HashiCorp Vault v6.7.1, May 2 25

HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi

vault.ssh.SecretBackendRole

Explore with Pulumi AI

HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.Mount("example", {type: "ssh"});
const foo = new vault.ssh.SecretBackendRole("foo", {
    name: "my-role",
    backend: example.path,
    keyType: "ca",
    allowUserCertificates: true,
});
const bar = new vault.ssh.SecretBackendRole("bar", {
    name: "otp-role",
    backend: example.path,
    keyType: "otp",
    defaultUser: "default",
    allowedUsers: "default,baz",
    cidrList: "0.0.0.0/0",
});

import pulumi
import pulumi_vault as vault

example = vault.Mount("example", type="ssh")
foo = vault.ssh.SecretBackendRole("foo",
    name="my-role",
    backend=example.path,
    key_type="ca",
    allow_user_certificates=True)
bar = vault.ssh.SecretBackendRole("bar",
    name="otp-role",
    backend=example.path,
    key_type="otp",
    default_user="default",
    allowed_users="default,baz",
    cidr_list="0.0.0.0/0")

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/ssh"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := vault.NewMount(ctx, "example", &vault.MountArgs{
			Type: pulumi.String("ssh"),
		})
		if err != nil {
			return err
		}
		_, err = ssh.NewSecretBackendRole(ctx, "foo", &ssh.SecretBackendRoleArgs{
			Name:                  pulumi.String("my-role"),
			Backend:               example.Path,
			KeyType:               pulumi.String("ca"),
			AllowUserCertificates: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = ssh.NewSecretBackendRole(ctx, "bar", &ssh.SecretBackendRoleArgs{
			Name:         pulumi.String("otp-role"),
			Backend:      example.Path,
			KeyType:      pulumi.String("otp"),
			DefaultUser:  pulumi.String("default"),
			AllowedUsers: pulumi.String("default,baz"),
			CidrList:     pulumi.String("0.0.0.0/0"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = new Vault.Mount("example", new()
    {
        Type = "ssh",
    });

    var foo = new Vault.Ssh.SecretBackendRole("foo", new()
    {
        Name = "my-role",
        Backend = example.Path,
        KeyType = "ca",
        AllowUserCertificates = true,
    });

    var bar = new Vault.Ssh.SecretBackendRole("bar", new()
    {
        Name = "otp-role",
        Backend = example.Path,
        KeyType = "otp",
        DefaultUser = "default",
        AllowedUsers = "default,baz",
        CidrList = "0.0.0.0/0",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.ssh.SecretBackendRole;
import com.pulumi.vault.ssh.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Mount("example", MountArgs.builder()
            .type("ssh")
            .build());

        var foo = new SecretBackendRole("foo", SecretBackendRoleArgs.builder()
            .name("my-role")
            .backend(example.path())
            .keyType("ca")
            .allowUserCertificates(true)
            .build());

        var bar = new SecretBackendRole("bar", SecretBackendRoleArgs.builder()
            .name("otp-role")
            .backend(example.path())
            .keyType("otp")
            .defaultUser("default")
            .allowedUsers("default,baz")
            .cidrList("0.0.0.0/0")
            .build());

    }
}

resources:
  example:
    type: vault:Mount
    properties:
      type: ssh
  foo:
    type: vault:ssh:SecretBackendRole
    properties:
      name: my-role
      backend: ${example.path}
      keyType: ca
      allowUserCertificates: true
  bar:
    type: vault:ssh:SecretBackendRole
    properties:
      name: otp-role
      backend: ${example.path}
      keyType: otp
      defaultUser: default
      allowedUsers: default,baz
      cidrList: 0.0.0.0/0

Create SecretBackendRole Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);

@overload
def SecretBackendRole(resource_name: str,
                      args: SecretBackendRoleArgs,
                      opts: Optional[ResourceOptions] = None)

@overload
def SecretBackendRole(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      backend: Optional[str] = None,
                      key_type: Optional[str] = None,
                      allowed_users: Optional[str] = None,
                      name: Optional[str] = None,
                      allow_subdomains: Optional[bool] = None,
                      allow_user_certificates: Optional[bool] = None,
                      allow_user_key_ids: Optional[bool] = None,
                      allowed_critical_options: Optional[str] = None,
                      allowed_domains: Optional[str] = None,
                      allowed_domains_template: Optional[bool] = None,
                      allowed_extensions: Optional[str] = None,
                      allowed_user_key_configs: Optional[Sequence[SecretBackendRoleAllowedUserKeyConfigArgs]] = None,
                      algorithm_signer: Optional[str] = None,
                      allowed_users_template: Optional[bool] = None,
                      allow_host_certificates: Optional[bool] = None,
                      default_critical_options: Optional[Mapping[str, str]] = None,
                      allow_empty_principals: Optional[bool] = None,
                      default_extensions: Optional[Mapping[str, str]] = None,
                      default_user: Optional[str] = None,
                      default_user_template: Optional[bool] = None,
                      key_id_format: Optional[str] = None,
                      allow_bare_domains: Optional[bool] = None,
                      max_ttl: Optional[str] = None,
                      cidr_list: Optional[str] = None,
                      namespace: Optional[str] = None,
                      not_before_duration: Optional[str] = None,
                      ttl: Optional[str] = None)

func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)

public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)

public SecretBackendRole(String name, SecretBackendRoleArgs args)
public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)

type: vault:ssh:SecretBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretBackendRoleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var examplesecretBackendRoleResourceResourceFromSshsecretBackendRole = new Vault.Ssh.SecretBackendRole("examplesecretBackendRoleResourceResourceFromSshsecretBackendRole", new()
{
    Backend = "string",
    KeyType = "string",
    AllowedUsers = "string",
    Name = "string",
    AllowSubdomains = false,
    AllowUserCertificates = false,
    AllowUserKeyIds = false,
    AllowedCriticalOptions = "string",
    AllowedDomains = "string",
    AllowedDomainsTemplate = false,
    AllowedExtensions = "string",
    AllowedUserKeyConfigs = new[]
    {
        new Vault.Ssh.Inputs.SecretBackendRoleAllowedUserKeyConfigArgs
        {
            Lengths = new[]
            {
                0,
            },
            Type = "string",
        },
    },
    AlgorithmSigner = "string",
    AllowedUsersTemplate = false,
    AllowHostCertificates = false,
    DefaultCriticalOptions = 
    {
        { "string", "string" },
    },
    AllowEmptyPrincipals = false,
    DefaultExtensions = 
    {
        { "string", "string" },
    },
    DefaultUser = "string",
    DefaultUserTemplate = false,
    KeyIdFormat = "string",
    AllowBareDomains = false,
    MaxTtl = "string",
    CidrList = "string",
    Namespace = "string",
    NotBeforeDuration = "string",
    Ttl = "string",
});

example, err := ssh.NewSecretBackendRole(ctx, "examplesecretBackendRoleResourceResourceFromSshsecretBackendRole", &ssh.SecretBackendRoleArgs{
	Backend:                pulumi.String("string"),
	KeyType:                pulumi.String("string"),
	AllowedUsers:           pulumi.String("string"),
	Name:                   pulumi.String("string"),
	AllowSubdomains:        pulumi.Bool(false),
	AllowUserCertificates:  pulumi.Bool(false),
	AllowUserKeyIds:        pulumi.Bool(false),
	AllowedCriticalOptions: pulumi.String("string"),
	AllowedDomains:         pulumi.String("string"),
	AllowedDomainsTemplate: pulumi.Bool(false),
	AllowedExtensions:      pulumi.String("string"),
	AllowedUserKeyConfigs: ssh.SecretBackendRoleAllowedUserKeyConfigArray{
		&ssh.SecretBackendRoleAllowedUserKeyConfigArgs{
			Lengths: pulumi.IntArray{
				pulumi.Int(0),
			},
			Type: pulumi.String("string"),
		},
	},
	AlgorithmSigner:       pulumi.String("string"),
	AllowedUsersTemplate:  pulumi.Bool(false),
	AllowHostCertificates: pulumi.Bool(false),
	DefaultCriticalOptions: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	AllowEmptyPrincipals: pulumi.Bool(false),
	DefaultExtensions: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	DefaultUser:         pulumi.String("string"),
	DefaultUserTemplate: pulumi.Bool(false),
	KeyIdFormat:         pulumi.String("string"),
	AllowBareDomains:    pulumi.Bool(false),
	MaxTtl:              pulumi.String("string"),
	CidrList:            pulumi.String("string"),
	Namespace:           pulumi.String("string"),
	NotBeforeDuration:   pulumi.String("string"),
	Ttl:                 pulumi.String("string"),
})

var examplesecretBackendRoleResourceResourceFromSshsecretBackendRole = new com.pulumi.vault.ssh.SecretBackendRole("examplesecretBackendRoleResourceResourceFromSshsecretBackendRole", com.pulumi.vault.ssh.SecretBackendRoleArgs.builder()
    .backend("string")
    .keyType("string")
    .allowedUsers("string")
    .name("string")
    .allowSubdomains(false)
    .allowUserCertificates(false)
    .allowUserKeyIds(false)
    .allowedCriticalOptions("string")
    .allowedDomains("string")
    .allowedDomainsTemplate(false)
    .allowedExtensions("string")
    .allowedUserKeyConfigs(SecretBackendRoleAllowedUserKeyConfigArgs.builder()
        .lengths(0)
        .type("string")
        .build())
    .algorithmSigner("string")
    .allowedUsersTemplate(false)
    .allowHostCertificates(false)
    .defaultCriticalOptions(Map.of("string", "string"))
    .allowEmptyPrincipals(false)
    .defaultExtensions(Map.of("string", "string"))
    .defaultUser("string")
    .defaultUserTemplate(false)
    .keyIdFormat("string")
    .allowBareDomains(false)
    .maxTtl("string")
    .cidrList("string")
    .namespace("string")
    .notBeforeDuration("string")
    .ttl("string")
    .build());

examplesecret_backend_role_resource_resource_from_sshsecret_backend_role = vault.ssh.SecretBackendRole("examplesecretBackendRoleResourceResourceFromSshsecretBackendRole",
    backend="string",
    key_type="string",
    allowed_users="string",
    name="string",
    allow_subdomains=False,
    allow_user_certificates=False,
    allow_user_key_ids=False,
    allowed_critical_options="string",
    allowed_domains="string",
    allowed_domains_template=False,
    allowed_extensions="string",
    allowed_user_key_configs=[{
        "lengths": [0],
        "type": "string",
    }],
    algorithm_signer="string",
    allowed_users_template=False,
    allow_host_certificates=False,
    default_critical_options={
        "string": "string",
    },
    allow_empty_principals=False,
    default_extensions={
        "string": "string",
    },
    default_user="string",
    default_user_template=False,
    key_id_format="string",
    allow_bare_domains=False,
    max_ttl="string",
    cidr_list="string",
    namespace="string",
    not_before_duration="string",
    ttl="string")

const examplesecretBackendRoleResourceResourceFromSshsecretBackendRole = new vault.ssh.SecretBackendRole("examplesecretBackendRoleResourceResourceFromSshsecretBackendRole", {
    backend: "string",
    keyType: "string",
    allowedUsers: "string",
    name: "string",
    allowSubdomains: false,
    allowUserCertificates: false,
    allowUserKeyIds: false,
    allowedCriticalOptions: "string",
    allowedDomains: "string",
    allowedDomainsTemplate: false,
    allowedExtensions: "string",
    allowedUserKeyConfigs: [{
        lengths: [0],
        type: "string",
    }],
    algorithmSigner: "string",
    allowedUsersTemplate: false,
    allowHostCertificates: false,
    defaultCriticalOptions: {
        string: "string",
    },
    allowEmptyPrincipals: false,
    defaultExtensions: {
        string: "string",
    },
    defaultUser: "string",
    defaultUserTemplate: false,
    keyIdFormat: "string",
    allowBareDomains: false,
    maxTtl: "string",
    cidrList: "string",
    namespace: "string",
    notBeforeDuration: "string",
    ttl: "string",
});

type: vault:ssh:SecretBackendRole
properties:
    algorithmSigner: string
    allowBareDomains: false
    allowEmptyPrincipals: false
    allowHostCertificates: false
    allowSubdomains: false
    allowUserCertificates: false
    allowUserKeyIds: false
    allowedCriticalOptions: string
    allowedDomains: string
    allowedDomainsTemplate: false
    allowedExtensions: string
    allowedUserKeyConfigs:
        - lengths:
            - 0
          type: string
    allowedUsers: string
    allowedUsersTemplate: false
    backend: string
    cidrList: string
    defaultCriticalOptions:
        string: string
    defaultExtensions:
        string: string
    defaultUser: string
    defaultUserTemplate: false
    keyIdFormat: string
    keyType: string
    maxTtl: string
    name: string
    namespace: string
    notBeforeDuration: string
    ttl: string

SecretBackendRole Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecretBackendRole resource accepts the following input properties:

Backend string: The path where the SSH secret backend is mounted.
KeyType string: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
AlgorithmSigner string: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
AllowBareDomains bool: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
AllowEmptyPrincipals bool: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
AllowHostCertificates bool: Specifies if certificates are allowed to be signed for use as a 'host'.
AllowSubdomains bool: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
AllowUserCertificates bool: Specifies if certificates are allowed to be signed for use as a 'user'.
AllowUserKeyIds bool: Specifies if users can override the key ID for a signed certificate with the key_id field.
AllowedCriticalOptions string: Specifies a comma-separated list of critical options that certificates can have when signed.
AllowedDomains string: The list of domains for which a client can request a host certificate.
AllowedDomainsTemplate bool: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
AllowedExtensions string: Specifies a comma-separated list of extensions that certificates can have when signed.
AllowedUserKeyConfigs List<SecretBackendRoleAllowedUserKeyConfig>: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
AllowedUsers string: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
AllowedUsersTemplate bool: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
CidrList string: The comma-separated string of CIDR blocks for which this role is applicable.
DefaultCriticalOptions Dictionary<string, string>: Specifies a map of critical options that certificates have when signed.
DefaultExtensions Dictionary<string, string>: Specifies a map of extensions that certificates have when signed.
DefaultUser string: Specifies the default username for which a credential will be generated.
DefaultUserTemplate bool: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
KeyIdFormat string: Specifies a custom format for the key id of a signed certificate.
MaxTtl string: Specifies the maximum Time To Live value.
Name string: Specifies the name of the role to create.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotBeforeDuration string: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
Ttl string: Specifies the Time To Live value.

Backend string: The path where the SSH secret backend is mounted.
KeyType string: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
AlgorithmSigner string: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
AllowBareDomains bool: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
AllowEmptyPrincipals bool: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
AllowHostCertificates bool: Specifies if certificates are allowed to be signed for use as a 'host'.
AllowSubdomains bool: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
AllowUserCertificates bool: Specifies if certificates are allowed to be signed for use as a 'user'.
AllowUserKeyIds bool: Specifies if users can override the key ID for a signed certificate with the key_id field.
AllowedCriticalOptions string: Specifies a comma-separated list of critical options that certificates can have when signed.
AllowedDomains string: The list of domains for which a client can request a host certificate.
AllowedDomainsTemplate bool: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
AllowedExtensions string: Specifies a comma-separated list of extensions that certificates can have when signed.
AllowedUserKeyConfigs []SecretBackendRoleAllowedUserKeyConfigArgs: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
AllowedUsers string: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
AllowedUsersTemplate bool: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
CidrList string: The comma-separated string of CIDR blocks for which this role is applicable.
DefaultCriticalOptions map[string]string: Specifies a map of critical options that certificates have when signed.
DefaultExtensions map[string]string: Specifies a map of extensions that certificates have when signed.
DefaultUser string: Specifies the default username for which a credential will be generated.
DefaultUserTemplate bool: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
KeyIdFormat string: Specifies a custom format for the key id of a signed certificate.
MaxTtl string: Specifies the maximum Time To Live value.
Name string: Specifies the name of the role to create.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotBeforeDuration string: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
Ttl string: Specifies the Time To Live value.

backend String: The path where the SSH secret backend is mounted.
keyType String: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
algorithmSigner String: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
allowBareDomains Boolean: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
allowEmptyPrincipals Boolean: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
allowHostCertificates Boolean: Specifies if certificates are allowed to be signed for use as a 'host'.
allowSubdomains Boolean: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
allowUserCertificates Boolean: Specifies if certificates are allowed to be signed for use as a 'user'.
allowUserKeyIds Boolean: Specifies if users can override the key ID for a signed certificate with the key_id field.
allowedCriticalOptions String: Specifies a comma-separated list of critical options that certificates can have when signed.
allowedDomains String: The list of domains for which a client can request a host certificate.
allowedDomainsTemplate Boolean: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
allowedExtensions String: Specifies a comma-separated list of extensions that certificates can have when signed.
allowedUserKeyConfigs List<SecretBackendRoleAllowedUserKeyConfig>: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
allowedUsers String: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
allowedUsersTemplate Boolean: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
cidrList String: The comma-separated string of CIDR blocks for which this role is applicable.
defaultCriticalOptions Map<String,String>: Specifies a map of critical options that certificates have when signed.
defaultExtensions Map<String,String>: Specifies a map of extensions that certificates have when signed.
defaultUser String: Specifies the default username for which a credential will be generated.
defaultUserTemplate Boolean: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
keyIdFormat String: Specifies a custom format for the key id of a signed certificate.
maxTtl String: Specifies the maximum Time To Live value.
name String: Specifies the name of the role to create.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notBeforeDuration String: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
ttl String: Specifies the Time To Live value.

backend string: The path where the SSH secret backend is mounted.
keyType string: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
algorithmSigner string: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
allowBareDomains boolean: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
allowEmptyPrincipals boolean: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
allowHostCertificates boolean: Specifies if certificates are allowed to be signed for use as a 'host'.
allowSubdomains boolean: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
allowUserCertificates boolean: Specifies if certificates are allowed to be signed for use as a 'user'.
allowUserKeyIds boolean: Specifies if users can override the key ID for a signed certificate with the key_id field.
allowedCriticalOptions string: Specifies a comma-separated list of critical options that certificates can have when signed.
allowedDomains string: The list of domains for which a client can request a host certificate.
allowedDomainsTemplate boolean: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
allowedExtensions string: Specifies a comma-separated list of extensions that certificates can have when signed.
allowedUserKeyConfigs SecretBackendRoleAllowedUserKeyConfig[]: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
allowedUsers string: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
allowedUsersTemplate boolean: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
cidrList string: The comma-separated string of CIDR blocks for which this role is applicable.
defaultCriticalOptions {[key: string]: string}: Specifies a map of critical options that certificates have when signed.
defaultExtensions {[key: string]: string}: Specifies a map of extensions that certificates have when signed.
defaultUser string: Specifies the default username for which a credential will be generated.
defaultUserTemplate boolean: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
keyIdFormat string: Specifies a custom format for the key id of a signed certificate.
maxTtl string: Specifies the maximum Time To Live value.
name string: Specifies the name of the role to create.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notBeforeDuration string: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
ttl string: Specifies the Time To Live value.

backend str: The path where the SSH secret backend is mounted.
key_type str: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
algorithm_signer str: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
allow_bare_domains bool: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
allow_empty_principals bool: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
allow_host_certificates bool: Specifies if certificates are allowed to be signed for use as a 'host'.
allow_subdomains bool: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
allow_user_certificates bool: Specifies if certificates are allowed to be signed for use as a 'user'.
allow_user_key_ids bool: Specifies if users can override the key ID for a signed certificate with the key_id field.
allowed_critical_options str: Specifies a comma-separated list of critical options that certificates can have when signed.
allowed_domains str: The list of domains for which a client can request a host certificate.
allowed_domains_template bool: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
allowed_extensions str: Specifies a comma-separated list of extensions that certificates can have when signed.
allowed_user_key_configs Sequence[SecretBackendRoleAllowedUserKeyConfigArgs]: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
allowed_users str: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
allowed_users_template bool: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
cidr_list str: The comma-separated string of CIDR blocks for which this role is applicable.
default_critical_options Mapping[str, str]: Specifies a map of critical options that certificates have when signed.
default_extensions Mapping[str, str]: Specifies a map of extensions that certificates have when signed.
default_user str: Specifies the default username for which a credential will be generated.
default_user_template bool: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
key_id_format str: Specifies a custom format for the key id of a signed certificate.
max_ttl str: Specifies the maximum Time To Live value.
name str: Specifies the name of the role to create.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
not_before_duration str: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
ttl str: Specifies the Time To Live value.

backend String: The path where the SSH secret backend is mounted.
keyType String: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
algorithmSigner String: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
allowBareDomains Boolean: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
allowEmptyPrincipals Boolean: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
allowHostCertificates Boolean: Specifies if certificates are allowed to be signed for use as a 'host'.
allowSubdomains Boolean: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
allowUserCertificates Boolean: Specifies if certificates are allowed to be signed for use as a 'user'.
allowUserKeyIds Boolean: Specifies if users can override the key ID for a signed certificate with the key_id field.
allowedCriticalOptions String: Specifies a comma-separated list of critical options that certificates can have when signed.
allowedDomains String: The list of domains for which a client can request a host certificate.
allowedDomainsTemplate Boolean: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
allowedExtensions String: Specifies a comma-separated list of extensions that certificates can have when signed.
allowedUserKeyConfigs List<Property Map>: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
allowedUsers String: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
allowedUsersTemplate Boolean: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
cidrList String: The comma-separated string of CIDR blocks for which this role is applicable.
defaultCriticalOptions Map<String>: Specifies a map of critical options that certificates have when signed.
defaultExtensions Map<String>: Specifies a map of extensions that certificates have when signed.
defaultUser String: Specifies the default username for which a credential will be generated.
defaultUserTemplate Boolean: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
keyIdFormat String: Specifies a custom format for the key id of a signed certificate.
maxTtl String: Specifies the maximum Time To Live value.
name String: Specifies the name of the role to create.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notBeforeDuration String: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
ttl String: Specifies the Time To Live value.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing SecretBackendRole Resource

Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        algorithm_signer: Optional[str] = None,
        allow_bare_domains: Optional[bool] = None,
        allow_empty_principals: Optional[bool] = None,
        allow_host_certificates: Optional[bool] = None,
        allow_subdomains: Optional[bool] = None,
        allow_user_certificates: Optional[bool] = None,
        allow_user_key_ids: Optional[bool] = None,
        allowed_critical_options: Optional[str] = None,
        allowed_domains: Optional[str] = None,
        allowed_domains_template: Optional[bool] = None,
        allowed_extensions: Optional[str] = None,
        allowed_user_key_configs: Optional[Sequence[SecretBackendRoleAllowedUserKeyConfigArgs]] = None,
        allowed_users: Optional[str] = None,
        allowed_users_template: Optional[bool] = None,
        backend: Optional[str] = None,
        cidr_list: Optional[str] = None,
        default_critical_options: Optional[Mapping[str, str]] = None,
        default_extensions: Optional[Mapping[str, str]] = None,
        default_user: Optional[str] = None,
        default_user_template: Optional[bool] = None,
        key_id_format: Optional[str] = None,
        key_type: Optional[str] = None,
        max_ttl: Optional[str] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        not_before_duration: Optional[str] = None,
        ttl: Optional[str] = None) -> SecretBackendRole

func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)

public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)

public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)

resources:  _:    type: vault:ssh:SecretBackendRole    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AlgorithmSigner string: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
AllowBareDomains bool: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
AllowEmptyPrincipals bool: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
AllowHostCertificates bool: Specifies if certificates are allowed to be signed for use as a 'host'.
AllowSubdomains bool: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
AllowUserCertificates bool: Specifies if certificates are allowed to be signed for use as a 'user'.
AllowUserKeyIds bool: Specifies if users can override the key ID for a signed certificate with the key_id field.
AllowedCriticalOptions string: Specifies a comma-separated list of critical options that certificates can have when signed.
AllowedDomains string: The list of domains for which a client can request a host certificate.
AllowedDomainsTemplate bool: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
AllowedExtensions string: Specifies a comma-separated list of extensions that certificates can have when signed.
AllowedUserKeyConfigs List<SecretBackendRoleAllowedUserKeyConfig>: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
AllowedUsers string: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
AllowedUsersTemplate bool: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
Backend string: The path where the SSH secret backend is mounted.
CidrList string: The comma-separated string of CIDR blocks for which this role is applicable.
DefaultCriticalOptions Dictionary<string, string>: Specifies a map of critical options that certificates have when signed.
DefaultExtensions Dictionary<string, string>: Specifies a map of extensions that certificates have when signed.
DefaultUser string: Specifies the default username for which a credential will be generated.
DefaultUserTemplate bool: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
KeyIdFormat string: Specifies a custom format for the key id of a signed certificate.
KeyType string: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
MaxTtl string: Specifies the maximum Time To Live value.
Name string: Specifies the name of the role to create.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotBeforeDuration string: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
Ttl string: Specifies the Time To Live value.

AlgorithmSigner string: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
AllowBareDomains bool: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
AllowEmptyPrincipals bool: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
AllowHostCertificates bool: Specifies if certificates are allowed to be signed for use as a 'host'.
AllowSubdomains bool: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
AllowUserCertificates bool: Specifies if certificates are allowed to be signed for use as a 'user'.
AllowUserKeyIds bool: Specifies if users can override the key ID for a signed certificate with the key_id field.
AllowedCriticalOptions string: Specifies a comma-separated list of critical options that certificates can have when signed.
AllowedDomains string: The list of domains for which a client can request a host certificate.
AllowedDomainsTemplate bool: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
AllowedExtensions string: Specifies a comma-separated list of extensions that certificates can have when signed.
AllowedUserKeyConfigs []SecretBackendRoleAllowedUserKeyConfigArgs: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
AllowedUsers string: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
AllowedUsersTemplate bool: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
Backend string: The path where the SSH secret backend is mounted.
CidrList string: The comma-separated string of CIDR blocks for which this role is applicable.
DefaultCriticalOptions map[string]string: Specifies a map of critical options that certificates have when signed.
DefaultExtensions map[string]string: Specifies a map of extensions that certificates have when signed.
DefaultUser string: Specifies the default username for which a credential will be generated.
DefaultUserTemplate bool: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
KeyIdFormat string: Specifies a custom format for the key id of a signed certificate.
KeyType string: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
MaxTtl string: Specifies the maximum Time To Live value.
Name string: Specifies the name of the role to create.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NotBeforeDuration string: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
Ttl string: Specifies the Time To Live value.

algorithmSigner String: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
allowBareDomains Boolean: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
allowEmptyPrincipals Boolean: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
allowHostCertificates Boolean: Specifies if certificates are allowed to be signed for use as a 'host'.
allowSubdomains Boolean: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
allowUserCertificates Boolean: Specifies if certificates are allowed to be signed for use as a 'user'.
allowUserKeyIds Boolean: Specifies if users can override the key ID for a signed certificate with the key_id field.
allowedCriticalOptions String: Specifies a comma-separated list of critical options that certificates can have when signed.
allowedDomains String: The list of domains for which a client can request a host certificate.
allowedDomainsTemplate Boolean: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
allowedExtensions String: Specifies a comma-separated list of extensions that certificates can have when signed.
allowedUserKeyConfigs List<SecretBackendRoleAllowedUserKeyConfig>: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
allowedUsers String: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
allowedUsersTemplate Boolean: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
backend String: The path where the SSH secret backend is mounted.
cidrList String: The comma-separated string of CIDR blocks for which this role is applicable.
defaultCriticalOptions Map<String,String>: Specifies a map of critical options that certificates have when signed.
defaultExtensions Map<String,String>: Specifies a map of extensions that certificates have when signed.
defaultUser String: Specifies the default username for which a credential will be generated.
defaultUserTemplate Boolean: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
keyIdFormat String: Specifies a custom format for the key id of a signed certificate.
keyType String: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
maxTtl String: Specifies the maximum Time To Live value.
name String: Specifies the name of the role to create.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notBeforeDuration String: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
ttl String: Specifies the Time To Live value.

algorithmSigner string: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
allowBareDomains boolean: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
allowEmptyPrincipals boolean: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
allowHostCertificates boolean: Specifies if certificates are allowed to be signed for use as a 'host'.
allowSubdomains boolean: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
allowUserCertificates boolean: Specifies if certificates are allowed to be signed for use as a 'user'.
allowUserKeyIds boolean: Specifies if users can override the key ID for a signed certificate with the key_id field.
allowedCriticalOptions string: Specifies a comma-separated list of critical options that certificates can have when signed.
allowedDomains string: The list of domains for which a client can request a host certificate.
allowedDomainsTemplate boolean: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
allowedExtensions string: Specifies a comma-separated list of extensions that certificates can have when signed.
allowedUserKeyConfigs SecretBackendRoleAllowedUserKeyConfig[]: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
allowedUsers string: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
allowedUsersTemplate boolean: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
backend string: The path where the SSH secret backend is mounted.
cidrList string: The comma-separated string of CIDR blocks for which this role is applicable.
defaultCriticalOptions {[key: string]: string}: Specifies a map of critical options that certificates have when signed.
defaultExtensions {[key: string]: string}: Specifies a map of extensions that certificates have when signed.
defaultUser string: Specifies the default username for which a credential will be generated.
defaultUserTemplate boolean: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
keyIdFormat string: Specifies a custom format for the key id of a signed certificate.
keyType string: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
maxTtl string: Specifies the maximum Time To Live value.
name string: Specifies the name of the role to create.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notBeforeDuration string: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
ttl string: Specifies the Time To Live value.

algorithm_signer str: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
allow_bare_domains bool: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
allow_empty_principals bool: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
allow_host_certificates bool: Specifies if certificates are allowed to be signed for use as a 'host'.
allow_subdomains bool: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
allow_user_certificates bool: Specifies if certificates are allowed to be signed for use as a 'user'.
allow_user_key_ids bool: Specifies if users can override the key ID for a signed certificate with the key_id field.
allowed_critical_options str: Specifies a comma-separated list of critical options that certificates can have when signed.
allowed_domains str: The list of domains for which a client can request a host certificate.
allowed_domains_template bool: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
allowed_extensions str: Specifies a comma-separated list of extensions that certificates can have when signed.
allowed_user_key_configs Sequence[SecretBackendRoleAllowedUserKeyConfigArgs]: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
allowed_users str: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
allowed_users_template bool: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
backend str: The path where the SSH secret backend is mounted.
cidr_list str: The comma-separated string of CIDR blocks for which this role is applicable.
default_critical_options Mapping[str, str]: Specifies a map of critical options that certificates have when signed.
default_extensions Mapping[str, str]: Specifies a map of extensions that certificates have when signed.
default_user str: Specifies the default username for which a credential will be generated.
default_user_template bool: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
key_id_format str: Specifies a custom format for the key id of a signed certificate.
key_type str: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
max_ttl str: Specifies the maximum Time To Live value.
name str: Specifies the name of the role to create.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
not_before_duration str: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
ttl str: Specifies the Time To Live value.

algorithmSigner String: When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
allowBareDomains Boolean: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
allowEmptyPrincipals Boolean: Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
allowHostCertificates Boolean: Specifies if certificates are allowed to be signed for use as a 'host'.
allowSubdomains Boolean: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
allowUserCertificates Boolean: Specifies if certificates are allowed to be signed for use as a 'user'.
allowUserKeyIds Boolean: Specifies if users can override the key ID for a signed certificate with the key_id field.
allowedCriticalOptions String: Specifies a comma-separated list of critical options that certificates can have when signed.
allowedDomains String: The list of domains for which a client can request a host certificate.
allowedDomainsTemplate Boolean: Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
allowedExtensions String: Specifies a comma-separated list of extensions that certificates can have when signed.
allowedUserKeyConfigs List<Property Map>: Set of configuration blocks to define allowed
user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
allowedUsers String: Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
allowedUsersTemplate Boolean: Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
backend String: The path where the SSH secret backend is mounted.
cidrList String: The comma-separated string of CIDR blocks for which this role is applicable.
defaultCriticalOptions Map<String>: Specifies a map of critical options that certificates have when signed.
defaultExtensions Map<String>: Specifies a map of extensions that certificates have when signed.
defaultUser String: Specifies the default username for which a credential will be generated.
defaultUserTemplate Boolean: If set, default_users can be specified using identity template values. A non-templated user is also permitted.
keyIdFormat String: Specifies a custom format for the key id of a signed certificate.
keyType String: Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca.
maxTtl String: Specifies the maximum Time To Live value.
name String: Specifies the name of the role to create.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
notBeforeDuration String: Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.
ttl String: Specifies the Time To Live value.

Supporting Types

SecretBackendRoleAllowedUserKeyConfig, SecretBackendRoleAllowedUserKeyConfigArgs

Lengths List<int>: List of allowed key lengths, vault-1.10 and above
Type string: Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

Lengths []int: List of allowed key lengths, vault-1.10 and above
Type string: Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

lengths List<Integer>: List of allowed key lengths, vault-1.10 and above
type String: Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

lengths number[]: List of allowed key lengths, vault-1.10 and above
type string: Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

lengths Sequence[int]: List of allowed key lengths, vault-1.10 and above
type str: Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

lengths List<Number>: List of allowed key lengths, vault-1.10 and above
type String: Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

Import

SSH secret backend roles can be imported using the path, e.g.

$ pulumi import vault:ssh/secretBackendRole:SecretBackendRole foo ssh/roles/my-role

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi

pulumi/pulumi-vault

vault.ssh.SecretBackendRole

On this page

On this page

Example Usage

Create SecretBackendRole Resource

Constructor syntax

Parameters

Constructor example

SecretBackendRole Resource Properties

Inputs

Outputs

Look up Existing SecretBackendRole Resource

Supporting Types

SecretBackendRoleAllowedUserKeyConfig, SecretBackendRoleAllowedUserKeyConfigArgs

Import

Package Details

On this page

On this page