HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
vault.ssh.getSecretBackendSign
This data source signs an SSH public key with a role defined on a Vault SSH secrets backend and returns the signed certificate together with its serial number.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// Signing request for the "test" role on the SSH backend mounted at "ssh".
// ttl is omitted, so the role's ttl value is used; a requested ttl can never
// exceed the role's max_ttl.
const signArgs = {
    name: "test",
    path: "ssh",
    // Usernames or hostnames the certificate is signed for.
    validPrincipals: "my-user",
    publicKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com",
};

// Direct form: resolves to a result holding signedKey and serialNumber.
const test = vault.ssh.getSecretBackendSign(signArgs);
import pulumi
import pulumi_vault as vault
# Ask the "test" role on the SSH backend mounted at "ssh" to sign the key.
# ttl is omitted, so the role's ttl value is used; a requested ttl can never
# exceed the role's max_ttl.
test = vault.ssh.get_secret_backend_sign(
    name="test",
    path="ssh",
    # Usernames or hostnames the certificate is signed for.
    valid_principals="my-user",
    public_key="ssh-rsa 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 user@example.com",
)
package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/ssh"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that asks the "test" role on the SSH backend
// mounted at "ssh" to sign a public key.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Ttl is omitted, so the role's ttl value is used; a requested ttl can
		// never exceed the role's max_ttl.
		signArgs := &ssh.GetSecretBackendSignArgs{
			Name: "test",
			Path: "ssh",
			// Usernames or hostnames the certificate is signed for.
			ValidPrincipals: pulumi.StringRef("my-user"),
			PublicKey:       "ssh-rsa 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 user@example.com",
		}

		// The result (SignedKey, SerialNumber) is discarded in this example;
		// only the error is propagated to the Pulumi runtime.
		_, signErr := ssh.GetSecretBackendSign(ctx, signArgs, nil)
		return signErr
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // Signing request for the "test" role on the SSH backend mounted at "ssh".
    // Ttl is omitted, so the role's ttl value is used; a requested ttl can
    // never exceed the role's max_ttl.
    var signArgs = new Vault.Ssh.GetSecretBackendSignInvokeArgs
    {
        Name = "test",
        Path = "ssh",
        // Usernames or hostnames the certificate is signed for.
        ValidPrincipals = "my-user",
        PublicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com",
    };

    // Output form: the result holds SignedKey and SerialNumber.
    var test = Vault.Ssh.GetSecretBackendSign.Invoke(signArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.ssh.SshFunctions;
import com.pulumi.vault.ssh.inputs.GetSecretBackendSignArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that asks the "test" role on the SSH backend mounted at
 * "ssh" to sign a public key.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the signing request and invokes the data source.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // ttl is omitted, so the role's ttl value is used; a requested ttl
        // can never exceed the role's max_ttl.
        final var signArgs = GetSecretBackendSignArgs.builder()
            .name("test")
            .path("ssh")
            // Usernames or hostnames the certificate is signed for.
            .validPrincipals("my-user")
            .publicKey("ssh-rsa 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 user@example.com")
            .build();

        // The result holds signedKey and serialNumber.
        final var test = SshFunctions.getSecretBackendSign(signArgs);
    }
}
# Asks the "test" role on the SSH backend mounted at "ssh" to sign a key.
# ttl is omitted, so the role's ttl value is used; a requested ttl can never
# exceed the role's max_ttl.
variables:
  test:
    fn::invoke:
      function: "vault:ssh:getSecretBackendSign"
      arguments:
        name: "test"
        path: "ssh"
        # Usernames or hostnames the certificate is signed for.
        validPrincipals: "my-user"
        publicKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com"
Using getSecretBackendSign
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getSecretBackendSign(args: GetSecretBackendSignArgs, opts?: InvokeOptions): Promise<GetSecretBackendSignResult>
function getSecretBackendSignOutput(args: GetSecretBackendSignOutputArgs, opts?: InvokeOptions): Output<GetSecretBackendSignResult>
def get_secret_backend_sign(cert_type: Optional[str] = None,
                            critical_options: Optional[Mapping[str, str]] = None,
                            extensions: Optional[Mapping[str, str]] = None,
                            key_id: Optional[str] = None,
                            name: Optional[str] = None,
                            namespace: Optional[str] = None,
                            path: Optional[str] = None,
                            public_key: Optional[str] = None,
                            ttl: Optional[str] = None,
                            valid_principals: Optional[str] = None,
                            opts: Optional[InvokeOptions] = None) -> GetSecretBackendSignResult
def get_secret_backend_sign_output(cert_type: Optional[pulumi.Input[str]] = None,
                            critical_options: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                            extensions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                            key_id: Optional[pulumi.Input[str]] = None,
                            name: Optional[pulumi.Input[str]] = None,
                            namespace: Optional[pulumi.Input[str]] = None,
                            path: Optional[pulumi.Input[str]] = None,
                            public_key: Optional[pulumi.Input[str]] = None,
                            ttl: Optional[pulumi.Input[str]] = None,
                            valid_principals: Optional[pulumi.Input[str]] = None,
                            opts: Optional[InvokeOptions] = None) -> Output[GetSecretBackendSignResult]
func GetSecretBackendSign(ctx *Context, args *GetSecretBackendSignArgs, opts ...InvokeOption) (*GetSecretBackendSignResult, error)
func GetSecretBackendSignOutput(ctx *Context, args *GetSecretBackendSignOutputArgs, opts ...InvokeOption) GetSecretBackendSignResultOutput
> Note: This function is named GetSecretBackendSign in the Go SDK.
public static class GetSecretBackendSign 
{
    public static Task<GetSecretBackendSignResult> InvokeAsync(GetSecretBackendSignArgs args, InvokeOptions? opts = null)
    public static Output<GetSecretBackendSignResult> Invoke(GetSecretBackendSignInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetSecretBackendSignResult> getSecretBackendSign(GetSecretBackendSignArgs args, InvokeOptions options)
public static Output<GetSecretBackendSignResult> getSecretBackendSign(GetSecretBackendSignArgs args, InvokeOptions options)
fn::invoke:
  function: vault:ssh/getSecretBackendSign:getSecretBackendSign
  arguments:
    # arguments dictionary
The following arguments are supported:
- Name string
- Specifies the name of the role used to sign the key.
- Path string
- Full path where SSH backend is mounted.
- PublicKey string
- Specifies the SSH public key that should be signed.
- CertType string
- Specifies the type of certificate to be created; either "user" or "host".
- CriticalOptions Dictionary<string, string>
- Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- Extensions Dictionary<string, string>
- Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- KeyId string
- Specifies the key id that the created certificate should have. If not specified, the display name of the token will be used.
- Namespace string
- Ttl string
- Specifies the Requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- ValidPrincipals string
- Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
- Name string
- Specifies the name of the role used to sign the key.
- Path string
- Full path where SSH backend is mounted.
- PublicKey string
- Specifies the SSH public key that should be signed.
- CertType string
- Specifies the type of certificate to be created; either "user" or "host".
- CriticalOptions map[string]string
- Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- Extensions map[string]string
- Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- KeyId string
- Specifies the key id that the created certificate should have. If not specified, the display name of the token will be used.
- Namespace string
- Ttl string
- Specifies the Requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- ValidPrincipals string
- Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
- name String
- Specifies the name of the role used to sign the key.
- path String
- Full path where SSH backend is mounted.
- publicKey String
- Specifies the SSH public key that should be signed.
- certType String
- Specifies the type of certificate to be created; either "user" or "host".
- criticalOptions Map<String,String>
- Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- extensions Map<String,String>
- Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- keyId String
- Specifies the key id that the created certificate should have. If not specified, the display name of the token will be used.
- namespace String
- ttl String
- Specifies the Requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- validPrincipals String
- Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
- name string
- Specifies the name of the role used to sign the key.
- path string
- Full path where SSH backend is mounted.
- publicKey string
- Specifies the SSH public key that should be signed.
- certType string
- Specifies the type of certificate to be created; either "user" or "host".
- criticalOptions {[key: string]: string}
- Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- extensions {[key: string]: string}
- Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- keyId string
- Specifies the key id that the created certificate should have. If not specified, the display name of the token will be used.
- namespace string
- ttl string
- Specifies the Requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- validPrincipals string
- Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
- name str
- Specifies the name of the role used to sign the key.
- path str
- Full path where SSH backend is mounted.
- public_key str
- Specifies the SSH public key that should be signed.
- cert_type str
- Specifies the type of certificate to be created; either "user" or "host".
- critical_options Mapping[str, str]
- Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- extensions Mapping[str, str]
- Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- key_id str
- Specifies the key id that the created certificate should have. If not specified, the display name of the token will be used.
- namespace str
- ttl str
- Specifies the Requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- valid_principals str
- Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
- name String
- Specifies the name of the role used to sign the key.
- path String
- Full path where SSH backend is mounted.
- publicKey String
- Specifies the SSH public key that should be signed.
- certType String
- Specifies the type of certificate to be created; either "user" or "host".
- criticalOptions Map<String>
- Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
- extensions Map<String>
- Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
- keyId String
- Specifies the key id that the created certificate should have. If not specified, the display name of the token will be used.
- namespace String
- ttl String
- Specifies the Requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
- validPrincipals String
- Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
getSecretBackendSign Result
The following output properties are available:
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Path string
- PublicKey string
- SerialNumber string
- The serial number of the certificate returned from Vault
- SignedKey string
- The signed certificate returned from Vault
- CertType string
- CriticalOptions Dictionary<string, string>
- Extensions Dictionary<string, string>
- KeyId string
- Namespace string
- Ttl string
- ValidPrincipals string
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Path string
- PublicKey string
- SerialNumber string
- The serial number of the certificate returned from Vault
- SignedKey string
- The signed certificate returned from Vault
- CertType string
- CriticalOptions map[string]string
- Extensions map[string]string
- KeyId string
- Namespace string
- Ttl string
- ValidPrincipals string
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- path String
- publicKey String
- serialNumber String
- The serial number of the certificate returned from Vault
- signedKey String
- The signed certificate returned from Vault
- certType String
- criticalOptions Map<String,String>
- extensions Map<String,String>
- keyId String
- namespace String
- ttl String
- validPrincipals String
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- path string
- publicKey string
- serialNumber string
- The serial number of the certificate returned from Vault
- signedKey string
- The signed certificate returned from Vault
- certType string
- criticalOptions {[key: string]: string}
- extensions {[key: string]: string}
- keyId string
- namespace string
- ttl string
- validPrincipals string
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- path str
- public_key str
- serial_number str
- The serial number of the certificate returned from Vault
- signed_key str
- The signed certificate returned from Vault
- cert_type str
- critical_options Mapping[str, str]
- extensions Mapping[str, str]
- key_id str
- namespace str
- ttl str
- valid_principals str
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- path String
- publicKey String
- serialNumber String
- The serial number of the certificate returned from Vault
- signedKey String
- The signed certificate returned from Vault
- certType String
- criticalOptions Map<String>
- extensions Map<String>
- keyId String
- namespace String
- ttl String
- validPrincipals String
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the vault Terraform Provider.