86400
    role:
      type: vault:pkiSecret:SecretBackendRole
      properties:
        backend: ${pki.path}
        name: my_role
        ttl: 3600
        allowIpSans: true
        keyType: rsa
        keyBits: 4096
        allowedDomains:
          - example.com
          - my.domain
        allowSubdomains: true
        policyIdentifiers:
          - oid: 1.3.6.1.4.1.7.8
            notice: I am a user Notice
          - oid: 1.3.6.1.4.1.44947.1.2.4
            cps: https://example.com
- ServerFlag bool
- Flag to specify certificates for server use
- SignatureBits int
- The number of bits to use in the signature algorithm
- StreetAddresses List<string>
- The street address of generated certificates
- Ttl string
- The TTL, in seconds, for any certificate issued against this role.
- UseCsrCommonName bool
- Flag to use the CN in the CSR
- UseCsrSans bool
- Flag to use the SANs in the CSR
- UsePss bool
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
- Backend string
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- AllowAnyName bool
- Flag to allow any name
- AllowBareDomains bool
- Flag to allow certificates matching the actual domain
- AllowGlobDomains bool
- Flag to allow names containing glob patterns.
- AllowIpSans bool
- Flag to allow IP SANs
- AllowLocalhost bool
- Flag to allow certificates for localhost
- AllowSubdomains bool
- Flag to allow certificates matching subdomains
- AllowWildcardCertificates bool
- Flag to allow wildcard certificates.
- AllowedDomains []string
- List of allowed domains for certificates
- AllowedDomainsTemplate bool
- Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- AllowedOtherSans []string
- Defines allowed custom SANs
- AllowedSerialNumbers []string
- An array of allowed serial numbers to put in Subject
- AllowedUriSans []string
- Defines allowed URI SANs
- AllowedUriSansTemplate bool
- Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- AllowedUserIds []string
- Defines allowed User IDs
- BasicConstraintsValidForNonCa bool
- Flag to mark basic constraints valid when issuing non-CA certificates
- ClientFlag bool
- Flag to specify certificates for client use
- CnValidations []string
- Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
- CodeSigningFlag bool
- Flag to specify certificates for code signing use
- Countries []string
- The country of generated certificates
- EmailProtectionFlag bool
- Flag to specify certificates for email protection use
- EnforceHostnames bool
- Flag to allow only valid host names
- ExtKeyUsageOids []string
- Specify the allowed extended key usage OIDs constraint on issued certificates
- ExtKeyUsages []string
- Specify the allowed extended key usage constraint on issued certificates
- GenerateLease bool
- Flag to generate leases with certificates
- IssuerRef string
- Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value.
- KeyBits int
- The number of bits of generated keys
- KeyType string
- The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
- KeyUsages []string
- Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
- Localities []string
- The locality of generated certificates
- MaxTtl string
- The maximum lease TTL, in seconds, for the role.
- Name string
- The name to identify this role within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- NoStore bool
- Flag to not store certificates in the storage backend
- NoStoreMetadata bool
- Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs.
- NotAfter string
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- NotBeforeDuration string
- Specifies the duration by which to backdate the NotBefore property.
- OrganizationUnit []string
- The organization unit of generated certificates
- Organizations []string
- The organization of generated certificates
- PolicyIdentifier []SecretBackendRolePolicyIdentifierArgs
- (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
- PolicyIdentifiers []string
- Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
- PostalCodes []string
- The postal code of generated certificates
- Provinces []string
- The province of generated certificates
- RequireCn bool
- Flag to force CN usage
- SerialNumberSource string
- Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
- Example usage:
  resources:
    pki:
      type: vault:Mount
      properties:
        path: pki
        type: pki
        defaultLeaseTtlSeconds: 3600
        maxLeaseTtlSeconds: 86400
    role:
      type: vault:pkiSecret:SecretBackendRole
      properties:
        backend: ${pki.path}
        name: my_role
        ttl: 3600
        allowIpSans: true
        keyType: rsa
        keyBits: 4096
        allowedDomains:
          - example.com
          - my.domain
        allowSubdomains: true
        policyIdentifiers:
          - oid: 1.3.6.1.4.1.7.8
            notice: I am a user Notice
          - oid: 1.3.6.1.4.1.44947.1.2.4
            cps: https://example.com
- ServerFlag bool
- Flag to specify certificates for server use
- SignatureBits int
- The number of bits to use in the signature algorithm
- StreetAddresses []string
- The street address of generated certificates
- Ttl string
- The TTL, in seconds, for any certificate issued against this role.
- UseCsrCommonName bool
- Flag to use the CN in the CSR
- UseCsrSans bool
- Flag to use the SANs in the CSR
- UsePss bool
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
- backend String
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- allowAnyName Boolean
- Flag to allow any name
- allowBareDomains Boolean
- Flag to allow certificates matching the actual domain
- allowGlobDomains Boolean
- Flag to allow names containing glob patterns.
- allowIpSans Boolean
- Flag to allow IP SANs
- allowLocalhost Boolean
- Flag to allow certificates for localhost
- allowSubdomains Boolean
- Flag to allow certificates matching subdomains
- allowWildcardCertificates Boolean
- Flag to allow wildcard certificates.
- allowedDomains List<String>
- List of allowed domains for certificates
- allowedDomainsTemplate Boolean
- Flag; if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- allowedOtherSans List<String>
- Defines allowed custom SANs
- allowedSerialNumbers List<String>
- An array of allowed serial numbers to put in Subject
- allowedUriSans List<String>
- Defines allowed URI SANs
- allowedUriSansTemplate Boolean
- Flag; if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- allowedUserIds List<String>
- Defines allowed User IDs
- basicConstraintsValidForNonCa Boolean
- Flag to mark basic constraints valid when issuing non-CA certificates
- clientFlag Boolean
- Flag to specify certificates for client use
- cnValidations List<String>
- Validations to run on the Common Name field of the certificate, choices: email,hostname,disabled
- codeSigningFlag Boolean
- Flag to specify certificates for code signing use
- countries List<String>
- The country of generated certificates
- emailProtectionFlag Boolean
- Flag to specify certificates for email protection use
- enforceHostnames Boolean
- Flag to allow only valid host names
- extKeyUsageOids List<String>
- Specify the allowed extended key usage OIDs constraint on issued certificates
- extKeyUsages List<String>
- Specify the allowed extended key usage constraint on issued certificates
- generateLease Boolean
- Flag to generate leases with certificates
- issuerRef String
- Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
- keyBits Integer
- The number of bits of generated keys
- keyType String
- The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
- keyUsages List<String>
- Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
- localities List<String>
- The locality of generated certificates
- maxTtl String
- The maximum lease TTL, in seconds, for the role.
- name String
- The name to identify this role within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- noStore Boolean
- Flag to not store certificates in the storage backend
- noStoreMetadata Boolean
- Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs.
- notAfter String
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- notBeforeDuration String
- Specifies the duration by which to backdate the NotBefore property.
- organizationUnit List<String>
- The organization unit of generated certificates
- organizations List<String>
- The organization of generated certificates
- policyIdentifier List<SecretBackendRolePolicyIdentifier>
- (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
- policyIdentifiers List<String>
- Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
- postalCodes List<String>
- The postal code of generated certificates
- provinces List<String>
- The province of generated certificates
- requireCn Boolean
- Flag to force CN usage
- serialNumberSource String
- Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
- Example usage:
  resources:
    pki:
      type: vault:Mount
      properties:
        path: pki
        type: pki
        defaultLeaseTtlSeconds: 3600
        maxLeaseTtlSeconds: 86400
    role:
      type: vault:pkiSecret:SecretBackendRole
      properties:
        backend: ${pki.path}
        name: my_role
        ttl: 3600
        allowIpSans: true
        keyType: rsa
        keyBits: 4096
        allowedDomains:
          - example.com
          - my.domain
        allowSubdomains: true
        policyIdentifiers:
          - oid: 1.3.6.1.4.1.7.8
            notice: I am a user Notice
          - oid: 1.3.6.1.4.1.44947.1.2.4
            cps: https://example.com
- serverFlag Boolean
- Flag to specify certificates for server use
- signatureBits Integer
- The number of bits to use in the signature algorithm
- streetAddresses List<String>
- The street address of generated certificates
- ttl String
- The TTL, in seconds, for any certificate issued against this role.
- useCsrCommonName Boolean
- Flag to use the CN in the CSR
- useCsrSans Boolean
- Flag to use the SANs in the CSR
- usePss Boolean
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
- backend string
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- allowAnyName boolean
- Flag to allow any name
- allowBareDomains boolean
- Flag to allow certificates matching the actual domain
- allowGlobDomains boolean
- Flag to allow names containing glob patterns.
- allowIpSans boolean
- Flag to allow IP SANs
- allowLocalhost boolean
- Flag to allow certificates for localhost
- allowSubdomains boolean
- Flag to allow certificates matching subdomains
- allowWildcardCertificates boolean
- Flag to allow wildcard certificates.
- allowedDomains string[]
- List of allowed domains for certificates
- allowedDomainsTemplate boolean
- Flag; if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- allowedOtherSans string[]
- Defines allowed custom SANs
- allowedSerialNumbers string[]
- An array of allowed serial numbers to put in Subject
- allowedUriSans string[]
- Defines allowed URI SANs
- allowedUriSansTemplate boolean
- Flag; if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- allowedUserIds string[]
- Defines allowed User IDs
- basicConstraintsValidForNonCa boolean
- Flag to mark basic constraints valid when issuing non-CA certificates
- clientFlag boolean
- Flag to specify certificates for client use
- cnValidations string[]
- Validations to run on the Common Name field of the certificate, choices: email,hostname,disabled
- codeSigningFlag boolean
- Flag to specify certificates for code signing use
- countries string[]
- The country of generated certificates
- emailProtectionFlag boolean
- Flag to specify certificates for email protection use
- enforceHostnames boolean
- Flag to allow only valid host names
- extKeyUsageOids string[]
- Specify the allowed extended key usage OIDs constraint on issued certificates
- extKeyUsages string[]
- Specify the allowed extended key usage constraint on issued certificates
- generateLease boolean
- Flag to generate leases with certificates
- issuerRef string
- Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
- keyBits number
- The number of bits of generated keys
- keyType string
- The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
- keyUsages string[]
- Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
- localities string[]
- The locality of generated certificates
- maxTtl string
- The maximum lease TTL, in seconds, for the role.
- name string
- The name to identify this role within the backend. Must be unique within the backend.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- noStore boolean
- Flag to not store certificates in the storage backend
- noStoreMetadata boolean
- Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs.
- notAfter string
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- notBeforeDuration string
- Specifies the duration by which to backdate the NotBefore property.
- organizationUnit string[]
- The organization unit of generated certificates
- organizations string[]
- The organization of generated certificates
- policyIdentifier SecretBackendRolePolicyIdentifier[]
- (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
- policyIdentifiers string[]
- Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
- postalCodes string[]
- The postal code of generated certificates
- provinces string[]
- The province of generated certificates
- requireCn boolean
- Flag to force CN usage
- serialNumberSource string
- Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
- Example usage:
  resources:
    pki:
      type: vault:Mount
      properties:
        path: pki
        type: pki
        defaultLeaseTtlSeconds: 3600
        maxLeaseTtlSeconds: 86400
    role:
      type: vault:pkiSecret:SecretBackendRole
      properties:
        backend: ${pki.path}
        name: my_role
        ttl: 3600
        allowIpSans: true
        keyType: rsa
        keyBits: 4096
        allowedDomains:
          - example.com
          - my.domain
        allowSubdomains: true
        policyIdentifiers:
          - oid: 1.3.6.1.4.1.7.8
            notice: I am a user Notice
          - oid: 1.3.6.1.4.1.44947.1.2.4
            cps: https://example.com
- serverFlag boolean
- Flag to specify certificates for server use
- signatureBits number
- The number of bits to use in the signature algorithm
- streetAddresses string[]
- The street address of generated certificates
- ttl string
- The TTL, in seconds, for any certificate issued against this role.
- useCsrCommonName boolean
- Flag to use the CN in the CSR
- useCsrSans boolean
- Flag to use the SANs in the CSR
- usePss boolean
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
- backend str
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- allow_any_name bool
- Flag to allow any name
- allow_bare_domains bool
- Flag to allow certificates matching the actual domain
- allow_glob_domains bool
- Flag to allow names containing glob patterns.
- allow_ip_sans bool
- Flag to allow IP SANs
- allow_localhost bool
- Flag to allow certificates for localhost
- allow_subdomains bool
- Flag to allow certificates matching subdomains
- allow_wildcard_certificates bool
- Flag to allow wildcard certificates.
- allowed_domains Sequence[str]
- List of allowed domains for certificates
- allowed_domains_template bool
- Flag; if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- allowed_other_sans Sequence[str]
- Defines allowed custom SANs
- allowed_serial_numbers Sequence[str]
- An array of allowed serial numbers to put in Subject
- allowed_uri_sans Sequence[str]
- Defines allowed URI SANs
- allowed_uri_sans_template bool
- Flag; if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- allowed_user_ids Sequence[str]
- Defines allowed User IDs
- basic_constraints_valid_for_non_ca bool
- Flag to mark basic constraints valid when issuing non-CA certificates
- client_flag bool
- Flag to specify certificates for client use
- cn_validations Sequence[str]
- Validations to run on the Common Name field of the certificate, choices: email,hostname,disabled
- code_signing_flag bool
- Flag to specify certificates for code signing use
- countries Sequence[str]
- The country of generated certificates
- email_protection_flag bool
- Flag to specify certificates for email protection use
- enforce_hostnames bool
- Flag to allow only valid host names
- ext_key_usage_oids Sequence[str]
- Specify the allowed extended key usage OIDs constraint on issued certificates
- ext_key_usages Sequence[str]
- Specify the allowed extended key usage constraint on issued certificates
- generate_lease bool
- Flag to generate leases with certificates
- issuer_ref str
- Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
- key_bits int
- The number of bits of generated keys
- key_type str
- The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
- key_usages Sequence[str]
- Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
- localities Sequence[str]
- The locality of generated certificates
- max_ttl str
- The maximum lease TTL, in seconds, for the role.
- name str
- The name to identify this role within the backend. Must be unique within the backend.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- no_store bool
- Flag to not store certificates in the storage backend
- no_store_metadata bool
- Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs.
- not_after str
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- not_before_duration str
- Specifies the duration by which to backdate the NotBefore property.
- organization_unit Sequence[str]
- The organization unit of generated certificates
- organizations Sequence[str]
- The organization of generated certificates
- policy_identifier Sequence[SecretBackendRolePolicyIdentifierArgs]
- (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
- policy_identifiers Sequence[str]
- Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
- postal_codes Sequence[str]
- The postal code of generated certificates
- provinces Sequence[str]
- The province of generated certificates
- require_cn bool
- Flag to force CN usage
- serial_number_source str
- Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
- Example usage:
  resources:
    pki:
      type: vault:Mount
      properties:
        path: pki
        type: pki
        defaultLeaseTtlSeconds: 3600
        maxLeaseTtlSeconds: 86400
    role:
      type: vault:pkiSecret:SecretBackendRole
      properties:
        backend: ${pki.path}
        name: my_role
        ttl: 3600
        allowIpSans: true
        keyType: rsa
        keyBits: 4096
        allowedDomains:
          - example.com
          - my.domain
        allowSubdomains: true
        policyIdentifiers:
          - oid: 1.3.6.1.4.1.7.8
            notice: I am a user Notice
          - oid: 1.3.6.1.4.1.44947.1.2.4
            cps: https://example.com
- server_flag bool
- Flag to specify certificates for server use
- signature_bits int
- The number of bits to use in the signature algorithm
- street_addresses Sequence[str]
- The street address of generated certificates
- ttl str
- The TTL, in seconds, for any certificate issued against this role.
- use_csr_common_name bool
- Flag to use the CN in the CSR
- use_csr_sans bool
- Flag to use the SANs in the CSR
- use_pss bool
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
- backend String
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- allowAnyName Boolean
- Flag to allow any name
- allowBareDomains Boolean
- Flag to allow certificates matching the actual domain
- allowGlobDomains Boolean
- Flag to allow names containing glob patterns.
- allowIpSans Boolean
- Flag to allow IP SANs
- allowLocalhost Boolean
- Flag to allow certificates for localhost
- allowSubdomains Boolean
- Flag to allow certificates matching subdomains
- allowWildcardCertificates Boolean
- Flag to allow wildcard certificates.
- allowedDomains List<String>
- List of allowed domains for certificates
- allowedDomainsTemplate Boolean
- Flag; if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- allowedOtherSans List<String>
- Defines allowed custom SANs
- allowedSerialNumbers List<String>
- An array of allowed serial numbers to put in Subject
- allowedUriSans List<String>
- Defines allowed URI SANs
- allowedUriSansTemplate Boolean
- Flag; if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- allowedUserIds List<String>
- Defines allowed User IDs
- basicConstraintsValidForNonCa Boolean
- Flag to mark basic constraints valid when issuing non-CA certificates
- clientFlag Boolean
- Flag to specify certificates for client use
- cnValidations List<String>
- Validations to run on the Common Name field of the certificate, choices: email,hostname,disabled
- codeSigningFlag Boolean
- Flag to specify certificates for code signing use
- countries List<String>
- The country of generated certificates
- emailProtectionFlag Boolean
- Flag to specify certificates for email protection use
- enforceHostnames Boolean
- Flag to allow only valid host names
- extKeyUsageOids List<String>
- Specify the allowed extended key usage OIDs constraint on issued certificates
- extKeyUsages List<String>
- Specify the allowed extended key usage constraint on issued certificates
- generateLease Boolean
- Flag to generate leases with certificates
- issuerRef String
- Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
- keyBits Number
- The number of bits of generated keys
- keyType String
- The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
- keyUsages List<String>
- Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
- localities List<String>
- The locality of generated certificates
- maxTtl String
- The maximum lease TTL, in seconds, for the role.
- name String
- The name to identify this role within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- noStore Boolean
- Flag to not store certificates in the storage backend
- noStoreMetadata Boolean
- Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs.
- notAfter String
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- notBeforeDuration String
- Specifies the duration by which to backdate the NotBefore property.
- organizationUnit List<String>
- The organization unit of generated certificates
- organizations List<String>
- The organization of generated certificates
- policyIdentifier List<Property Map>
- (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
- policyIdentifiers List<String>
- Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
- postalCodes List<String>
- The postal code of generated certificates
- provinces List<String>
- The province of generated certificates
- requireCn Boolean
- Flag to force CN usage
- serialNumberSource String
- Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.
- Example usage:
  resources:
    pki:
      type: vault:Mount
      properties:
        path: pki
        type: pki
        defaultLeaseTtlSeconds: 3600
        maxLeaseTtlSeconds: 86400
    role:
      type: vault:pkiSecret:SecretBackendRole
      properties:
        backend: ${pki.path}
        name: my_role
        ttl: 3600
        allowIpSans: true
        keyType: rsa
        keyBits: 4096
        allowedDomains:
          - example.com
          - my.domain
        allowSubdomains: true
        policyIdentifiers:
          - oid: 1.3.6.1.4.1.7.8
            notice: I am a user Notice
          - oid: 1.3.6.1.4.1.44947.1.2.4
            cps: https://example.com
- serverFlag Boolean
- Flag to specify certificates for server use
- signatureBits Number
- The number of bits to use in the signature algorithm
- streetAddresses List<String>
- The street address of generated certificates
- ttl String
- The TTL, in seconds, for any certificate issued against this role.
- useCsrCommonName Boolean
- Flag to use the CN in the CSR
- useCsrSans Boolean
- Flag to use the SANs in the CSR
- usePss Boolean
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing SecretBackendRole Resource
Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allow_any_name: Optional[bool] = None,
        allow_bare_domains: Optional[bool] = None,
        allow_glob_domains: Optional[bool] = None,
        allow_ip_sans: Optional[bool] = None,
        allow_localhost: Optional[bool] = None,
        allow_subdomains: Optional[bool] = None,
        allow_wildcard_certificates: Optional[bool] = None,
        allowed_domains: Optional[Sequence[str]] = None,
        allowed_domains_template: Optional[bool] = None,
        allowed_other_sans: Optional[Sequence[str]] = None,
        allowed_serial_numbers: Optional[Sequence[str]] = None,
        allowed_uri_sans: Optional[Sequence[str]] = None,
        allowed_uri_sans_template: Optional[bool] = None,
        allowed_user_ids: Optional[Sequence[str]] = None,
        backend: Optional[str] = None,
        basic_constraints_valid_for_non_ca: Optional[bool] = None,
        client_flag: Optional[bool] = None,
        cn_validations: Optional[Sequence[str]] = None,
        code_signing_flag: Optional[bool] = None,
        countries: Optional[Sequence[str]] = None,
        email_protection_flag: Optional[bool] = None,
        enforce_hostnames: Optional[bool] = None,
        ext_key_usage_oids: Optional[Sequence[str]] = None,
        ext_key_usages: Optional[Sequence[str]] = None,
        generate_lease: Optional[bool] = None,
        issuer_ref: Optional[str] = None,
        key_bits: Optional[int] = None,
        key_type: Optional[str] = None,
        key_usages: Optional[Sequence[str]] = None,
        localities: Optional[Sequence[str]] = None,
        max_ttl: Optional[str] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        no_store: Optional[bool] = None,
        no_store_metadata: Optional[bool] = None,
        not_after: Optional[str] = None,
        not_before_duration: Optional[str] = None,
        organization_unit: Optional[Sequence[str]] = None,
        organizations: Optional[Sequence[str]] = None,
        policy_identifier: Optional[Sequence[SecretBackendRolePolicyIdentifierArgs]] = None,
        policy_identifiers: Optional[Sequence[str]] = None,
        postal_codes: Optional[Sequence[str]] = None,
        provinces: Optional[Sequence[str]] = None,
        require_cn: Optional[bool] = None,
        serial_number_source: Optional[str] = None,
        server_flag: Optional[bool] = None,
        signature_bits: Optional[int] = None,
        street_addresses: Optional[Sequence[str]] = None,
        ttl: Optional[str] = None,
        use_csr_common_name: Optional[bool] = None,
        use_csr_sans: Optional[bool] = None,
        use_pss: Optional[bool] = None) -> SecretBackendRole
func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)
public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)
public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)
resources:
  _:
    type: vault:pkiSecret:SecretBackendRole
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AllowAnyName bool
- Flag to allow any name
- AllowBareDomains bool
- Flag to allow certificates matching the actual domain
- AllowGlobDomains bool
- Flag to allow names containing glob patterns.
- AllowIpSans bool
- Flag to allow IP SANs
- AllowLocalhost bool
- Flag to allow certificates for localhost
- AllowSubdomains bool
- Flag to allow certificates matching subdomains
- AllowWildcardCertificates bool
- Flag to allow wildcard certificates.
- AllowedDomains List<string>
- List of allowed domains for certificates
- AllowedDomainsTemplate bool
- Flag; if set, `allowed_domains` may be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
- AllowedOtherSans List<string>
- Defines allowed custom SANs
- AllowedSerialNumbers List<string>
- An array of allowed serial numbers to put in Subject
- AllowedUriSans List<string>
- Defines allowed URI SANs
- AllowedUriSansTemplate bool
- Flag; if set, `allowed_uri_sans` may be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
- AllowedUserIds List<string>
- Defines allowed User IDs
- Backend string
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- BasicConstraintsValidForNonCa bool
- Flag to mark basic constraints valid when issuing non-CA certificates
- ClientFlag bool
- Flag to specify certificates for client use
- CnValidations List<string>
- Validations to run on the Common Name field of the certificate; choices: `email`, `hostname`, `disabled`
- CodeSigningFlag bool
- Flag to specify certificates for code signing use
- Countries List<string>
- The country of generated certificates
- EmailProtectionFlag bool
- Flag to specify certificates for email protection use
- EnforceHostnames bool
- Flag to allow only valid host names
- ExtKeyUsageOids List<string>
- Specify the allowed extended key usage OIDs constraint on issued certificates
- ExtKeyUsages List<string>
- Specify the allowed extended key usage constraint on issued certificates
- GenerateLease bool
- Flag to generate leases with certificates
- IssuerRef string
- Specifies the default issuer of this request. May be the value `default`, a name, or an issuer ID. Use ACLs to restrict access to the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths; otherwise a caller can override the role's `issuer_ref` value by addressing a different issuer directly.
- KeyBits int
- The number of bits of generated keys
- KeyType string
- The generated key type; choices: `rsa`, `ec`, `ed25519`, `any`. Defaults to `rsa`.
- KeyUsages List<string>
- Specify the allowed key usage constraint on issued certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"]`. To specify no default key usage constraints, set this to an empty list `[]`.
- Localities List<string>
- The locality of generated certificates
- MaxTtl string
- The maximum lease TTL, in seconds, for the role.
- Name string
- The name to identify this role within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- NoStore bool
- Flag to not store certificates in the storage backend
- NoStoreMetadata bool
- Controls whether metadata, keyed on the certificate's serial number, may be stored. This field is independent of `no_store`, so metadata can be stored regardless of whether certificates are stored. If true, metadata is not stored, and an error is returned if the metadata field is specified on issuance APIs.
- NotAfter string
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- NotBeforeDuration string
- Specifies the duration by which to backdate the NotBefore property.
- OrganizationUnit List<string>
- The organization unit of generated certificates
- Organizations List<string>
- The organization of generated certificates
- PolicyIdentifier List<SecretBackendRolePolicyIdentifier>
- (Vault 1.11+ only) A block for specifying policy identifiers. The `policy_identifier` block can be repeated and supports the following arguments:
- PolicyIdentifiers List<string>
- Specify the list of allowed policy OIDs. Use with Vault 1.10 or earlier. For Vault 1.11+, use `policy_identifier` blocks instead.
- PostalCodes List<string>
- The postal code of generated certificates
- Provinces List<string>
- The province of generated certificates
- RequireCn bool
- Flag to force CN usage
- SerialNumberSource string
- Specifies the source of the subject serial number. Valid values are `json-csr` (default) or `json`. When set to `json-csr`, the subject serial number is taken from the `serial_number` parameter and falls back to the serial number in the CSR. When set to `json`, the subject serial number is taken from the `serial_number` parameter and any value in the CSR is ignored. For backwards compatibility, an empty value for this field defaults to the `json-csr` behavior.
- Example usage:

```yaml
resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com
```
- ServerFlag bool
- Flag to specify certificates for server use
- SignatureBits int
- The number of bits to use in the signature algorithm
- StreetAddresses List<string>
- The street address of generated certificates
- Ttl string
- The TTL, in seconds, for any certificate issued against this role.
- UseCsrCommonName bool
- Flag to use the CN in the CSR
- UseCsrSans bool
- Flag to use the SANs in the CSR
- UsePss bool
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
- AllowAnyName bool
- Flag to allow any name
- AllowBareDomains bool
- Flag to allow certificates matching the actual domain
- AllowGlobDomains bool
- Flag to allow names containing glob patterns.
- AllowIpSans bool
- Flag to allow IP SANs
- AllowLocalhost bool
- Flag to allow certificates for localhost
- AllowSubdomains bool
- Flag to allow certificates matching subdomains
- AllowWildcardCertificates bool
- Flag to allow wildcard certificates.
- AllowedDomains []string
- List of allowed domains for certificates
- AllowedDomainsTemplate bool
- Flag; if set, `allowed_domains` may be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
- AllowedOtherSans []string
- Defines allowed custom SANs
- AllowedSerialNumbers []string
- An array of allowed serial numbers to put in Subject
- AllowedUriSans []string
- Defines allowed URI SANs
- AllowedUriSansTemplate bool
- Flag; if set, `allowed_uri_sans` may be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
- AllowedUserIds []string
- Defines allowed User IDs
- Backend string
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- BasicConstraintsValidForNonCa bool
- Flag to mark basic constraints valid when issuing non-CA certificates
- ClientFlag bool
- Flag to specify certificates for client use
- CnValidations []string
- Validations to run on the Common Name field of the certificate; choices: `email`, `hostname`, `disabled`
- CodeSigningFlag bool
- Flag to specify certificates for code signing use
- Countries []string
- The country of generated certificates
- EmailProtectionFlag bool
- Flag to specify certificates for email protection use
- EnforceHostnames bool
- Flag to allow only valid host names
- ExtKeyUsageOids []string
- Specify the allowed extended key usage OIDs constraint on issued certificates
- ExtKeyUsages []string
- Specify the allowed extended key usage constraint on issued certificates
- GenerateLease bool
- Flag to generate leases with certificates
- IssuerRef string
- Specifies the default issuer of this request. May be the value `default`, a name, or an issuer ID. Use ACLs to restrict access to the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths; otherwise a caller can override the role's `issuer_ref` value by addressing a different issuer directly.
- KeyBits int
- The number of bits of generated keys
- KeyType string
- The generated key type; choices: `rsa`, `ec`, `ed25519`, `any`. Defaults to `rsa`.
- KeyUsages []string
- Specify the allowed key usage constraint on issued certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"]`. To specify no default key usage constraints, set this to an empty list `[]`.
- Localities []string
- The locality of generated certificates
- MaxTtl string
- The maximum lease TTL, in seconds, for the role.
- Name string
- The name to identify this role within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- NoStore bool
- Flag to not store certificates in the storage backend
- NoStoreMetadata bool
- Controls whether metadata, keyed on the certificate's serial number, may be stored. This field is independent of `no_store`, so metadata can be stored regardless of whether certificates are stored. If true, metadata is not stored, and an error is returned if the metadata field is specified on issuance APIs.
- NotAfter string
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- NotBeforeDuration string
- Specifies the duration by which to backdate the NotBefore property.
- OrganizationUnit []string
- The organization unit of generated certificates
- Organizations []string
- The organization of generated certificates
- PolicyIdentifier []SecretBackendRolePolicyIdentifierArgs
- (Vault 1.11+ only) A block for specifying policy identifiers. The `policy_identifier` block can be repeated and supports the following arguments:
- PolicyIdentifiers []string
- Specify the list of allowed policy OIDs. Use with Vault 1.10 or earlier. For Vault 1.11+, use `policy_identifier` blocks instead.
- PostalCodes []string
- The postal code of generated certificates
- Provinces []string
- The province of generated certificates
- RequireCn bool
- Flag to force CN usage
- SerialNumberSource string
- Specifies the source of the subject serial number. Valid values are `json-csr` (default) or `json`. When set to `json-csr`, the subject serial number is taken from the `serial_number` parameter and falls back to the serial number in the CSR. When set to `json`, the subject serial number is taken from the `serial_number` parameter and any value in the CSR is ignored. For backwards compatibility, an empty value for this field defaults to the `json-csr` behavior.
- Example usage:

```yaml
resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com
```
- ServerFlag bool
- Flag to specify certificates for server use
- SignatureBits int
- The number of bits to use in the signature algorithm
- StreetAddresses []string
- The street address of generated certificates
- Ttl string
- The TTL, in seconds, for any certificate issued against this role.
- UseCsrCommonName bool
- Flag to use the CN in the CSR
- UseCsrSans bool
- Flag to use the SANs in the CSR
- UsePss bool
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
- allowAnyName Boolean
- Flag to allow any name
- allowBareDomains Boolean
- Flag to allow certificates matching the actual domain
- allowGlobDomains Boolean
- Flag to allow names containing glob patterns.
- allowIpSans Boolean
- Flag to allow IP SANs
- allowLocalhost Boolean
- Flag to allow certificates for localhost
- allowSubdomains Boolean
- Flag to allow certificates matching subdomains
- allowWildcardCertificates Boolean
- Flag to allow wildcard certificates.
- allowedDomains List<String>
- List of allowed domains for certificates
- allowedDomainsTemplate Boolean
- Flag; if set, `allowed_domains` may be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
- allowedOtherSans List<String>
- Defines allowed custom SANs
- allowedSerialNumbers List<String>
- An array of allowed serial numbers to put in Subject
- allowedUriSans List<String>
- Defines allowed URI SANs
- allowedUriSansTemplate Boolean
- Flag; if set, `allowed_uri_sans` may be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
- allowedUserIds List<String>
- Defines allowed User IDs
- backend String
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- basicConstraintsValidForNonCa Boolean
- Flag to mark basic constraints valid when issuing non-CA certificates
- clientFlag Boolean
- Flag to specify certificates for client use
- cnValidations List<String>
- Validations to run on the Common Name field of the certificate; choices: `email`, `hostname`, `disabled`
- codeSigningFlag Boolean
- Flag to specify certificates for code signing use
- countries List<String>
- The country of generated certificates
- emailProtectionFlag Boolean
- Flag to specify certificates for email protection use
- enforceHostnames Boolean
- Flag to allow only valid host names
- extKeyUsageOids List<String>
- Specify the allowed extended key usage OIDs constraint on issued certificates
- extKeyUsages List<String>
- Specify the allowed extended key usage constraint on issued certificates
- generateLease Boolean
- Flag to generate leases with certificates
- issuerRef String
- Specifies the default issuer of this request. May be the value `default`, a name, or an issuer ID. Use ACLs to restrict access to the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths; otherwise a caller can override the role's `issuer_ref` value by addressing a different issuer directly.
- keyBits Integer
- The number of bits of generated keys
- keyType String
- The generated key type; choices: `rsa`, `ec`, `ed25519`, `any`. Defaults to `rsa`.
- keyUsages List<String>
- Specify the allowed key usage constraint on issued certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"]`. To specify no default key usage constraints, set this to an empty list `[]`.
- localities List<String>
- The locality of generated certificates
- maxTtl String
- The maximum lease TTL, in seconds, for the role.
- name String
- The name to identify this role within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- noStore Boolean
- Flag to not store certificates in the storage backend
- noStoreMetadata Boolean
- Controls whether metadata, keyed on the certificate's serial number, may be stored. This field is independent of `no_store`, so metadata can be stored regardless of whether certificates are stored. If true, metadata is not stored, and an error is returned if the metadata field is specified on issuance APIs.
- notAfter String
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- notBeforeDuration String
- Specifies the duration by which to backdate the NotBefore property.
- organizationUnit List<String>
- The organization unit of generated certificates
- organizations List<String>
- The organization of generated certificates
- policyIdentifier List<SecretBackendRolePolicyIdentifier>
- (Vault 1.11+ only) A block for specifying policy identifiers. The `policy_identifier` block can be repeated and supports the following arguments:
- policyIdentifiers List<String>
- Specify the list of allowed policy OIDs. Use with Vault 1.10 or earlier. For Vault 1.11+, use `policy_identifier` blocks instead.
- postalCodes List<String>
- The postal code of generated certificates
- provinces List<String>
- The province of generated certificates
- requireCn Boolean
- Flag to force CN usage
- serialNumberSource String
- Specifies the source of the subject serial number. Valid values are `json-csr` (default) or `json`. When set to `json-csr`, the subject serial number is taken from the `serial_number` parameter and falls back to the serial number in the CSR. When set to `json`, the subject serial number is taken from the `serial_number` parameter and any value in the CSR is ignored. For backwards compatibility, an empty value for this field defaults to the `json-csr` behavior.
- Example usage:

```yaml
resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com
```
- serverFlag Boolean
- Flag to specify certificates for server use
- signatureBits Integer
- The number of bits to use in the signature algorithm
- streetAddresses List<String>
- The street address of generated certificates
- ttl String
- The TTL, in seconds, for any certificate issued against this role.
- useCsrCommonName Boolean
- Flag to use the CN in the CSR
- useCsrSans Boolean
- Flag to use the SANs in the CSR
- usePss Boolean
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
- allowAnyName boolean
- Flag to allow any name
- allowBareDomains boolean
- Flag to allow certificates matching the actual domain
- allowGlobDomains boolean
- Flag to allow names containing glob patterns.
- allowIpSans boolean
- Flag to allow IP SANs
- allowLocalhost boolean
- Flag to allow certificates for localhost
- allowSubdomains boolean
- Flag to allow certificates matching subdomains
- allowWildcardCertificates boolean
- Flag to allow wildcard certificates.
- allowedDomains string[]
- List of allowed domains for certificates
- allowedDomainsTemplate boolean
- Flag; if set, `allowed_domains` may be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
- allowedOtherSans string[]
- Defines allowed custom SANs
- allowedSerialNumbers string[]
- An array of allowed serial numbers to put in Subject
- allowedUriSans string[]
- Defines allowed URI SANs
- allowedUriSansTemplate boolean
- Flag; if set, `allowed_uri_sans` may be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
- allowedUserIds string[]
- Defines allowed User IDs
- backend string
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- basicConstraintsValidForNonCa boolean
- Flag to mark basic constraints valid when issuing non-CA certificates
- clientFlag boolean
- Flag to specify certificates for client use
- cnValidations string[]
- Validations to run on the Common Name field of the certificate; choices: `email`, `hostname`, `disabled`
- codeSigningFlag boolean
- Flag to specify certificates for code signing use
- countries string[]
- The country of generated certificates
- emailProtectionFlag boolean
- Flag to specify certificates for email protection use
- enforceHostnames boolean
- Flag to allow only valid host names
- extKeyUsageOids string[]
- Specify the allowed extended key usage OIDs constraint on issued certificates
- extKeyUsages string[]
- Specify the allowed extended key usage constraint on issued certificates
- generateLease boolean
- Flag to generate leases with certificates
- issuerRef string
- Specifies the default issuer of this request. May be the value `default`, a name, or an issuer ID. Use ACLs to restrict access to the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths; otherwise a caller can override the role's `issuer_ref` value by addressing a different issuer directly.
- keyBits number
- The number of bits of generated keys
- keyType string
- The generated key type; choices: `rsa`, `ec`, `ed25519`, `any`. Defaults to `rsa`.
- keyUsages string[]
- Specify the allowed key usage constraint on issued certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"]`. To specify no default key usage constraints, set this to an empty list `[]`.
- localities string[]
- The locality of generated certificates
- maxTtl string
- The maximum lease TTL, in seconds, for the role.
- name string
- The name to identify this role within the backend. Must be unique within the backend.
- namespace string
- The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- noStore boolean
- Flag to not store certificates in the storage backend
- noStoreMetadata boolean
- Controls whether metadata, keyed on the certificate's serial number, may be stored. This field is independent of `no_store`, so metadata can be stored regardless of whether certificates are stored. If true, metadata is not stored, and an error is returned if the metadata field is specified on issuance APIs.
- notAfter string
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- notBeforeDuration string
- Specifies the duration by which to backdate the NotBefore property.
- organizationUnit string[]
- The organization unit of generated certificates
- organizations string[]
- The organization of generated certificates
- policyIdentifier SecretBackendRolePolicyIdentifier[]
- (Vault 1.11+ only) A block for specifying policy identifiers. The `policy_identifier` block can be repeated and supports the following arguments:
- policyIdentifiers string[]
- Specify the list of allowed policy OIDs. Use with Vault 1.10 or earlier. For Vault 1.11+, use `policy_identifier` blocks instead.
- postalCodes string[]
- The postal code of generated certificates
- provinces string[]
- The province of generated certificates
- requireCn boolean
- Flag to force CN usage
- serialNumberSource string
- Specifies the source of the subject serial number. Valid values are `json-csr` (default) or `json`. When set to `json-csr`, the subject serial number is taken from the `serial_number` parameter and falls back to the serial number in the CSR. When set to `json`, the subject serial number is taken from the `serial_number` parameter and any value in the CSR is ignored. For backwards compatibility, an empty value for this field defaults to the `json-csr` behavior.
- Example usage:

```yaml
resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com
```
- serverFlag boolean
- Flag to specify certificates for server use
- signatureBits number
- The number of bits to use in the signature algorithm
- streetAddresses string[]
- The street address of generated certificates
- ttl string
- The TTL, in seconds, for any certificate issued against this role.
- useCsrCommonName boolean
- Flag to use the CN in the CSR
- useCsrSans boolean
- Flag to use the SANs in the CSR
- usePss boolean
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
- allow_any_name bool
- Flag to allow any name
- allow_bare_domains bool
- Flag to allow certificates matching the actual domain
- allow_glob_domains bool
- Flag to allow names containing glob patterns.
- allow_ip_sans bool
- Flag to allow IP SANs
- allow_localhost bool
- Flag to allow certificates for localhost
- allow_subdomains bool
- Flag to allow certificates matching subdomains
- allow_wildcard_certificates bool
- Flag to allow wildcard certificates.
- allowed_domains Sequence[str]
- List of allowed domains for certificates
- allowed_domains_template bool
- Flag; if set, `allowed_domains` may be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
- allowed_other_sans Sequence[str]
- Defines allowed custom SANs
- allowed_serial_numbers Sequence[str]
- An array of allowed serial numbers to put in Subject
- allowed_uri_sans Sequence[str]
- Defines allowed URI SANs
- allowed_uri_sans_template bool
- Flag; if set, `allowed_uri_sans` may be specified using identity template expressions such as `{{identity.entity.aliases.<mount accessor>.name}}`.
- allowed_user_ids Sequence[str]
- Defines allowed User IDs
- backend str
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- basic_constraints_valid_for_non_ca bool
- Flag to mark basic constraints valid when issuing non-CA certificates
- client_flag bool
- Flag to specify certificates for client use
- cn_validations Sequence[str]
- Validations to run on the Common Name field of the certificate; choices: `email`, `hostname`, `disabled`
- code_signing_flag bool
- Flag to specify certificates for code signing use
- countries Sequence[str]
- The country of generated certificates
- email_protection_flag bool
- Flag to specify certificates for email protection use
- enforce_hostnames bool
- Flag to allow only valid host names
- ext_key_usage_oids Sequence[str]
- Specify the allowed extended key usage OIDs constraint on issued certificates
- ext_key_usages Sequence[str]
- Specify the allowed extended key usage constraint on issued certificates
- generate_lease bool
- Flag to generate leases with certificates
- issuer_ref str
- Specifies the default issuer of this request. May be the value `default`, a name, or an issuer ID. Use ACLs to restrict access to the `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths; otherwise a caller can override the role's `issuer_ref` value by addressing a different issuer directly.
- key_bits int
- The number of bits of generated keys
- key_type str
- The generated key type; choices: `rsa`, `ec`, `ed25519`, `any`. Defaults to `rsa`.
- key_usages Sequence[str]
- Specify the allowed key usage constraint on issued certificates. Defaults to `["DigitalSignature", "KeyAgreement", "KeyEncipherment"]`. To specify no default key usage constraints, set this to an empty list `[]`.
- localities Sequence[str]
- The locality of generated certificates
- max_ttl str
- The maximum lease TTL, in seconds, for the role.
- name str
- The name to identify this role within the backend. Must be unique within the backend.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- no_store bool
- Flag to not store issued certificates in the storage backend. Certificates that are not stored cannot later be looked up in the backend, which limits your ability to revoke them, so weigh this against your revocation requirements before enabling it.
- no_store_metadata bool
- Controls whether metadata keyed on the certificate's serial number may be stored. This is independent of no_store, so metadata can be stored even when the certificates themselves are not. If true, metadata is not stored and issuance requests that supply the metadata field are rejected with an error.
- not_after str
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- not_before_duration str
- Specifies the duration by which to backdate the NotBefore property.
- organization_unit Sequence[str]
- The organization unit of generated certificates
- organizations Sequence[str]
- The organization of generated certificates
- policy_identifier Sequence[SecretBackendRolePolicyIdentifierArgs]
- (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
- policy_identifiers Sequence[str]
- Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead.
- postal_codes Sequence[str]
- The postal code of generated certificates
- provinces Sequence[str]
- The province of generated certificates
- require_cn bool
- Flag to force CN usage
- serial_number_source str
- Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter and any value in the CSR is ignored. For backwards compatibility an empty value for this field defaults to the json-csr behavior.

Example usage (YAML; note that this example exercises policyIdentifiers, not serialNumberSource):

```yaml
resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com
```
- server_flag bool
- Flag to specify certificates for server use
- signature_bits int
- The number of bits to use in the signature algorithm
- street_addresses Sequence[str]
- The street address of generated certificates
- ttl str
- The TTL, in seconds, for any certificate issued against this role.
- use_csr_common_name bool
- Flag to use the CN in the CSR
- use_csr_sans bool
- Flag to use the SANs in the CSR
- use_pss bool
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
- allowAnyName Boolean
- Flag to allow any name. When set, the allowedDomains, allowSubdomains and related name restrictions no longer limit which CN or SANs a requester can obtain; enable it only on roles whose access is tightly restricted by Vault ACLs.
- allowBareDomains Boolean
- Flag to allow certificates matching the actual domain
- allowGlobDomains Boolean
- Flag to allow names matching glob patterns in allowedDomains. Globs widen the set of names a requester can obtain, so keep patterns as narrow as possible.
- allowIpSans Boolean
- Flag to allow IP SANs
- allowLocalhost Boolean
- Flag to allow certificates for localhost
- allowSubdomains Boolean
- Flag to allow certificates matching subdomains
- allowWildcardCertificates Boolean
- Flag to allow wildcard certificates (e.g. *.example.com). A wildcard certificate is valid for every host under the matched label, so enable this only for roles that genuinely need it.
- allowedDomains List<String>
- List of allowed domains for certificates
- allowedDomainsTemplate Boolean
- Flag, if set, allowedDomains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- allowedOtherSans List<String>
- Defines allowed custom SANs
- allowedSerialNumbers List<String>
- An array of allowed serial numbers to put in Subject
- allowedUriSans List<String>
- Defines allowed URI SANs
- allowedUriSansTemplate Boolean
- Flag, if set, allowedUriSans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
- allowedUserIds List<String>
- Defines allowed User IDs
- backend String
- The path the PKI secret backend is mounted at, with no leading or trailing /s.
- basicConstraintsValidForNonCa Boolean
- Flag to mark basic constraints valid when issuing non-CA certificates
- clientFlag Boolean
- Flag to specify certificates for client use
- cnValidations List<String>
- Validations to run on the Common Name field of the certificate; choices: email, hostname, disabled. Choosing disabled skips Common Name validation altogether, so only use it for roles whose allowed names are constrained by other means.
- codeSigningFlag Boolean
- Flag to specify certificates for code signing use
- countries List<String>
- The country of generated certificates
- emailProtectionFlag Boolean
- Flag to specify certificates for email protection use
- enforceHostnames Boolean
- Flag to allow only valid host names in the Common Name and DNS SANs. Disabling it lets values that are not well-formed host names through, so leave it enabled unless a specific use case requires otherwise.
- extKeyUsageOids List<String>
- Specify the allowed extended key usage OIDs constraint on issued certificates
- extKeyUsages List<String>
- Specify the allowed extended key usage constraint on issued certificates
- generateLease Boolean
- Flag to generate leases with certificates
- issuerRef String
- Specifies the default issuer of this request. May
be the value default, a name, or an issuer ID. Use ACLs to deny access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths, otherwise callers can override the role's issuerRef value by naming a different issuer in the request path.
- keyBits Number
- The number of bits of generated keys
- keyType String
- The generated key type; choices: rsa, ec, ed25519, any. Defaults to rsa. Note that any accepts whatever key type the requester supplies in a CSR, so prefer an explicit type when signing external CSRs.
- keyUsages List<String>
- Specify the allowed key usage constraint on issued
certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
- localities List<String>
- The locality of generated certificates
- maxTtl String
- The maximum lease TTL, in seconds, for the role.
- name String
- The name to identify this role within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- noStore Boolean
- Flag to not store issued certificates in the storage backend. Certificates that are not stored cannot later be looked up in the backend, which limits your ability to revoke them, so weigh this against your revocation requirements before enabling it.
- noStoreMetadata Boolean
- Controls whether metadata keyed on the certificate's serial number may be stored. This is independent of noStore, so metadata can be stored even when the certificates themselves are not. If true, metadata is not stored and issuance requests that supply the metadata field are rejected with an error.
- notAfter String
- Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
- notBeforeDuration String
- Specifies the duration by which to backdate the NotBefore property (commonly used to tolerate clock skew between the issuer and relying parties).
- organizationUnit List<String>
- The organization unit of generated certificates
- organizations List<String>
- The organization of generated certificates
- policyIdentifier List<Property Map>
- (Vault 1.11+ only) A block for specifying policy identifiers. The policyIdentifier block can be repeated, and supports the following arguments:
- policyIdentifiers List<String>
- Specify the list of allowed policy OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policyIdentifier blocks instead.
- postalCodes List<String>
- The postal code of generated certificates
- provinces List<String>
- The province of generated certificates
- requireCn Boolean
- Flag to force CN usage
- serialNumberSource String
- Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter and any value in the CSR is ignored. For backwards compatibility an empty value for this field defaults to the json-csr behavior.

Example usage (YAML; note that this example exercises policyIdentifiers, not serialNumberSource):

```yaml
resources:
  pki:
    type: vault:Mount
    properties:
      path: pki
      type: pki
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  role:
    type: vault:pkiSecret:SecretBackendRole
    properties:
      backend: ${pki.path}
      name: my_role
      ttl: 3600
      allowIpSans: true
      keyType: rsa
      keyBits: 4096
      allowedDomains:
        - example.com
        - my.domain
      allowSubdomains: true
      policyIdentifiers:
        - oid: 1.3.6.1.4.1.7.8
          notice: I am a user Notice
        - oid: 1.3.6.1.4.1.44947.1.2.4
          cps: https://example.com
```
- serverFlag Boolean
- Flag to specify certificates for server use
- signatureBits Number
- The number of bits to use in the signature algorithm
- streetAddresses List<String>
- The street address of generated certificates
- ttl String
- The TTL, in seconds, for any certificate issued against this role.
- useCsrCommonName Boolean
- Flag to use the CN in the CSR
- useCsrSans Boolean
- Flag to use the SANs from the CSR when signing; if false, SANs are taken from the request parameters rather than the CSR.
- usePss Boolean
- Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
Supporting Types
SecretBackendRolePolicyIdentifier, SecretBackendRolePolicyIdentifierArgs — the fields shown in the example above are oid, notice and cps.
Import
PKI secret backend roles can be imported using the path, e.g.
$ pulumi import vault:pkiSecret/secretBackendRole:SecretBackendRole role pki/roles/my_role
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the vaultTerraform Provider.